Replacing passwords with jewelry

Wired writes about Google's effort to eliminate the password as a means of authenticating your identity online.  Passwords are incredibly insecure, and only becoming more so.  They will never again be a good way to protect your data.

Passwords are a cheap and easy way to authenticate web surfers, but they’re not secure enough for today’s internet, and they never will be. 

Google agrees. “Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe,” Grosse and Upadhyay write in their paper.

Fortunately, Google is working on a solution.

Thus, they’re experimenting with new ways to replace the password, including a tiny Yubico cryptographic card that — when slid into a USB (Universal Serial Bus) reader — can automatically log a web surfer into Google. They’ve had to modify Google’s web browser to work with these cards, but there’s no software download and once the browser support is there, they’re easy to use. You log into the website, plug in the USB stick and then register it with a single mouse click.

They see a future where you authenticate one device — your smartphone or something like a Yubico key — and then use that almost like a car key, to fire up your web mail and online accounts.

In the future, they’d like things to get even easier, perhaps connecting to the computer via wireless technology.

“We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity,” the Googlers write.

The future may not exactly be password-free, but it will at least be free of those complex, hard-to-remember passwords, says Grosse. “We’ll have to have some form of screen unlock, maybe passwords but maybe something else,” he says, “but the primary authenticator will be a token like this or some equivalent piece of hardware.”

Personally, I can't wait until this technology comes out.  I like jewelry, but I've never been able to come up with anything I would be particularly motivated to wear, or to make work with my outfit.  But having a ring that was my key to the internet would be perfect.

Also: security and stuff.

EDIT 7:58pm -- I actually think a bracelet would be a lot cooler.   Would that work?

Wired illuminates the dark truth about password security

(via Boing Boing) ...It turns out, it's not there.

Well, that's not totally fair.  Some password-y methods for securing your information are less awful than others, for now.  But in an article he posted yesterday on Wired, Mat Honan (victim of teenage Twitter identity theft) outlines the many horrible ways that passwords fail us as a security measure.

During the formative years of the web, [...] Because almost no personal information was in the cloud—the cloud was barely a wisp at that point—there was little payoff for breaking into an individual’s accounts; the serious hackers were still going after big corporate systems.

So we were lulled into complacency. Email addresses morphed into a sort of universal login, serving as our username just about everywhere. This practice persisted even as the number of accounts—the number of failure points—grew exponentially. Web-based email was the gateway to a new slate of cloud apps. We began banking in the cloud, tracking our finances in the cloud, and doing our taxes in the cloud. We stashed our photos, our documents, our data in the cloud.

Eventually, as the number of epic hacks increased, we started to lean on a curious psychological crutch: the notion of the “strong” password.

The major point is that a lot of security experts from companies that depend on seeming secure (banks, stores, email providers) are happy to explain best-possible practices, but those practices are a massive pain in the ass.  And because they're a massive pain in the ass, nobody follows them.  Since that outcome is predictable -- it happens every time -- the companies can be held accountable for failing to compensate for it.  Rather than keeping people secure, they let users put themselves in a position where they feel at fault if their account with that company is compromised.

Mat doesn't offer an easy-to-swallow answer to the password problem -- basically, as computers get smarter, we need to start relying on them to figure out whether it's really us -- but the lack of a clear solution isn't an excuse not to worry about the problem.

Here's Mat's article, Kill the Password: Why a String of Characters Can't Protect Us Anymore, again.

This next article is an older one, from last month, called Fighting Hackers: Everything You've Been Told About Passwords Is Wrong, by Markus Jakobsson.

He underlines the same points about a system not being secure if the users won't use it securely, and proposes methods for creating stronger passwords.  Essential to his approach is memorability -- a password is best if it's easy for you to remember, but not at all reasonable for someone else to guess.

So how do we select strong and memorable passwords? Here’s how: Think of a story, something weird and memorable that happened to you. Like that time you went jogging and stepped on a rat (ugh). Your password? “JogStepRat”: Your personal story boiled down to three words. If this really happened to you, you won’t forget. And no one else can guess it – unless you’ve told everyone that story, but then you’d just pick another, more embarrassing source story you’d never share!

This approach isn’t just conjecture: It works. It’s been tested at a large scale, and this type of password has twice the bit security of an average password. I kid you not.

Take a look at your security online, and try to tighten up your weak points, like reusing the same username and password across platforms.  And read those articles; there's a lot of good stuff in them apart from the excerpts I posted.

Kill the Password: Why a String of Characters Can't Protect Us Anymore, by Mat Honan
Fighting Hackers: Everything You've Been Told About Passwords Is Wrong, by Markus Jakobsson