The Password Fallacy: Why Our Security System Is Broken, and How to Fix It

Our password system is broken, and it's about time we change it.

What if the idiosyncrasies of our touch-screen gestures could serve as our passwords? (shoo/Shutterstock)

For the few that haven't yet spotted technology journalist Mat Honan's story about his unfortunate hacking, here's the capsule version: What started as an attempt at his Twitter feed via an Amazon account security hole quickly escalated into several wiped devices, a gutted Gmail account, and devastating data loss, both personally and professionally. The terrifying tale ended on a cry for users to embrace Google's two-step verification, which requires a second level of authentication when accessing your Gmail. When James Fallows wrote about his wife's ordeal with a compromised account last year, he came to the same conclusion.

Sure, adding an extra lock would have spared both a fair amount of trouble, but there's a much bigger problem at hand. We're required to take downright ridiculous precautions to maintain our online security, and it's not sustainable. In fact, it never was. Our password system is broken, and it's about time we change it.

Let's take a little tally of where we've found ourselves, shall we? Studies show that we log into some 10 sites a day. Places that hold our most important data, like Gmail, Dropbox, and our bank, might ask us to jump through two tiers of password hoops in order for them to ensure our online security. Overall we're asked to hold keys to 30-40 sites in order to read the news, access our email, or book a haircut. For each of these sites, security analysts recommend using a unique string of 14 characters made up of letters, numbers, and special symbols. But remember: Computers are quick to guess dictionary words, your birth year, and numbers substituted for letters. No repeats allowed. Oh, and whatever you do, don't write anything down.

Who can possibly remember all those characters?

It's a nutty system, so we ignore it, spreading the five or six passwords that we can remember across every online interaction. But that's not a good solution. Connect our sites with shared login information, and we're risking enormous chunks of our online lives. As Steve Ragan, a journalist at The Tech Herald, demonstrated in January, a free program and a $300 computer can crack more than 25,000 passwords in seven minutes. Perhaps XKCD said it best: "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."

The craziest thing is: We've known all along that our brains are not cut out for this. Researchers observed password fatigue in the earliest days of computing. In a 1979 study conducted by Bell Labs cryptologist Robert Morris and computer scientist Ken Thompson, the challenge was clear: "Human beings being what they are, there is a strong tendency for people to choose relatively short and simple passwords that they can remember. Given free choice, most people will choose their passwords from a restricted character set (e.g. all lower-case letters), and will often choose words or names."

The researchers found that 60 percent of user passwords were less than 5 characters long, and overall, 86 percent relied on dictionaries or name lists to create them. Morris and Thompson concluded, "the results were disappointing, except to the bad guy."

Sound familiar?

People have been crying, "the password is dead," for years (that one was courtesy of Bill Gates in 2004), but we're finally in a position where change is possible. When a keyboard was our only input, text passwords made sense, but now we have so many other entry points -- touch screens, cameras, microphones -- that are harder to replicate from afar. It might just be possible to create a login that doesn't sacrifice security for usability. So let's get on with it already.

The good news is, we've already started. Researchers are aiming for a new system that's not only human-compatible, but maybe even enjoyable, too. Take, for instance, the satisfying swipe. Touch-screen keyboards are annoying, but sliding your finger across a reactive surface at least initially caused a bit of a thrill. Android phones have taken this motion and applied it to a 3 x 3 grid login screen made of dots. Set up the phone with a pattern you fancy, repeat, and you're logged in.

Windows 8 has strengthened the idea by swapping the dots for a user's photo. By linking parts of the image that stand out (think: a mountain top, a sloth's nose) with lines, circles, and taps, you're actually telling the computer to remember a pattern dragged over a 10 x 10 grid. Work the same magic when you return, and you're in.

Touch-based operations hit even closer to home. Nasir Memon, a professor of computer science and engineering at NYU's Polytechnic Institute, is taking our offline verification system, our signature, and making it an online one. His iPhone app, called iSignOn, learns your finger's path across the screen, unlocking when the shape and speed of the signature are repeated. The app is also a password manager, so once you're in, it will open the doors to a bunch of frequently used services.

The touch screen experience is breezy, but there are still problems. Android users, for instance, have expressed concern over "reverse smudge engineering." Because your finger traces a consistent pattern, the oils impart a trail that someone could follow to your data.

Memon estimates that iSignOn reaches about an 8-character password security equivalent. Still, he says, "A signature may come out differently if you're standing, sitting, or walking." So he's running trials, attempting to nail down the perfect mix of ease and rigor. "A four-digit password you enter only once. If I have to enter a gesture multiple times, I would not find that acceptable."

In his quest for a better experience, Memon is also experimenting with biometrics on tablet devices. "Biometrics of the past required special equipment, which added to the cost. And besides, it was creepy. People don't like to feel that with their fingertips, their identity is being taken," he says. "Today it's different. The camera, the accelerometer, sensors--it's all there for you to use for free." What he's devised as a potential tablet login is a simple spin of a digital dial (the underlying engineering is anything but). Placing all five fingers on the screen gives the program data on the distance between your digits, their speed and shape as they spin, and their footprint -- not their fingerprint -- as they land on the surface. The information captured should eventually create a unique enough signature (it's at about six-character strength at the moment) to offer accurate access.
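The article measures every scheme in "character equivalents": the Android 3 x 3 dot grid above, Memon's estimate of eight-character strength for iSignOn and six-character strength for the five-finger dial. The same comparison can be made for the dot grid by counting its keyspace. The script below is an added example, not code from the article or from any of the projects it mentions; it enumerates the valid unlock patterns under the commonly documented Android rules, which the article does not spell out and which are stated here as an assumption (at least four dots, no dot used twice, and a stroke that passes over a not-yet-selected dot selects it), then expresses the count in bits and in the length of a random printable-ASCII password with the same keyspace.

```python
import math

# Dots on the 3 x 3 grid are numbered 0..8, left to right, top to bottom.
# MID[(a, b)] is the dot lying exactly between dots a and b, when one exists
# (e.g. 0 -> 2 passes over 1, 0 -> 8 passes over 4; knight-like moves have none).
MID = {}
for a in range(9):
    for b in range(9):
        ra, ca = divmod(a, 3)
        rb, cb = divmod(b, 3)
        if a != b and (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
            MID[(a, b)] = ((ra + rb) // 2) * 3 + (ca + cb) // 2


def count_patterns(min_len=4, max_len=9):
    """Count valid unlock patterns, grouped by number of dots.

    Rules assumed here (the article does not spell them out): each dot is
    used at most once, a pattern has at least min_len dots, and a stroke that
    passes over a not-yet-selected dot selects it, so it cannot be skipped.
    A stroke may pass over a dot that was already selected.
    """
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def extend(visited, last):
        if len(visited) >= min_len:
            counts[len(visited)] += 1
        if len(visited) == max_len:
            return
        for nxt in range(9):
            if nxt in visited:
                continue
            mid = MID.get((last, nxt))
            if mid is not None and mid not in visited:
                continue  # this stroke would skip over an unselected dot
            visited.add(nxt)
            extend(visited, nxt)
            visited.remove(nxt)

    for start in range(9):
        extend({start}, start)
    return counts


def bits(keyspace):
    """Strength of a secret chosen uniformly from `keyspace` possibilities, in bits."""
    return math.log2(keyspace)


def equivalent_chars(keyspace, alphabet=95):
    """Length of a random password over `alphabet` symbols (default: the 95
    printable ASCII characters) that has the same keyspace."""
    return bits(keyspace) / math.log2(alphabet)


if __name__ == "__main__":
    counts = count_patterns()
    total = sum(counts.values())
    print("valid 3x3 patterns by length:", counts)
    print(f"total {total} patterns = {bits(total):.1f} bits "
          f"= {equivalent_chars(total):.1f} random printable characters")
    print(f"four-digit PIN: {bits(10 ** 4):.1f} bits")
    print(f"eight random printable characters: {bits(95 ** 8):.1f} bits")
```

The count is an upper bound on strength: it assumes users pick patterns uniformly, and Morris and Thompson's 1979 finding that people gravitate to short, simple choices applies to gestures as much as to text, so the effective keyspace in practice is smaller still. The comparison also shows why "eight-character equivalent" is a strong claim for any gesture scheme: eight random printable characters are roughly 52 bits, about 34 bits more than the whole 3 x 3 pattern space.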

One step past your physical signature is your cognitive one. The idea is this: What if just going about your business could offer continuous online security? Just as an errant charge on your credit card sets off the bank's alarm bells, software could be designed to collect the data hidden in the rhythm of our keyboard taps, our attitude on the touchpad, or even how rapidly we scan a page. It's an appealing idea, mostly because it requires no effort on our part, but also because the so-called active authentication sounds seriously secure. Earlier this year DARPA sent out a cry for software-based proposals that would find a new way to capture these tics. The hope is that eventually they'll be able to better safeguard their workstations -- without driving their employees crazy.
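A minimal version of the keystroke-rhythm idea, added here as an illustration rather than as DARPA's or any vendor's actual software: build a profile of a user from several enrolment sessions, then score each later session by how far its timing strays from that profile, exactly as a bank scores a charge against a spending history. The timing data, function names and the 2.5 threshold are all constructed for the example. The profile is built on each interval's share of the session's total time, which addresses Memon's caveat above that the same gesture "may come out differently if you're standing, sitting, or walking": a user who types the whole phrase 30 percent slower keeps the same rhythm and is still accepted, while the raw-millisecond profile rejects them.

```python
import statistics

# Constructed sample data, not measurements from the article: inter-key
# intervals in milliseconds for five enrolment sessions in which one user
# typed the same eight-character phrase (seven intervals per session).
ENROLMENT_SESSIONS = [
    [120, 95, 140, 110, 130, 100, 115],
    [125, 90, 135, 115, 128, 105, 110],
    [118, 98, 142, 108, 132, 97, 118],
    [122, 93, 138, 112, 129, 102, 113],
    [119, 96, 141, 109, 131, 99, 116],
]
GENUINE_SESSION = [121, 94, 139, 111, 130, 101, 114]        # same user, same tempo
SLOW_GENUINE_SESSION = [157, 122, 181, 144, 169, 131, 148]  # same rhythm, 30% slower
IMPOSTOR_SESSION = [150, 150, 150, 150, 150, 150, 150]      # flat, machine-like rhythm


def relative_intervals(session):
    """Express each interval as a share of the session's total typing time,
    so the profile captures rhythm rather than absolute speed."""
    total = sum(session)
    return [v / total for v in session]


def enrol(sessions, normalize=True):
    """Build a per-interval (mean, standard deviation) profile from enrolment sessions."""
    rows = [relative_intervals(s) if normalize else list(s) for s in sessions]
    stats = []
    for column in zip(*rows):
        mu = statistics.mean(column)
        # Guard against zero variance so a later z-score never divides by zero.
        sd = statistics.pstdev(column) or abs(mu) * 0.05 or 1.0
        stats.append((mu, sd))
    return {"normalize": normalize, "stats": stats}


def score(profile, session):
    """Mean absolute z-score of a session against the profile (0 = perfect match)."""
    row = relative_intervals(session) if profile["normalize"] else list(session)
    z = [abs(v - mu) / sd for (mu, sd), v in zip(profile["stats"], row)]
    return sum(z) / len(z)


def is_genuine(profile, session, threshold=2.5):
    """Accept the session when its deviation from the profile is below the threshold."""
    return score(profile, session) <= threshold


if __name__ == "__main__":
    rhythm = enrol(ENROLMENT_SESSIONS)
    raw = enrol(ENROLMENT_SESSIONS, normalize=False)
    for name, session in [("genuine", GENUINE_SESSION),
                          ("genuine, slower", SLOW_GENUINE_SESSION),
                          ("impostor", IMPOSTOR_SESSION)]:
        print(f"{name:16s} rhythm score {score(rhythm, session):5.2f} "
              f"accept={is_genuine(rhythm, session)}  "
              f"raw score {score(raw, session):6.2f} accept={is_genuine(raw, session)}")
```

Five enrolment sessions give a very noisy standard deviation, so a deployed system would collect far more samples, use richer features (hold times, digraph latencies, touchpad pressure), and tune the threshold against measured false-accept and false-reject rates rather than picking one by hand; the structure, enrol then continuously score, is the part the paragraph describes.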

As new gadgets roll out, so do improved tools to fiddle with our password predicament. Pressure sensitivity on touch screens, for instance, would improve the device's ability to read biometric data. And the DARPA trickle-down effect could eventually hit us like, well, the Internet did.

Are any of these approaches a panacea? Nope. Not even close. And as it stands, we've not yet nailed down how many of these ideas measure up quantitatively. Getting them all to work together is considerably more daunting. Moreover, a system-wide change will come at a staggering cost to businesses, so they'll resist it. And even once we've scaled all these hurdles, real-world tests like an attack on a biometrically protected Twitter account will surely take place.

There's a reason that eight years after Gates declared the death of the password, some Microsoft researchers came out strongly on the other side: "Passwords, though unloved, deserve some words of praise. They have brought us this far: They are the means by which two billion Internet users access email, banking, social networking and other services." The idea is worthy of a nod, certainly. But amid a sea of stolen data due to a system stretched way beyond human limits, we're over it.