Our Favourite “Password Killers” And Why They Won’t Actually Kill The Password
This new technology will KILL THE PASSWORD. If only we had a dollar for every time we heard this phrase… Every time a new technology in the security space crops up, it tends to be the first thing we hear.
Let’s take a look at some of the bigger “password killers” and see where they might fall short.
- “On-Demand” Passwords…
Services such as Yahoo recently introduced “on-demand” features which send a one-time code each time you need to log in to your email account. One issue here is that if a phone is stolen, the person in possession of the phone can access the email account simply by requesting that a code be sent to it. Even if other security is in place on that phone, it is still common for text messages to be displayed as notifications while the phone is locked, so anyone who sees the notification can access your email at that moment.
Furthermore, the system relies on having a phone signal to receive the SMS, which could prove difficult in a remote area or if your phone runs out of battery.
- Look into my eyes…Biometrics are (not) the Answer!
This year’s Mobile World Congress saw a flurry of announcements in the biometric space, including Fujitsu’s new smart eye tracker that can recognize each user’s unique iris. This is a very clever piece of tech which no doubt has its uses; however, it’s not foolproof. In fact, you don’t even have to go as far-fetched as the movie Minority Report for your eye scan to be stolen.
Jan Krissler, from Chaos Computer Club, has used both high-resolution photography and even Google Images to hack iris scanners. “I did tests with different people and can say that an iris image with a diameter down to 75 pixels worked on our tests,” he told Forbes. The printout required a resolution of 1200 dots per inch (dpi), and at least 75 per cent of the iris to be visible. On Google Images, he found suitable images for iris hacking that included Russian president Vladimir Putin, UK Prime Minister David Cameron, US president Barack Obama and 2016 presidential candidate, Hillary Clinton.
- Passwords are Stronger Without the Gift of Touch
On paper, fingerprint authorization is a great way to prevent identity theft and various kinds of fraud. The argument goes that your passwords can be stolen, but not your fingerprints. However, biometric authentication can be hacked. We saw this when hackers from the Chaos Computer Club managed to reproduce the fingerprints of the German Defense Minister from high-resolution public photos and used them on consumer phones’ biometric sensors.
The real issue, however, is not that biometrics can be hacked; it’s that once hacked they cannot be changed. You cannot change your fingerprint or your retina. A password, on the other hand, can be changed, and can also be unique to each service rather than tied to any other identification scheme.
- Brain Waves as a Password…
Researchers at Binghamton University discovered that a computer can identify you based on the way your brain reacts to certain words. Sounds like pretty cool science-fiction stuff; however, with the need to wear a brain scanner at all times and only a 94% success rate, we can’t see this catching on too soon.
- Sorry, Your Password is on Mute
Banking is one example of a sector flirting with the idea of voice biometrics (also called Interactive Voice Response, or IVR). Customers telephoning certain services either recite a passphrase or enter into a 30-second conversation with an operator while the system analyses their natural speech pattern and verifies it against a stored file. Barclays reported 95% accuracy. But the remaining 5% is still a lot of customers relying on passwords or other “traditional” verification methods. And what if you’re under the weather and lose your voice…?
- Bill Gates…
Don’t get us wrong. We love Bill Gates! The man is a genius and one of the greatest philanthropists of all time. However, he did get one thing wrong back in 2004, when he rather bullishly declared that the “password was dead” at the annual RSA Security Conference. We’re still waiting on this one…
- When YOU Become the Password…and the Victim of an ACTUAL Brute-Force Attack…
Consider PayPal and its headline-grabbing work on a new generation of embeddable, injectable and ingestible devices to replace passwords. This “natural body identification” may mean that hackers no longer have to hack a system; they just need your actual body. “Brute-force attacks” could take on a whole new, sinister meaning…
The Password Is Dead…Long Live the Password!
The password has been the de facto standard for decades. Like the QWERTY keyboard, invented in 1873, it has withstood new technologies over time. After all, passwords are cheap to implement, they are not patentable, they can be anonymized, and they are appropriate for the vast majority of daily security checks. To replace the password as an industry standard, a new technology has to offer additional benefits and offset the switching cost. That is not yet the case, and it will take a long time before it changes.
The issue with passwords is not the passwords themselves, but the way we interact with them. To make them truly protective, we must simply remove human memory from the loop. We need to come to the realization that convenience and security need not be contradictory. Software solutions like password managers, which create complex, secure passwords for you while also remembering them, are the answer.
This, of course, is not to say that new developments cannot be useful. Additional authentication factors can add a useful layer of security, particularly for especially sensitive services like our bank accounts. However, one thing is for sure: using strong passwords as the main foundation will build a stronger defense against breaches than anything else available today, and most likely in the years to come.
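To make the “remove human memory from the loop” point concrete, here is an added example (not code from the original post or from any password manager vendor) of what a generator inside such a tool does: it draws every character from the operating system’s cryptographic random source, measures the resulting strength in bits, and estimates how long an exhaustive guessing attack at an assumed guess rate would take. The character classes, the 20-character default length and the guess rates are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes the generator can draw from (symbol set is an assumption).
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def alphabet_for(classes):
    """Concatenate the chosen character classes into one alphabet string."""
    return "".join(CHAR_CLASSES[c] for c in classes)


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet size).

    This is the figure that matters for brute force, not the mix of
    character types a human might squeeze into a memorable password.
    """
    return length * math.log2(alphabet_size)


def covers_all_classes(password, classes):
    """True if at least one character from every requested class is present."""
    return all(any(ch in CHAR_CLASSES[c] for ch in password) for c in classes)


def generate_password(length=20, classes=ALL_CLASSES):
    """Generate a password using secrets (CSPRNG), never random.random.

    Rejection sampling enforces that every class appears; for lengths well
    above the number of classes this costs a negligible fraction of a bit.
    """
    if length < len(classes):
        raise ValueError("length must be at least the number of classes")
    alphabet = alphabet_for(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if covers_all_classes(candidate, classes):
            return candidate


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try the entire keyspace at the given guess rate."""
    seconds = (2.0 ** bits) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(alphabet_for(ALL_CLASSES)))
    print(f"generated: {pw}")
    print(f"entropy:   {bits:.1f} bits")
    # Assumed attacker rates: online guessing vs. offline hash cracking.
    for label, rate in (("online, 1e3/s", 1e3), ("offline, 1e12/s", 1e12)):
        print(f"{label}: {years_to_exhaust(bits, rate):.3e} years to exhaust")
    # Compare with an 8-character lowercase password a person might remember.
    weak_bits = entropy_bits(8, len(CHAR_CLASSES["lower"]))
    print(f"8 lowercase chars: {weak_bits:.1f} bits, "
          f"{years_to_exhaust(weak_bits, 1e12):.3e} years offline")
```

The generator deliberately has no notion of “memorable”: because the manager stores the result, length and alphabet can be whatever the site accepts, and the same function produces a different, unrelated password for every account, which is exactly the per-service uniqueness that a fingerprint or iris can never offer.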