Are Passwords Obsolete?
Passwords have been our main line of defense against information bandits since the earliest days of computing. “The thin typed line” of alphanumeric characters is all that stands between most of us and identity theft, raided bank accounts, extortion, and a host of other crimes. But the line is crumbling and it’s time for something new...
What Will Replace Passwords?
Alphanumeric passwords have been around a long time. My high school had a Model 33 Teletype, which was the first computer terminal I used. More than 35 years later, I can still remember my teletype login and password (HEL-N703,MTH). But some security experts are predicting that passwords will soon be as obsolete as my beloved teletype.
There are many problems with relying upon passwords alone for online security. First and foremost is human nature, which is lazy. Short, obvious, easily-cracked passwords that are reused on every website and never changed are the norm rather than the exception. People act as if the Internet is looking out for their security so they don’t have to.
But hackers have no difficulty breaking into major Web sites and stealing millions of passwords at one go. Now the Heartbleed bug has revealed that the infrastructure of the Internet itself is insecure, exposing hundreds of millions of users to password theft and worse. In every bulletin about a new security breach, you will read the phrase, “…passwords may have been compromised.”
Clearly, we need something to bolster or replace the extremely vulnerable password as the key to a person’s online identity and treasures. Several alternative authentication techniques have been tried; one looks like it will catch hold and become the new standard.
In general, you can prove to an online system that you are who you claim to be using something known to the system and yourself. That something may be:
- Something you know, such as a password
- Something you possess, such as a mobile phone
- Something you are, such as a person with a unique fingerprint
Two Out of Three Ain't Bad
Things that you know are discoverable by hackers. Information such as your mother’s maiden name, the first school you attended, the street you grew up on, etc., are rather easily discovered by any motivated thief who really cares to look. Passwords can be guessed or stolen wherever they are stored.
Things that you possess can be taken from you or lost. A mobile phone that receives one-time passwords via text message may deliver your online life into a hacker’s hands before you can get the phone shut down.
Even fingerprints can be stolen, though not in the gruesome manner that springs to mind. Plastic molds and casts of fingerprints lifted from drinking glasses and similar sources have been used to fool biometric security systems.
Every single authentication method is vulnerable to hackers. So it’s not a good idea to use just a single authentication method. Two-factor authentication – in which you must provide two out of the three types of authentication described above – is taking hold in the online world.
A password plus a fingerprint scan, or a password plus a one-time code sent to your smartphone, seems to be the sort of two-factor authentication that users and service providers can live with.
You Are the Password
Other types of biometric authentication are either unreliable or feel too intrusive. Users more willingly run their fingertips over scanners than they will stare into a camera while their eyeballs are scanned. Voice recognition can be ruined by a cold or laryngitis. Other biometrics, such as subdermal vein patterns or heartbeat rhythms, remain in the experimental phase.
Speaking of biometrics, a team of researchers at the Advanced Institute of Industrial Technology in Tokyo have developed a chair that can authenticate people with their buttocks. Yes, really. Special sensors measure the contours of your backside and the pressure pattern you apply to the surface of the seat. It was originally developed as an automobile anti-theft system, but if someday you hear your computer say "please be seated," you'll know why.
If you can use two-factor authentication from the sites you consider most critical, do so. Google is urging two-factor authentication upon its users, and Facebook requires it for certain operations. Banks and other financial institutions are moving to two-factor authentication. (Note that some websites call it "two-step verification," "login approval," or "enhanced login security".) If you are offered the option, I highly recommend this more secure authentication method for your website logins.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 2 May 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved
Most recent comments on "Are Passwords Obsolete?"
02 May 2014
I have a cellphone, but all it does is make & receive phone calls - text feature off. And, I only turn it on when I go out. So, I guess I fall into the "old fartett" category.
If 2F verification becomes a must, I guess I'll be left out.
Now where did I put my Selectric?
02 May 2014
In response to Marty, the vast majority of sites do store hashed passwords, not clear text. The trouble is if someone steals the hashes, it's very quick and easy with the tools available today to crack all the simple passwords by brute force. Weak passwords will be guessed by this method within minutes or even seconds, and only really strong passwords will stand up, at least for many days of attempted cracking. Most users don't use strong passwords.
02 May 2014
Hi Bob can u please explain one of the above comments (2nd May from Marty) as it seemed 2b a possible alternative to passwords that might work 4me...
'save the MD5 or SHA-1 hash of the password. Then whenever anybody logs on they supply their password.'
I'm a mum & a farmer with reasonable computer skills but have no idea what Marty is telling us we can do as a good alternative to 2SA
thanks Bob-really enjoy yr newsletters
yours Jenny :-]
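To make concrete what "saving the hash of the password" means, and why the comment above about stolen hashes being cracked quickly is right for bare MD5 or SHA-1, here is an added Python example. It is not code from the article or from any commenter. It contrasts the unsalted MD5 scheme with a salted, deliberately slow PBKDF2-HMAC-SHA256 record; the record layout and the iteration count are assumptions chosen for the demonstration, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumption: a deliberately slow work factor


def legacy_md5_record(password: str) -> str:
    """The scheme the commenters describe: a bare MD5 of the password.
    Fast, and the same password always produces the same stored value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def make_record(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store a random per-user salt plus a slow PBKDF2-HMAC-SHA256 digest.
    Record layout (hypothetical): scheme$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Login check: recompute the digest with the stored salt and work factor,
    then compare in constant time. The password itself is never stored."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme: {scheme}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def same_password_same_record(make, password: str) -> bool:
    """True if two users who pick the same password end up with identical
    stored values. That property is what lets one precomputed table, or one
    guess, be checked against every account in a stolen database at once."""
    return make(password) == make(password)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    print("unsalted MD5 repeats across users:", same_password_same_record(legacy_md5_record, "letmein"))
    print("salted PBKDF2 repeats across users:", same_password_same_record(make_record, "letmein"))
    rec = make_record("Tr0ub4dor&3")
    print("stored record:", rec)
    print("correct password accepted:", verify("Tr0ub4dor&3", rec))
    print("wrong password rejected:", not verify("tr0ub4dor&3", rec))
```

The salt means an attacker who steals the table must attack each account separately, and the iteration count means each guess costs real CPU time; neither helps a user whose password is in the first few thousand guesses, which is the point the comment above makes about weak passwords.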
02 May 2014
Fingerprint scans have proven to be problematical (probably because of dirty fingers or smudged scan screens). Actually, for me, the option that seems the best and most fool-proof and easily used is the retinal scan. My only question is why it's taking so long considering that virtually every tablet, smartphone and laptop has a camera already.
02 May 2014
Recently a friend lost his child living in another country. It has been an added nightmare for the family in trying to find out this person's accounts, insurance details etc.. At one time statements for bank accounts etc would be mailed out which helped leave a hard copy paper trail. Later, details would have been stored on a person's only computer. Now, people often have several devices but complicating things even more, this information now is often stored on the cloud, hidden behind passwords and accounts that loved ones often have no knowledge of. This has been a timely reminder for us all and any suggestions of a work around would be helpful. Eye scans etc would make this more difficult too. Not only is there no knowledge of the accounts, if these were known of, access passwords are not known. I guess banks, insurance etc are not obligated to front up with the information and wonder how much unclaimed money benefits these institutions.
03 May 2014
My favorite is your ECG. The BioNym is to be released soon.
03 May 2014
@Ross >> those key fobs are still being utilized by some corporations for their employees who take laptops home. One brand is called "RSA SecurID" (www.rsa.com) and has an LCD display that rolls a new 6 digit numeric key code every 30 seconds.
03 May 2014
Bob, good article, that has also, generated some good debate!
I honestly think, in the "future", who knows how far though, passwords will not be used. I am not sure, what will be used, to access pertinent information, but, I do think, it will not be passwords.
As for now, the 2-Factor Authorization seems to be the "fashionable" trend. I say trend, since, it is not widely used, at the moment. I may have read this article wrong ... But, it seems to be mostly geared to the Mobile Phone user, not the Desktop user.
Someone, somewhere with a "simple" mind, needs to really come up with a bang-up idea, for both the Mobile and Desktop/Laptop users ... To have a method that is easy, for even the Newbies ... To access their personal or business computers/mobile phones/tablets, safely.
Bob, you are exactly point on, when you said, most computer/cell phone users are lazy. They are, exceedingly so. They just want to get to the "business, at hand" and as quickly, as possible. This is why, I really think ... If ... Passwords will be a "thing of the past" ... It becomes paramount, that the "new" method of accessing our computers or communication devices, it has to be as simple as a password, but, with much better security levels.
Don't have the solution, to this issue, either. For now, I am trying to change my habit, of using the same password, everywhere I go. Must admit though ... So far, I have been mighty lucky ... I haven't been compromised, yet. (Knock on wood!!!) :)
03 May 2014
Fingerprints don't work for me! I 'messed up' both my primary and secondary fingerprints and couldn't get into my laptop until I figured out how to change to a password.
With Windows 8 touch screen could you just sit on it? :o)
Marc de Piolenc
03 May 2014
I cringe at the use of biometrics for authentication. You may think your fingerprint is foolproof because it can't be duplicated, but it isn't your fingerprint that is presented for authentication against a database; it's a pattern of bits that can be just as easily duplicated and manipulated as any other such pattern. And in order to be useful, that pattern has to appear in at least one on-line database, so that there is something to which the fingerprint scanned by your bank can be compared. And when that fingerprint is compromised, YOU can't change it - you're stuck with that finger for life. Too bad, so sad, you're screwed. Give me an old-fashioned password that I can change any day!
04 May 2014
dear bob,what r we going to do about our passwords...its already exhausting..thanks..
05 May 2014
keypass generators are alive and well. I've had one for one of my online gaming accounts for going on 6 or 7 years now ($6 retail for the hardware...). My bank has been saying they will start offering them 'soon' for 2-3 years now.
06 May 2014
1)Biometrics can't work unless every computer and device have them and they are all working and the relevant data is available to check against.
2)Mobiles won't work until everybody has one (I don't) and you have a mobile signal you can use. I live in a UK city and our area has poor (sometimes absent) signal (I do have a mobile for work but unless I'm working it's not on me.) What if you are abroad?
One scheme is to have 2 factor for those occasions that do need them. My bank provides a chip and pin card reader as a verification means for some processes, you insert your card, enter your PIN and there is some form of query/response mechanism to proceed on the site.
Most sites really don't need to be that complex, do you really need all that security for a forum? A simple (even shared) password could be OK there. A bit more complex if it's a support forum for software you've paid for and so on. Banking and other sites that are really important you may want to secure further. One issue is people simply using their Google/Facebook accounts as login to other sites.
EDITOR'S NOTE: Biometric data can be stored on the device, as is commonly done with laptops and smartphones. And a mobile signal is not always needed for the 2-factor auth code. Google's authenticator app on Android phones does not. It relies on the date & time (and perhaps shoe size and phase of the moon) to generate a 6-digit code.
08 May 2014
One: years ago my wife was issued a pass code generator for work use. It had such a flimsy keyboard and small display that she could never be sure she had typed the right challenge into the device. (The web site gave a 6 digit number and you had to type that into the device and then type the box's response to the challenge back into the web site, all in 90 seconds.) Anytime she really needed to get logged in I had to help her with the dang machine.
Two: Many cell Plans still charge a fee for each text message here in Canada. I really don't want to have to pay 25 cents each time I use a web site, so that the site can send me a magic number.
10 May 2014
The very secure solution I'm looking forward to is SQRL - see https://www.grc.com/sqrl/sqrl.htm. While you are there check out his write up on Password Haystacks. In the meantime, I use LastPass and long, totally random passwords that are unique to every website. Current two factor authentication sounds great, but when I installed Google Authenticator on my iPhone it killed several other unrelated apps.
11 May 2014
Security should be looked at as several layers of protection. 1. a firewalled connection 2. a good Antivirus prog 3. two anti malware progs 4. Win Patrol to deny unwanted changes 5. at least 2 alpha numeric passwords 6. inform yourself about "at risk" behavior while on the internet ex: airport free connections 7. read various forums that keep you up to date about changes in technology
12 May 2014
A major problem w/ this article is it supports LESS security. In order to get the "one time code" from Google/Facebook/etc, you have to provide them with your cell phone number. They, in turn, use it for advertising. I had to change my cell number after I fell for this gimmick. I hadn't had a telemarketer call in over 10 yrs before this debacle.
Yes, we need a better authentication system, but the options presented are major steps back.
EDITOR'S NOTE: I'd argue this was a coincidence, or that your number was compromised in some other way. It just makes no sense for Google or Facebook to do that. It's never happened to me, and I've been using both for years.
13 May 2014
So, how does one use 2FA without a smart phone or laptop? I know, others have asked the same question, but it does not seem practical to have to go out and buy new equipment and have to learn to use it, so that you can log in to GOOGLE or FACEBOOK! Thanks for the post, Bob.
21 May 2014
Biometrics are too volatile for reliable use, suppose you damage or lose a finger, thumb or eye, even a fairly minor cut on your thumb will change its appearance.
As people age or get ill, they can develop conditions such as retinopathy or macular degeneration, where will that leave them if they need their device?
As for cardiac rhythms, just wait for the day when you can't log on to your device because you've been taking exercise or have just had sex!
Additionally, of course people can develop a whole range of cardiac arrhythmias well short of a full blown MI, particularly as they age.
Now if someone is suffering a full blown heart attack, then access to their device is the least of their problems but, should they recover, their heart will be scarred and its rhythm changed.
Remember, of course, that with the current system of checks and balances, you don't have to give your mother's REAL maiden name or the real name of your first school either if it can be guessed, if I put that my mother's maiden name was R2D2 and my first school was Chicken Curry, the authentication routine is not going to come back and say that was wrong. (I haven't used those by the way)
It seems somehow counter intuitive but you can add to your current level of protection by LYING!
01 Aug 2014
In the future, in my opinion, we will get rid of the simple "pass or fail" gates that protect our accounts.
The way many online services now work, is that they place a wall around the city, let anyone pass with valid papers (even if the black man who carried them last week has inexplicably become a white woman, and
In the future it won't be a simple "pass or fail" - it will be about chance. Intelligent software will monitor our behavior and evaluate the odds that the user logged in is legitimate.
This could be as simple as evaluating keystroke rhythms, mouse movements, patterns in navigation, analysis of a style of writing on forums, typical order of transactions on bank sites etc. Cross-checking data will become more prevalent as well, though not without many many issues and controversy.
If a user's behavior has become suspicious, the system will ask for additional verification, or might even alert some pre-defined party/parties so a human can intervene. It may even shut down the account - if my bank's site detects a sudden transfer of a large amount to some obscure account in the Maldives. Or if I'm suddenly shopping for expensive book sets when I'm a member of a local library and have said buying books is a waste of money.
Hell, identification on online/remote services could become a business where you register with a representative who will monitor your accounts for further protection.
Sure, such systems might require a formalisation/bureaucratisation of web usage. Then again, as we are doing more and more of our formal business online, that's only inevitable.