Just mention the words “identity theft” and honest people cringe. We continue to hear reports like that of the millions of encrypted LinkedIn passwords that were leaked and posted on a Russian hacker’s website in 2012. But typically users won’t take the trouble to change their password even if their account is implicated! Why not? Because passwords have a really big problem. They are very difficult to remember, even if you make them simple. We all have so many user accounts (average, 25 online accounts), that trying to keep track of all the associated passwords (average, 6.5 per user) is a, well, a really big problem!
It’s so much of a problem that some well-placed and vocal proponents are trying to eliminate passwords entirely. Michael Barrett, chief information security officer at PayPal, said, “Our intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole Internet—including internally in enterprises—obliterate user IDs and passwords and PINs from the face of the planet.” He said this at the May 2013 Interop Conference in Las Vegas. Barrett’s answer is the FIDO Alliance, a recently unveiled consortium trying to create an open standard to replace passwords. FIDO? Fast ID Online.
Tattoos and Pills
Regina Dugan, working for Google as head of Motorola’s Advanced Technology and Projects group (and also the former head of DARPA), has proposed some very intriguing solutions to the problem. One is a tattoo and the other is a pill, focusing on processes that you would keep on or in your body. Although Dugan insists that these solutions are entirely optional (“Google is not going to be force-feeding us pills.”), she also pointed out, “If you want to ensure failure in your innovation, try removing the risks.” We do clearly see attached risks.
But before we detail the exciting elements of the tattoo and pill – two separate solutions, by the way – please consider the problem from the other side, from that of the hacker. If you have a simple 5-6 character dictionary word as your password, you don’t even present a challenge to the hacker. But even a good six character password can still be hacked in less than a minute. Increase your password to 7 characters and the hacking challenge is 4 minutes. 8 characters? 4 hours! 9 characters takes 10 days. 10 character passwords would take 625 days, and you can imagine where it goes from there! Although it is still scary that a persistent hacker, given enough motivation, could crack a 10 character password.
Great. Are we all going to graduate to 10 character passwords like: [bC#568Dw%0]? “Not gonna happen!” you say with exasperation. Great password, but it would need to be written down and kept next to the monitor, right? Where anyone could see it. And that’s not what we would readily call secure. Besides, it would be miserable to enter correctly. Every time! The average user enters their password from 8 to 39 times a day. Power users will do it up to 100 times a day. Forty years of technological advance hasn’t touched the password. It’s still a really big problem.
Passphrases help some. They do two things: get in the upper stratosphere of 10+ characters, yet remain memorable. A passphrase is several words, interspersed with clever use of numbers and symbols that are easy to remember. Like [iLive@91356], 11 characters. And even stronger would be to replace the “i” with “!”: [!L!ve@91356] Good one! Here’s another good passphrase with 15 letters, numbers and symbols that is strong, but memorable: [Iloves@nDwich3s]. Read that carefully and come up with a by-line for Subway sandwiches.
How about a song title? Something simple: [Justgiv3M3@r3ason].
Justin Timberlake provides us with a more complex example: [ArentyousomethingtoadmirecauseyourshineissomethinglikeaMIRROR].
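To put numbers on the length-versus-strength argument above, here is an added example (not part of the original post) that estimates the brute-force search space for the passphrases shown, and also checks whether a password is just a dictionary word with common symbol swaps, which a cracker tries first. The wordlist and the guess rate of 10^10 per second are constructed assumptions for illustration.

```python
import math
import string

# Character classes an attacker must include once any member appears.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "summer", "monkey", "sandwich", "mirror"]

# Common letter-for-symbol swaps a dictionary attacker undoes for free.
LEET = str.maketrans({"3": "e", "1": "i", "!": "i", "@": "a", "0": "o", "$": "s"})


def alphabet_size(password: str) -> int:
    """Alphabet a brute-force attacker has to search for this password."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def brute_force_space(password: str) -> int:
    """Upper bound on guesses: every string of this length over the alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Naive class-based entropy; an upper bound, not a guarantee."""
    return len(password) * math.log2(alphabet_size(password))


def dictionary_guesses(password: str):
    """Guesses if the password is a wordlist entry with swaps/trailing symbols, else None."""
    base = password.rstrip(string.punctuation).translate(LEET).lower()
    if base in WORDLIST:
        return WORDLIST.index(base) + 1
    return None


def guesses_needed(password: str) -> int:
    """The dictionary pass runs first, so its bound wins whenever it applies."""
    return dictionary_guesses(password) or brute_force_space(password)


def seconds_to_crack(password: str, guesses_per_second: float) -> float:
    return guesses_needed(password) / guesses_per_second


if __name__ == "__main__":
    RATE = 1e10  # assumed offline guess rate against a fast unsalted hash
    for pw in ["summer", "Summ3r!", "bC#568Dw%0", "iLive@91356",
               "!L!ve@91356", "Iloves@nDwich3s", "Justgiv3M3@r3ason"]:
        print(f"{pw:20} {entropy_bits(pw):6.1f} bits  "
              f"{seconds_to_crack(pw, RATE):12.3g} s")
```

Note that "Summ3r!" scores well on the class-based estimate yet falls to the dictionary pass in two guesses; the class count only matters once the password is not a dressed-up word.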
Pills anyone? Tattoos?
The pill idea is really quite fascinating. But first, let’s explore the less dramatic, simpler idea of a tattoo on the arm. Not with your 25 digit random password emblazoned. Not even with a bar code of the same, although the bar code idea has futuristic appeal. Rather, this sticker-like designer tattoo comes equipped with antennae and sensors which communicate with your digital device. No need to type it in, and we all applaud that idea!
But the pill! It becomes like a small potato battery which is activated by stomach acid. Yes, you do need to swallow this really tiny pill. Every morning. You know nothing stays in the stomach overly long. But while it is there, this little electrolyte battery “creates a low-power ECG signal in your body, essentially turning your body into an authentication device.” Also creating a market for battery pills and new psycho-somatic symptoms.
For those who cannot stomach either the tattoo or the pill, there are finger-print sensors you carry in pocket or purse; or the proposed digital phone app that will scan your eye or thumb. Of course, you could just change your password every 6 months! The average user keeps their password for 31 months before something forces a change. But that something might be more drastic than you’d care to endure.
Best practice, until they perfect the password-less-society, is to create a passphrase of a minimum 8-10 characters that is memorable enough to not write down and then change it every 6 months. If on-line and at-work security are important to you, you’ll take the time for the creative effort to make it work on a regular basis. Think of it as developing the mental muscle to avoid the bar-code tattoo. And after all, isn’t that the real password problem?