Passwords are a way of life now. It’s hard to imagine what the Internet would be like without any passwords, isn’t it? Yet, if we contemplated the idea of a password for even a moment, we’d realize that passwords just aren’t very secure. Indeed, most security experts already know this, yet here we are still using passwords. Why?
With every other hacked database and credit card scandal that occurs, it becomes more evident that we can’t rely on passwords for much longer. But if not passwords, what else is there?
Why We Started Using Passwords
The ancient Romans had a system of watchwords that were used to prove one’s identity and authority. By extension, watchwords were used to gain entry into secret locations or to gain access to private resources. Sounds a lot like modern passwords, right? These watchwords were changed as frequently as once per day and proved quite effective.
Eventually, watchwords evolved into passwords and counter-passwords, where a sentry would present a cryptic question or phrase and expect a predetermined response. Think of a modern website’s security question and you’ve got the right idea.
For example, in the Battle of Normandy, U.S. soldiers uttered “Flash” when encountering unknown groups out in the field. By replying with “Thunder,” soldiers could prove that they were truly allies rather than spies or imposters.
Computers have their roots in the military, so is it a surprise that we adopted the password mechanism for specialized access? We’ve made a few advancements – such as tying a password directly to a username for personal accounts – but the concept has been around for thousands of years.
Passwords: The One Huge Flaw
Passwords have served us well, there’s no doubt about that. However, they aren’t perfect. Not by a long shot. In fact, the concept of a password has one glaring flaw that can never be fixed: passwords are all or nothing.
We put a lot of effort into picking a strong password and making sure that sensitive data is encrypted, but none of that matters once somebody knows the password itself. Once they have it, game’s over. In essence, password protection is security through obscurity, a security practice that’s universally lambasted as weak and ineffective.
What if we combined passwords with security questions? That seems to be the typical solution used by banks and other places that offer secure accounts, but if you think about it, security questions are just passwords in a different wrapper and suffer from the same issue of using obscurity for security.
That being said, there are plenty of other weaknesses to using passwords in the Internet age:
- Most users don’t want to worry about memorizing a complex password and thus default to using a simplistic password that’s easily guessable.
- Most users use the same password for many accounts, resulting in one key that unlocks dozens (or hundreds) of doors.
- Most users don’t even keep their passwords in secret. Everything from Netflix accounts to bank accounts to web accounts to video game accounts are often shared between friends, family members, and even strangers.
- Encryption and secrecy are futile against keyloggers. The issue isn’t isolated to computers. Have you ever seen a compromised ATM?
What Are the Available Alternatives?
Two-factor authentication is becoming more popular these days. Unlike the password + security question combo, which basically asks for two instances of the same kind of information, two-factor authentication requires two different kinds of identity proof, such as password + mobile phone.
And that’s the direction in which security needs to move. Because passwords are intangible, they can be compromised by knowledge alone. Having some sort of physical proof of identity is a stronger measure of security.
For example, USB drives can be turned into physical keys. The practice isn’t widespread yet, but it seems like it could have many practical uses. What if USB security certificates were given out and used such that certain websites would only grant access while the USB drive was plugged in?
Biometrics – the use of human characteristics for access control – is another area that deserves more pursuit. One possible route would be to use a webcam snapshot as a password through the magic of facial recognition. Other routes include fingerprints, iris scans, and voice recognition.
There is a critical drawback, however, and that’s the possibility of losing access due to disfiguration, amputation, laryngitis, or worse. There’s also the fact that authentication would need to be strict enough not to be fooled by imposters/photos/recordings, yet lenient enough to accommodate day-to-day fluctuations in appearance, voice, etc.
Lastly, some suggest using RFID chips or NFC devices in lieu of a password, allowing you to “swipe” your way through security; in other words, a glorified keycard. But these, too, have their drawbacks. RFID can be intercepted and NFC devices are insecure.
So what’s the take away? Be sure to use strong passwords, maintain good security habits, and help educate others. Though we’re stuck using passwords for now, we wait eagerly for the day when passwords become old news.
What do you think? Do you embrace the use of passwords or would you rather we move away from them completely? What other alternatives are out there? Share with us in the comments below!