The Heartbleed security bug, which caused havoc online earlier in April, has allowed criminals to access our passwords for common websites for more than two years. Is it time to give up the idea of passwords? Various technologies are poised to replace the password – including an edible, electronic capsule.
The days of storing passwords in your brain are numbered. In a few years’ time you may be able to log into your online bank account using an edible capsule that, once swallowed, broadcasts a password through the wall of your stomach. It then uses a special tattoo that has bendy and stretchy components – sensors and an aerial that lie flat on your skin. The aerial transmits your password to an electronic reader when you pick up your phone or sit at a computer. Stomach acid, in place of battery acid, powers the pill. This tiny device is being designed to pulse a code that would be picked up by a sensor in a laptop, shortly after it exits the oesophagus.
The motivation for developing such bizarre technologies comes from a widespread and growing problem: the existing authentication systems that log you into online services rely on passwords, and passwords aren’t really up to the job.
There are many reasons why. When criminals hack into an online storeroom of passwords – a service provider’s encrypted list of all of its users’ entry codes – they can potentially crack many thousands of passwords at once with the aid of special software.
Passwords can also be ‘phished’, which happens when users are tricked into revealing them to fake sites made to look like legitimate ones. People also tend to choose passwords that are easy to remember. This means they are easy to guess. Of 32 million passwords revealed during one security breach, more than 290,000 turned out to be ‘123456’!
A password containing six lowercase letters takes just a fraction of a second to crack. But a longer and more complex one with 11 random upper- and lowercase letters, numbers and special characters could take hundreds of years. The rule with passwords is simple: the more complex a password is, the better the level of security it provides. But expecting people to remember long, nonsensical combinations is unrealistic.
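The two cases above, together with the ‘123456’ problem, can be checked with a short password-policy sketch. This is an added example, not code from the article; the guess rate, the tiny blocklist, the sample passwords and the function names are all assumptions made for illustration.

```python
import string

# Assumption: offline guessing rate against a fast hash (not a figure from the article).
GUESSES_PER_SECOND = 1e12
# Constructed stand-in for a leaked-password blocklist; real deployments load a large list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "111111", "abc123"}
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password):
    """Size of the smallest character pool a search must cover for this password."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Characters outside the four ASCII classes (spaces, Unicode) each widen the pool by one.
    extra = {ch for ch in password if not any(ch in c for c in CLASSES)}
    return size + len(extra)


def worst_case_seconds(password, rate=GUESSES_PER_SECOND):
    """Upper bound on exhaustive-search time; only meaningful for random passwords."""
    return alphabet_size(password) ** len(password) / rate


def assess(password):
    """Return (verdict, seconds). A blocklisted password fails whatever its keyspace."""
    if password.lower() in COMMON_PASSWORDS:
        return ("reject: on common-password list", 0.0)
    secs = worst_case_seconds(password)
    if secs < SECONDS_PER_YEAR:
        return ("reject: exhaustible in under a year", secs)
    return ("accept", secs)


if __name__ == "__main__":
    # Constructed samples: a common password, six lowercase letters, 11 mixed characters.
    for pw in ("123456", "kqzvpw", "g7#Kp!2xQv@"):
        verdict, secs = assess(pw)
        print(f"{pw!r:16} {verdict:38} {secs / SECONDS_PER_YEAR:.3g} years")
```

The blocklist check runs first because a keyspace estimate says nothing about a password that people commonly choose.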
Often, users pick the same password for many different services, which is ill-advised, although it is something I am guilty of. If you sign up for an account on an unimportant website and that website gets hacked, your password could find its way into the hands of criminals who would then be able to access your online bank account. The problem is that people simply have too many passwords to remember, as a typical adult between 25 and 34 years of age has 40 online accounts!
One way around these drawbacks is to beef up existing password-based authentication systems by providing more than one kind of hoop for users to jump through. This already happens when you use a number-generating security token, or have to input a random number that was sent via SMS to your phone, as used by many Thai banks. Some companies are trying biometrics as a second authentication factor, taking advantage of the cameras and microphones in smartphones to carry out face or voice recognition, or even iris scans. But many users worry that biometric data brings its own suite of concerns. Unlike passwords, which can be changed, voice prints and faces cannot. The worriers say that if cybercriminals were to hack a website and steal biometric information, the same information could forevermore be used to break into other accounts that rely on biometric authentication. This is unlikely, however, because fingerprint data is typically combined with random data to create a biometric based on your fingerprint. So any hacker who gained access to a scan of your fingerprint would not be able to break into a biometrically secured site.
Ultimately, authentication is a problem that is unique to computers. Humans generally have no difficulty recognising other people with whom they already have a relationship, which is why no one demands a password from their spouse or children before letting them in the house. It is also why researchers are unlikely to develop easy, reliable authentication systems for online services until computers can be programmed to learn like people. Until that day, if you want to log into your online accounts quickly and safely, you may be asked to pop a password pill.