When I say traditional passwords, most readers will know exactly what I’m discussing: the typical alphanumeric combination used to secure a login for various systems or programs. This password is generally something easy for the user to remember, and it may include special symbols in an effort to bolster its strength against guessing attacks. There: in two sentences we’ve had as good a refresher on what a password is as you’re going to find anywhere. Just give it some time, though, and everything you think you know about password security could get tossed into the trash with the rest of yesteryear’s technology.
Of course, there is much more to what makes a password a form of secure authentication. Take a look at my article on the LastPass data breach if you need a refresher, but here is the main point: password security today no longer relies only on the strength of your chosen combination of characters. With the recent run of breaches, how the service handles the password has become a major factor: salted, deliberately slow hashing (bcrypt, scrypt or PBKDF2) for storage, and TLS for transit, so that a stolen database or a captured connection does not hand the attacker the password itself.
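Here is what “protecting passwords for storage” looks like in code. This is an added example, not code from the original post or from any vendor: a fast unsalted hash as the weak “before”, beside a salted PBKDF2 record with constant-time verification as the “after”. The iteration count, salt size and record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the original post or from any vendor: the
# storage side of password security. naive_storage() is the weak "before";
# hash_password()/verify_password() are the salted, slow "after".
# The iteration count, salt size and record layout are illustrative assumptions.
PBKDF2_ITERATIONS = 600_000   # slows down every guess; raise as hardware gets faster
SALT_BYTES = 16


def naive_storage(password: str) -> str:
    """Before: one fast SHA-256, no salt. Identical passwords give identical
    hashes, and an attacker can precompute a lookup table once for every user."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """After: a self-describing record 'pbkdf2_sha256$iterations$salt$hash', so the
    parameters can be raised later without breaking records already stored."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # unique per user; defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant
    time, so a mismatch on the first byte takes as long as one on the last."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                      # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```

Two users who both chose “password123” get the same value from `naive_storage()` but different records from `hash_password()`, and each guess against the PBKDF2 record costs the attacker 600,000 HMAC computations instead of one.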
That’s a good thing, right? Passwords today are much harder to simply guess or brute-force: against a properly hashed database the attacker has to grind through every guess one slow hash at a time, and there is simply too much going on behind the curtain for a casual attacker.
But really, that is kind of the issue. The password has become so layered and buffed that it has stopped being the traditional password that we all know and love. Don’t get me wrong: it is fantastic that we have developed stronger, more effective methods of password security, but there comes a time when enough is enough (not to mention that it seems to be only barely working).
I love the idea of a password. I do. Something that only I know, which can keep an unseen entity away from whatever it is that I am trying to protect. It is utterly fantastic!
Unfortunately, I’ve been hacked before, and I’m not so naïve as all of that.
I am not alone.
Any Doctor Who Fans out there?
The Evolution of Password Security – Authentication Alternatives
If password security, as it stands today, hasn’t curbed the amount of security breaches in recent history, then where does that leave us?
In an age of password alternatives.
With every new breach or operating system comes a new method for authenticating your digital identity online. The more we leap into the digital future, the more password security alternatives are unveiled.
So today, we look at the top 3 password security alternatives that have begun beating the traditional password to death. I take a look and see which ones measure up, and which ones will leave us standing around wanting more.
Knowledge Based Authentication
Knowledge-based authentication (KBA) is relatively simple to understand. The idea is to double-check the identity of a user by asking them to answer personal questions. It makes a certain amount of sense, and it feels similar to two-factor authentication without the hassle. Strictly speaking, though, it is not a second factor at all: the answer to “what was the name of your first pet?” is the same kind of thing as a password (something you know), only shorter and usually far easier for someone else to find out.
As Symantec puts it, however, these days it is not quite so simple. Social media has taken over almost every aspect of our lives, and a persistent attacker will have little trouble putting a name to a login and cruising through the personal data that we all freely post online. That’s exactly what happened to Mat Honan, and we all remember how that worked out for him (if you don’t, head over to WIRED for a video interview in which Honan describes the hack and its aftermath).
This social media craze puts a damper on KBA, but with the right questions (ones whose answers cannot be looked up, or better still, made-up answers the user keeps in a password manager) this particular password security alternative still holds some weight in the right situations.
Maybe it acts as a single layer in an otherwise multi-layer authentication solution.
Typical Two-factor Authentication
Two-factor authentication is most likely the most prominent and sought-after password security alternative on the market today.
2FA starts from the knowledge that security is weak when it relies on a password alone, and adds a separate, independent layer to bolster authentication. Typically, 2FA asks a user to provide something they know (generally the password itself) and combine it with something they have (a token or a phone) or something they are (generally, this means a form of biometrics, but I’ll get to that in a moment). The point is that the second factor is of a different kind, so a leaked password by itself no longer gets the attacker in.
Of course, in terms of password security, 2FA is not the cheapest option: the classic deployment hands each user an external hardware token that generates a one-time password to authenticate them. These tokens can be pricey to replace, making them somewhat of a hassle.
Now, there have been many advances in both password security and two-factor authentication in recent years, and many solutions offer different ways of enabling 2FA. Common methods use the user’s cell phone as the external token (an authenticator app that generates the code on the device, or a code delivered by SMS, the weaker option because SMS can be intercepted or redirected), or install a soft token on the machine itself. For more info, check out my previous post: One-time Password: Pros and cons.
Biometric Authentication
See? I told you that I would get to it.
Biometric technology is every science-fiction fan’s dream. Whenever you think biometrics, your mind almost always goes to something like Mission: Impossible, a very smoothly handled system that knows exactly who you are (or who you are looking for) with a quick scan of a face, eyeball or fingerprint.
No fuss, just instant access.
Unfortunately, we aren’t quite there yet. But as a whole, we are definitely trying!
No matter how awesome the idea of biometric authentication is, there is one big flaw that makes it butt up against typical password security: there is no right answer. A biometric matcher never compares two identical values; it scores how similar two scans are and accepts anything above a threshold. In an article for TechRadar, Jamie Carter quotes Garrett Bekker, Senior Analyst for Information Security at 451 Research: “With biometrics, there is no ‘right’ answer – it’s impossible to be 100% accurate…there are only degrees of accuracy.” Which raises the next worry: “How do you define the acceptable threshold of accuracy?” Set it high and legitimate users get rejected; set it low and impostors get in.
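To make “degrees of accuracy” concrete, here is an added example (not from the original article or from any vendor’s matcher) that takes a matcher’s similarity scores and shows how the threshold trades false accepts against false rejects. The score samples are constructed for illustration; a real system would measure them over thousands of enrolments.

```python
# Added example, not from the original article: the accept/reject trade-off behind
# "there is no right answer" in biometrics. A matcher emits a similarity score in
# [0, 1]; the deployer picks a threshold. Both score lists are constructed samples.
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.90, 0.79, 0.85, 0.60]   # same user, re-scanned
IMPOSTOR_SCORES = [0.20, 0.35, 0.62, 0.41, 0.28, 0.55, 0.70, 0.33, 0.48, 0.25]  # other people / spoofs


def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Return (FAR, FRR): the fraction of impostors accepted and the fraction of
    genuine users rejected at this threshold. Raising the threshold lowers FAR
    and raises FRR; there is no setting where both are zero here."""
    far = sum(s >= threshold for s in impostor) / len(impostor)
    frr = sum(s < threshold for s in genuine) / len(genuine)
    return far, frr


def equal_error_threshold(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=100):
    """Sweep thresholds from 0 to 1 and return (threshold, FAR, FRR) at the point
    where the two error rates are closest: the equal error rate (EER) often quoted
    in vendor data sheets."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, far, frr)
    return best[1:]


def decide(score, threshold):
    """The whole of a biometric 'match': is this scan similar enough?"""
    return score >= threshold
```

Run `error_rates(0.5)` and `error_rates(0.8)` against the same samples: the first lets three impostors in and rejects nobody, the second keeps every impostor out but turns away four genuine users. The “acceptable threshold” is a business decision about which of those failures hurts more, not a property of the user.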
See, password security has one strong foundation over biometrics: there is no such thing as an ‘iffy’ answer. You are either right or you are wrong. Sure, that doesn’t take into account a hacker who stole your password, but neither does biometric authentication.
Besides being extremely expensive, biometric technology as it exists today is still susceptible to various forms of deception. As Minh Duc put it in an article over at Computerworld, facial recognition algorithms are essentially processing digital information sent from a camera, which leaves a system without liveness detection unable to tell the difference between a true face and an HD image of one!
It’s not limited to facial recognition either; Jamie Carter notes an incident in which Jan Krissler was able to reverse-engineer an individual’s fingerprints from a series of photos. That walks us right into the bigger issue: biometrics can’t be changed once they are compromised. You can reset a password; you cannot reset a finger. At least, not yet.
That’s not to say that there are no working biometric systems in place to enhance password security today. On the contrary, Apple has that area on lock right now with Touch ID on the iPhone 6.
I’m notoriously against Apple for the most part (what can I say, I’m an Android guy myself), but they definitely know how to properly integrate biometric authentication in today’s technological environment. Even so, Touch ID is only a part of the picture: the passcode remains enabled as the failsafe, and the phone falls back to it after a restart or too many failed scans.
*BONUS* The PasswordCard
We’ve talked a lot about the future of the password and password security, but is there any wiggle room to strengthen something more akin to the traditional password? It might be dying, but surely there must be a way to breathe new life into traditional password security.
I present to you: The PasswordCard!
Forget all of those fancy gadgets or software methods for increasing your password security: the PasswordCard gives you a truly random password without the difficulty of having to remember it. The card is a printed grid of random characters; you pick a starting cell and a direction, and read off as many characters as you need. All you need access to is a piece of paper, a printer, and a working pair of eyes (one, at least).
Of course, if you check out the link above, you’ll quickly realize one thing: the PasswordCard can still be stolen and used to recover the password to whatever system you are using it for. With 8 rows of 29 characters and the freedom to start wherever you want, it looks like a huge number of possibilities. Count them, though: a thief who holds the card only has to try every starting cell in every direction, which comes to a few thousand candidates regardless of how long the password is, and an offline cracker burns through that in well under a second. The card’s strength lives entirely in keeping the card itself secret.
There are no dictionary words and no personal information to weigh against the candidate, just a jumble of characters based on wherever you start on your own unique card. For a more traditional password made of just alphanumeric characters, the PasswordCard is a pretty strong option for password security, as long as the card stays in your pocket.
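To put numbers on the stolen-card point, here is an added example (not from the original post or from passwordcard.org) that generates a card of the size described above and counts what a thief holding it would have to try. The alphabet, the straight-line reading rule and the set of eight directions are assumptions for illustration; the real card’s reading rules may differ, but the arithmetic does not change much.

```python
import math
import secrets
import string

# Added example, not from the original post or passwordcard.org. Grid size matches
# the post (8 rows x 29 columns); the alphabet, straight-line reading rule and the
# eight directions are illustrative assumptions.
ROWS, COLS = 8, 29
ALPHABET = string.ascii_letters + string.digits
DIRECTIONS = [(0, 1), (0, -1), (1, 0), (-1, 0), (1, 1), (1, -1), (-1, 1), (-1, -1)]


def generate_card(rows=ROWS, cols=COLS):
    """A fresh card: every cell is an independent, uniformly random character,
    drawn from the OS CSPRNG rather than random.random()."""
    return [[secrets.choice(ALPHABET) for _ in range(cols)] for _ in range(rows)]


def read_password(card, row, col, direction, length):
    """Read `length` characters from (row, col) in a straight line, or None if
    the line would run off the edge of the card."""
    dr, dc = direction
    chars = []
    for i in range(length):
        r, c = row + dr * i, col + dc * i
        if not (0 <= r < len(card) and 0 <= c < len(card[0])):
            return None
        chars.append(card[r][c])
    return "".join(chars)


def candidates_with_stolen_card(card, length):
    """Everything an attacker who holds the card would try: each start cell in
    each direction. Note the set size is bounded by cells x directions, not by
    the password length."""
    found = set()
    for r in range(len(card)):
        for c in range(len(card[0])):
            for d in DIRECTIONS:
                pw = read_password(card, r, c, d, length)
                if pw is not None:
                    found.add(pw)
    return found


def entropy_bits(length, card_known):
    """Guessing work in bits. Card secret: alphabet^length, like any random
    password. Card stolen: at most (cells x directions) readings, whatever the length."""
    if card_known:
        return math.log2(ROWS * COLS * len(DIRECTIONS))
    return length * math.log2(len(ALPHABET))
```

With the card secret, an 8-character reading carries about 47 bits, the same as any random 8-character alphanumeric password. With the card in the attacker’s hand the whole search space is under 2,000 strings, roughly 11 bits, and making the password longer does not help at all.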
I mean, let’s face it – you guard your wallet with a lot more persistence than you guard almost anything else!
The Lowdown on Password Security
Okay, so there are definitely options to improve your password security – but why didn’t I include anything on this list that could replace the password (or passphrase, if you prefer) altogether?
That’s quite simple really – it is because most experts agree the password is here to stay.
For now, at least.
The fact remains: the traditional password used on its own is dead. We have replaced it with an amalgamation of hashed storage, encrypted transit, complexity rules and secondary or tertiary layers to improve our password security while authenticating online. Why? Because in the modern digital world, the password is still something that we cannot live without. Even biometric technology, which was hoped to replace the need for traditional password security altogether, is being used alongside a password, PIN, or code of some sort.
Authentication has changed, but we still have a need to hold on to the past.
Like I said, I love passwords. The idea is sound, but like many things, it is officially out of date. We are better off searching for a new replacement altogether, as a society as a whole, than finding new ways to hopefully secure the same old dog. Password security is an important feature of authentication, but every step brings with it attackers who will find a way through.
It’s time to set password security aside and look to a new solution for the future.