Passwords – we love to hate them. Despite scribbled pages of notes and password keepers, we always forget them at the most inconvenient time. (By the way, written notes are a very insecure way to remember your password.) They expire before we remember to reset them, as the IT department sets required password change rules. These days it feels like they have to be one hundred letters long, including hieroglyphics, Roman numerals, and emojis.
And despite all that, they still aren’t very secure. Every few months we hear about another massive breach. One of the biggest, and most recent, was Yahoo. The company only just reported a 2014 breach that compromised 500 million users’ names, e-mail addresses, and other personally identifying information. If the password information could be decrypted and used along with this other PII, user accounts across other services – even bank logins – could be accessed. According to the 2016 Verizon Data Breach Investigations Report, compromised passwords were used as a means of access for many attacks as well.
Is it time to ditch passwords altogether? What might replace them? The technology, it turns out, is just around the corner.
As part of National Cyber Security Awareness Month, the White House encouraged US citizens to use stronger authentication whenever possible, claiming that using fingerprints or two-factor authentication prevents 62% of data breaches. But what exactly is wrong with passwords, anyway?
For one, users don’t use password best practices for security, like changing them regularly, making them unique, using long phrases, or taking advantage of a password manager. Only 29% of people reset passwords for security reasons, and the most common password — still — is 123456.
Brute-force guessing (usually automated by computers), man-in-the-middle attacks (which intercept online communications), keyloggers (software and/or hardware that records your keystrokes), and phishing (legitimate-appearing e-mails from hackers asking you to reset or hand over your account information) are other ways passwords can be discovered.
Service providers do usually store passwords in an encrypted format – such was the case with the Yahoo breach, and the reason the company cited for not requiring a password reset for every user. But encryption can be reverse engineered. For example, 177 million credentials were stolen from LinkedIn in 2012. They were hashed with “unsalted” SHA1, an easily cracked algorithm. (Salting refers to adding random data to each password before it is hashed, for additional security.)
Even some additional security features used alongside passwords have their issues. Security questions are often guessable, or their answers can be found with some web sleuthing on a target. Changing them is often difficult after a security breach. They are also susceptible to the same storage and encryption problems as passwords.
It’s looking increasingly likely that physical attributes and behavior will be used as a new way to confirm your identity. With the majority of people now carrying around sensor-packed pocket computers complete with multiple cameras, fingerprint sensors, and tracking abilities, a combination of face recognition, biometric/fingerprint scanning, and other factors is taking off as a password replacement.
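The difference salting makes to the unsalted SHA1 storage described above, as an added example that is not part of the original article. The account names, passwords, the choice of PBKDF2 as the slow salted scheme, and the iteration count are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; two share the article's "most common password".
USERS = {"alice": "123456", "bob": "123456", "carol": "correct horse battery staple"}
ITERATIONS = 600_000  # example work factor (assumption); tune for your hardware


def unsalted_sha1(password: str) -> str:
    """Weak scheme: one fast hash and no salt, so equal passwords collide."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_pbkdf2(password: str, salt: bytes = b"") -> tuple:
    """Hardened scheme: per-user random salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def verify(password: str, salt: bytes, expected_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_pbkdf2(password, salt)[1], expected_hex)


def shared_digests(stored: dict) -> list:
    """Audit check: groups of accounts whose stored digests are identical."""
    groups = defaultdict(list)
    for user, digest in stored.items():
        groups[digest].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def weak_table() -> dict:
    return {user: unsalted_sha1(pw) for user, pw in USERS.items()}


def strong_table() -> dict:
    return {user: salted_pbkdf2(pw) for user, pw in USERS.items()}


if __name__ == "__main__":
    strong = strong_table()
    print("unsalted, shared digests:", shared_digests(weak_table()))
    print("salted, shared digests:  ", shared_digests({u: d for u, (_, d) in strong.items()}))
    print("alice verifies:", verify("123456", *strong["alice"]))
```

With unsalted SHA1, every account using the same password stores the same value, so one guess exposes all of them; with a per-user salt the stored values differ even when the passwords match.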
Google is developing the Trust API, which will use those biometric factors as well as tracking how you type and use your device to attempt to thwart unauthorized users. Microsoft is planning to use fingerprints, iris scanning, and facial recognition. Apple and Android devices can already unlock by fingerprint.
Individually, a facial scan or even a fingerprint can be less secure than a password, as they can be faked. But a combination of them could be more secure. And new technologies enabled by machine learning, like tracking and predicting user behavior to recognize where and when you typically log into a service, could help remove the visible authentication step entirely.
It all sounds very futuristic, but the death of the password is probably nigh. Even with the advent of smarter authentication techniques, it’s wise to take every step you can to protect your digital identity and credentials. The best security is preventative.