
Three alternatives to using passwords

The Heartbleed Bug has shown how fragile passwords can be as a means of secure authentication

As a result of the Heartbleed bug that has made data on two-thirds of the world's servers potentially accessible to hackers, users have been told to change their passwords. It goes to show that not only is the security of passwords fragile, but they are impractical too. So what are the alternatives?

Passwords have been around as long as the Web. In short, they are the quickest and simplest means of securing user accounts. They do, however, have a number of drawbacks. If they are too simple they can be cracked by computer programs. If a server is hacked they can be uncovered. If the same password is used for more than one account, then an uncovered password can compromise a user's whole Web presence. It is inconvenient to remember lots of different passwords, and they are easily forgotten.

In short, we use passwords online because they were a "good enough" means of security at the dawn of the Web and because they are now the status quo. Experts have been predicting for some time that passwords will be superseded, though. Indeed, Bill Gates declared them "dead" in 2004. Premature that may have been, but vulnerabilities in the architecture of the Web, such as Heartbleed, serve to demonstrate quite explicitly that they do need to be killed off – at least in their current form.

One problem with replacing passwords on the Web is that alternatives not only need to be more secure, but also need to be comparatively convenient in order to gain traction. We're so used to rattling through passwords on our keyboards or having them saved by our browsers that people are unlikely to accept alternatives that add a great deal of time or inconvenience to their login processes. Below are a few areas in which potential alternatives are being developed.

Biometrics

Biometric authentication is the most well-known alternative to passwords. Everyone knows that fingerprints can be used to identify people, and devices like the Samsung Galaxy S5 and Apple's iPhone 5S have fingerprint scanners built in. Other methods of biometric authentication include iris scanning, as used by the Myris Eyelock, and using a person's heartbeat, like the Nymi wristband.

However, Chester Wisniewski, Senior Security Advisor at Sophos, warns us that although biometric information may be more secure than passwords, the consequences of such data being uncovered are far more severe. "Can you imagine if you used a fingerprint or iris scan instead?" says Wisniewski. "Now we would be leaking your biometric data to crooks. Time to change your fingerprints?"

Tokens

For token authentication, users are provided with a unique piece of data that allows them to log in to a website. Illiri, for example, sends a sound to smartphones that users play to their computer as a means of authenticating login. Similarly, Clef sends an image to smartphones that is shown to the computer's webcam. Such smartphone apps add an extra layer of security to your authentication, as they themselves can be protected by one or more passwords, but they suffer from being less convenient than just using a password and require contingencies if a phone is lost or out of charge.

Two-factor

The added layer of authentication used by Illiri and Clef, however, is the key to our future security, Wisniewski tells Gizmag. "Clearly passwords alone are not an adequate security measure," he argues. "When combined with other factors though, they can be a part of the solution."

"A single factor is not enough. Passwords are certainly the best option we have for one of the two factors we should be using in two-factor authentication. I think I would stick with a password plus a dynamic second factor like a token or an SMS message."

Two-factor authentication is not a new idea. Banks use it routinely and users can set it up on their Google, Facebook and Twitter accounts, as well as on other sites. It's not as quick or convenient as a simple password, but there has been a lot of talk about it since Heartbleed, as the most immediate means by which security can be improved on websites. Authy and Duo are just two providers that are pushing the uptake of two-factor authentication.

Where do we go from here?

As a means of authentication, there is a widespread consensus that passwords alone are not enough. The technology may already be out there and we may just be waiting for a simple and convenient enough implementation of it.

"Momentum is certainly part of it, but I have yet to see a replacement that is as affordable, ubiquitous and easy to use," says Wisniewski.

"It is all about being simple. The mad genius who solves this problem will become very famous. The problem is that it needs to make sense to random individuals and be free to use and implement. That is how we got here and it is how we will get out."

15 comments
Daishi
Hopefully Heartbleed is an exception but I think this XKCD comic needs to be a prerequisite for any discussion on the topic: http://xkcd.com/936/
There are multiple issues but one of them is computing has advanced and 6-8 digit passwords containing any combination of letters/numbers simply will no longer do if someone gets access to stored hashes.
Nearly every website on the Internet has a password policy that is simply wrong. Full sentence passwords are both easier for people to remember and harder to crack than passwords like qDF#@1^*m and most people use one or 2 word passwords that are not even random. I have seen the XKCD topic debated multiple times at multiple places and everyone always brings up the same handful of debunked arguments against it.
Full sentence passwords don't have to be limited to only lower case letters and they are a good next step in security that more websites need to take. It's as simple as websites relaxing some of the password requirements for passwords that are a sufficient enough length but convincing companies to adjust their long held incorrect views on password policies is an impossible task.
I agree that if biometric data does end up compromised it's much harder to change.
Another point I want to mention is credit cards and tokens. I don't understand why eCommerce sites I use need to store my credit card credentials that could be copied by hackers and programmed onto a new card. I actually had this happen where after one of the many famous credit card database hacks some random person in an Atlanta Walmart used a clone of my credit card for about $500 in purchases. To my knowledge they were not caught.
A simple method to avoid this that should probably be used is after a first transaction between say Amazon and my credit card company, my credit card company should issue them a permanent token to be used by them for all future transactions and they would save only that token. This way if someone compromises their credit card database the token they obtain would be useless to them. Considering how much money it would save in fraud I can't imagine why the technical limitations wouldn't be worth it.
Another measure that the US may see is a PIN number for the card at a physical point of sale instead of only a signature. I could literally sign my name as "Stolen Card" and nobody would notice.
Robert Walther
WOW! I have my new password!
WereCatf
"warns us that although biometric information may be more secure than passwords" -- No. It's terribly easy to get your fingerprints by e.g. lifting them off a glass, smartscreen display or similar shiny surfaces. And once your fingerprints have been lifted there is no way of fixing that other than physically mutilating your fingers themselves. All the smartphones with fingerprint readers have already been provably compromised, there's an episode of Mythbusters where they compromise fingerprint systems and so on. Passwords, at least, cannot be lifted from your mind.
Ralf Biernacki
I agree completely with Daishi. I've been attempting to use a technique similar to the xkcd idea---stringing together several random words. I had to run them together into a single long word without spaces, because 99% of sites will refuse spaces in passwords for no sensible reason.
But I've been frustrated at every turn. Most sites have this silly "one digit, one cap" and sometimes "one dash"* requirement. This just makes it more difficult for me to remember, but it's still less secure than a longer word. But guess what, most of them will simply not accept long passwords. This is frustrating and idiotic, as a long password is the best password.
Capitalization and digits hardly matter anyway. 99.9% of users, when forced to use a cap letter, will capitalize the first letter. I do it myself; it's marginally less secure, but the consistency makes it possible to remember the password. And adding a digit is actually less effective than adding another letter. Nobody in his right mind will mix digits randomly with letters, because that password will be illegible and unmemorizable to the user, and only marginally harder for the hacker. The alternative to memorization is of course writing the password down; I don't need to tell you how self-defeating this is.
Let us suppose that a user comes up with "trolololo" as a password (not my actual password, duh). When a site requires a cap and a digit what's that user gonna do? That's right. He'll write "Trolololo1". It's extremely unlikely that he'd write anything else. So what good does the "cap and digit" requirement do? Absolutely no good. It just wastes your time and annoys the pig, as the saying goes.
____________________________ *They say "a punctuation character" but in truth many login scripts will choke on most punctuation characters. Just forget about quotes, slashes or asterisks; about the only consistently acceptable "punctuation characters" are the dash and the underline. Again, what's the point?
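Daishi's point about stored hashes and Ralf's "Trolololo1" observation are both about the size of the space an attacker has to search, so here is an added example (not code from either commenter or from the article) that puts numbers on it. It computes guess-space entropy for randomly chosen passwords and passphrases, models the predictable "capitalise the first letter, append a digit" pattern that composition rules provoke, and checks the two policies against sample passwords. The guess rate of 10 billion per second is a constructed assumption standing in for an offline attack on fast, unsalted hashes; the 7776-word dictionary size is the Diceware list.

```python
"""Guess-space arithmetic for password policies: added example, not the commenters' code."""
import math

GUESSES_PER_SECOND = 1e10   # assumption: offline attack on a fast unsalted hash
DICEWARE_WORDS = 7776       # size of the Diceware word list (6^5)

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when every one of `length` positions is chosen uniformly."""
    return length * math.log2(alphabet_size)


def random_password_bits(length: int, upper=False, digits=False, symbols=False) -> float:
    """Entropy of a password whose characters are chosen at random from the allowed classes."""
    alphabet = LOWER + (UPPER if upper else 0) + (DIGITS if digits else 0) + (SYMBOLS if symbols else 0)
    return entropy_bits(alphabet, length)


def passphrase_bits(words: int, dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a passphrase of `words` words drawn at random from a dictionary."""
    return entropy_bits(dictionary_size, words)


def policy_pattern_bits(dictionary_size: int = DICEWARE_WORDS) -> float:
    """Entropy of Ralf's 'Trolololo1' pattern: one dictionary word, first letter
    capitalised, one appended digit. The capital adds nothing because its position
    is predictable; the digit adds only log2(10)."""
    return math.log2(dictionary_size * DIGITS)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return 2 ** bits / rate


def meets_composition_policy(pw: str, min_len: int = 8) -> bool:
    """The common 'one cap, one digit' rule that Ralf describes."""
    return (len(pw) >= min_len
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def meets_length_policy(pw: str, min_len: int = 16) -> bool:
    """A length-first rule: long passphrases with spaces are accepted as-is."""
    return len(pw) >= min_len


def compare_policies() -> list[tuple[str, float, float]]:
    """Name, entropy bits, and years to exhaust for a few representative choices."""
    year = 365 * 24 * 3600
    rows = [
        ("8 chars, random lower+digits", random_password_bits(8, digits=True)),
        ("9 chars, random all classes", random_password_bits(9, True, True, True)),
        ("word + Cap + digit (Trolololo1)", policy_pattern_bits()),
        ("4 random Diceware words", passphrase_bits(4)),
        ("6 random Diceware words", passphrase_bits(6)),
    ]
    return [(name, round(bits, 1), seconds_to_exhaust(bits) / year) for name, bits in rows]


if __name__ == "__main__":
    for name, bits, years in compare_policies():
        print(f"{name:34s} {bits:6.1f} bits  {years:12.3g} years")
    for pw in ("Trolololo1", "correct horse battery staple"):
        print(pw, "composition:", meets_composition_policy(pw), "length:", meets_length_policy(pw))
```

The output makes the commenters' argument concrete: "Trolololo1" satisfies the composition rule at roughly 16 bits, a few microseconds of work at the assumed rate, while a four-word passphrase that the same rule rejects sits near 52 bits, and six words near 78 bits, far beyond what a fast-hash attacker can exhaust. The figures are upper bounds that hold only for genuinely random choices; a slow, salted hash (bcrypt, scrypt, PBKDF2) cuts the attacker's rate by orders of magnitude and is the server-side half of the same defence.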
Gadgeteer
"Passwords have been around as long as the Web."
They've been around a lot longer than that. Computers have used passwords for as long as there have been user accounts. And even before that, passwords have been used to control access to facilities or information for as long as anyone can remember.
Marco C
Biometrics could still be a good option if we remember that we have 10 fingers and we could use them in combination and add some additional modifier to scramble the encrypted biometric validation.
Of course, it's still not ideal, but lifting all 10 digits from someone's glass and inputting them in the precise combination of scans and keywords for instance would make it a lot harder for hackers and still fairly easy for the user. Certainly better than biometric or passwords alone.
I also agree that keyphrases need to be accepted more readily by more websites. Especially banks and e-commerce. There are plenty of websites where I don't use my real name, nor do I use my main email and where I don't give a crap if anyone cracks it. They would get meaningless data and a bunch of posts I made in 2008. Big deal.
The real risk is sites that have your address, a portion of your credit card and so forth.
Credit cards should have a fob built into them anyway for validation AND a passphrase.
Synchro
I saw a recent example that suggested what amounts to a conventional password reset mechanism as the auth system. It's essentially a token system where it sends you a password or similar unique identifier via a separate channel (e.g. email or SMS) and you then use that token to log in, the idea being that your access to that channel is secured.
There's also Mozilla's Persona system which externalises a process similar to that: https://developer.mozilla.org/en-US/Persona
I'm also reminded of the Scott Pilgrim password scene: https://www.youtube.com/watch?v=rX_F2YYUUMQ
Tuppe
What about SQRL? I think it's pretty neat, although not optimal because it requires a camera phone.
"Biometrics could still be a good option if we remember that we have 10 fingers and we could use them in combination and add some additional modifier to scramble the encrypted biometric validation." This sounds like a cool idea. If the scanner is fast and accurate enough to read 10-100ms taps. Password could be like index, index, middle, index tap code. But it still requires extra hardware, so it's impossible to put everywhere.
Nat1987
I use the password manager RoboForm to keep my information secure. It helps me to create unique passwords, so I don't have just one password opening the doors to all of my information on the web in a case like this. It also made it super easy to change any passwords to sites that were vulnerable to the Heartbleed bug, which could have otherwise taken hours for me to do. I recommend buying RoboForm to anyone who uses the internet for anything.
Daishi
@Nat1987 LastPass and KeePass are free alternatives. They both use an encrypted password file but LastPass syncs the file to the cloud and I think KeePass doesn't. LastPass is probably better for using multiple computers simply but you can still sync the local pass file with KeePass by storing it on Dropbox. Dropbox doesn't encrypt your data natively (although the pass file still would be) but you can run nCrypted on top of it to encrypt your dropbox data.