This blog post is a short version of an article at wired.com.
The author makes a strong claim: text-based passwords are no longer a safe way to authenticate, no matter how complicated or unique the password is.
He highlights that attackers are increasingly capable of harvesting password dumps after breaking into computer systems and then releasing the lists publicly. The password system becomes even weaker because so much of our personal data is stored in the cloud and the password-recovery mechanisms protecting it are weak.
A real-life example of this is described in my previous blog post, “A new kind of hack”. Because most password-recovery mechanisms are linked to your email account, that account becomes a single point of failure. The author gives the example of AOL's password-recovery mechanism, which asks for the city you were born in, something that can easily be extracted from your Google profile.
Before we think about better ways to secure accounts, let's look at the main requirements of any security system. Convenience and privacy are the two main factors. An authentication mechanism needs to be convenient enough to use in our day-to-day lives. Privacy plays an important role too: you would not feel comfortable allowing a third person to watch your every move. Decades of research have gone into developing systems that satisfy both requirements, and that research ultimately settled on stronger passwords.
So what are the common ways of password failure?
1) Guessing: Simple and common passwords are easy to guess. “password” and “123456” were listed among the top 10,000 most common passwords.
2) Reusing passwords: A common and very real threat comes from reusing the same password across different accounts.
3) Trickery: Phishing is a commonly employed technique in which users are tricked into entering their credentials on a fake site.
4) Malware: Keyloggers, screenshot capture and other techniques are employed by malware writers to extract confidential information.
Ultimately, what we are looking for is a reliable way to identify someone. Jumping to conclusions such as “just use biometrics” could also be disastrous, since, unlike passwords, fingerprints cannot be changed. The Mission: Impossible movies have shown us that a fingerprint can be lifted from a simple glass.
Multi-factor authentication is going to be the only route to better security. Google already employs a two-factor authentication mechanism, and that is just the starting point. Factors like voice, location and probably DNA could be added to the list.
Does anyone see a possible research paper on this?