Posted by Matt Egan 16 April 2014
Passwords don't work: here are four ways to fix them
The wave of destruction left behind by the Heartbleed bug brings into sharp focus the need for robust and unique passwords. But I imagine very few people create unique and unguessable passwords for every online account they use, and fewer still can remember them all without storing them on a Post-It or some even less secure digital medium. Given that we seem to spend our lives constantly authenticating ourselves online, it strikes me that the day of the password is coming to a close. Fortunately there are alternatives.
The problem with online authentication is that it needs to rely on something unique to you, but the things that are unique to you are difficult to change once they become compromised. Your email address, physical address, date of birth, name, sex and mother's maiden name are unlikely to change any time soon. And if a determined hacker targets you, they can find or guess that information.
What is required is data unique to you that cannot be copied, changed or stolen. Here are four password alternatives that are already starting to appear, along with their strengths and weaknesses. I think that we will end up using at least two-factor authentication, as you currently have to do to access online banking, and it is likely that a combination of some or all of the following will make for good future passwords.
Password alternatives: Picture passwords
You can already create a picture password to log in to your Windows 8 PC or laptop. Set it up and you can sign in to your PC by touching a sequence of points on your favourite photo, instead of typing in a hard-to-remember password. This is immediately more secure - a multi-touch photo gesture has far more possible combinations than even a string of unrelated letters and numbers, so it is much harder to guess. You can remember it without writing it down, and keyloggers won't be able to do much with an apparently random sequence of touches. Expect to see many more picture passwords.
This isn't a panacea, however. For one thing, if someone watches you log in by tracing the outline of an image, they can probably replicate it. But mainly it is practical in only certain situations... right now. Logging in to a Windows account is one thing, but without some work on the vendor's side a picture password wouldn't necessarily work for, say, your online bank account.
Picture passwords are indisputably better than the current crop of memorable words and digits, however. They are easy to change and relatively easy to implement, so expect them to become a big part of your life.
Password alternatives: Fingerprint scanners
Fingerprint scanners are the latest thing in smartphone tech, shared by such flagships as the iPhone 5s and the Samsung Galaxy S5 - because there is nothing more unique than your fingerprint, right?
The thing about fingerprint scanners is that not all are made equal. When the police identify a suspect because they have a unique fingerprint, it is very different from the iPhone's scanner, which simply matches your digit against the image it captured when you first set up the scanner. Indeed, both the iPhone 5s and the Galaxy S5 scanners have been hacked, according to reports.
It's also not always practical to use your fingerprint to gain access to an account. It doesn't help much if you are attempting to access something remotely, after all. And what if you share a device or account with your spouse? Hacking off your finger is beyond even the marriage vows.
As with many of the options for future passwords, fingerprint scanners are a good part of an eventual solution. But it is unlikely that they will be the whole picture.
Password alternatives: Facial/iris/stride pattern recognition
A bit more tangential, but there are other bits of your body that can be used as unique identifiers. Facial recognition is a known and used thing: Intel builds facial-recognition tech into some of its hardware, you can buy facial-recognition software, and the likes of the FBI routinely use it to block access to sensitive areas of buildings.
Iris recognition is a bit more futuristic, but it is in use within the security services and the more paranoid corners of the business world.
Ultimately, any kind of 'recognition' security requires only a camera of sufficiently high quality to map your face or eye in the correct amount of detail.
If you can fold in other unique identifiers, so much the better, and so much the harder to spoof with a photograph. We've read recently about tech that measures stride patterns or heartbeats to uniquely identify you as the correct individual.
As with everything we have discussed before, none of these is a silver bullet for security. And they would be difficult to use in many circumstances - you'll struggle to get the cashpoint to recognise your stride pattern. But mixed in with other types of identification they could offer a big step forward from alphanumeric passwords. And there are other types of ID already in use to add to the mix...
Password alternatives: Digital keys
Use online banking? You already use a digital key. We're all getting used to the multi-factor authentication required to access our bank accounts online. Those little keypad devices that generate random numbers are not, in and of themselves, making your banking sufficiently secure. But with the addition of personal information, your unique ID code and a password, it all adds up to a setup that is more secure than insecure. And that should be enough to keep you ahead of all but the most determined thieves.
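To show why the keypad device only helps when it is combined with a password, here is an added example (not code from the article or from any bank) of how such a token typically works: an event-based one-time code (HOTP, RFC 4226) derived from a seed shared with the bank, checked server-side alongside a hashed password. The seed, the `BankLogin` class and the look-ahead window are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo seed (the RFC 4226 test-vector key), not a real token secret.
DEMO_SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """One event-based one-time code (RFC 4226). The keypad device and the bank
    share `seed`; each button press on the device advances `counter`."""
    msg = struct.pack(">Q", counter)                          # 8-byte big-endian counter
    digest = hmac.new(seed, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                                # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class BankLogin:
    """Server side (hypothetical): a salted password hash plus the token seed
    and the next counter value the bank expects to see."""

    def __init__(self, password: str, seed: bytes, look_ahead: int = 5):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        self._seed = seed
        self._counter = 0                   # next expected counter
        self._look_ahead = look_ahead       # tolerate a few unused button presses

    def _password_ok(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        return hmac.compare_digest(candidate, self._pw_hash)

    def login(self, password: str, code: str) -> bool:
        """Both factors must pass. A code that has been accepted (or any older
        one) is burned, so a stolen code cannot be replayed later."""
        if not self._password_ok(password):
            return False
        for c in range(self._counter, self._counter + self._look_ahead):
            if hmac.compare_digest(hotp(self._seed, c), code):
                self._counter = c + 1       # resynchronise and burn this code
                return True
        return False
```

A token code alone, or a password alone, is rejected; an attacker who captures one code from a keylogger gets nothing the second time round.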