Date: 21-10-2016

Anyone who's spent any amount of time thinking about IT security - whether as an admin or as a long-time user of a corporate IT system - has encountered the same problems, which can be summarised by the following decree that a password should:

  • Be longer than 8 characters
  • Not contain dictionary words
  • Contain non-alphanumeric characters
  • Not be the same password you’ve used in another system
  • Not contain sequences or patterns

Now let’s be honest: very few humans have the memory and discipline to cope with those rules in a single system - much less across the dozens of different systems we all need to interact with.

Forget that complexity for a second and think about some of the high-profile ‘hacks’ of online systems that have occurred in the last few years. Specifically, let’s think about the ones where someone's account was broken into via the password reset function using knowledge about the victim - how many people know your mother's maiden name?

So what’s the solution to these problems?

Well, I could suggest a program like LastPass, PassPack, or Password Safe to package your passwords into a nice encrypted bundle, but that’s what anyone would tell you to do, and here at Diversus we’re all about finding the solution to the problem - so let’s pause for a moment and think about what the real problem is.

The root problem here is the same problem that we have passports and driver's licences for: proving to a system that we really are who we say we are. A computer can’t reliably read our passport and identify us (although that could change in the coming years), so we can look for the next best thing.

Tech

In 1991 the anti-nuclear activist Phil Zimmermann devised a means of authentication and encryption using personal encryption keys, which he dubbed ‘Pretty Good Privacy’, to store and share encrypted information on public bulletin boards - you could say it was the first secure cloud storage. At the time computers weren’t common, and neither was Internet access - so the idea was never adopted widely.

In 1995 Tatu Ylönen, a researcher at Helsinki University of Technology in Finland, used a similar method to authenticate users to a secure shell login. This later became known as SSH, which has gradually gained popularity - even to the point where Microsoft adopted it as a means of authentication for Microsoft Team Foundation Server in July 2016.

At the present time none of those cost or physical restrictions still apply. Every single one of us is carrying around a computer in our pocket powerful enough to perform the cryptographic functions needed to authenticate us as an individual.

What about logging into online services, you might ask? We’re already halfway there in the sense that we’ve got Open Authentication providers in the form of LinkedIn, Google+, Windows Live, and similar; but none of them offer you a system where you can upload your public key and have them simply always recognise you.
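The "upload your public key and be recognised" login described above works the way SSH key authentication does: the service stores only the public key, and at each login it hands the user a fresh random challenge that the user signs with the private key, which never leaves their device. The Go program below is an added illustration written for this post, not code from the original article or from any of the providers it names; the service and client types, the user name and the `example-login-v1` domain-separation label are all assumptions made for the example. Beyond the happy path it shows two checks a real implementation must get right: a captured signature cannot be replayed because each challenge is consumed once, and a signature from a key that was never registered fails verification.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Service is the assumed online provider. It keeps only public keys (never
// anything secret) plus the challenges it has issued and not yet consumed.
type Service struct {
	keys       map[string]ed25519.PublicKey
	challenges map[string][]byte // username -> outstanding nonce
}

func NewService() *Service {
	return &Service{
		keys:       make(map[string]ed25519.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Register stores the user's uploaded public key.
func (s *Service) Register(user string, pub ed25519.PublicKey) {
	s.keys[user] = pub
}

// Challenge issues a fresh 32-byte random nonce for the user to sign.
func (s *Service) Challenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.challenges[user] = nonce
	return nonce, nil
}

// Login verifies the signature over the outstanding nonce. The nonce is
// discarded whether or not verification succeeds, so a captured signature
// can never be presented a second time.
func (s *Service) Login(user string, sig []byte) bool {
	nonce, ok := s.challenges[user]
	delete(s.challenges, user)
	if !ok {
		return false
	}
	pub, ok := s.keys[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, loginMessage(user, nonce), sig)
}

// loginMessage binds the signed bytes to this protocol and this user, so a
// signature made for some other purpose cannot be reused as a login.
func loginMessage(user string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte("example-login-v1:")) // assumed label for this example
	h.Write([]byte(user))
	h.Write(nonce)
	return h.Sum(nil)
}

// Client is the user's device: it holds the private key and only ever emits
// signatures, never the key itself.
type Client struct {
	user string
	priv ed25519.PrivateKey
}

func NewClient(user string) (*Client, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Client{user: user, priv: priv}, pub, nil
}

func (c *Client) Respond(nonce []byte) []byte {
	return ed25519.Sign(c.priv, loginMessage(c.user, nonce))
}

// RunScenario exercises a legitimate login, a replayed signature, and a
// response from a key pair that was never registered for the account.
func RunScenario() (legit, replay, wrongKey bool, err error) {
	svc := NewService()
	alice, alicePub, err := NewClient("alice") // "alice" is a constructed user
	if err != nil {
		return
	}
	svc.Register("alice", alicePub)

	nonce, err := svc.Challenge("alice")
	if err != nil {
		return
	}
	sig := alice.Respond(nonce)
	legit = svc.Login("alice", sig) // expected true

	replay = svc.Login("alice", sig) // no outstanding challenge: expected false

	other, _, err := NewClient("alice") // same name, unregistered key
	if err != nil {
		return
	}
	nonce, err = svc.Challenge("alice")
	if err != nil {
		return
	}
	wrongKey = svc.Login("alice", other.Respond(nonce)) // expected false
	return
}

func main() {
	legit, replay, wrongKey, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate login: %v, replayed signature: %v, unregistered key: %v\n",
		legit, replay, wrongKey)
}
```

The design point worth noticing is that the service holds nothing an attacker could use to impersonate the user: a dump of its key table yields only public keys, which is exactly the property a password database lacks. Freshness of the nonce and the one-shot `delete` in `Login` are what turn "possession of the key" into "possession of the key right now".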

These aren’t the only alternatives to passwords. There are various types of biometrics such as fingerprint scanners and facial recognition, as well as physical smart cards, NFC, and RFID chips.

Since I’m a believer in using the right tool for the job, I’d conclude that the only reason we’re still using passwords to log in is that we simply haven’t taken the time to consider alternatives.


[As written by one of our Technical Consultants]