Passwords, P@55w0rD$, Schmasswords

March 19, 2013

I have too many passwords.  I admit that I don’t always use a unique password on websites that I rate low on my ‘do I care if I get hacked’ radar.  And, unless forced, I’m terrible at remembering to change them from time to time.  On the plus side, I don’t keep passwords on post-it notes by my screen, but because I never write them down, that also means I forget them, a lot.  Can’t ‘they’ take a blood sample to prove it’s me (and check my blood glucose levels while they’re at it)?  I think I saw a Doctor Who episode that had something about chips being implanted into brains and interfacing the human with the computer; seems like that would work too.

Here are a few alternatives of the now and the future:

Picture Passwords (gesture passwords).
Choose one of your own images and come up with a unique, easily remembered series of gestures to make on it (such as drawing a pair of glasses and eyebrows on the sun).  The gestures become your password.  Read more here.
Pros: Gestures might be easier to remember. Many more permutations than PINs or character set passwords.
Cons: Smudges on your touch screen might give away your gestures.  Easy for someone to shoulder-surf as you make your gestures.  You still have to remember at least three movements, in order.

Retina scans, palm scans, fingerprint scans, voice recognition, signatures.
Pros: It’s unique. Biometric data is a lot more complex than a regular character set password.  Nothing to remember, just be you.
Cons: Uniqueness is also a weakness: if your biometric data is breached (if somebody has stolen your fingerprint, for example), you can’t just change it.  There are some scary lengths that some people might go to in order to get hold of your biometric password.

Tokens (dongles/certificates/device authentication)
Biometrics without the ‘bio’.  A piece of software that is attached to your device that provides physical, unique credentials.
Pros: It’s unique, hard to hack – and, unlike biometrics, if it ever does get compromised, you can change it.
Cons: You have to remember the dongle, or install the certificate, or register your device – and never lose any of them.

Behavioral Biometrics
The way you type, write, swipe, scan the page with your eyes, the tone of your voice, the sound of your sneeze, background noise, the programs you frequently use and how you use them.  Behavioral biometrics are constantly checking (and learning more about) your identity.
Pros: Non-stop authentication.  Extremely complex to mimic.  Effortless for the user.
Cons: Extremely complex to implement. Big Brother.

These are just some of the current options.  Recent news is that Google is pursuing token-based two-factor authentication using something like a Yubico key.  By combining a physical authentication device with another type of password, the danger of losing that device becomes minimal (think of how you can lock your smart phone remotely if it gets lost).  The more I think about it, the more it seems to make sense – especially if they can incorporate the key into common objects that you normally carry around, minimizing the burden of having to remember something.  I’m looking forward to watching passwords evolve and having better ways to protect our data from rogue attacks.
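To make the token-plus-password idea above concrete, here is an added example (my own illustration, not code from the post or from Google or Yubico) of how a server verifies two factors: a salted password hash and a one-time code from a counter-based hardware token. The token algorithm is HOTP from RFC 4226, which is one common token scheme and is an assumption here; the post does not say which scheme Google's key uses. The seed `HOTP_SECRET` is the RFC 4226 test-vector key, and `TokenAccount` and its methods are hypothetical names for the server-side state. It also shows the property the post credits tokens with: when a device is lost, the seed is replaced and every code from the old device stops working.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed demo seed: the published RFC 4226 test-vector key, not a real token's secret.
HOTP_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TokenAccount:
    """Hypothetical server-side record: password hash, token seed, next expected counter."""

    def __init__(self, password: str, token_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.token_secret = token_secret
        self.counter = 0  # lowest counter value the server will still accept

    def _hash(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def check_password(self, password: str) -> bool:
        # Constant-time comparison so the hash check does not leak matching prefixes.
        return hmac.compare_digest(self._hash(password), self.pw_hash)

    def check_token(self, code: str, window: int = 5) -> bool:
        """Accept a code within a small look-ahead window (the token may have been
        pressed without a login), then advance past it so it can never be replayed."""
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.token_secret, c), code):
                self.counter = c + 1
                return True
        return False

    def login(self, password: str, code: str) -> bool:
        # The password is verified first; the token counter only moves for someone who
        # already holds the password, so an attacker cannot burn codes or desync the token.
        if not self.check_password(password):
            return False
        return self.check_token(code)

    def replace_token(self, new_secret: bytes) -> None:
        """Lost or compromised device: swap the seed and reset the counter.
        Unlike a fingerprint, the credential simply changes."""
        self.token_secret = new_secret
        self.counter = 0


if __name__ == "__main__":
    acct = TokenAccount("correct horse battery", HOTP_SECRET)
    print(acct.login("correct horse battery", hotp(HOTP_SECRET, 0)))  # True
    print(acct.login("correct horse battery", hotp(HOTP_SECRET, 0)))  # False: replayed code
    acct.replace_token(secrets.token_bytes(20))
    print(acct.login("correct horse battery", hotp(HOTP_SECRET, 1)))  # False: old device revoked
```

Two details carry the security weight: each accepted code moves the counter forward, so a code captured from a shoulder-surfer or a smudge-like leak is useless once used, and the password gate runs before the token check, so only someone who already has the first factor can consume counter values. The look-ahead window is a usability trade-off; a very wide window makes guessing a six-digit code proportionally easier, so it should stay small and be paired with rate limiting.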