Is the Password coming to an end?

We all know we shouldn’t reveal our passwords, as much as we shouldn’t reveal our most embarrassing favourite film.

Mine’s Frozen. For the singing.

Damn.

See, it’s easy to make a mistake.

To add to the trouble, we now need so many passwords for each of our online accounts (I counted and I have over 150…) that it’s virtually impossible to remember a strong password for each.

There are some ways round this, but each comes with problems of its own:

1. Use the same very complex password for all your accounts

Risky. If someone were to get your password from one site with low security, they could potentially raid your bank account, or, even worse, reveal to the world on your Facebook page that you own all 3 books in the Fifty Shades of Grey trilogy. What would your mum think…?

2. Use a common base password, but tag on a site specific ending to it

For example, C0mP13xP455W0rDTwitter for your Twitter account or C0mP13xP455W0rDAmazon for Amazon (no, that’s not my password, so don’t try it :)). This negates some of the issues from the example above, but only really protects you if the person with your password isn’t paying much attention: the shared base is sitting there in plain sight in every one of them.
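To show why option 2 only protects you against an inattentive attacker, here is a small added example (mine, not anything from the post or from KeePass) that contrasts the base-plus-suffix scheme with a per-site password derived from the base through a keyed hash, which is roughly how deterministic password managers work. The master value, the site names and the derivation parameters are all constructed for the illustration; the check at the end is whether the shared base is visible in each resulting password.

```python
import base64
import hashlib
import hmac

# Constructed sample input: the base password quoted in the post and three sites.
MASTER = "C0mP13xP455W0rD"
SITES = ["Twitter", "Amazon", "Facebook"]


def naive_site_password(base: str, site: str) -> str:
    """Option 2 from the post: the base password with the site name tagged on."""
    return base + site


def derived_site_password(master: str, site: str, length: int = 20) -> str:
    """Illustrative alternative (not KeePass or FIDO): stretch the master with PBKDF2,
    then key an HMAC with the result and feed it the site name.  The output contains
    no trace of the master, and changing one site's password tells you nothing about
    the others.  Salt and iteration count are assumptions chosen for the example."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), b"site-password-v1", 200_000)
    digest = hmac.new(key, site.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def base_visible_in(password: str, base: str) -> bool:
    """Does the shared base appear verbatim inside a per-site password?"""
    return base in password


def all_distinct(passwords) -> bool:
    """True when no two sites ended up with the same password."""
    return len(set(passwords)) == len(passwords)


def compare_schemes(master: str, sites) -> dict:
    """Summarise both schemes over the sample sites."""
    naive = [naive_site_password(master, s) for s in sites]
    derived = [derived_site_password(master, s) for s in sites]
    return {
        "naive_leaks_base": all(base_visible_in(p, master) for p in naive),
        "derived_leaks_base": any(base_visible_in(p, master) for p in derived),
        "naive_distinct": all_distinct(naive),
        "derived_distinct": all_distinct(derived),
    }


if __name__ == "__main__":
    for site in SITES:
        print(f"{site:9} naive={naive_site_password(MASTER, site)} "
              f"derived={derived_site_password(MASTER, site)}")
    print(compare_schemes(MASTER, SITES))
```

The derived scheme is deterministic, which is what makes it usable without a stored database, but that is also its limitation: rotating one site's password needs an extra counter mixed into the HMAC input, and a leak of the master still compromises everything, which is why a manager holding independently random passwords (option 4) remains the stronger choice.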

3. Write down your absolutely unique complex passwords

Yes, I know, you’ve been told forever that writing passwords down is a bad idea, but it’s far more important that you have unique, complex passwords. What’s more likely: your PC being infected with password-stealing malware (about 1 in 3 home PCs are infected and 1 in 8 work PCs), or someone breaking into your house (about 2 in 100 households in 2012) and stealing a black book filled with random letters and numbers?

Then again, what happens if your black book is stolen, or lost, or you just leave it at home?

4. Use a password manager

A slight improvement on the above. I currently use KeePass to manage all of my usernames and passwords; I need to remember one 32-character password to give me access to all 150+ usernames and passwords for my online accounts.

But there is still the same problem of access. I have mine synced with OneDrive so it is available anywhere, but it still relies on me having my PC, tablet or phone to access my passwords, as the OneDrive password is in my KeePass database in OneDrive. Chicken and egg?

5. A single complex password combined with a secure trusted online password directory

I’m talking about something like Microsoft Active Directory, used in most businesses, which allows you to log on to your PC with one password and then grants access to files, emails, SharePoint and Dynamics CRM.

However, instead of being limited to the corporate network, it links into the wider internet, using individual passwords for each online service/site. Google and Facebook are attempting to do this, just like Microsoft did with its Live ID a few years ago.

This all revolves around trust. Do you trust the online store to protect your passwords and online identities?

What if we go back to the basics of what a password is for? “A word or string of characters used for user authentication to prove identity”, according to the fountain of all knowledge that is Wikipedia.

But, just knowing a password doesn’t really prove your identity; it just shows you know the password. Wouldn’t it be wonderful if there was something unique to each person that we could measure…?

Has anybody seen Gattaca? Set in the near future, everybody is identified by their DNA profile. On their way into the office they give a tiny blood sample from a finger prick to prove who they are, and this is probably the only way to prove that you are who you say you are* (fingerprint and retina scanners are easily tricked).

This isn’t possible with current technology, so what if we add something to you that is unique and measurable with current technology? A barcode tattoo? I doubt it’ll catch on; it’s not always very aesthetic and it’s easily copyable. If they can steal the German Defense minister’s thumbprint using a photo, a tattoo would be no problem.

What about an implant? Hard to steal, easy to hide, multiple uses (door keyfob replacement, password replacement, card number storage), and with current technology you could have one that contains a 64-character password implanted in your hand that will last for years, with no batteries required.

Combine this in an online world with a central authentication database (something like Azure Active Directory) and I may never again feel the need to bang my head against the table when someone tells me their password…

So, as any self-respecting geek would do, I’ve found somewhere to buy an implant and lined up a couple of uses (unlock my phone just by picking it up, replace my Windows password, an electronic business card passed on by touching someone’s phone); now all I need is permission from the wife…

Whilst I wait for that, hopefully the announcement from Microsoft last week picks up some speed. Part of the work they are doing on Windows 10 is trying to get away from password authentication, and they’re currently exploring the FIDO (Fast Identity Online) Alliance specifications as an option, which will be much more closely tied into who you are as a user. You can read more about FIDO here.

Here’s the official word from Microsoft:

“We are working alongside major industry partners to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to more securely authenticate users of online services.” Read the full press release.

In English: the password (essentially the door that online fraudsters and phishing scams all try to get through in order to reach your data) could be on the verge of extinction. That would make me very happy indeed.

We’ll keep a close eye on Microsoft’s progress and let you know how FIDO authentication might affect you.


* Yes, I know in the film they tricked the DNA scanners, but I’m trying to make a point…