[thedoc]

What is the future of passwords?
Asked by Stuart Coulson


                                        Visit the webpage for the podcast in which this question is answered.

 

[thedoc]

We answered this question on the show...



 Steven -   I think it would be great if there was some replacement for passwords because they have so many problems, but so far, all of the solutions that have come out have been problematic in some way or another because you really need to have something that is linked to that person because they want to be able to use the same security credentials regardless of where they're going.  So probably, the best way of trying to manage passwords nowadays is to use different passwords for every website and then have some software maybe running on your phone, maybe running on your PC that tries to manage all of those and stop you having to remember them all.

[CliffordK]

One can, of course, program one's computer to remember many of one's passwords, but I think that is a major security risk, so I tend to turn those functions off.

There have been a few advanced security schemes tested.  For example, some banks track the password, and the PC where the login attempt was made.  If a login attempt is made at a "unique" PC, then the bank will send a confirmation message to one's cell phone, at which point one must type in the confirmation code into the login.  Of course, invariably my cell messages didn't come through, and I ended up standing outside in the cold hoping to get my confirmation numbers.

Another method used is a "bingo card".  It is quite a simple concept.  One has a list of probe codes, and answer codes written on a card that the person keeps.  So, when one attempts to log in, one must look up the probe question and answer on the card.  If the card is lost, a new one is issued.

No doubt the future will bring more sophisticated online identity verification.  My IBM/Lenovo laptop had a fingerprint scanner, but I don't think that concept really caught on.

[imatfaal]

To follow up Clifford's post: Google now have double identification via text message to mobile phone if you wish to enable it for gmail (every 30 days and any new computer).  Our banks in the UK now issue number generators - when I log on to my bank I punch a pass code into my number generator and it spits out an 8 digit number which I must put into the bank website to access my accounts - this gets around the key-logger or sniffer problems. 

More and more companies are only sanctioning new pc.s if they include a decent finger-print scanner.  I have my laptop locked on my fingerprint - it is super convenient, but I am not sure how secure it is.  It does however give security against casual "borrowers" and family members who just need to check emails!

[syhprum]

I have one of the small quasi random number machines supplied by Barclays bank but it is a small poorly built device powered by two three volt cells and a great inconvenience, could the same thing not be done by software on the computer.

[CliffordK]

I have one of the small quasi random number machines supplied by Barclays bank but it is a small poorly built device powered by two three volt cells and a great inconvenience, could the same thing not be done by software on the computer.

Probably.
However, it is much harder to "hack" a credit card sized number generator with no internet connection than a computer. 

Perhaps more should be done with hardware keys on a computer.  IP addresses change frequently.  But, a computer's network card identity doesn't (although it could probably be spoofed).

[syhprum]

For use on a set top PC it should be possible to incorperate these devices into a special keyboard which I would purchase if someone would manufcture one you can of course glue the device onto a regular keyboard and power it from the computer but a properly integrated device with a back lit display would be better.

[RD]

... glue the device onto a regular keyboard ...

Keeping the pseudorandom number generating device, (or a computer simulation of it), on your computer defeats the purpose of the exercise : anyone who has access to your computer, with the device attached, would then only require your password to empty your bank account.

A password could be obtained by eavesdropping (electronic or shoulder-surfing), or phishing, but the pseudorandom number generator will protect your account even if the bad-guys know your password, provided they don't have the device (or know the algorithm it uses to generate the numbers).

Keeping the pseudorandom number generator separate from the computer is required for security, otherwise it’s like leaving a key in the door.

[syhprum]

I can see the logic of the argument that the PRNG should be kept seperated from the computer but I wonder if they are all unique as the villains could easily aquire one.
The bank never warned me to keep them seperate.

[RD]

... I wonder if they are all unique as the villains could easily aquire one.

Each device has  a unique serial number which is used to generate the pseudo-random number sequence.
So your device wouldn't be any help in getting access to someone else's account at the same bank , and vice versa.

[nicephotog]

Java smart-card technology (Java card) is something may be relevant here, such systems beat losing your password and are less copyable and require a machine to get the information from(warning - may require a passsword or card), passwords are akin to unique ID's and unique serial number stamps. Great example is CPUID of the central processing unit chips.