Hoping for an end to passwords

Two things have happened recently which have increased my dislike of passwords to levels that are approaching pathological. Firstly, a number of the services I use (mostly associated with my blog) have forced me to make my password more secure by including more numbers and avoiding common words. Moreover, different services have different rules about what is and isn’t acceptable, and I now have more passwords to remember than ever before. In fact I now have too many to remember and so I keep lists of passwords all over the place. I know that security experts advise that we use different passwords for all our services and change them regularly, but that is too much for me (and I suspect their fears are overblown). I do an OK job staying secure for a small number of services that I’m worried about, but for the rest I choose to keep it simple.

The second thing that’s happened is that Eira, my eldest child, is reaching an age where she needs accounts for a whole bunch of services – email, MoshiMonsters, Mathletics and more every month – and I have to keep track of these as well. Some of them she forgets and gets locked out of services and others she updates herself. It’s a nightmare.

With this going on in my life you can imagine I was pleased to see this article on Wired which describes a USB key approach that Google is promoting. Here’s the key passage:

Passwords are a cheap and easy way to authenticate web surfers, but they’re not secure enough for today’s internet, and they never will be.

Google agrees. “Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Grosse and Upadhyay write in their paper.

Thus, they’re experimenting with new ways to replace the password, including a tiny Yubico cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a web surfer into Google. They’ve had to modify Google’s web browser to work with these cards, but there’s no software download and once the browser support is there, they’re easy to use. You log into the website, plug in the USB stick and then register it with a single mouse click.

They see a future where you authenticate one device — your smartphone or something like a Yubico key — and then use that almost like a car key, to fire up your web mail and online accounts.

For this initiative to be in any way useful Google will need to persuade large numbers of other website owners to adopt their technology for sign in. They have made it independent of Google, but whether website owners will trust them enough to hand over their sign up process is a big open question.

The password problem isn’t new. I always thought that biometrics, especially fingerprints, offered a good solution, but they have been around for a while now and haven’t caught on, probably because of hardware costs. Maybe smartphone-based fingerprint scanners will prove a cheaper and more viable alternative. Identifying users by the individual pattern of their keystrokes is another exciting idea, largely because it doesn’t require any extra hardware.

Hopefully someone will find a solution soon. Ideally before Stanley, my six-year-old, starts opening up online accounts like his sister does today.

  • neil_lewis

    I’m with you on this one Nic – as I have picked up the mantle of home tech support I spend too much time helping my teenagers (14 and 16) and family to manage their passwords.

    However, I think the USB key solution has another important application – and that is either end of life or ageing parents. In both cases, there is no simple or neat solution to hand control to a trusted party (either on death or failing health).

    Dementia is a serious issue that affects many people who are growing older, with 1m people in the UK expected to have some form of mild dementia. Clearly, if we struggle with passwords, so will they. In effect, the password issue has the risk of locking out the silver surfers from communicating or purchasing or using online services (such as online banking).

    I believe that this initiative may be most willingly adopted by those services focused on older generations and possibly via some of the charities in that sector too.

  • brianfrumberg

    Nic, frustration shared, and I don’t have kids yet. I recently adopted a solution called LastPass, based upon favorable reviews from PC World and CNET, and it has worked without hassle or headache for weeks now. After a simple registration process and linking it to my Chrome browser on my PC and Mac, it now offers to save passwords to sites I log into (much the same as your browser will) and subsequently will automatically sign you in the next time you visit the site (with options beyond auto-login).

    When you are signing up for a new service, it offers to create a secure password for you and logs you in upon subsequent visits.

    If you take the time, you can also save address, credit card, and other data and LastPass will auto-fill web forms for you. I have used this feature and it has worked seamlessly.

    A premium version will allow you to install LastPass to your Android and iOS devices as well.

    If you are comfortable with a service like this, it may serve as a good solution for someone managing scores of passwords for themselves and others. Take a look and let me know what you think.


    p.s. Had a great meeting with Josh and Thatcher this morning.

  • Good point Neil. Every new technology needs to find a sweet spot for market entry

  • Cool. Thanks Brian. I made a half-hearted attempt to use LastPass a few months ago, but I guess I didn’t give it a proper go. I will give it another look.

  • Hi Nic, interesting article, have you heard of PixelPin? We replace passwords with pictures. PixelPin lets you choose a photograph that’s personal to you (or any image at all, for that matter – your daughter could choose a pic of her favourite Moshi Monsters) – and pick 4 points on the image, in sequence, to log in. There are far more places to ‘tap’ on a picture than there are combinations of letters and numbers that make up a password, pictures are more secure as they’re not vulnerable to dictionary attacks or phishing, and finally, there is a large body of academic research suggesting that people remember images better than words (look up the Picture Superiority Effect).
    We’re aiming to solve the problems with passwords once and for all – by getting rid of them! We’d love to know what you think.

    Sarah, PixelPin

  • Thanks Sarah. I have indeed heard of PixelPin. I mentioned you in a follow up post on the subject of passwords.