Is there life after passwords?
I enlisted my family to find out.
Passwords are a problem, we all know that. But we see those exciting headlines claiming the death of the password, a new password-killing product, or how those pesky passwords will be so passé.
Because everyone hates passwords, right? To be fair, it’s not the passwords we hate, it’s the password policies that kill us. These policies seem to be the IT admin equivalent to monster trucks: some of these policies are simply huge. We can’t help but wonder if these admins hang out at bars after work trying to one-up each other because “Joe doesn’t let his users have the names of planets in their passwords.”
If you ever do get to the point where the system accepts your password, and you finally memorize it well enough to throw away that sticky note, the system notifies you that it has expired and prompts you to start the process all over again. And even with all this craziness we still get hacked. Clearly these passwords need to die.
Based on all the headlines, killing the password does seem to be the mandate for the IT security industry. But can we really get rid of all those passwords, or is this some futuristic pipe dream like flying cars or dog walking treadmills? I decided to find this out for myself (the passwords part, not the dog treadmills, but that would be cool too).
To start this experiment, I needed some subjects: my wife, sons, and father-in-law. Next I set out to find all those password killers we have heard so much about.
It turns out that many of those headlines were more than a bit misleading. Betteridge’s law of headlines seems to be doubly true for password killers. Will that new technology be the death of all passwords? No.
Most of those over-hyped articles refer to academic research, vaporware, companies now out of business, or costly implementations for huge enterprises. There are a few products out there for consumers, but many of them are highly proprietary, need custom software, and are limited in their usefulness. I was a little disappointed.
Because there weren’t as many password killers out there as I hoped, I had to do some piecemeal hardware and software implementations. My wife uses a Windows computer and Android phone all day long, but she really doesn’t like disruptions to her routine. To make this all as transparent as possible for her, I went with a Striiv Fusion Bio activity tracker and a Jakcom NFC smart ring.
The Striiv Bio has Bluetooth and I could set it up to automatically unlock her computer when she was near it. The NFC ring would be perfect for her phone because she could unlock the phone just by holding it in her hand; the NFC sensor is right where the ring sits on her finger. And although she did resist some at first, the benefits of the activity tracker were enough to get her to go along with it. For the most part she doesn’t even realize she’s logging in (she really doesn’t like disruptions to her routine).
Setting up the NFC ring to unlock her phone was pretty easy — it comes with an app to do that for you. The ring itself has two NFC chips in it so you can also have it perform other functions, depending on which side you tap it on. In fact, NFC can be fun. A couple of years ago I bought some NFC stickers and put them all over the place: in my car, on my night stand, even one on the toilet to launch my favorite reading material.
But NFC has a problem: basic chips have little security. Anyone with a reader can wave it near your hand and scan the code to make a clone for themselves. NFC can be secure with more advanced, costlier chips capable of cryptographic operations; the only other option is to wrap your hand in aluminum foil. For the security requirements of my wife’s phone, NFC would do just fine.
Bluetooth was trickier to set up. I ended up having to install several pieces of software and write some custom scripts to get it to lock and unlock her computer. The problem with Bluetooth is range: having your computer unlock when you are 30 feet (over 9 meters) or more away isn’t exactly secure. Like NFC, Bluetooth is also somewhat vulnerable to cloning, although with properly written software developers can make it fairly secure.
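The range problem is handled in the decision logic of such a proximity script. The following is an added example, not the author’s scripts: a small state machine that takes signal-strength (RSSI) readings from whatever Bluetooth tool the host offers, unlocks only after several consecutive strong readings, and locks as soon as the wearable reads weak or disappears. The dBm thresholds and the sample readings are assumptions.

```python
"""Decision logic for a Bluetooth proximity-unlock script (added example).

Bluetooth reaches 30 feet or more, so "device in range" alone is a weak unlock
signal. This state machine consumes RSSI readings (dBm), unlocks only after
several consecutive strong readings, and locks once the wearable reads weak
or is missing. Thresholds and sample readings are assumed values, not measured.
"""
from dataclasses import dataclass

UNLOCK_RSSI = -60   # dBm; roughly arm's length for a typical wearable (assumed)
LOCK_RSSI = -75     # dBm; weaker than this counts as "walked away" (assumed)
UNLOCK_POLLS = 3    # consecutive strong polls required before unlocking
LOCK_POLLS = 2      # consecutive weak or missing polls before locking


@dataclass
class ProximityLock:
    locked: bool = True   # fail closed: start locked until the wearable is clearly near
    strong: int = 0
    weak: int = 0

    def step(self, rssi):
        """Consume one reading (None = device not seen) and return the action taken."""
        if rssi is None or rssi < LOCK_RSSI:
            self.weak += 1
            self.strong = 0
        elif rssi >= UNLOCK_RSSI:
            self.strong += 1
            self.weak = 0
        else:
            # Hysteresis band between the two thresholds: neither near nor gone,
            # so keep the current state and restart both counters.
            self.strong = 0
            self.weak = 0
        if not self.locked and self.weak >= LOCK_POLLS:
            self.locked = True
            return "lock"
        if self.locked and self.strong >= UNLOCK_POLLS:
            self.locked = False
            return "unlock"
        return "none"


def run(readings):
    """Feed a constructed sequence of polls and return the action for each one."""
    lock = ProximityLock()
    return [lock.step(r) for r in readings]
```

A single missed poll while sitting at the desk does not lock the screen, but two weak readings in a row do, and the machine never unlocks on a lone strong reading.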
Although few wearables have any built-in support for authentication, the potential here is huge. Not only are they strapped on to you, but they contain an array of sensors — GPS, microphones, even heart monitors — that could make for interesting advances in authentication.
Wearables verdict:
- Seamless way to unlock devices, but not always easy to set up
- Not useful for web site logins
- Software still required setting backup PINs
- Security level: Medium
- Total cost: $116
- Did it kill the password? It killed a few device passwords, but that hardly made a dent.
I have to admit that YubiKeys, by Yubico, are one of my own personal favorites, so I thought I’d set up my 16-year-old son Alec with some of these. He has a bad habit of reusing the same password everywhere but, on the other hand, he’s organized and never loses stuff. The YubiKey is perfect for him.
YubiKeys certainly aren’t marketed as password killers. In fact, you typically use them along with a regular password to further strengthen your logins. When it comes to authentication there are different factors: something you know, something you have, and something you are. The password is something you know and the USB YubiKey token is something you have (a fingerprint or other physical feature is something you are). The more factors you combine the stronger it gets. Most consider two factors — referred to as two-factor authentication or 2FA — to be secure enough.
The YubiKey normally uses a one-time password, meaning that it generates a different password every time you use it. After logging in, a system can prompt you for your YubiKey, after which you touch the small metal sensor and it sends the one-time password. If this password authenticates with the Yubico central servers, the system lets you in. This, along with a traditional password, is a very secure login system.
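To show what a validation server actually checks once it has decrypted a one-time password, here is an added example (not Yubico’s code): it reproduces the layout of the 16-byte OTP block, the CRC-16 residue test and the counter-based replay check. The AES-128 decryption with the key’s shared secret is left out, so the sample blocks are constructed plaintext, and the private ID used is a made-up value.

```python
"""Server-side checks on a decrypted Yubico OTP block (added example).

A 44-character YubiKey OTP is a 12-character modhex public ID followed by a
16-byte block encrypted with the key's AES-128 secret. After decrypting it, a
validation server checks the CRC residue and the per-key use counters. The AES
step is omitted here; the sample blocks are constructed plaintext."""
import struct

MODHEX = "cbdefghijklnrtuv"   # Yubico's keyboard-layout-independent hex alphabet
CRC_OK_RESIDUE = 0xF0B8      # CRC register value over a block whose CRC field is intact

def modhex_decode(text: str) -> bytes:
    return bytes((MODHEX.index(text[i]) << 4) | MODHEX.index(text[i + 1])
                 for i in range(0, len(text), 2))

def crc16(data: bytes) -> int:
    """Reflected CRC-16, polynomial 0x8408, initial value 0xFFFF (YubiKey flavour)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc

def make_token(private_id: bytes, counter: int, timestamp: int, session_use: int, rnd: int) -> bytes:
    """Constructed plaintext block laid out like the fields a YubiKey encrypts (little-endian)."""
    body = (private_id + struct.pack("<H", counter) + timestamp.to_bytes(3, "little")
            + bytes([session_use]) + struct.pack("<H", rnd))
    return body + struct.pack("<H", ~crc16(body) & 0xFFFF)   # the stored CRC is complemented

class OtpValidator:
    """Holds the highest (counter, session_use) accepted for one key; older pairs are replays."""
    def __init__(self, private_id: bytes):
        self.private_id = private_id
        self.last = (-1, -1)

    def validate(self, plain: bytes) -> str:
        if len(plain) != 16 or crc16(plain) != CRC_OK_RESIDUE:
            return "bad-crc"        # corrupted, tampered, or decrypted with the wrong key
        if plain[:6] != self.private_id:
            return "wrong-key"      # block belongs to another key
        counter = struct.unpack("<H", plain[6:8])[0] & 0x7FFF  # top bit is a status flag
        session_use = plain[11]
        if (counter, session_use) <= self.last:
            return "replayed"       # seen before or older: an intercepted OTP is useless
        self.last = (counter, session_use)
        return "ok"
```

The counter increments on every power-up of the key and the session counter on every touch, so a captured OTP is rejected the moment the genuine one has been used.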
One convenient thing you can do with YubiKeys is have it hold up to two different static passwords that never change. In this case, you tap the metal sensor and it enters your password as if you typed it on your keyboard. If you touch the sensor a little longer, it will enter the second password you saved to the key.
I created strong, unique passwords for all Alec’s most important logins and saved them on the YubiKeys. I also configured his computer to require his YubiKey when logging in to Windows. For him, the YubiKeys were convenient and quite usable.
The problem with the YubiKeys is that no sites support them as a replacement for passwords. Although a growing number of services — such as Gmail — allow you to use YubiKeys as a second factor of authentication, you still have to remember that password. The workaround we used of storing static passwords isn’t a great solution either. Anyone who can gain access to the keys can get your password — you better keep that keychain with you at all times. Because physical keys like YubiKeys can so easily be lost, stolen, or damaged, they probably aren’t going to replace passwords any time soon.
YubiKey verdict:
- Excellent security for two-factor authentication, not a great way to replace passwords
- Don’t lose them
- Security level: Medium to High
- Total cost: $190 for a Nano, two Neos, and a YubiKey 4
- Did it kill the password? No, but they are a great way to strengthen your current passwords.
One of the reasons I didn’t include myself in this study is that I simply have too many passwords; I have to use a password manager. As even the most casual internet users have discovered, it is easy to get overwhelmed with passwords and the only solution is to have a tool to save them for you. Once unlocked with a single master password, password managers automatically fill in login forms in your browser so you don’t have to remember any other passwords.
Using a password manager to create and store your passwords means you can easily follow two key security tips: use very strong passwords and never reuse the same password across multiple systems. Although password managers don’t eliminate passwords, they can make them more secure and more manageable.
My 19-year-old son Ryan doesn’t have that many passwords. He has maybe a dozen and uses strong, unique passwords that he remembers just fine. Still, he uses his Android tablet regularly — it’s always a pain typing long passwords on mobile devices. Because he tends to lose things, I knew a hardware device wasn’t the best idea, so I went with Intel’s True Key password manager [Disclosure: Intel Security is a sponsor of this article and the Practically Unhackable publication].
True Key’s strength is logging in with multiple factors: the first is a device you designate as trusted, such as your phone or home computer. Depending on your device’s capabilities, the second factor can be a password, your face, or a thumbprint. In the application you can enable multiple login methods to be available for the device.
One feature that particularly caught my attention was their facial recognition. In the early days of security, we easily fooled facial recognition by holding up a picture of the user. The technology got smarter, using 3D cameras and other techniques to sense a live person, but this usually requires purchasing additional hardware. The result was either weak authentication or buying an additional 3D camera.
True Key works with Intel’s RealSense 3D camera but will also work with an existing 2D camera on your device. Intel got around the limitations of 2D cameras with a clever trick: having you turn your head from side to side to simulate a 3D scan of your face.
The facial recognition isn’t perfect, but that is always a problem with this and other biometric authentication factors. First, lighting conditions are rarely ideal and always changing. Second, our faces also change: beards, glasses, makeup, and hair styles might vary significantly from day to day.
True Key gets around the facial and lighting changes by using each login to learn more about your face. Theoretically, recognition will improve over time and be able to identify you in just about any condition.
Still, there’s one problem they can’t overcome: you need light for facial recognition to function. My son got frustrated moving his head around trying to get it to work in bed with the lights off before he realized that just wasn’t going to work out. For those times he had to log in with his master password — or stop using his tablet in the dark.
True Key verdict:
- Seamless cross-device support.
- Facial recognition can be a bit cumbersome but improves as it learns your face.
- Only manages application and web passwords.
- Security level: Medium to very high, depending on how you configure it.
- Free for up to 15 logins, $19.99/year for unlimited logins.
- Did it kill the password? It gets rid of many of your passwords, but won’t log you into your devices unless you are using Windows 7 or 8.
My 10-year-old son Evan uses his computer a lot, and that is the only computer he ever uses. He doesn’t have to worry about mobile devices or having to log in from remote locations. For him, Windows Hello with biometric sensors was the way to go.
Surprisingly, his was the easiest and most effective of all the techniques I used, although probably not best suited for a high-security environment. I used an AuthenTec Eikon USB fingerprint scanner and a SteelSeries Sentry eye tracker, both of which work with Windows Hello on Windows 10. The fingerprint scanner is a discontinued product, but for $25 it’s not a bad deal for my 10-year-old’s PC. On the other hand, the eye tracker at $150 wasn’t exactly cheap, but this thing senses your freaking eyeballs.
When he turns on his computer, the eye tracker immediately starts looking for his eyes. If he prefers, he can also choose to log in with fingerprint, password, or PIN.
Being compatible with Windows Hello, both devices showed up automatically under the account settings and enrollment was quick and easy. Facial recognition was fast and the eye tracker even locked his PC when it no longer detected him sitting there. The fingerprint sensor seemed more error-prone and often took multiple swipes to log in.
To handle his website passwords, and since he only browses the web using Google Chrome, I had him use Google Smart Lock. This way he saves all his passwords in Chrome and can also access them from the web at passwords.google.com if needed. Since he didn’t have the best Google account password, I made it more secure with a $5.99 Happlink Security KEY. After entering his password, Google prompts him for this U2F-compatible key, which he inserts into a USB port. After verification, Google logs him in to his account.
Windows Hello verdict:
- Easy to use but limited device support
- Fast login with the right hardware
- Only requires a single authentication factor, no two-factor authentication
- Security level: Medium to High
- Total cost: $180
- Did it kill the password? It killed one but it killed it spectacularly. Google Chrome took care of the rest.
Then there’s my father-in-law. I think I need to explain my father-in-law before I go any farther. He has used computers for the last twenty years and never is more than a few feet from one. Now retired, he likes to watch TV with his notebook computer right on his lap, browsing the internet, playing online games, or arguing with people on Facebook. You’d think being such a heavy computer user he’d be quite the expert.
But if you thought that you’d be wrong. While he does know his way around his computer — he can for example install Windows from scratch — some things seem to be more of a challenge for him. One of those things is his webcam. He read somewhere that he should put tape over his webcam lens to prevent hackers from spying on him. So he did — transparent scotch tape.
Another challenge for him is passwords. I mean everyone forgets passwords, but he forgets his passwords and where he writes down his passwords. I set him up with a password manager once but he forgot the master password and forgot where he wrote it down.
And it’s not like he has that many passwords. In fact, he only has two passwords that he uses for everything and he still loses them.
So the most obvious solution for him was the cat book.
The cat book is simply a place to write down all your passwords hidden in plain view. For some people, this isn’t such a bad solution and probably the best you can hope for.
Cat book verdict:
- Easy to use, hard to get it wrong
- Great for fathers-in-law
- Use pencil, sometimes those passwords change
- Security level: Low
- Total cost: $7.89
- Did it kill the password? No, but at least he won’t lose them now, geez.
The Death of the Password
Clearly, we are nowhere near killing the password. We can make dents here and there but the problem is that too many products are proprietary and no one technology works everywhere. Although some have tried to get their product to work everywhere, it usually means making compromises that end up weakening security.
The other problem is that while passwords have their weaknesses, so do other technologies. Fingerprints and faces are convenient, but you usually need special hardware, and you can’t ever change them if they are stolen. Smart cards and USB tokens are very secure but also costly and easy to lose.
Let’s face it, we aren’t getting rid of those passwords any time soon. You might as well learn how to make strong passwords and how to properly protect them. You should also take advantage of the many two-factor authentication options available for most major web sites. As your password collection grows, consider using a password manager to securely store them.
And if all else fails, there’s always the cat book.