Charles Darwin Would Not Be Using Passwords Today

When Charles Darwin said “It is not the strongest of the species that survives but those who can best manage change,” I don’t think he was referring to website passwords. However, I thought this quote was appropriate to where we are now, and to how useful passwords are to our lives.

Things evolve, and we replace useless items with different things that fill the need better than the old stuff. I don’t use a Walkman or portable CD player any more because I’ve got an MP3 player or a smartphone which does the same thing, only better. I stopped using a TomTom in my car because I now have a navigation system built in. And my VCR has been replaced by on-demand movies and Netflix streaming, allowing me to watch anything I want almost anywhere I want.

So why on earth am I, along with billions of other people, relying on passwords to secure our lives? Sure, passwords were useful when we worked on systems such as mainframes and client-server solutions, but those compute platforms weren’t globally accessible like today’s web platforms are. Also, in the past we did a few things with computers but the majority of our life didn’t revolve around them; today that’s obviously not the case. We shop online, we bank on the web, we post everything about our lives on social platforms, and our mobile devices have become the centerpieces of our lives. Are we secure with an authentication scheme created decades ago?

There are many problems with passwords, but I think one of the most challenging issues for people is password management. Everyone has a favorite one or two, but every site or application is different. Some require a minimum of six characters, some require a minimum of eight, some require capital letters, some require special symbols, some require numbers… the list goes on. Then you need to change them when the provider or company tells you to or you’ll be locked out. One of my apps — I believe it’s PayPal — doesn’t let you reuse any of your previous eight passwords. EIGHT? Seriously? Who has eight passwords memorized? So now we have password managers on our phones where we input every password for every system — and if we lose the device, someone has access to everything! Brilliant! Of course, we don’t need to really worry about this because, as we found out recently, Russian hackers can just go ahead and steal 1.2 billion passwords with the snap of a finger. Clearly, it’s time for this authentication scheme to change, and, as Darwin says, survival is dependent on managing change.

So now that I’ve railed on passwords enough, here are a few options that we’ll likely see over the next few years:

  • Biometric authentication. There are a number of options here, including voice, fingerprint, heartbeat, or retina scans. Personally, I like voice authentication the best as it requires no additional hardware (as a fingerprint reader would). Iris scanners may be great at airports, but they seem a bit pricey for the mass market. Mobile phone scanners could change that, though: you could use the camera on your smartphone to take a picture of your eye. However this plays out, biometric authentication is coming and I’m sure we’ll see it at broader scale soon.
  • Two-factor authentication. Some sites offer this today, including Google’s Gmail service. The idea is that when you try to log in, the site sends a message to the user’s e-mail or mobile phone with a code in it. The user must then enter this code to log in. Hackers would need not only someone’s user name and password, but would physically need to have the user’s mobile phone as well.
  • Token authentication. With tokens, users are provided with a unique bit of information that enables them to log into a site. For example, a sound could be sent to a smartphone that users would need to play into the computer’s microphone in order to log in. Alternatively, an image or QR code could be used to add another layer of security.
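As an added example (not code from the original post or from any of the services it mentions), here is a minimal server-side treatment of the second-factor code flow described above: a short code is issued at login, sent out of band (the SMS or e-mail delivery itself is not modelled), and is accepted only once, only before it expires, and only within a small number of attempts. The class and function names, the lifetime and attempt limits, and the server key are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: server-side handling of a one-time login code that is
# delivered out of band (SMS or e-mail). Delivery is out of scope here; the
# code returned by issue() is what would be handed to the messaging channel.

CODE_DIGITS = 6                  # assumed code length
CODE_LIFETIME_SECONDS = 300      # assumed validity window
MAX_ATTEMPTS = 5                 # assumed guess budget per issued code

# Hypothetical server-side key; in a real deployment it comes from a secret
# store, never from source code.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def _digest(username: str, code: str) -> bytes:
    # Only a keyed hash of the code is stored, so a leaked challenge table
    # does not reveal live codes.
    msg = f"{username}:{code}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


class SecondFactorChallenges:
    """In-memory store of outstanding codes, keyed by username."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry
        self._pending: dict[str, dict] = {}

    def issue(self, username: str) -> str:
        """Create a fresh code for the user and return it for delivery."""
        # secrets gives an unpredictable code; zero-pad to a fixed width.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[username] = {
            "digest": _digest(username, code),
            "expires": self._clock() + CODE_LIFETIME_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, username: str, submitted: str) -> bool:
        """Return True exactly once for the correct, unexpired code."""
        challenge = self._pending.get(username)
        if challenge is None:
            return False
        # Expired codes are discarded before any comparison.
        if self._clock() > challenge["expires"]:
            del self._pending[username]
            return False
        # Each guess consumes budget; exceeding it invalidates the code.
        challenge["attempts"] += 1
        if challenge["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]
            return False
        # Constant-time comparison of keyed hashes, not of the raw strings.
        if hmac.compare_digest(challenge["digest"], _digest(username, submitted)):
            del self._pending[username]   # single use
            return True
        return False


if __name__ == "__main__":
    store = SecondFactorChallenges()
    code = store.issue("alice")          # would be sent to alice's phone
    print("first use accepted:", store.verify("alice", code))
    print("replay accepted:", store.verify("alice", code))
```

The three checks in `verify` (expiry, attempt budget, single use) are what keep a code that leaks from a phone notification or an intercepted message from being replayed later, and the keyed-hash storage means the server never holds the live code in clear text.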

Personally, I like the idea of voice recognition the most. It’s easy, low cost and can be used on any device. Whatever the outcome, though, the important issue is that we start to use an alternative form of security. Username/password theft is appealing to hackers because millions, or even billions as we’ve seen recently, can be stolen quickly. The shift to another type of security scheme would limit the scale to maybe 10 a day or so. I’m sure there will be great resistance to moving away from passwords but, as Darwin said, the ones most willing to change are the ones that survive.

About the author
Zeus Kerravala
Zeus Kerravala is the founder and principal analyst with ZK Research. He provides a mix of tactical advice to help his clients in the current business climate and with long term strategic advice. Kerravala provides research and advice to the following constituents: End user IT and network managers, vendors of IT hardware, software and services and the financial community looking to invest in the companies that he covers.