Bipartisan infrastructure bill moves ahead Simone Biles to compete again Google Pixel 6 and 6 Pro unveiled Mark Hamill in The Mandalorian Venom: Let There Be Carnage trailer 4th stimulus check update

The 'I hate passwords' guide

Until a safer, saner alternative is available, we're stuck with an insecure, outdated authentication technique. Here's how to make the best of a bad situation while we wait for services to get serious about verifying identities.


Passwords have joined pennies, dollar bills, "Real Housewives" television shows, and the two-party political system as things that have outlived their usefulness.

If there was any doubt, I refer you to Heartbleed, a security hole that affected a huge number of Web servers and made IDs and passwords public knowledge. Heartbleed's silver lining may be the realization among the tech cognoscenti that passwords are an inherently unsafe authentication method, as Omar Al Akkad reported on The Globe and Mail site earlier this month.

Last July, three Pomona College students initiated the Petition Against Passwords, an attempt to encourage consumers to pressure technology companies to implement more secure technologies for verifying users, as the Los Angeles Times' Paresh Dave reported.

The consensus of the experts is that password alternatives aren't ready for prime time, as ComputerWeekly's Ron Condon reported in an article from December 2011. The situation may be changing -- slowly. Earlier this year Google acquired SlickLogin, a company that makes a phone-based authentication system. Greg Kumparak explains SlickLogin's sound-based technology on TechCrunch (more on the outlook for password alternatives below).

There's no doubt that we'll be relying on passwords for secure access for years to come. As our reliance on technology increases, the number of login IDs and passwords we use proliferates. If we follow the experts' advice and use a unique password for each service we access, the burden quickly becomes unreasonable: not only do we have to remember dozens of unique, hard-to-guess passwords, we have to remember which password we entered at each site, not to mention which user ID we supplied.

Computer guru David Pogue claims there is no alternative to using a password manager such as LastPass, Roboform, or KeePass. (In fact, Pogue recommends the free DashLane, which works with Chrome, Firefox, Internet Explorer, and Safari.

Last week, Lance Whitney explained why you need a password manager in the aftermath of Heartbleed. Soon after Heartbleed came to light, LastPass added a Heartbleed vulnerability scan to its site security check, as Seth Rosenblatt reported.

The downside of online password managers is discussed in a thread on the Internet Security Stack Exchange: they create a single point of failure for all your passwords, and because they work in your browser there's a broader "attack surface." For me, the greatest downside of password managers is sharing sensitive data with a third party, which always increases risk no matter how trustworthy the third party.

In a post from December 2011, I explained how to master the art of passwords, and back in 2008 I presented the password commandments. The former article described a method for securely writing down your passwords, which for many security experts is a no-no. Timothy B. Lee examines the benefits of recording your passwords on paper in a post from last week.

An example of a secure password-creation method that requires neither a third-party service nor a paper record is to base passwords on something you have already memorized, such as a nursery rhyme, song lyric, or poem. For example, use the third and fifth letters of your school's fight song; for words shorter than three letters use the last letter. In my case, this technique generates the password "ioecoliioenure" from The Victors (Go Blue!).

Changing all your passwords is a royal pain

Whenever a service confirms that its systems have been breached, its knee-jerk advice to its customers is for them to change their password. The onus isn't that great if you have to do so at only one site or for a single app, but when a bug with the scope of Heartbleed hits, it can take half a day to sign into all your accounts and change their passwords.

One of the first problems is remembering all the accounts you've created over the years. Lifehacker's Mihir Patkar explains a simple technique for discovering the accounts you may have forgotten about: search your email archive for the term "confirm your email." Rather than change the password on your orphan accounts, it may be safer simply to delete the ones you haven't used and/or don't expect to need in the future.

You'd think that by now the services affected by the Heartbleed vulnerability would have effected repairs. Re/code's Arik Hesseldahl reported earlier this week that most of the organizations affected by Heartbleed have patched their systems, but hackers continue to take advantage of the security hole.

If you've been waiting to change your passwords until the OpenSSL systems at the heart of the Heartbleed attack have been updated, it would appear that you've waited long enough. As Zach Epstein reports on the Boy Genius Report site (quoting Halon Security CEO Jonas Falck), Heartbleed is a reminder that the Internet will never be 100 percent safe.

Improved authentication techniques on the horizon

Most alternatives to passwords for user authentication require a separate device, such as the phone used by the SlickLogin system I mentioned above. Two-factor authentication likewise relies on a phone or other system to receive the code used to verify your identity.

Many experts hold out hope for a reliable biometric authentication technique. CNN's Heather Kelly describes biometric approaches based on your heartbeat, ear shape, walk, typing speed, and facial features.

A recent NPR story reported by Steve Henn takes a close look at Nuance's voice-recognition system that several banks are using to verify customers who call their support lines. The fingerprint readers on the Samsung Galaxy S5 and iPhone 5S demonstrate the technology's promise, but researchers have managed to bypass both of the sensors, as Engadget's Jon Fingas reported last week.

You can't use the Web for long without encountering a captcha, or "completely automated public Turing test to tell computers and humans apart." Captchas can be more frustrating than trying to recover a lost password: their characters are often so distorted that you end up guessing wrong half the time.

One of the most creative authentication approaches being studied in the area of human interactive proofs (HIP) is Microsoft's Project Arissa, which requires that people distinguish cats from dogs in a series of photos. The technique is one of several novel approaches to access control described by Davey Winder on the PC Pro site.

CSO's Antone Gonsalves describes research being conducted at the University of California, Berkeley, that reads brainwaves to authenticate users, which the researchers claim is a natural fit with the increasing use of wearable computers. The researchers were 99 percent accurate in identifying 15 undergraduate students based on their unique brainwaves. The study results are available here.

Someday our personal information and activities will be protected by technologies safer than the passwords we've relied on since the dawn of networks. Whether that day comes sooner or later depends in large part on how loudly we complain about organizations not doing enough to protect their customers' data.