Rejoice! The End of ‘User Name and Password’ May Be Nigh

Tech companies, including PayPal and Google, have joined together to dream up the future of passwords. And the future is to have no passwords at all


What’s the absolute worst part of the Internet? Reasonable folks may disagree, but most would say keeping track of an endless string of passwords ranks somewhere at the top.

Nobody, of course, can remember a unique password for the dozens of sites we each sign into each day, so we end up using the same one over and over again. But as recent breaches of high-profile websites like LinkedIn and Gawker show, this practice makes us increasingly vulnerable to hackers who can find valuable passwords for our bank accounts and e-mail by breaking into other less secure sites.


This is why a consortium of tech companies, including PayPal and Google, has joined together to dream up the future of passwords. And the future, according to this FIDO Alliance (which stands for Fast Identity Online), is to have no passwords at all. “Passwords are just not working terribly well anymore,” says Michael Barrett, chief information-security officer of PayPal and president of FIDO. “And they’re starting to impede the development of the Internet ecosystem.”

A recent study released by Nok Nok shows just how bad many of us are at protecting our online identities. On average, it says, an Internet user has 6.5 passwords, and each password is shared across 3.9 websites.

Furthermore, ever-growing computing power is making even strong passwords vulnerable. According to a report released earlier this year by the consulting firm Deloitte, more than 90% of user-generated passwords are “vulnerable to hacking.” The report reads:

“Most organizations keep usernames and passwords in a master file. That file is hashed: a piece of software encrypts both the username and password together. Nobody in the organization can see a password in its unencrypted form … So far, so secure. However, master files are often stolen or leaked. A hashed file is not immediately useful to a hacker, but various kinds of software and hardware … can decrypt the master file and at least some of the usernames and passwords. Decrypted files are then sold, shared or exploited by hackers.”

Barrett says that the failure of the password system isn’t an immediate crisis for Silicon Valley, especially for companies that have the wherewithal to invest in robust security systems. But if the problem keeps getting worse, it will begin to erode people’s confidence in online commerce, hurting the industry all around. FIDO is an effort by the industry to get ahead of this problem and dream up a replacement for the password system before it’s too late.

So what is FIDO’s solution? As a consortium of companies, FIDO isn’t interested in coming up with a single alternative to passwords, but rather wants to create a technological framework through which different companies can offer various solutions. While FIDO is agnostic about what method or methods of authentication ultimately replace the password, Barrett explained that the technology exists for devices like computers and smartphones to recognize who you are through your unique physical qualities.


For instance, camera resolution on computers and phones is advanced enough that your computer could verify who you are by scanning your face or eyes. And Barrett expects that within a year smartphones with fingerprint scanners will hit the market. Other examples of authentication methods include touchscreens that can read your signature and voice-recognition software.

If a user has one of these devices, then websites that join the FIDO system can choose which authentication methods to accept. For instance, PayPal might decide to allow users to sign in using voice and face recognition.

But biometric methods aren’t the only way users could decide to sign into websites. They could instead use a combination of a password and a physical object, such as a USB plug, that tells your device that you are who you say you are. This combination of a password and a device that you carry around with you is much safer than a simple password, and would allow the use of easy-to-remember passwords, since the account can’t be hacked unless the physical device is present as well.
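The two ideas above, a stored password file that is still safe when leaked and a physical device that must be present to sign in, can be shown together in a small login routine. This is an added example, not code from the article or from the FIDO Alliance: it stores the password only as a salted, slow PBKDF2 hash, and has the device answer a fresh random challenge with a key it holds. The device key is a symmetric HMAC key here for illustration; FIDO itself uses a public/private key pair, so the server never holds the device’s secret.

```python
import hashlib
import hmac
import os
import secrets

PBKDF2_ROUNDS = 200_000  # slow hash: a leaked record cannot be cheaply guessed offline


def register(password: str) -> dict:
    """Create a constructed user record: salted password hash plus a registered device key."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    device_key = secrets.token_bytes(32)  # assumed to be generated on the user's device
    return {"salt": salt, "pw_hash": pw_hash, "device_key": device_key, "pending": set()}


def new_challenge(user: dict) -> bytes:
    """Server side: issue a fresh random challenge that the device must answer once."""
    challenge = os.urandom(16)
    user["pending"].add(challenge)
    return challenge


def device_respond(device_key: bytes, challenge: bytes) -> bytes:
    """Device side: prove possession of the key without ever sending the key itself."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def login(user: dict, password: str, challenge: bytes, response: bytes) -> bool:
    """Both factors must pass: the remembered password and the carried device."""
    # Factor 1 (knowledge): recompute the salted hash and compare in constant time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    # Factor 2 (possession): the challenge must be one we issued and not yet consumed,
    # so a captured response cannot be replayed later.
    if challenge not in user["pending"]:
        return False
    user["pending"].discard(challenge)
    dev_ok = hmac.compare_digest(device_respond(user["device_key"], challenge), response)
    return pw_ok and dev_ok


if __name__ == "__main__":
    user = register("easy to remember")
    c = new_challenge(user)
    print(login(user, "easy to remember", c, device_respond(user["device_key"], c)))
```

Because the challenge is consumed on use, replaying an old response fails even with the correct password, which is the property that lets the password itself be simpler.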

Barrett claims that this process of moving away from passwords will take years but says that the technology to do it is available now. It’s just a matter of websites and devices getting together to make it work. He believes it will happen because, in the tech world at least, consumers are pretty good at getting what they want.

Says Barrett: “Consumers want something that’s easy to use and secure. Passwords are neither.”


15 comments
robinxsun

so someone could use our photos to login our account?

LarissaG

Well then people will just acquire a recording of your name (or whatever is necessary for voice recognition access code) or have photos of you at the ready for the face scan...

kemaltolan

If that is true, why is PayPal security so vulnerable, just one simple password. Every bank has a better security system. I like the way that if you try to login from a new device they will send you a one-time code to your cell. That is very safe.


http://www.youtube.com/watch?v=a7s2M45pH-s

MarleyFernandes

Oh for crying out loud... Motorola had a fingerprint scanner on their Atrix 4G and maybe the HD and still nobody cared... now they think it's important?

rajeev.seths80

Indians will screw up any software system. Just a few days back there was an ATM heist case. What more can happen if the Indian managers in supposedly good companies like Accenture India are busy chalking out plans on how to knock out their US counterparts and be the Godfather of the outsourced. From day one these managers are planning man-to-man marking on Microsoft Word or Visio and which of the team members will replace whom from onsite. If well respected companies resort to such aggressive tactics, smaller companies like L&T Infotech send call girls to clients for client ecstasy. It has been caught by its own employees after it sent one call girl to Nordea Bank in Copenhagen. All the clamouring about visas and IT outsourcing will vanish into thin air. India is planning to drag the USA by the collar for stopping outsourcing, what Indians call a Trade Protectionist measure. Companies like Accenture with their financial muscle and might will make OBAMA stoop and he will be left with empty words.

DeweySayenoff

Absolutely the worst drivel I've ever read:

"Nobody, of course, can remember a unique password for the dozens of sites we each sign into each day, so we end up using the same one over and over again." 

I can remember each and every one for each and every website, because I build the site (in some way) into my passwords.

I use part of a website URL (or company name for the shorter website URLs), a short word, a number and a couple of symbols. Parts are capitalized. The number can be placed in whole or in part throughout the password. All I need to do is remember the order that things are put in.

For example, a password for Time.com could be 56TIME&Pascal!23. Let's call the first two numbers my year of birth, the next word the first four letters of the URL or company name (whichever is longer), an ampersand, my short word and my day of birth. I only need to remember that algorithm and I can make a strong, long, hard to crack password that is unique to every site. I can mix and match that algorithm any way I want to by changing the order of the components, or the components themselves. And by changing the algorithm every year or so, and updating my passwords, I make it next to impossible for someone to do a simple crack, even if they learn the old algorithm.

So not only is it possible to create long, hard, secure passwords, it's also extremely easy to create ones that are a snap to remember because you create your own algorithm. Remember one algorithm, and you know all of your passwords at a glance of the site. As long as you don't disclose your specific algorithm to anyone, you're set.

"Nobody can remember unique passwords for each site..."

Bull... Try using your brain with a tip from an expert.

davrus

Lotus Notes has had this technology since 1989!!! A small heavily encrypted ID file which contains the user name and associated password. To log on, you need the physical file, and the password. The password was not stored anywhere else, not in a central database. No one has ever broken the Lotus (now IBM) Notes security. The ID file can be on a USB stick.

TomasGonzalez

@kemaltolan when is the last time u heard of Paypal being hacked? I had an account @pp since 2005 and never had a prob w/hackers! Maybe they dont let it be known.

MichaelHorton

@DeweySayenoff and how do you remember which short word you used? Which symbols?

Honestly though, I don't see this as much of a problem for sites you use every day; even I could remember that, and my memory is terrible. It's the ones that I use once a month or once a year that I can't remember to save my life.

benmcclen

Still, it is very inconvenient and time-consuming to enter such long passwords with numbers and mixed-capitalization on a device lacking a physical keyboard.

saladyears

@davrus Except that Lotus Notes makes up for it by being the worst possible software to use in almost every other possible way.

AlexDacome

@benmcclen TIME consuming? It takes 10 seconds to type in a password, maybe a minute at most. Stop being lazy and deal with it or get off the internet.

markb3699

Geez, no reason to get nasty. Everyone has different aptitudes for different things, and while you might have a good memory for things like passwords, others do not.

benmcclen

I do deal with it, on a daily basis, actually. "maybe a minute at most" to enter a password supports the argument that current password protection is outdated. No need for name-calling, though.