Are Passwords Obsolete?
Passwords have been our main line of defense against information bandits since the earliest days of computing. “The thin typed line” of alphanumeric characters is all that stands between most of us and identity theft, raided bank accounts, extortion, and a host of other crimes. But the line is crumbling and it’s time for something new...
What Will Replace Passwords?
Alphanumeric passwords have been around a long time. My high school had a Model 33 Teletype, which was the first computer terminal I used. More than 35 years later, I can still remember my teletype login and password (HEL-N703,MTH). But some security experts are predicting that passwords will soon be as obsolete as my beloved teletype.
There are many problems with relying upon passwords alone for online security. First and foremost is human nature, which is lazy. Short, obvious, easily-cracked passwords that are reused on every website and never changed are the norm rather than the exception. People act as if the Internet is looking out for their security so they don’t have to.
But hackers have no difficulty breaking into major Web sites and stealing millions of passwords at one go. Now the Heartbleed bug has revealed that the infrastructure of the Internet itself is insecure, exposing hundreds of millions of users to password theft and worse. In every bulletin about a new security breach, you will read the phrase, “…passwords may have been compromised.”
Clearly, we need something to bolster or replace the extremely vulnerable password as the key to a person’s online identity and treasures. Several alternative authentication techniques have been tried; one looks like it will catch hold and become the new standard.
In general, you can prove to an online system that you are who you claim to be using something known to the system and yourself. That something may be:
- Something you know, such as a password
- Something you possess, such as a mobile phone
- Something you are, such as a person with a unique fingerprint
Two Out of Three Ain't Bad
Things that you know are discoverable by hackers. Information such as your mother’s maiden name, the first school you attended, or the street you grew up on is rather easily discovered by any motivated thief who really cares to look. Passwords can be guessed or stolen wherever they are stored.
Things that you possess can be taken from you or lost. A mobile phone that receives one-time passwords via text message may deliver your online life into a hacker’s hands before you can get the phone shut down.
Even fingerprints can be stolen, though not in the gruesome manner that springs to mind. Plastic molds and casts of fingerprints lifted from drinking glasses and similar sources have been used to fool biometric security systems.
Every single authentication method is vulnerable to hackers. So it’s not a good idea to use just a single authentication method. Two-factor authentication – in which you must provide two out of the three types of authentication described above – is taking hold in the online world.
A password plus a fingerprint scan, or a password plus a one-time code sent to your smartphone, seems to be the sort of two-factor authentication that users and service providers can live with.
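The password-plus-one-time-code login described above, sketched as an added example (it is not code from the original article). The class name, the in-memory stores, the 6-digit code and the 5-minute lifetime are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

PBKDF2_ROUNDS = 100_000   # assumed work factor for this example
CODE_TTL = 300            # assumed lifetime of a one-time code, in seconds

def hash_password(password, salt):
    # Slow, salted hash so a stolen password table is costly to crack.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class TwoFactorLogin:          # hypothetical name, not a real library
    def __init__(self):
        self.users = {}        # name -> (salt, password hash)
        self.pending = {}      # name -> (one-time code, expiry time)

    def enroll(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, hash_password(password, salt))

    def check_password(self, name, password):
        if name not in self.users:
            return False
        salt, stored = self.users[name]
        return hmac.compare_digest(stored, hash_password(password, salt))

    def start_login(self, name, password, now=None):
        """Factor 1 (something you know). On success, issue a one-time code."""
        now = time.time() if now is None else now
        if not self.check_password(name, password):
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[name] = (code, now + CODE_TTL)
        return code  # a real service sends this to the phone, never to the browser

    def finish_login(self, name, code, now=None):
        """Factor 2 (something you possess). The code is single-use and expires."""
        now = time.time() if now is None else now
        issued = self.pending.pop(name, None)  # pop: any attempt consumes the code
        if issued is None:
            return False
        expected, expiry = issued
        return now <= expiry and hmac.compare_digest(expected.encode(), code.encode())
```

A stolen password gets an attacker only as far as `start_login`; without the phone that receives the code, `finish_login` fails, and a code that has been used, guessed at once, or left past its lifetime is rejected.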
You Are the Password
Other types of biometric authentication are either unreliable or feel too intrusive. Users are more willing to run their fingertips over scanners than to stare into a camera while their eyeballs are scanned. Voice recognition can be ruined by a cold or laryngitis. Other biometrics, such as subdermal vein patterns or heartbeat rhythms, remain in the experimental phase.
Speaking of biometrics, a team of researchers at the Advanced Institute of Industrial Technology in Tokyo has developed a chair that can authenticate people with their buttocks. Yes, really. Special sensors measure the contours of your backside and the pressure pattern you apply to the surface of the seat. It was originally developed as an automobile anti-theft system, but if someday you hear your computer say "please be seated," you'll know why.
If you can use two-factor authentication on the sites you consider most critical, do so. Google is urging two-factor authentication upon its users, and Facebook requires it for certain operations. Banks and other financial institutions are moving to two-factor authentication. (Note that some websites call it "two-step verification," "login approval," or "enhanced login security".) If you are offered the option, I highly recommend this more secure authentication method for your website logins.
This article was posted by Bob Rankin on 2 May 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Are Passwords Obsolete? (Posted: 2 May 2014)