Will passwords become a thing of the past?

Data breaches happen. A lot.

Last month alone has seen incidents affecting targets as large as the US Veterans of Foreign Wars, LaCie Hardware, and most recently 30,000 students and alumni from Iowa State University, in an interesting attack that gleaned SSNs and also hijacked the school’s servers to mine for Bitcoins.

Then there was Heartbleed, the ultra-critical-Internet-apocalypse-approaching vulnerability that potentially exposed millions of user credentials from 2/3 of all websites presently in existence and that may have been doing so for up to two years.

We’ve written on the importance of using strong passwords, but even the strongest ones are useless if they are breached in plain text. So the question remains: Will the constant onslaught of data breaches mean that passwords and other server-stored credentials lose their value and become obsolete tokens of the past?

Future Password Alternatives

Strong passwords still matter. 53q)y&67cs#Me09x_oti is still much more resilient to a dictionary attack than 123456. This is largely irrelevant, however, if an attacker can simply peek into the space where 53q)y&67cs#Me09x_oti is stored in plain text and see it conveniently paired with its username and potentially other valuable credentials, such as a credit card number or an SSN. Competent service providers do put security measures in place, but none are 100% impenetrable against efforts that can come from highly organized and advanced groups of attackers looking to cash in big. As Heartbleed has shown us, complex computer security systems are always vulnerable to human oversight. In response, some developers propose solutions that sidestep password credentialing entirely.

Face recognition

NEC Corporation of Japan recently announced the launch of a biometric security program called the NeoFace Monitor, which uses face recognition technology to lock and protect PCs. Reports have indicated that the technology has error rates as low as 0.3% and it has already been recognized by NIST. NeoFace uses image-processing algorithms to recognize facial features when users look into their PC’s webcam. If NeoFace finds a match, the PC is unlocked, just as is currently done with your typical password. NeoFace currently runs on Windows 7 and 8, but NEC has indicated plans to expand to the Android OS and has also already placed “Mobile Facial Recognition Appliances” in select Hong Kong stores, banks, and hotels to see how facial recognition can help proprietors enhance security and customer service.

Theoretically, NeoFace and other facial recognition technologies could also be used to grant user access to any website. Realistically, this might be technically or financially impossible for many companies, but it would indeed boost security, as a face is much harder to steal than a password.

Fingerprint scanning

Another biometric password bypass long in the works is the not-so-futuristic concept of fingerprint scanning. Like facial recognition, fingerprint scans rely on a biological component unique to each individual user. Unlike facial recognition, tests have repeatedly shown that this security measure is somewhat easy to bypass. The video in this article from Ars Technica shows how white hat hackers bypassed the fingerprint lock scanner on a Samsung Galaxy 5 with a forged fingerprint they created by taking a picture of a real print they found on the phone’s glossy surface. The hackers subsequently logged on to the smartphone, accessed a PayPal app, and transferred money from one test account to another, simulating how a real attacker could act. Of course, such a bypass requires physical access to the fingerprints, which means it might actually be a solid solution for website log-ins on servers located halfway across the world.

Chromebook Easy Unlock

Know anyone who has key-less entry for their car, and is somehow able to unlock and start their vehicle without taking anything out of their pocket and at the push of a button? Rumor has it that this is exactly the type of thing Google has in mind for the future of Chromebook security. Easy Unlock would work just like key-less entry on a car, except that, instead of a specialized remote device that emits a radio signal, Chromebooks would be unlocked by the presence of a matching, registered Android device. Google has yet to release any official statements about when this sort of technology will be available, but they have already apparently produced marketing materials and user guides, and this is not the first time the company has dabbled in password alternatives.

Present Day Password Solutions

It may be some time before biometrics and other password replacement technologies reach the mainstream. In the meantime, one of the best ways to add an additional layer of security to your Internet usage is to enable two factor authentication on websites that allow it. Two factor authentication makes it so that you need to take an extra step any time you log on to a website through an unrecognized device, such as a friend’s computer. That extra step is entering a security code that gets texted to your mobile device, in addition to entering your password. Two factor authentication makes it so that if someone steals your password, they cannot log on to your account unless they somehow also steal your home computer or your phone. Since most password theft is carried out by remote attackers, this is a powerful capability and a great feature to add to any account that will allow it – particularly email and banking.
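The extra step described above is, on the server side, a one-time code that is generated for a short window and checked once. The article's example is a code delivered by text message; the added example below (not code from the original post or from Emsisoft) implements the closely related authenticator-app variant, TOTP from RFC 6238, because the verification logic is the same and can be run offline: the server derives the expected code for the current 30-second step, compares it in constant time, tolerates one step of clock drift, and refuses to accept a code for a step it has already accepted, so a code that was captured in transit cannot be replayed after the legitimate login. The secret is the published RFC 4226/6238 test-vector key, used here only so the outputs are verifiable; a real deployment generates a random per-user secret.

```python
"""Server-side check of a time-based one-time code (RFC 6238 TOTP). Added example."""
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key.
# A real server issues a random per-user secret, e.g. os.urandom(20).
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian 8-byte counter,
    then 'dynamic truncation' to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second
    intervals since the Unix epoch, so phone and server agree without a network."""
    return hotp(secret, int(at_time) // step)


class SecondFactorVerifier:
    """Per-user verifier state the server keeps alongside the secret."""

    def __init__(self, secret: bytes, window: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window          # steps of clock drift tolerated on each side
        self.step = step
        self.last_accepted_counter = -1  # highest time step already consumed by a login

    def verify(self, submitted: str, at_time: float) -> bool:
        """True only for a correct, not-yet-used code within the drift window."""
        counter_now = int(at_time) // self.step
        for delta in range(-self.window, self.window + 1):
            counter = counter_now + delta
            if counter <= self.last_accepted_counter:
                continue  # replay protection: this step (or an older one) was already used
            # Constant-time comparison so timing does not leak how many digits matched.
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_SECRET, now)          # what the user's authenticator would show
    verifier = SecondFactorVerifier(DEMO_SECRET)
    print("first use accepted:", verifier.verify(code, now))    # True
    print("replay accepted:   ", verifier.verify(code, now))    # False
```

The replay check is the part worth copying: without `last_accepted_counter`, a code that was intercepted on a compromised phone (the scenario the next paragraph describes) remains valid for the rest of its time step, and with the drift window, for up to three steps. Rate-limiting failed attempts per account is the other control that belongs around `verify`, since a six-digit space is small.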

Unfortunately, two factor authentication is not completely immune to malware. Attackers have actually designed some malware to infect mobile devices and intercept real two factor authentication codes sent by real service providers. This is exactly what is currently being done with the iBanking Rogue, and this is exactly why we have taken the effort to create Emsisoft Mobile Security.

Aside from two factor authentication, your best bet for the time being is to utilize strong, un-memorizable passwords and a password management system of your choosing – be it commercialized or manual. In almost all cases, service providers do store your password as a cryptographic hash, but if this hash is associated with a common password and breached, it can easily be cracked by a brute-force or dictionary attack. This same method can be utilized by malware that directly targets your home computer. This is why we create low impact anti-malware, made with the PC environment in mind.
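The paragraph above makes two points that are easier to see in code: a hashed common password falls to a dictionary attack regardless of the hash, and the storage scheme decides how much that attack costs. The added example below (not code from the original post or from Emsisoft) contrasts a fast unsalted digest, where every user who picked 123456 ends up with the same stored value and a single precomputed table reverses all of them, with a per-user salted, iterated PBKDF2 record and a constant-time verifier. It also includes the two checks a service operator can run: reject sign-up passwords that appear on a common-password list, and audit an existing legacy table for users sharing a digest, which is a direct symptom of unsalted storage. The common-password list and the user records are constructed stand-ins, and the iteration count is an assumption to be tuned per server.

```python
"""Password storage: fast unsalted digest vs. salted PBKDF2, plus two operator checks. Added example."""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed, tiny stand-in for a real breach-derived common-password list.
COMMON_PASSWORDS = frozenset({"123456", "password", "qwerty", "letmein", "iloveyou"})

# Assumption: tune so one hash costs on the order of 100 ms on the server's hardware.
PBKDF2_ITERATIONS = 200_000


def legacy_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-256. Equal passwords give equal
    digests, so a table of digests for common passwords reverses every affected
    user at once, and the hash is cheap enough to guess billions of times a second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256. The record carries algorithm, cost, salt and
    derived key, so the cost can be raised later without breaking old records."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def is_acceptable_password(password: str, min_length: int = 12) -> bool:
    """Sign-up policy: a slow hash buys nothing when the guess is in the first few
    tries, so refuse short passwords and anything on the common list outright."""
    return len(password) >= min_length and password.lower() not in COMMON_PASSWORDS


def users_sharing_digest(legacy_records: dict) -> dict:
    """Audit an old {username: legacy_hash} table. Any digest held by more than one
    user means identical passwords were stored without a salt; those accounts are
    the first to fall in a breach and should be migrated to salted records on next login."""
    by_digest = defaultdict(list)
    for user, digest in legacy_records.items():
        by_digest[digest].append(user)
    return {d: sorted(users) for d, users in by_digest.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample data.
    legacy_table = {
        "alice": legacy_hash("123456"),
        "bob": legacy_hash("123456"),
        "carol": legacy_hash("53q)y&67cs#Me09x_oti"),
    }
    print("shared digests:", users_sharing_digest(legacy_table))
    rec = hash_password("53q)y&67cs#Me09x_oti")
    print("salted record:", rec)
    print("verify correct:", verify_password("53q)y&67cs#Me09x_oti", rec))
    print("verify wrong:  ", verify_password("123456", rec))
```

Two users with the same password get different PBKDF2 records because each call draws a fresh salt, so the sharing audit only makes sense against the legacy column. Storing the iteration count in the record is what lets the cost be raised over time as hardware gets faster.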

At the end of the day malware makers are interested in making money, and presently the key to the safe that guards your digital bankroll is the password. In a perfect world, this key would be complemented by retina scanners, laser sensors, and possibly also a rabid Rottweiler armed with a machine gun – but for consumers the technology just hasn’t gotten there yet. Perhaps one day we will all be walking around with implanted chips and bar codes and use biometrics that utilize DNA, but in the meantime the best approach is to combine what is currently available to create a multi-layered, digital fortress. In other words, create living cryptography.

Have a great (password-protected) day!

  • Legend

    Companies holding sensitive personal or economic information should have a crystal clear responsibility/policy about instantly communicating any severe data breaches that can bring their customers’ information into the wrong hands to those it concerns. They should always, without any doubt, bear any economic consequences that e.g. a spear attack can inflict. That may force those who are sloppy regarding their overall security to tighten up their data defence/policy. We as customers, or users on the net, should have access to a form of rating system to see how well a certain company protects your personal information or ID. On the other hand, we as normal users of the net have a responsibility to protect our computers with a decent antimalware system and intelligent use of passwords. And for God’s sake, don’t use passwords such as your son’s or mother’s name, or the word Password, as I have seen on some systems. :-))

    • emsisoft_steve

      Good to hear from you as always, Legend :)

      Did you hear Dashlane recently did a study on password policy strength around the web? Might be worth checking out, if you’re interested.

      • Legend

        Nope, but will Google it….. (few seconds….) .oh… found “Dashlane second Password Security Roundup” from May the 20th. Thanks Steve, if it was that report you meant. (^_^) Nice article

  • equestrian_colt

    I think fingerprint scanning is still the best out there, because no one has the same fingerprints. However, they need to fine-tune what the actual scanner can read, like body heat or maybe even a pulse, so it can’t be tricked by a picture or copy of a fingerprint.

    • Legend

      Hi equestrian_colt
      Yes, fingerprint scanners are basically okay, but not bulletproof unfortunately… and as you indicate, and as Steven writes, we will see in the future that a single password will or could contain face recognition, fingerprint and a personal PIN code, to unlock e.g. your bank or PC.

  • Lestat87

    I’m curious how facial recognition could be so accurate, mainly how it would be able to tell the difference between a person and a high-quality photo of them. With fingerprint scanners they can implement temperature sensors, so if it’s a pic or someone cut their finger off then it won’t work. Personally I think facial with finger is the way to go, but the cost is also significantly higher.

    • Legend

      Hi Lestat87

      Great question. I am no expert in this issue, but if you can imagine face recognition security software which is able to take multiple shots while you’re turning your head slowly, then it would leave the software with many special unique facial features. Overall it would leave a face recognition system that would be harder to fool. :)

  • Desertratnv

    How about a smart card with a 128-bit encrypted password stored onboard, that a USB card reader could verify.
    It could be used at point of sale to password-protect credit card purchases, bank identification… etc.
    It would be a second layer that is not phone-dependent, or vulnerable.
    If lost or stolen it gets cancelled.

  • Gregory Ryan Norris

    I still see a major problem with this: Whether we use passwords or something else, we’re still sending some sort of data to a remote server that will compare said data with its own records. As such a hacker could still acquire this data and send it to the server. It would require a few more steps (the hacker would need a program to send the data in place of the legitimate system) but that’s more of a minor annoyance like DRM (which only hurts those of us wanting to go the legal route). The alternative data would likely be a lot more complex, slowing or preventing brute force tactics (especially if there’s a delay or lock in the event of repeated failed attempts). There are a lot of pictures on the net which could potentially reveal data (especially facial data) for individuals (especially famous ones). Perhaps some sort of biofield (weak EMFs generated by the body) recognition could mitigate this, but I’ve not done any real research on the subject myself (as in I don’t really know how viable a biofield is but am just giving an example).