TechViews News
Because of the major data breaches of the past couple of years, methods for securing our login credentials have become a hot topic.
Traditionally, passwords have been used, and they are quite effective. But with new technology, some ‘experts’ are calling for a switch to biometric authentication.
Every couple of months we see tech articles proclaiming “the death of the password.” Most of the computing magazines will have advertisements from companies promising to “make passwords obsolete.” I can’t count how many times I’ve read that a new technology, usually biometric, will “replace the password.” But the truth is, all the ‘new technologies’ have failed.
And it’s not that passwords are bad, or obsolete, it’s simply that we’ve been using them wrong.
And we are now learning that passwords that look like gibberish to us make perfect sense to a computer. That means a basic password decoder can crack open your password relatively easily. It’s not the jumble of caps/lower case, numbers, and symbols that’s important; it’s the length of the password itself. Essentially, change your ‘password’ to a ‘passphrase’. Each added character increases the difficulty of cracking a password exponentially.
The truth is that passwords are certainly not going away anytime soon. Here are some reasons why.
Passwords are typed either completely right or completely wrong.
“Bsdo#du()q1” looks a lot like “Bsd0#du()1” to us mortals. But to a computer, they’re completely different. There’s no fudge factor, and no machine will ever mistake one for the other.
By contrast, biometric technologies such as fingerprint readers, iris scanners and typing analyzers always have to accept a certain margin of error, because biology is fuzzy. Voices, faces and lighting all change, and a biometric reader has to take that into account.
But get close enough to the real thing, and you can fool a biometric identification system, as has been demonstrated many times. Reduce the margin of error, and you’ll get false negatives and angry users. Passwords have neither of these problems.
Passwords don’t care about the technology they are used with.
They’re just a (relatively) short string of text. Every operating system made in the past half century — Windows, Mac, Unix, Android, iOS, or whatever — can handle a password.
But not all devices can see your face, read your fingerprint or analyze your gait. Yes, we’ve seen TV and movies where instant biometric information leads to instant identification. While secret development agencies are working on such techniques, they are still a looong way off from being accurate enough to rely on.
Passwords are disposable and cost nothing.
If a password gets compromised in a data breach, you simply replace it with a new one. It’s also easy and cheap to create dozens or hundreds of new passwords.
But you have only 10 fingers and only two eyes. What do you do when your fingerprints are compromised? (This happened to government employees whose information was stolen in the 2015 breach at the federal Office of Personnel Management.) Unless you’re living in movie fantasyland, you can’t replace your body parts quite so easily.
Passwords can be shared if you absolutely need to.
I know you’re not supposed to share passwords, but people do it all the time, often for very good reasons. You can email passwords (though it’s not a good idea), text them (still a bad idea), write them on a piece of paper (uh…no) or just tell someone in person (well…if you must). You can’t pass along a fingerprint or an eyeball.
Passwords are anonymous.
Unless you’re using personal information for your password, there’s nothing about it that traces it back to you. By contrast, your voice, fingerprint, iris, retina and other biometric data, or even your smartphone, belong to only you — and can be used to track you as well as log you in.
Passwords are secret.
Or at least they’re supposed to be. But biometric identifiers are not. Your face is seen in public almost every day. Your fingerprint can be lifted from a wine glass. Your DNA can be retrieved from a fallen hair. But only you (in theory) know your password.
Using Passwords the Right Way
The problems with passwords arise only because they’re used by humans, and we humans are lazy. We make passwords that are too short and too easy to guess, and we reuse passwords for multiple accounts so that one service’s data breach will result in many more services being compromised.
But we can reduce the human factor by using machines. We can use password managers that generate and remember strong, unique passwords for every account we use. It’s true that a password manager is a single point of failure, but you can get around that by using more than one password manager and dividing up your accounts among them.
We can use two-factor authentication, which these days can be much stronger than just a texted code. The second factor can be a randomly generated number from an authenticator app, or a USB authentication key you keep on your keychain. You won’t have to use the second factor most of the time — only when you’re logging in to an account from a new device.
And my favorite – use a passphrase instead of a password. This method increases the number of characters needed to log in. As an example, instead of using a password like: “TeXasHeaT”, try something like “TexasishotbutHoustoniscool”. Yes, it takes more effort, but it is waaay more secure.
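To put numbers on the length argument, here is an added example (not part of the original article) that computes the character-by-character search space for the strings quoted above. The function names and the guess rate of 10^10 per second are assumptions made for illustration. The result is an upper bound: it applies only to guessing one character at a time, and a phrase built from common words falls to word-based guessing much sooner.

```python
import math
import string

# Character classes a character-by-character guesser has to cover.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def alphabet_size(password):
    """Sum the sizes of every class the password draws from."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Characters outside those classes (space, non-ASCII) are counted one by one.
    extras = {c for c in password if not any(c in cls for cls in CLASSES)}
    return size + len(extras)

def keyspace(password):
    """Number of candidates of this length over this alphabet."""
    return alphabet_size(password) ** len(password)

def bits(password):
    """Search space expressed in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))

def seconds_to_exhaust(password, guesses_per_second=10**10):
    # guesses_per_second is an assumed attacker rate, not a measured one.
    return keyspace(password) / guesses_per_second

def compare(passwords):
    """Return (password, length, alphabet, bits, seconds) rows."""
    return [(p, len(p), alphabet_size(p), round(bits(p), 1),
             seconds_to_exhaust(p)) for p in passwords]

if __name__ == "__main__":
    # Example strings quoted in the article.
    samples = ["TeXasHeaT", "Bsdo#du()q1", "TexasishotbutHoustoniscool"]
    for p, n, a, b, s in compare(samples):
        print(f"{p:28} len={n:2} alphabet={a:2} bits={b:6.1f} "
              f"exhaust={s / 86400:.3g} days")
```

The 26-letter passphrase has a larger search space than the 11-character mixed-symbol string even though it uses a smaller alphabet, because each extra character multiplies the number of candidates by the alphabet size.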
The bottom line is that passwords are not going away, and neither are we. We simply have to use them smarter.
Be Safe – Backup Your Data Regularly!