Will passwords become a thing of the past?

Data breaches happen. A lot.

The past month alone has seen incidents affecting targets as large as the US Veterans of Foreign Wars, LaCie Hardware, and, most recently, 30,000 students and alumni from Iowa State University, in an interesting attack that gleaned SSNs and also hijacked the school’s servers to mine for Bitcoins.

Then there was Heartbleed, the ultra-critical-Internet-apocalypse-approaching vulnerability that potentially exposed millions of user credentials from 2/3 of all websites presently in existence and that may have been doing so for up to two years.

We’ve written on the importance of using strong passwords, but even the strongest ones are useless if they are breached in plain text. So the question remains: Will the constant onslaught of data breaches mean that passwords and other server-stored credentials lose their value and become obsolete tokens of the past?

Future Password Alternatives

Strong passwords still matter. 53q)y&67cs#Me09x_oti is still much more resilient to a dictionary attack than 123456. This is largely irrelevant, however, if an attacker can simply peek into the space where 53q)y&67cs#Me09x_oti is stored in plain text and see it conveniently paired with its username and potentially other valuable credentials, such as a credit card number or an SSN. Competent service providers do put security measures in place, but none are 100% impenetrable to what can be highly organized and advanced groups of attackers looking to cash in big. As Heartbleed has shown us, complex computer security systems are always vulnerable to human oversight. In response, some developers propose solutions that sidestep password credentialing entirely.

Face recognition

NEC Corporation of Japan recently announced the launch of a biometric security program called the NeoFace Monitor, which uses face recognition technology to lock and protect PCs. Reports have indicated that the technology has error rates as low as 0.3% and it has already been recognized by NIST. NeoFace uses image-processing algorithms to recognize facial features when users look into their PC’s webcam. If NeoFace finds a match, the PC is unlocked, just as is currently done with your typical password. NeoFace currently runs on Windows 7 and 8, but NEC has indicated plans to expand to the Android OS and has also already placed “Mobile Facial Recognition Appliances” in select Hong Kong stores, banks, and hotels to see how facial recognition can help proprietors enhance security and customer service.

Theoretically, NeoFace and other facial recognition technologies could also be used to grant user access to any website. Realistically, this might be technically or financially impossible for many companies, but it would indeed boost security, as a face is much harder to steal than a password.

Fingerprint scanning

Another biometric password bypass long in the works is the not-so-futuristic concept of fingerprint scanning. Like facial recognition, fingerprint scans rely on a biological component unique to each individual user. Unlike facial recognition, tests have repeatedly shown that this security measure is somewhat easy to bypass. The video in this article from Ars Technica shows how white hat hackers bypassed the fingerprint lock scanner on a Samsung Galaxy 5, with a forged fingerprint they created by taking a picture of a real print they found on the phone’s glossy surface. The hackers subsequently logged on to the smartphone, accessed a PayPal app, and transferred money from one test account to another, simulating how a real attacker could act. Of course, such a bypass requires physical access to the fingerprints, which means it might actually be a solid solution for website log-ins on servers located halfway across the world.

Chromebook Easy Unlock

Know anyone who has keyless entry for their car, and is somehow able to unlock and start their vehicle without taking anything out of their pocket and at the push of a button? Rumor has it that this is exactly the type of thing Google has in mind for the future of Chromebook security. Easy Unlock would work just like keyless entry on a car, except, instead of a specialized remote device that emits a radio signal, Chromebooks would be unlocked by the presence of a matching, registered Android device. Google has yet to release any official statements about when this sort of technology will be available, but they have already apparently produced marketing materials and user guides, and this is not the first time the company has dabbled in password alternatives.

Present Day Password Solutions

It may be some time before biometrics and other password replacement technologies reach the mainstream. In the meantime, one of the best ways to add an additional layer of security to your Internet usage is to enable two-factor authentication on websites that allow it. With two-factor authentication, you need to take an extra step any time you log on to a website through an unrecognized device, such as a friend’s computer. That extra step is entering a security code that gets texted to your mobile device, in addition to entering your password. Two-factor authentication makes it so that if someone steals your password, they cannot log on to your account unless they somehow also steal your home computer. Because most password theft is instigated by remote attackers, this is a powerful capability and a great feature to add to any account that will allow it – particularly email and banking.

Unfortunately, two-factor authentication is not completely immune to malware. Attackers have actually designed some malware to infect mobile devices and intercept real two-factor authentication codes sent by real service providers. This is exactly what is currently being done with the iBanking Rogue, and this is exactly why we have taken the effort to create Emsisoft Mobile Security.

Aside from two-factor authentication, your best bet for the time being is to utilize strong, un-memorizable passwords and a password management system of your choosing – be it commercial or manual. In almost all cases, service providers do store your password as a cryptographic hash, but if this hash is associated with a common password and breached, it can easily be cracked by a brute-force dictionary attack. This same method can be utilized by malware that directly targets your home computer. This is why we create low-impact anti-malware, made with the PC environment in mind.
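To make the point about hashed common passwords concrete, here is an added example (not code from the original article or from any service provider) that compares an unsalted fast hash with a salted, deliberately slow one from the storage side. The account names, the short common-password list and the PBKDF2 work factor are constructed assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny common-password list and three accounts.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]
ACCOUNTS = {"alice": "123456", "bob": "123456", "carol": "53q)y&67cs#Me09x_oti"}
ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your hardware


def unsalted_record(password):
    """Weak storage: a single fast, unsalted SHA-256 digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Hardened storage: per-user random salt plus a slow KDF (PBKDF2)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password, salt, key):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_record(password, salt)[1], key)


def exposed_by_lookup(records):
    """Audit: which unsalted records match a precomputed common-password table?"""
    table = {unsalted_record(p) for p in COMMON_PASSWORDS}
    return sorted(user for user, digest in records.items() if digest in table)


def is_common(password):
    """Registration-time check that keeps common passwords out of the store."""
    return password in COMMON_PASSWORDS


if __name__ == "__main__":
    unsalted = {user: unsalted_record(pw) for user, pw in ACCOUNTS.items()}
    # Identical passwords give identical unsalted digests, so one table
    # lookup flags every account that shares a common password.
    print("flagged by table lookup:", exposed_by_lookup(unsalted))
    salt_a, key_a = salted_record(ACCOUNTS["alice"])
    salt_b, key_b = salted_record(ACCOUNTS["bob"])
    # Same password, different salts: the stored values no longer match,
    # and every guess costs ITERATIONS hash operations per account.
    print("salted records differ:", key_a != key_b)
    print("login still works:", verify("123456", salt_a, key_a))
```

The strong password from earlier in the article is not flagged by the lookup, which is the user-side half of the defense; the per-user salt and slow hash are the provider-side half.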

At the end of the day malware makers are interested in making money, and presently the key to the safe that guards your digital bankroll is the password. In a perfect world, this key would be complemented by retina scanners, laser sensors, and possibly also a rabid Rottweiler armed with a machine gun – but for consumers the technology just hasn’t gotten there yet. Perhaps one day we will all be walking around with implanted chips and bar codes and use biometrics that utilize DNA, but in the meantime the best approach is to combine what is currently available to create a multi-layered, digital fortress. In other words, create living cryptography.

Have a great (password-protected) day!