The age of the password is over?

You have a secret that can ruin your life, and it is usually not a well-kept secret. The article Kill the Password: Why a String of Characters Can't Protect Us Anymore puts it this way: a simple string of characters, maybe six of them if you're careless, 16 if you're cautious, can reveal everything about you: your email, your bank account, your address and credit card number, photos of your kids, the precise location where you're sitting right now.

No matter how complex, no matter how unique, your passwords can no longer protect you. And the way we daisy-chain accounts (our email address doubles as a universal username, and that inbox receives every password reset) creates a single point of failure that can be exploited with devastating results.

Access to our data can no longer hinge on a secret word. The age of the password is over. Look around: leaks and dumps are now regular occurrences, and everyone is a few clicks away from knowing everything.

We just haven’t realized it yet. And no one has figured out what will take its place.

Several alternatives have been tried, but none of them has become both widely used and easy to use. Smart cards for authentication, for example, fall short because not every computer has a smart card reader (and the reader software brings problems of its own). For SSH connections I have tried to use SSH keys and certificates instead of passwords where I can, but that is not practical everywhere. And many web services offer no authentication other than the old-fashioned username and password.

In the short term I expect that you will see more and more two-factor or multi-factor authentication schemes, where the password is one factor and other factors are added to improve security. Combining two or more factors increases security considerably: none of the factors needs to be 100% secure for this to work well, as long as compromising one of them does not also hand the attacker the other.
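As an added example (not code from the original post), here is what "password plus a second factor" looks like in practice: the password factor is stored as a salted, iterated PBKDF2 hash, and the second factor is a time-based one-time code of the kind authenticator apps display (TOTP per RFC 6238, implemented here with the standard library and checked against the RFC's own test vectors). The user record, salt and enrolled authenticator secret are constructed for illustration.

```python
"""Password plus a second factor: PBKDF2-hashed password and RFC 6238 TOTP.

Added example, not code from the original post. The user record, salt
and authenticator secret below are constructed for illustration.
"""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # deliberately slow: a leaked record is expensive to crack


# --- factor 1: something you know -------------------------------------------
def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def password_ok(password: str, salt: bytes, stored: bytes) -> bool:
    # Constant-time compare: the check itself must not leak how close a guess was.
    return hmac.compare_digest(hash_password(password, salt), stored)


# --- factor 2: something you have (TOTP: HMAC-SHA1, 30 s step, 6 digits) ------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    return hotp(secret, at // step)


def totp_ok(secret: bytes, code: str, at: int, step: int = 30, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock drift."""
    counter = at // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# --- the user record a server would keep (constructed) ------------------------
SALT = bytes.fromhex("1f2e3d4c5b6a79880011223344556677")
USER = {
    "name": "alice",
    "salt": SALT,
    "pw_hash": hash_password("correct horse battery staple", SALT),
    "totp_secret": base64.b32decode("JBSWY3DPEHPK3PXP"),  # secret enrolled via the QR code
}


def login(user: dict, password: str, code: str, at: Optional[int] = None) -> bool:
    """Both factors are always evaluated, so a wrong password and a wrong code
    fail identically and the response does not reveal which factor was wrong."""
    at = int(time.time()) if at is None else at
    pw = password_ok(password, user["salt"], user["pw_hash"])
    otp = totp_ok(user["totp_secret"], code, at)
    return pw and otp


if __name__ == "__main__":
    now = int(time.time())
    current = totp(USER["totp_secret"], now)  # what the phone app would display right now
    print("password + current code: ", login(USER, "correct horse battery staple", current, now))
    print("password + wrong code:   ", login(USER, "correct horse battery staple", "xxxxxx", now))
    print("stolen code, no password:", login(USER, "hunter2", current, now))
```

The point of the last two lines: a phished one-time code is useless without the password, and a cracked password is useless without the device that holds the secret. The drift window is kept at one step; widening it makes codes live longer and gives a guesser more targets.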

2 Comments

  1. Tomi Engdahl says:

    Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”
    For Ars, three crackers have at 16,000+ hashed passcodes—with 90 percent success.
    http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

    The list contained 16,449 passwords converted into hashes using the MD5 cryptographic hash function. Security-conscious websites never store passwords in plaintext. Instead, they work only with these so-called one-way hashes.

    While Anderson’s 47-percent success rate is impressive, it’s minuscule when compared to what real crackers can do, as Anderson himself made clear.

    Reply
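The comment above quotes Ars on a dump of unsalted MD5 hashes. As an added example (not from the original post or the Ars article), the block below shows the cracking loop in miniature and why the unsalted case is so cheap: each candidate password is hashed once and looked up against the whole dump, so 16,449 hashes cost no more than one, and two users who chose the same password are visible at a glance because their hashes are identical. A per-user salt forces the attacker to redo the wordlist for every user. The "leaked" user records, salts and wordlist are constructed here; the mangling rules are a small sample of the kind real crackers apply.

```python
"""Cracking a dump of unsalted MD5 hashes versus salted ones.

Added example, not code from the original post or the Ars article.
The leaked user records, salts and wordlist are constructed here.
"""
import hashlib
import os
from typing import Iterator


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def candidates(word: str) -> Iterator[str]:
    """A handful of mangling rules of the kind crackers apply to every
    wordlist entry: capitalise, append common digits/years, leetspeak."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "1331", "2013", "!"):
        yield word + suffix
        yield word.capitalize() + suffix
    yield word.replace("a", "@").replace("e", "3").replace("o", "0")


def crack_unsalted(leak: dict, wordlist: list):
    """leak maps user -> md5(password). Each candidate is hashed ONCE and looked
    up against every hash in the dump, so the cost does not grow with the number
    of users. Returns (user -> plaintext, number of hashes computed)."""
    users_by_hash: dict = {}
    for user, h in leak.items():
        users_by_hash.setdefault(h, []).append(user)
    found, work = {}, 0
    for word in wordlist:
        for cand in candidates(word):
            work += 1
            for user in users_by_hash.get(md5_hex(cand), []):
                found[user] = cand
    return found, work


def crack_salted(leak: dict, wordlist: list):
    """leak maps user -> (salt, md5(salt + password)). The salt differs per user,
    so the whole wordlist is re-hashed for each user and identical passwords no
    longer produce identical hashes. Returns (user -> plaintext, hashes computed)."""
    found, work = {}, 0
    for user, (salt, target) in leak.items():
        for word in wordlist:
            hit = None
            for cand in candidates(word):
                work += 1
                if md5_hex(salt + cand) == target:
                    hit = cand
                    break
            if hit is not None:
                found[user] = hit
                break
    return found, work


def shared_hashes(leak: dict) -> list:
    """Groups of users with identical hashes: with no salt, same password means same hash."""
    groups: dict = {}
    for user, h in leak.items():
        groups.setdefault(h, []).append(user)
    return sorted(g for g in groups.values() if len(g) > 1)


# Constructed data: what the users chose, and the two ways a site might store it.
WORDLIST = ["password", "letmein", "qwerty", "monkey", "dragon", "summer"]
PLAINTEXTS = {
    "alice": "Password1331", "bob": "monkey", "carol": "Password1331",
    "dave": "l3tm3in", "erin": "Tr0ub4dor&3",
}
LEAK_UNSALTED = {u: md5_hex(p) for u, p in PLAINTEXTS.items()}
SALTS = {u: os.urandom(8).hex() for u in PLAINTEXTS}
LEAK_SALTED = {u: (SALTS[u], md5_hex(SALTS[u] + p)) for u, p in PLAINTEXTS.items()}

if __name__ == "__main__":
    u_found, u_work = crack_unsalted(LEAK_UNSALTED, WORDLIST)
    s_found, s_work = crack_salted(LEAK_SALTED, WORDLIST)
    print("unsalted: cracked", sorted(u_found), "with", u_work, "hashes; reuse:", shared_hashes(LEAK_UNSALTED))
    print("salted:   cracked", sorted(s_found), "with", s_work, "hashes; reuse:", shared_hashes({u: h for u, (_, h) in LEAK_SALTED.items()}))
```

Two caveats a practitioner should keep in mind: salting multiplies the attacker's work by the number of users but does nothing for a single targeted account, and MD5 is fast enough that even the salted loop runs at hardware speed. Slowing a single guess down is the job of an iterated password hash (bcrypt, scrypt, PBKDF2 with a high iteration count), not of the salt.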
  2. Tomi Engdahl says:

    Goodbye passwords! Motorola wants to secure your identity with pills and tattoos
    http://www.electronicproducts.com/Sensors_and_Transducers/Sensors/Goodbye_passwords_Motorola_wants_to_secure_your_identity_with_pills_and_tattoos.aspx

    Do you ever worry about your passwords? Are your devices and accounts secure enough?

    Even if your password seems to be strong, you are still susceptible to a hack. Companies are trying all sorts of methods for simplifying and securing our authentication processes: fingerprint scanning, eyeball scanning, and facial recognition, just to name a few.

    Forget all that. What about swallowing a pill or getting a tattoo that will solve your password problem and keep you secure?

    Regina Dugan, former DARPA director and current Senior Vice President of Advanced Technology Projects at Motorola, discussed these two identification solutions in the works at D11, All Things Digital Conference in Rancho Palos Verdes, CA, last week.

    So, how can a tattoo keep you secure?
    Dugan describes it as a kind of identification you can wear on your skin, possibly for a week at a time.
    Despite challenges, Motorola has gotten together with MC10, a company that has made strides in the wearable electronics department to create an electronic tattoo equipped with antennae and sensors. MC10 will be working on a tattoo that can be used for authentication.

    What about pills?
    In this case, a person would swallow a pill that has a small chip inside of it. That chip would contain a switch that is powered by way of an “inside-out potato battery,” Dugan explained. Once the pill is swallowed, stomach acids power it on and off.
    “This creates an 18-bit ECG-like signal in your body and essentially your entire body becomes your authentication token,” said Dugan.

    Reply
