A Password-Free Future?

By: Jackie Benayoun  |  March 20, 2013

The era of passwords is coming to a close. Researchers at Google are exploring new authentication technologies for email and for other password-requiring media. Perhaps for those of us who have had our emails hacked in the past, this stirs more interest. Regardless, companies are working towards employing better technologies for protecting our data, until one day the password will become as archaic as the BlackBerry.

At the same time, security experts and analysts believe that the future beyond password technology won’t be completely devoid of passwords. The password will continue; it just won’t be the sole means of security. According to Jeremy Grant, the head of the National Strategy for Trusted Identities in Cyberspace, a government organization, “Most people will move away from relying on passwords as the only means of authentication.” In the future, analysts predict, email will require a two-step authentication system, which combines a password and a constantly changing code sent via text. Possibly, though, authentication might contain a more personalized component, depending on the type of information we’re trying to protect. But the password will still be present.

The question is how fast this new system will spread. It may be more tedious for the average user to remember extra codes and figures. It will definitely be more time-consuming, although for some the hassle is worth the protection it provides. Because of the perceived annoyance, it might take longer for multi-step authentication to be accepted. Phone verification via text doesn’t sound too far off, though. Most people always have their cell at hand, and smartphones are pretty secure with touch screen codes of their own. The possibilities, however, extend beyond texting. Google, for example, has an Authenticator app that generates the code needed for the second part of authentication, changing the password every 10 seconds. Other companies are working with push notification technology, the alerts that pop up on smartphones. “You enter a username, the app pops up on your phone, asking you to push the green button or to push the red button,” Grant explained. “Suddenly instead of having to carry an extra card, it’s just an app on your smartphone.”

Another possibility revolves around the computer’s ability to recognize its user. “The system to just be able to recognize that you’re exhibiting behavior that is you,” said Grant. Banks already have a similar system in place, alerting the account owner and blocking the credit card if a transaction was made from an unfamiliar location.

“There are companies that have been out there for years, looking at things like key strokes as biometrics,” mentions Grant. For example, the Defense Advanced Research Projects Agency is researching the “keystroke dynamics” idea, which relies upon an individual’s unique manner and rhythm of typing. Measurements available from virtually every keyboard can be recorded to determine dwell time (the time a key is pressed) and flight time (the time between “key up” and the next “key down”); the recorded keystroke timing data is then processed to determine a primary pattern for future comparison. “Or with touch screens, you might have a certain pattern that you tend to use,” Grant adds. Instead of an app, companies might require voice, facial, or eye-scan recognition.
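The dwell-time and flight-time measurement and the "primary pattern" comparison described above, as an added example that is not from the article or from any product it mentions. It assumes key events arrive as (key, key-down, key-up) millisecond timestamps and uses a mean absolute z-score as the comparison; the function names, the threshold and the sample timings are constructed for illustration.

```python
from statistics import mean, stdev

def make_events(keys, dwells, flights):
    """Build (key, down_ms, up_ms) tuples from constructed timing lists."""
    t, events = 0, []
    for i, key in enumerate(keys):
        events.append((key, t, t + dwells[i]))
        if i < len(flights):
            t += dwells[i] + flights[i]   # next key-down = this key-up + flight
    return events

def extract_features(events):
    """Dwell time per key, then flight time per adjacent key pair (ms)."""
    dwell = [up - down for _, down, up in events]
    # Flight is negative when the next key goes down before this one is released.
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def build_profile(samples):
    """Per-feature (mean, stdev) over enrollment samples of the same phrase."""
    columns = zip(*(extract_features(s) for s in samples))
    # Floor the deviation at 1 ms so a very consistent feature cannot divide by ~0.
    return [(mean(c), max(stdev(c), 1.0)) for c in columns]

def distance(profile, events):
    """Mean absolute z-score of an attempt against the enrolled profile."""
    feats = extract_features(events)
    if len(feats) != len(profile):
        raise ValueError("attempt length differs from the enrolled phrase")
    return mean(abs(x - m) / s for x, (m, s) in zip(feats, profile))

def matches(profile, events, threshold=2.0):
    """threshold is an assumed tuning value, not a figure from the article."""
    return distance(profile, events) <= threshold

# Constructed sample data: three enrollment typings of "pass", then two attempts.
KEYS = "pass"
ENROLL = [
    make_events(KEYS, [95, 80, 110, 105], [120, 60, 140]),
    make_events(KEYS, [100, 85, 105, 100], [130, 55, 150]),
    make_events(KEYS, [90, 78, 115, 110], [125, 65, 135]),
]
PROFILE = build_profile(ENROLL)
OWNER = make_events(KEYS, [97, 82, 108, 103], [122, 62, 142])   # close to profile
OTHER = make_events(KEYS, [60, 140, 70, 150], [250, 200, 40])   # different rhythm

if __name__ == "__main__":
    print(round(distance(PROFILE, OWNER), 2), matches(PROFILE, OWNER))
    print(round(distance(PROFILE, OTHER), 2), matches(PROFILE, OTHER))
```

Timing from a typed phrase is a noisy signal, so a check like this fits as one factor alongside the password, in line with the article's point that the password stays but stops being the sole means of authentication.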

Just like we carry keys to our house, we may begin to need something more tangible – like a card – to access our online data. At least that’s the future that the Google inventors foresee: “The primary authenticator will be a token like this or some equivalent piece of hardware.” Of course the idea isn’t too radical; these types of authentication already exist. For government jobs, employees are often required to use a card to sign in. The major problem would naturally be: what would happen if you lose it? That might mean being temporarily cut off from accessing any online data.

In any case, passwords are still the first step. So even in what seems like a promising “password-less future,” there is still no complete escape from the password. Now that that’s established, here are some important tips on selecting the “right password” and protecting your data from professional hackers. These tips are brought to you by Alex Horan, a product manager for CORE Security:

1) Choose unique passwords for the important stuff, like bank accounts. Choose a different password for each account, and compartmentalize them so they’re easier to remember.

2) Forget about choosing a password; come up with a passphrase. A password may seem hard to guess because it combines a well-thought-out series of letters, numbers and symbols. The truth is, such passwords aren’t impenetrable, especially if a computer program does hyper-speed password guessing in a “brute force attack.” A passphrase, on the other hand, consists of a string of words, like song lyrics or book titles. For longer passphrases, “brute force attacks” are much less of an issue, since each additional character makes it exponentially more difficult for a computer to crack. For example, on average, it takes 306 days for an eleven-character password to be cracked but 18,976.5 days for a twelve-character password to be cracked. Longer may be better, but harder to remember if you’re using a nonsensical code. That’s why passphrases work: they’re more memorable.

3) Rethink usernames. Hackers don’t generally search for multiple email addresses that have the same password, but hope the username-password combo matches elsewhere. So don’t think passwords, but rethink usernames. For example, for LinkedIn, have linkedin.Yourname@gmail.com, instead of the standard YourName@gmail.com.

4) Use Gmail, because it lets you appear to have multiple email addresses when you don’t. For example, the email address YourName@gmail.com can also use the following logins: YourName+LinkedIn@gmail.com and YourName+facebook@gmail.com and YourName+Twitter@gmail.com, etc. All those email addresses will work, and they will all come to your inbox.

5) Don’t trust random websites; it’s like locking important stuff up behind something that’s about as secure as childproof medicine caps. If you’re not sure about the authenticity of a website, don’t enter your valuable information in it. No coupon or free movie download is worth identity theft. Better to be safe than to have your info hacked.

 
