2014: A tipping point for password authentication
Is 2014 the year the password passes away? Or will it limp along for another few years as a once-useful but increasingly inadequate identification system? Either way, the password is in critical condition, according to experts from government and industry, who are now exploring more innovative schemes, including token-based and advanced biometric devices.
It’s not surprising. Passwords as we know them are becoming less secure every day. That’s partly because they are is inherently vulnerable: Each time a database of passwords falls to a hack, it weakens passwords as a whole.
The obvious risk is that because people reuse passwords, having one network compromised can lead others to fall like dominos. “If you have 40 million passwords stolen, the hackers will then bounce them against new places,” said Fran Trentley, senior director of global security and government services for the security firm Akamai, speaking at a Cyber Playbook 2013 show.
Beyond testing stolen passwords on one database after another, hackers are putting powerful analytics tools to work on captured files to see what types of passwords are being used. Standard password creation techniques, like turning the letter O to a zero or an I to a one, are programmed into brute force attack engines.
When a government database of passwords falls, it's even more troubling because it gives hackers input on how government employees think and what terms or acronyms they use, all of which can be dropped into hacking databases.
Recently, government was the subject of a year-long hacking campaign where identification data was targeted: “Basically every piece of information you'd need to do full identity theft on any employee or contractor,” according to the indictment of those charged in the case.
And while passwords are still the most heavily used authentication tool by far, they are growing increasingly weaker, leading agencies like NIST to develop new guidelines for their use.
With all that in the background, industry players have already started to give last rites to conventional password security. “Passwords are dead,” according to Heather Adkins, Google’s manager of information security, speaking at a TechCrunch panel this fall.
However, if the government follows suit and throws in the towel on passwords, it will need alternatives. The most promising field is token-based security, especially those that rely on something other than a CAC card, which could also be stolen.
Adkins told the panel Google was exploring nontraditional approaches to password security, including the use of hardware-based tokens. One project involved a system that would require people to touch a device to a contact embedded in their clothing in order to authenticate their identity. “A hacker can’t steal that from you,” TechCrunch quoted her as saying.
Some of the most advanced work on password systems is being done in the area of biometric security. Toronto-based Bionym, has developed a wristband that contains a heartbeat sensor, which are as secure as fingerprint scanners but even more difficult to capture, since you don’t leave your heartbeat behind on everything you touch. The system, called Nymi, can be used to lock data files as well as car doors, according to a TechCrunch report.
Elsewhere, work is underway on “chemical” passwords, molecules that function as tiny keypads. The molecular keypad consists of chemicals – iron ions, acids, bases and ultraviolet light – which unlock when the right chemical passwords are used.
“It’s just like a tiny ATM machine,” according to Abrahan Shanzer of the Weizman Institute, who synthesized the molecule. Shanzer said ultimately that molecular locks could act as “the smallest ID tags, providing the ultimate defense against forgery.”
But while these exotic technologies are promising, it’s more likely the government will resort to a variant on token or biometric security that will capture the iris or fingerprint or facial recognition to authenticate a user’s identity.
With such innovation underway, it’s likely that government will soon come to the realization that standard password protection simply isn't good enough anymore. And while that may not happen in a year’s time, by the end of 2014 the days of the common password will be numbered.
John Breeden II is a freelance technology writer for GCN.