This is the fifth story in a multi-part series on the future of digital security.
Filled with numbers, symbols and letter combinations that mean nothing, passwords in today's security-conscious Internet environment have become harder to remember and less uniform than ever.
But in a few years, that may no longer be the case. A number of advances in password technology, some of which have already reached consumers, will make accessing protected data fast and easy for the first time in decades.
Today's passwords fail on many fronts. Users can't remember them, yet hackers can easily crack them. William Cheswick, a password researcher at AT&T, says there are better ways to verify identity. Call-and-response systems, clever use of common words or even smartphone-style locking mechanisms could block intruders while relieving users from having to remember 10 nonsensical alphanumeric passwords.
"Typing in a password is a problem, especially if it is one of those wretched 'eye-of-newt' passwords that are so popular today," Cheswick said. "These passwords have requirements for upper- and lower- case [letters], numeric and special characters to increase the search space of brute-force attacks. They are hard to remember unless trivial variations are chosen, and hard to type. This doesn't have to be this way."
Today, passwords aim to defeat three main kinds of attacks. Dictionary attacks start with words, phrases and number sequences commonly used in passwords, such as "password," "letmein" and "123456." Brute-force attacks methodically try every possible alphanumeric combination until one works. Keystroke logging attacks actually record the typing on the keyboard itself to steal passwords.
The incomprehensible, sometimes automatically generated passwords currently in vogue, such as "4$sdfFKL2," are designed to defeat dictionary attacks and make brute-force attacks more difficult, Cheswick said.
However, 25 or so letters assembled from randomly generated words, such as "correct battle sellers jumper," actually provides a passphrase with more resistance to brute-force attacks than shorter gibberish passwords or number-letter-substitution passwords such as "P@22w0rd$," Cheswick said.
"If the passphrase is simply words chosen from a dictionary at random, the entry is easy for a good typist," Cheswick told SecurityNewsDaily.
To defeat keystroke loggers, some banks already ask customers to use computer mice to select letters on an on-screen keyboard rather than type them in. Combine that method with a long but easy-to-remember passphrase and you'll be ahead of the game.
Another possible future for passwords lies in the spreading use of multitouch interfaces for a wide range of tasks. Currently, most people use a mouse and keyboard with their main computers. But when touchscreens migrate to the desktop, the very secure swiping motions, or pattern locks, currently used to lock smartphones could also become the passwords for websites and other secure files.
"I do have hopes for smartphones in all this," Cheswick said. "We carry them around with us always. They are a bit tougher to attack than traditional client computers. And they have plenty of compute power. Some of my current explorations in authentication are implemented on my iPhone."
Beyond the password
And that may just be the beginning. Rather than passwords, call-and-response question sets may regulate access to data a few years from now. Users would first select a set of 10 or 20 questions whose answers they would never forget, such as "Where did you go to high school?" or "What's your favorite movie?"
Then, during each login, the user would be randomly asked one of the questions, the correct answer for which would provide access. Since the questions would change every time, and since the questions and answers would differ for each person, automated attacks would have a very low chance of breaking through.
"The best authentication systems involve challenge/response, in which you or your proxy computes a unique answer to a challenge: different login, different challenge and an eavesdropper learns little or nothing unless a challenge is repeated," Cheswick said. "This whole process can be done under the hood, providing the endpoints are secure. The user just needs to enable this through a trusted path."
Unfortunately, all these advances still have one important weak link: the user. As the recent rise in spear-phishing attacks have shown, the best way to defeat a password doesn't involve complex math or spying.
Instead, successful hackers simply ask unsuspecting users to give up their passwords willingly. Preventing user errors such as that may prove out of reach of even the most futuristic security systems.
Previous stories in this series:
- The End of Malware? Cybersecurity Predictions for 2022
- Hacking in a World Without Windows XP
- Password Overload: How Can Anyone Remember Them All?
- Will Windows 8's Security Suite Kill the Anti-Virus Industry?