Whenever I talk about passwords these days, or rather the need to end the use of passwords, I really feel I should call myself Cassandra.
In Greek mythology, Cassandra was the daughter of King Priam and Queen Hecuba of Troy. Her beauty caused Apollo to grant her the gift of prophecy. When Cassandra refused Apollo’s attempted seduction, he placed a curse on her so that her predictions and those of all her descendants would not be believed. In the understanding of some modernists, Cassandra’s prophecies were flawed and incapable of coming true. But to the ancients (and in the sense I use it) the prophecies were accurate, amazingly so, but disbelieved because of flawed understanding by the listeners. My listeners frequently site the cost of replacing passwords, or the ease-of-use of passwords for users or even the (unfounded) insecurity of other authentication methods. All of that is true, but also irrelevant. The cost of a data breach, the even easier to use alternative authentication methods and the incorporation of context sensitive risk-based access controls (with the authentication step as simply one factor) all support my thesis.
Fortunately, I’m not a Jeremiah. This Biblical prophet (he’s credited with writing the Book of Jeremiah, 1 Kings, 2 Kings and the Book of Lamentations) was attacked by his own brothers, beaten and put into the stocks by a priest and false prophet, imprisoned by the king, threatened with death, and thrown into a cistern by Judah’s officials. These people didn’t like what he had to say! No one would speak up in Jeremiah’s defense, but a number of people, publications and organizations have taken up the cry to banish passwords as the sole method of authentication for user accounts.
One of the people is Google’s Tim Bray. He’s a developer evangelist for the Mountain View company, often speaking to developers, programmers and coders on best practices. Formerly the Director of Web Technologies at Sun Microsystems, Bray was also one of the main authors of the original XML specification. Speaking at the recent Glue Conference (the foremost independent gathering of developers), Tim was vehement in denouncing passwords. As noted by Ping Identity’s John Fontana:
“Near the beginning of his talk, Bray dropped to his knees, pounded the floor with his fists and sent out a plea to web sites asking that they not force him into creating another password. He implored developers to get on board with emerging identity protocols, namely OAuth 2 and OpenID Connect.”
Bray went on to talk about all of the non-password possibilities for authentication that can be built-in to apps. Fontana reports that Bray told the crowd: “If you go into the password business, you are peeing in the swimming pool,” that is, you’re being anti-social and deserve the scorn of your peers.
One publication that presented stark evidence of the vulnerability of passwords was Ars Technica. In an article called “Anatomy of a hack: How crackers ransack passwords like ‘qeadzcwrsfxv1331’,” they presented the story of three hackers – a developer of cracking software, a security consultant, and an anonymous cracker – given relatively standard PCs, readily available cracking software and 16,449 passwords converted into hashes using the MD5 cryptographic hash function. The person with the most underpowered computer took 20 hours and cracked 14,734 of the hashes, a 90-percent success rate. Another person unscrambled 13,486 hashes (82 percent) in a little more than one hour, using a slightly more powerful machine. The story even cites Ars Technica deputy editor Nate Anderson, never known as a cracker, who deciphered almost half of the passwords in just a couple of hours. Go read the whole article, it’s fascinating – and very scary if you still use passwords, but feel that by hashing and encrypting them that you and your users are safe.
The organization who’s taken a step away from passwords is Amazon.com, specifically Amazon Web Services (AWS), the cloud provider arm of the retailing giant. With a newly released API (didn’t we tell you that the API economy was the coming thing?), developers can use Facebook or Google credentials for authentication as well as the newly released Login with Amazon, a free service that lets third party apps and websites use the online retail giant’s system for authenticating users. If you are interested (and any AWS developer should be), Amazon has published an article including examples of use on it’s AWS web site.
Finally, The UK’s Daily Mail (in the Mail Online) revealed what’s coming on the authentication horizon. Motorola has shown not one, but two very different authentication schemes which may – or may not – ever see the light of day. The first is called the “Biostamp,” an electronic tattoo made of silicon and containing an electrical circuit, antennae and sensors that bend and move with the wearer’s body. The tattoos, designed by Massachusetts-based firm MC10, are intended for medical purposes to track a patient’s health, but Motorola thinks the technology can be used for authentication purposes, as an alternative to traditional passwords.
The second is even stranger – it’s called a ‘vitamin authentication pill,’ and when swallowed it’s powered by acid in the ingestor’s stomach and creates an 18-bit signal picked up by mobile phone. The Proteus Digital Health pill has already been approved by the U.S. Food and Drug Administration and was given European regulatory approval in 2010. It contains a computer chip that can be powered like a battery using the acid in the wearer’s stomach. Once swallowed the ‘vitamin authentication pill’ creates an 18-bit ECG-like signal inside the person’s body that can be picked up by mobile devices and authentication hardware outside the body which could be used verify the wearer is the correct owner of the device or account. It’s claimed that the pill could be taken every day for 30 days, if necessary, without any problems.
So there you have it – more evidence that passwords are bad, more experts exhorting developers to stop using them and more major hardware and software firms offering valid alternatives. Still using passwords? What’s your excuse?