The Password Crisis is NOW

We saw it coming.

As far back as several decades ago. Remember those innocent, nostalgic days when we only had to remember a few passwords? Like an email account, or maybe an online banking account?

Those days are gone. The passwords I am now expected to remember have accumulated…like barnacles on the hull of the ship of life…like warts on the frog of society…like hangnails on the fingers of ambition. Like…

You get the point.

All My Keys Were Locked in my Car As it Was Running

In my college years, I used to keep all my keys on a chain. This included my apartment keys, my car keys, my bike keys, my work keys…a feck-load o’ keys. It was a blustering snowy night in Syracuse, and I had started the car. I had to step out to wipe the snow off the windshield – not realizing that I had locked and closed the door. THE CAR WAS RUNNING. I couldn’t get into my car to turn off the engine. I couldn’t get into my apartment, which was across the street…I was stuck.

I won’t get into the story of how I solved the problem. I just wanted to make a comparison. IT SUCKS.

Now that most of our keys are virtual (and require memory), we have new problems.

I HAVE TO CHANGE MY PASSWORDS FREQUENTLY (because I keep forgetting them) AND THEY ARE SUPPOSED TO BE HARD FOR OTHERS TO FIGURE OUT (which means…I keep forgetting them).

Have you noticed that some web sites will rate your new password right as you are typing it? Like, it’ll say your password is STRONG or WEAK, etc? Don’t you hate it when you squeeze another password into your brain, and you strain to remember it, only to discover that you have to start all over because you forgot to include at least one number, one capital letter, at least three Chinese characters, two trigonometric symbols, and four Egyptian hieroglyphics?

Does this sound familiar? …

“I’m locked out after too many login attempts”

Many people are giving a shout-out for the new services that provide a solution by remembering all of your passwords, and reducing your need of memory to one single password that you use for that service. It basically does the remembering for you.

I don’t know about you, but that just kinda creeps me out. A blow to the head is all it would take to knock that single password out of my memory. Then what?

WHAT’S THE SOLUTION? Multiple Biometrics

It is already becoming a standard practice to use multiple assurances (like security questions) to recover accounts, so things are moving in the right direction. It may be a while though before technology for biometrics becomes commonplace. But I think it’s INEVITABLE.

Imagine that your password is 80% reliable. Now imagine that you are using a computer that has hardware to take your fingerprint. Imagine that your fingerprint is 80% reliable. If you enter both the password and the fingerprint, then you have 96% reliability.

Imagine that you can announce your name, and the microphone picks up your voice and compares that to a pre-recorded sound of you saying your name, and that is 50% reliable. Now we are up to 98% reliability.

If the threshold for entry into an account were set to some value (like 78% for a casual social media app, or 99.5% for a sensitive financial account) then you could issue a combination of biometric data to get the % up to the necessary threshold. This would allow for more variability, and flexibility.
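The figures in the three paragraphs above (80% and 80% giving 96%, then 50% giving 98%) follow the rule 1 − ∏(1 − rᵢ), which holds only if the factors fail independently of one another. The Python below is an added example, not part of the original post; the function names and the factor table are assumptions built from the post's own numbers, and it checks which of the two thresholds those three factors can actually reach.

```python
from itertools import combinations
from math import prod

# Per-factor reliabilities taken from the post's example (fractions, not percent).
FACTORS = {"password": 0.80, "fingerprint": 0.80, "voice": 0.50}

def combined_reliability(reliabilities):
    """The post's rule: 1 minus the product of each factor's miss probability.
    Assumption: factors fail independently of one another."""
    return 1.0 - prod(1.0 - r for r in reliabilities)

def smallest_factor_set(factors, threshold):
    """Return (names, score) for the fewest factors that reach the threshold,
    preferring the highest score at that size, or None if no combination does."""
    names = sorted(factors)
    for size in range(1, len(names) + 1):
        best = None
        for combo in combinations(names, size):
            score = combined_reliability(factors[n] for n in combo)
            if score >= threshold and (best is None or score > best[1]):
                best = (combo, score)
        if best is not None:
            return best
    return None

def extra_factor_needed(current, threshold):
    """Reliability one more independent factor must have to lift `current`
    up to `threshold` under the same rule (0.0 if already there)."""
    if current >= threshold:
        return 0.0
    return 1.0 - (1.0 - threshold) / (1.0 - current)

if __name__ == "__main__":
    for label, threshold in [("social media", 0.78), ("financial", 0.995)]:
        print(label, threshold, smallest_factor_set(FACTORS, threshold))
    all_three = combined_reliability(FACTORS.values())
    print("all three:", round(all_three, 4),
          "extra factor needed for 0.995:",
          round(extra_factor_needed(all_three, 0.995), 4))
```

With only the post's three factors the 99.5% threshold is out of reach, since together they top out at 98%; a fourth independent factor would need about 75% reliability to close the gap.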

Just Try To Steal My EyeBall, My Voice box, My Fingers, Or My Memory

In the future, when biometrics is a common form of password protection, you might try to run off with one of my eyeballs and use that to forge my iris scan, in an attempt to hack into my bank account.

But you won’t get very far.

One reason is that my cousin Guido doesn’t take too kindly to people running off with my body parts…if you catch my meaning.

Another reason is that there’s a lot left of me that would still be needed. And one of those things just might be a password. And the whole point is that we should have many modes of identity detection. This is the way nature prefers it.

Imagine that you and I are friends. We meet on a street corner and I tell you that I am in a bad way, and I need to borrow $200, and I promise to pay you back next month. After talking this over for a few minutes, you are probably not going to stop and say… “Hmmm, are you really Jeffrey Ventrella? Prove to me that you are who you say you are!” No. You will be 100% sure it is me; you will have no hesitation about who I am (although you may have some hesitation about trusting me to pay you back – but that’s another issue, which I prefer not to get into).

Why do you know it’s me? Multimodal communication: the sound of my voice, the shape of my face, the words I speak, the clothes I wear, the fact that we are in front of the local coffee shop…the list goes on. Multiple assurances are built in to natural language. Only a rich combination of multimodal identity assurances will get us past the current password crisis.

Big Bro

This is of course not all that there is to say about how to solve the password crisis. It’s a little scary to have bits of my identity flying across the internet and being processed on servers out there in the world. A corporation or a government will probably run that server. I damn-well better trust that server!

For now, I’ll just leave it at that. I’d love to hear your thoughts. Unless you are a flower child living in a remote forest and subsisting on mushrooms and larvae, you probably have experienced password anxiety.

Tell me what YOU think!

3 thoughts on “The Password Crisis is NOW”

  1. What happens if hackers get into a security database? You can change a password, a credit card number etc., but it’d be more difficult to change your iris or your voice.

    That’s the main problem I have with biometrics. An iris is difficult to steal, but in the end the computer doesn’t need your iris: it needs the code linked to your iris. And that is just as easily stealable as any other data…

    • Good point, Charles! That is one of the major downsides of the biometric approach.

      That makes me wonder if the real solution is indeed the multiple modalities. For instance, my iris data could be in a different security database than my voice data, and so on. If it is extremely difficult for a hacker to steal most of my modes of security, perhaps he cannot get very far.

      For instance, if he successfully forges my iris scan but fails on the voice, fingerprint, or security questions, then he’ll not get in. And a red flag could be raised of a possible hack attempt.

      Since this is not my core area of expertise, I should stop here :) But I do have a strong suspicion that the multiple modes of security will be a big part of the solution.

  2. A common concern is users using the same password across different services.

    With a biometric approach, each implementation can create a different ‘password’ or ‘authentication’ of bio-data. For example, saving different inflection points with speech or different signatures for facial or iris authentication.

    This could help secure from a hacker getting info from one system (i.e. amazon) and reduce the chances of the data points working on another system (i.e. bank account).
