Time to Replace Passwords

It's time to replace passwords with something else.  We're being asked to remember more and more of them and users are reaching saturation point.  (Yes, I know you can use something like OpenID, but that is less secure in one respect: if someone cracks that one login they have access to many more services.  Then again, in practice most people use the same password for everything anyway.)

I know this because I'm an IT Manager.  I have hundreds of passwords, far more than I could ever keep track of in my head (especially as some are used so rarely), so I use a piece of software (the excellent KeePass) to help me.  Most people don't though.  I can tell you what a problem passwords are for the average user because I have to support them.

We recently moved our hosted email to a new system, and my users are now forced to pick an eight-character password with various complexity requirements, which then has to be changed every 90 days (I didn't set these rules).  What generally happens is that they tick the box for the email client to save the password, and after 90 days they can't remember it, so I have to walk them through a reset.  Most of those I stood beside when they reset it simply wrote the new password down on a handy post-it, scrap of paper or notebook.  And most of them had only altered their password by changing the number at the end of it.

My users are no different from those in most organisations.  I worked for the MOD at one point, and one of my jobs was to upgrade the printers at our sites.  While installing the new printer drivers we would often find people's passwords stuck to their monitors or on a piece of paper pinned to the wall.

You could argue that people need to be taught better password discipline, but what's the point?  The typical password length has been creeping up as we try to keep ahead of Moore's law.  The problem is that, once an attacker has stolen a copy of the hashed passwords, anything under nine characters can be brute-forced offline in minutes to days (depending on the character set) using relatively cheap graphics cards, which can test billions of guesses a second because a GPU runs thousands of hash calculations in parallel.  And that figure assumes nine random characters mixing letters, numbers and symbols; if you pick a word or phrase, a dictionary attack with a few mangling rules (capitalise the first letter, bolt a number on the end) will happily cope with much longer.  That's today, with one GPU: processing power marches on, and GPUs can be used in tandem.  The arithmetic only changes if the site stored its hashes with a deliberately slow algorithm such as bcrypt or scrypt, which pushes the same search from hours to years, or if the attacker is limited to guessing against the live login form, where rate limiting applies.  Now imagine forcing everyone to use nine-character (or longer) random passwords for everything.
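To put numbers on the claims above, here is an added example (not from the original post) that estimates exhaustive-search time for different password lengths, character sets and hash algorithms, and then runs a small dictionary-plus-rules attack of the kind that recovers "Welcome1" or "Summer11!" from a stolen hash list.  The per-second guess rates are illustrative single-GPU assumptions rather than measurements, and the wordlist and the "stolen" hashes are constructed for the demo.

```python
import hashlib

# Assumed single-GPU guess rates (illustrative orders of magnitude, not
# benchmarks): fast unsalted hashes run at billions of guesses per second,
# a deliberately slow hash such as bcrypt at only thousands.
ASSUMED_GUESSES_PER_SEC = {
    "fast unsalted hash (NTLM/MD5/SHA-1)": 10_000_000_000,
    "bcrypt, cost 12": 5_000,
}

ALPHABETS = {
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "all printable ASCII": 95,
}


def seconds_to_exhaust(length, alphabet_size, guesses_per_sec):
    """Worst-case time to try every string of `length` symbols drawn from an
    alphabet of `alphabet_size`; on average a hit lands at half this."""
    return alphabet_size ** length / guesses_per_sec


def human(seconds):
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def crack_time_table(lengths=(8, 9, 12)):
    """Exhaustive-search time for every hash/alphabet/length combination."""
    return {
        (hash_name, alpha_name, length):
            seconds_to_exhaust(length, size, rate)
        for hash_name, rate in ASSUMED_GUESSES_PER_SEC.items()
        for alpha_name, size in ALPHABETS.items()
        for length in lengths
    }


def mangle(word):
    """Candidates a rule-based attack derives from one dictionary word,
    mirroring how users really 'change' a password: capitalise it, bolt a
    number on the end, maybe a '!' after that."""
    bases = (word, word.capitalize(), word.upper())
    suffixes = [""] + [str(n) for n in range(100)]
    for base in bases:
        for suffix in suffixes:
            yield base + suffix
            yield base + suffix + "!"


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(stolen_hashes, wordlist):
    """Offline dictionary+rules attack against unsalted SHA-256 hashes.
    Returns {hash: plaintext} for every hash recovered."""
    remaining = set(stolen_hashes)
    recovered = {}
    for word in wordlist:
        for candidate in mangle(word):
            digest = sha256_hex(candidate)
            if digest in remaining:
                recovered[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return recovered
    return recovered


# Constructed demo data: a tiny wordlist and a 'stolen' hash file built from
# the kind of passwords described above (dictionary word, capital letter,
# trailing digit bumped at each 90-day change) plus one genuinely random one.
SAMPLE_WORDLIST = ["welcome", "password", "summer", "letmein", "monkey"]
SAMPLE_PLAINTEXTS = ["Welcome1", "password2", "Summer11!", "kQ7#vz9Lp"]
SAMPLE_HASHES = [sha256_hex(p) for p in SAMPLE_PLAINTEXTS]


if __name__ == "__main__":
    for key, secs in sorted(crack_time_table().items()):
        print(f"{key[0]:>38} | {key[1]:>20} | {key[2]:>2} chars: {human(secs)}")
    print()
    for digest, plain in crack(SAMPLE_HASHES, SAMPLE_WORDLIST).items():
        print(f"{digest[:16]}...  ->  {plain}")
```

Two things fall out of running it: the eight-character lowercase keyspace is gone in seconds against a fast hash while the same length under bcrypt takes longer than recorded history, and the three "policy-compliant" passwords fall to a five-word list with trivial rules while the random one survives.  The length threshold in the text is really a statement about the hash function and the character set, not about length alone.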

So I think we're at the point where passwords need to be consigned to the bin, or at least passwords on their own.  It's time for biometrics to step in.  Biometrics are physical or behavioral traits that can be used to identify an individual: your fingerprints, for example.  The technology has been around for some time (some laptops ship with fingerprint scanners) but hardly anyone seems to use it.  Imagine being able to simply swipe your finger to gain entry to a system, every system, with the scan used to generate a huge password that would take millennia to break.

That's not to say biometrics are infallible.  Take the face recognition Google built into the latest version of Android: it appears to be beatable with a photograph of the person, because it can't distinguish paper from a face.  Fingerprint scanners can be beaten too.

The other fear is that if someone obtains the hash of your fingerprint (or face, or retina, or whatever) they have access to something you can't change.  So perhaps it would need to be combined with something else (the spacing of your eyes, prints from several fingers, your voice).  Or you could simply make it variable: some software generates the hash but lets you pick the method per service (iris recognition for one, fingerprint for another, voice for a third).  The stronger answer is to make sure the biometric is never the credential at all: keep the template on the device, use a successful local match only to unlock a key the device holds, and give each service its own revocable key derived from that, so a breach at one service can't leak something you're stuck with for life.
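The following is an added design sketch, not the scheme the post proposes, showing how a biometric can gate a credential without ever becoming one.  It assumes the device does the match locally (the sensor's verdict is stood in for by a boolean), holds a root secret, and derives a separate key per service with HMAC; the services, users and "breach" are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Assumption (added example): the fingerprint/iris/voice template is matched
# only on the device and never hashed into a credential. A local match unlocks
# a device-held root secret; each service gets its own key derived from it.
# A breach at one service exposes nothing reusable elsewhere, and any single
# key can be rotated without touching the biometric.


class Device:
    """The user's device: holds the root secret and performs the biometric match."""

    def __init__(self):
        self._root = secrets.token_bytes(32)   # never leaves the device
        self._generation = {}                  # service name -> key version

    def _derive(self, service, generation):
        # HMAC as a one-way KDF: a derived key reveals neither the root nor
        # any other service's key; a new generation yields a fresh key.
        info = f"{service}:{generation}".encode()
        return hmac.new(self._root, info, hashlib.sha256).digest()

    def enrol(self, service):
        """Register with a service by handing it this service's current key."""
        generation = self._generation.setdefault(service, 0)
        return generation, self._derive(service, generation)

    def revoke(self, service):
        """Rotate one service's key, e.g. after that service is breached."""
        self._generation[service] = self._generation.get(service, 0) + 1
        return self.enrol(service)

    def respond(self, service, challenge, biometric_matched):
        """Answer a login challenge only if the local match passed.
        `biometric_matched` stands in for the sensor's decision."""
        if not biometric_matched:
            return None
        key = self._derive(service, self._generation[service])
        return hmac.new(key, challenge, hashlib.sha256).hexdigest()


class Service:
    """A relying party: stores per-user keys, never any biometric data."""

    def __init__(self, name):
        self.name = name
        self._keys = {}   # user -> (generation, key)

    def enrol(self, user, generation, key):
        self._keys[user] = (generation, key)

    def challenge(self):
        return os.urandom(32)   # fresh nonce per login, so responses can't be replayed

    def verify(self, user, challenge, response):
        if response is None or user not in self._keys:
            return False
        _, key = self._keys[user]
        expected = hmac.new(key, challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def run_scenario():
    """Enrol with two services, log in, breach one, revoke; return each
    observation as a named boolean so it can be checked."""
    device = Device()
    mail, bank = Service("mail"), Service("bank")
    for svc in (mail, bank):
        gen, key = device.enrol(svc.name)
        svc.enrol("alice", gen, key)

    c = mail.challenge()
    login_ok = mail.verify("alice", c, device.respond("mail", c, True))

    c = mail.challenge()   # sensor rejects (photo held up to the camera, say)
    login_rejected = not mail.verify("alice", c, device.respond("mail", c, False))

    _, stolen_key = mail._keys["alice"]   # mail's database is dumped
    c = bank.challenge()                  # ...but its key is useless at the bank
    forged = hmac.new(stolen_key, c, hashlib.sha256).hexdigest()
    bank_unaffected = not bank.verify("alice", c, forged)

    gen, key = device.revoke("mail")      # rotate; biometric untouched
    mail.enrol("alice", gen, key)
    c = mail.challenge()
    forged = hmac.new(stolen_key, c, hashlib.sha256).hexdigest()
    stolen_key_dead = not mail.verify("alice", c, forged)
    c = mail.challenge()
    new_key_works = mail.verify("alice", c, device.respond("mail", c, True))

    return {
        "login_ok": login_ok,
        "login_rejected_without_match": login_rejected,
        "bank_unaffected_by_mail_breach": bank_unaffected,
        "stolen_key_dead_after_revoke": stolen_key_dead,
        "new_key_works": new_key_works,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:32} {result}")
```

The symmetric HMAC keeps the sketch to the standard library; a production design would hand each service a public key instead, so that even the per-service secret never leaves the device.  What carries over either way is the separation: the thing that can't be changed (the template) stays local, and the thing that can be stolen (the per-service key) can be changed.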

There's a long way to go and certainly many hurdles yet to overcome, but the password has long shown its vulnerabilities and it's time to move on.

1 Comment

  1. Charlie

    Totally agree Lee. I also think that until biometrics really come into play IT and HR departments need to clamp down on employees writing down passwords. Make it a disciplinary offence and follow through with a warning. Of course we'd (as IT) need to inform users as to tools that could help them remember all their passwords, e.g. KeePass (or provide a corporate equivalent linked into AD), in order to make this workable given all the reasons you mentioned above, but assuming we did so users would have to remember one or two passwords at most.
