Two things have happened recently which have increased my dislike of passwords to levels that are approaching pathological. Firstly, a number of the services I use (mostly associated with my blog) have forced me to make my password more secure by including more numbers and avoiding common words. Moreover, different services have different rules about what is and isn’t acceptable, and I now have more passwords to remember than ever before. In fact I now have too many to remember, and so I keep lists of passwords all over the place. I know that security experts advise that we use different passwords for all our services and change them regularly, but that is too much for me (and I suspect their fears are overblown). I do an OK job of staying secure for a small number of services that I’m worried about, but for the rest I choose to keep it simple.
The second thing that’s happened is that Eira, my eldest child, is reaching an age where she needs accounts for a whole bunch of services – email, MoshiMonsters, Mathletics and more every month – and I have to keep track of these as well. Some of them she forgets and gets locked out of, and others she updates herself. It’s a nightmare.
With this going on in my life you can imagine I was pleased to see this article on Wired which describes a USB key approach that Google is promoting. Here’s the key passage:
Passwords are a cheap and easy way to authenticate web surfers, but they’re not secure enough for today’s internet, and they never will be.
Google agrees. “Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Grosse and Upadhyay write in their paper.
Thus, they’re experimenting with new ways to replace the password, including a tiny Yubico cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a web surfer into Google. They’ve had to modify Google’s web browser to work with these cards, but there’s no software download and once the browser support is there, they’re easy to use. You log into the website, plug in the USB stick and then register it with a single mouse click.
They see a future where you authenticate one device — your smartphone or something like a Yubico key — and then use that almost like a car key, to fire up your web mail and online accounts.
For this initiative to be in any way useful, Google will need to persuade large numbers of other website owners to adopt their technology for sign-in. They have made it independent of Google, but whether website owners will trust them enough to hand over their sign-up process is a big open question.
The password problem isn’t new. I always thought that biometrics, especially fingerprints, offered a good solution, but they have been around for a while now and haven’t caught on, probably because of hardware costs. Maybe smartphone-based fingerprint scanners will prove a cheaper and more viable alternative. Identifying users by the individual pattern of their keystrokes is another exciting idea, largely because it doesn’t require any extra hardware.
Hopefully someone will find a solution soon. Ideally before Stanley, my six-year-old, starts opening up online accounts like his sister does today.