Mat Honan is, as you all know (of course), the author whose online presence, as well as a large part of his private digital assets, was destroyed by hackers simply because they wanted his Twitter account and wanted to wreak havoc (he wrote about this in the article “How Apple and Amazon Security Flaws Led to My Epic Hacking“).
Six months later, Mat returned to the subject and asked us to “Kill the Password: Why a String of Characters Can’t Protect Us Anymore“. His conclusion then was very explicit: passwords are not a good way to protect your data.
We could ban dumb passwords and discourage reuse. We could train people to outsmart phishing attempts. (Just look closely at the URL of any site that asks for a password.) We could use antivirus software to root out malware.
But we’d be left with the weakest link of all: human memory. Passwords need to be hard in order not to be routinely cracked or guessed. So if your password is any good at all, there’s a very good chance you’ll forget it—especially if you follow the prevailing wisdom and don’t write it down. Because of that, every password-based system needs a mechanism to reset your account…
And that means:
The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets—a string of characters, 10 strings of characters, the answers to 50 questions—that only we’re supposed to know.
I’m not so sure about his conclusion. After all, the real problem isn’t the form of the password or key. The core of the problem is people and their “gullibility”; “social engineering” is what the hackers are using as their main weapon. So the question is: how can we avoid that reliance on human memory, as long as we have no replacement for passwords?
Should the operating systems of our devices take a (much) larger share of the memory burden? Do we need small or big applications, in combination with some kind of hardware, to help us? Or perhaps we could use a standalone “passphrase device” with a standardized interface to any relevant device, like the remote “key” that operates almost any modern car? Or are biometric solutions the way of the future?
I’m guessing here, but I have a hunch that passwords aren’t exactly going away soon.