Who can kill the password?
Anyone who follows computer security issues has heard (or more likely read) the phrase "the password is dead."
Indeed, a colleague on this blog has posted on the subject citing the same article I refer to, namely the cover story of the December 2012 issue of Wired magazine by Mat Honan, which has now upped the death-of-the-password ante with the title Kill the Password. Does this mean the password might actually require a concerted effort at slaying before it actually dies?
Honan has put a contract out on the password as a result of an experience he has gotten a fair bit of mileage from thus far. In short, two hackers temporarily destroyed his online life. He initially blamed Amazon and Apple (for laughable security procedures) and himself for not backing up his files and for having his online accounts connected in a domino-like chain of vulnerability. Once the hackers gained access to one account, they used that to reset passwords in several other accounts.
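The domino effect described above can be made concrete. The following is an added example, not code from the original post: a small Python script that records where each account delivers its password-reset link and then computes how far a single compromise cascades. The account names and their recovery links are constructed for illustration.

```python
"""Map password-reset dependencies between accounts and compute the blast
radius of a single compromise. Added example, not from the original post.

Each account names the address (or channel) that receives its password-reset
link. Whoever controls that recovery target can reset the account, so one
compromised mailbox cascades through every account that recovers to it,
directly or transitively. All account names below are constructed.
"""
from collections import defaultdict, deque

# Constructed sample: account -> where its password-reset link is delivered.
# None marks an account recovered out of band (e.g. by phone support).
RECOVERY = {
    "icloud:me":  None,
    "gmail:me":   "icloud:me",
    "twitter:me": "gmail:me",
    "amazon:me":  "gmail:me",
    "bank:me":    "gmail:me",
}


def reverse_edges(recovery):
    """Invert the map: recovery target -> accounts that reset through it."""
    rev = defaultdict(list)
    for account, target in recovery.items():
        if target is not None:
            rev[target].append(account)
    return rev


def blast_radius(recovery, compromised):
    """Return every account an attacker can take over starting from
    `compromised`, by following reset links outward (breadth-first).
    The starting account is included in the result."""
    rev = reverse_edges(recovery)
    seen = {compromised}
    queue = deque([compromised])
    while queue:
        current = queue.popleft()
        for dependent in rev.get(current, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return seen


def riskiest_account(recovery):
    """The single account whose compromise reaches the most others."""
    return max(recovery, key=lambda a: len(blast_radius(recovery, a)))


def recovery_cycles(recovery):
    """Find accounts whose reset chain loops back on itself (A recovers to B,
    B recovers to A). Such loops mean neither account is a safe anchor:
    compromising either one yields both."""
    cycles = set()
    for start in recovery:
        path = []
        node = start
        while node is not None and node not in path:
            path.append(node)
            node = recovery.get(node)
        if node is not None:  # the chain closed on an earlier node
            cycles.add(frozenset(path[path.index(node):]))
    return cycles


if __name__ == "__main__":
    for acct in RECOVERY:
        print(f"{acct:12s} -> {sorted(blast_radius(RECOVERY, acct))}")
    print("riskiest:", riskiest_account(RECOVERY))
    # A constructed variant where the two mailboxes recover to each other.
    looped = {**RECOVERY, "icloud:me": "gmail:me"}
    print("cycles:", recovery_cycles(looped))
```

The useful output for a defender is the account at the top of the chain: it is the one that deserves the strongest recovery procedure, and the cycle check flags the configuration where two mailboxes back each other up and so offer no real anchor at all.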
Now he has shifted his wrath to passwords as the access points to online accounts. In addition to the December cover story in Wired, he has since added another piece in response to an article on good password management by Nicole Perlroth of the New York Times.
But what struck me about Mr Honan's experience was how little passwords themselves had to do with his woes. His passwords were strong and were never cracked. They were completely circumvented by absurdly lax security measures. The hackers phoned Apple and, with nothing more than the last 4 digits of his credit card number (courtesy of Amazon!) and an educated guess at his billing address, they were able to arrange for a password reset to be sent to one of their own e-mail addresses. (Apple has since modified these security practices.)
Now imagine returning home from a vacation to find that someone with spurious credentials has bamboozled a gullible locksmith into changing the key cylinders in your locks. Would you argue against locks for your house? Only if there were a better idea out there.
To be fair to Mr Honan, he does explore several alternatives and complements to passwords, including Google's dual verification system, biometrics, and geolocation, but falls short of wholeheartedly endorsing any single one in its current form as anything like a panacea. Perhaps this is why he wants to kill the password rather than proclaim it dead. Kashmir Hill of Forbes also discusses the possibility of creating an "identity ecosystem" which involves the use of cell phones, specialised chips or smartcards. Another interesting idea is discussed by Rachel Swaby of the Atlantic Monthly, who thinks there may be a place for touchscreen authentication.
To be sure, people with smartphones are already using them to make both online and point-of-purchase transactions. If you can buy stuff with a smartphone, why not log in to secure sites the same way? Why not smartcards or keychain fobs? It may be costly and tricky to implement, but it may well prove to be a viable alternative for some.
But only for some. Consider what you currently need to access your free e-mail, cloud and social media accounts: basically a computer and an internet connection. The former can be bought used for under $100 in some places; the latter is free in libraries and can be had in some places, for short periods at least, for the price of a coffee.
If an "identity ecosystem" were implemented as the new norm, you would need a device of some sort, be it a keyfob, a smartcard, and/or a cell phone. For full functionality, an ordinary cellphone may well prove impractical and a smartphone may be what is actually required, especially if a touchscreen is part of the equation. None of this is going to make access to your online accounts cheaper, let alone easier. Should you embrace these technologies, there may be an illusion of free service, but it will all come out in the wash in the form of higher phone bills or Internet fees. Then there is the issue of compatibility. Will all mobiles, or at least smartphones, be able to access all online services? Finally, while it is true that passwords can be forgotten, it is no less true that physical objects can be lost, stolen or duplicated. So given that the password system as it stands has numerous silly flaws, isn't it entirely possible that similar oversights, which in retrospect will seem mind-bogglingly dumb, may be inadvertently built into an entirely new system?
Since no system is foolproof, the question must be asked: is it better to fix an existing system or replace it with a new, untested system with unanticipated flaws?
The password, for all its flaws and detractors, currently has no obvious successor, and the most likely alternatives seem to be more viable as complements than as replacements.
One thought on “Who can kill the password?”
It really is shocking how lax many companies’ policies are.
A few months ago I called my bank (one of the five Canadian ‘big banks’, which I won’t name here) regarding my credit card. To verify my identity, the agent asked for my name, credit card number, phone number, then asked me a question about my business at the bank.
The question was: ‘do you have a chequing account with us?’
After answering this question I was allowed access to my account.
I was appalled. Anyone who stole or picked up my card, looked up my phone number based on the name on the card, and made a simple guess at a ‘yes-or-no’ question could potentially access my account. And from the information you could get from a bank, one could go on to commit further fraud.
You could choose the best passwords, keep them secret, and change them often, but it would be irrelevant. I called the bank’s customer service to complain about their policy, but as of last month it still has not changed.
Security is such a complex topic, but the smallest mistake can make it all unravel.