There is a widespread consensus that passwords are ineffective, frustrating, and terrible in every way.[1] There are 300 billion of them in use today,[2] and that number is growing. What are we to do?
Haven't we tried everything?
Make them more complex
From 1992 to 2018, NIST guidance said passwords should meet an increasingly complex composition convention. The result: passwords became harder to remember, harder to type, and less likely to stick. Password-cracking software got smarter, because the published construction rules gave it precise patterns to follow, while computing power grew cheaper and more plentiful. Eventually, even Bill Burr, the NIST scientist who authored this guidance, concluded that complex rules are not the answer.[3]
Outsource managing them
The first password manager to achieve widespread usage was RoboForm, which grew out of its “form-filling” function to become a full-fledged password manager. Since then, this class of software has proliferated to include dozens of companies emphasizing ease of use, convenience, and reduced friction. None of them competes openly on the basis of security. In fact, at least five of them have shown serious bugs that expose the passwords[4] of up to 60 million users, and many have publicly acknowledged breaches. They also bring a host of challenges around safe and secure resets.
On the consumer side, federated identity providers like Google, Facebook, LinkedIn, and others started taking on this responsibility, and browsers added “Remember password?” functions to keep things safe and local. In both instances, the convenience comes with risk. Having your linked account confirm your identity doesn't confirm that it is actually you – it confirms that you are willing to accept the account offered. And having your browser remember the password confirms that the browser previously accessed the account, not that you are actually the person who should be sitting at that browser. It's fairly trivial for someone else to view or use those saved passwords if they can gain remote access to your computer.[5]
On the corporate side, the desire for better administration led to the advent of single sign-on solutions and password management infrastructure, as well as related categories of products and services that offer to reduce user frustration. To do this, they take on the responsibility for creating, storing, encrypting, deploying, and protecting passwords. These come at significant cost in licensing, training, and maintenance. But rather than fix the problem, they just try to manage it.
Call for backup
In the early 1980s, Security Dynamics Technologies (now called RSA) introduced the first 2-factor authentication solution. Deemed innovative at the time, this approach required that the user not only type the right password for the account, but also properly enter a code whose sole purpose was confirming identity. 2-factor evolved into multi-factor, and the options became ever more secure and complex: hard tokens followed by soft tokens, text messages, specialized apps, etc.
The challenge with MFA is that each new advance creates a new attack surface. Texted codes are convenient, but they are worthless once a SIM-swap attack lets an impostor redirect the code and gain access to your account.
These are all great stopgap measures to stem the tide, but the tide keeps rising.
What's the real answer?
Didn't biometrics already do this? We've got faces,[6][7] DNA, irises, retinas, fingerprints, and heaven knows what else, right? Of course, but these are all static and irrevocable. You can't change them, which means that once they are compromised, copied, or spoofed, they lose all value as a unique identifier.
User Entity Behavioral Authentication (UEBA) must surely be the answer then. Except, it's not. UEBA is great for spotting potential fraudsters trying to open a credit card account in your name, or for identifying the anomaly when you normally spend Tuesdays in St. Petersburg, Florida, and suddenly one Tuesday you log in from St. Petersburg, Russia. But it doesn't identify you – it just spots when you look different.
Right now, my recommendation is to...
Fortify them, immediately!
Fortify passwords with physical behavioral authentication based on how each person types, uniquely, under normal circumstances. This idea is as old as the telegraph, and dozens of companies have tried to do it over the past 100 years. Today, with new technology and approaches, it is a reality that can be implemented on virtually any system for as little as pennies per user per month.
It works by capturing and interpreting the cadence and rhythm of keystrokes – how your fingers move across the keyboard as you type. The top solutions don't need to know the password itself – only whether it is being typed consistently with past efforts.
This simple solution prevents roughly 80% of breaches, fits seamlessly into almost every current cybersecurity schema, and requires no change whatsoever to the user experience.
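A simplified, added illustration of the comparison just described (constructed timings, not Intensity Analytics' code or algorithm): key-down/key-up events yield per-key dwell times and inter-key flight times, an enrollment profile stores each feature's mean and spread, and a new attempt is accepted only if its rhythm sits close to that profile. The function names, the 2.0 threshold, and the timing values are assumptions.

```python
from statistics import mean, pstdev
# Added keystroke-dynamics illustration, not Intensity Analytics' algorithm. A sample
# is a list of (key, key_down_ms, key_up_ms) events for one typing of the password;
# the features are per-key dwell (hold) times and inter-key flight times: the cadence.

def features(events):
    """Dwell times followed by flight times, in milliseconds."""
    dwell = [up - down for _, down, up in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight

def enroll(samples):
    """Profile = per-feature (mean, std) over enrollment samples; std floored at 1 ms."""
    cols = list(zip(*(features(s) for s in samples)))
    return [(mean(c), max(pstdev(c), 1.0)) for c in cols]

def score(profile, sample):
    """Mean absolute z-distance from the profile; lower means more like past typing."""
    f = features(sample)
    if len(f) != len(profile):  # a retyped/corrected entry cannot be scored against this template
        raise ValueError("sample has a different key count than the enrolled profile")
    return mean(abs(x - m) / s for x, (m, s) in zip(f, profile))

def verify(profile, sample, threshold=2.0):
    """Accept when the rhythm is within the threshold (assumed value; tune per deployment)."""
    return score(profile, sample) < threshold

def make_events(keys, dwell, flight):
    """Constructed helper: build (key, down, up) events from dwell and flight lists."""
    events, t = [], 0
    for i, k in enumerate(keys):
        events.append((k, t, t + dwell[i]))
        t += dwell[i] + (flight[i] if i < len(flight) else 0)
    return events

# Constructed timings: a five-character password typed by its owner three times.
KEYS = "tr1be"
ENROLL = [
    make_events(KEYS, [90, 80, 100, 85, 95], [120, 150, 110, 140]),
    make_events(KEYS, [95, 78, 104, 88, 91], [126, 144, 114, 136]),
    make_events(KEYS, [86, 84, 97, 82, 99], [115, 155, 107, 143]),
]
PROFILE = enroll(ENROLL)
# The owner again with normal jitter, then someone who knows the password but types it slowly.
LEGIT = make_events(KEYS, [92, 81, 101, 86, 94], [122, 149, 112, 139])
IMPOSTOR = make_events(KEYS, [150, 140, 160, 145, 155], [300, 320, 280, 310])

if __name__ == "__main__":
    print(round(score(PROFILE, LEGIT), 2), verify(PROFILE, LEGIT))        # owner accepted
    print(round(score(PROFILE, IMPOSTOR), 2), verify(PROFILE, IMPOSTOR))  # impostor rejected
```

Three enrollment samples are far too few for a real deployment; the point is only that a correct password typed with the wrong rhythm still fails the check.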
What about a password-less future?
The same technology holds the key to a truly password-free future. How? By capturing and building a model of the effort associated with the way a person types, this technology can also attribute typing to the right person at any time, regardless of what characters are being entered. It works in the background, continuously and in real time, to spot changes. It is what truly enables zero trust, and it provides a completely new paradigm for account security not only at login but throughout each session.
Jonathan Nystrom is the Interim CEO of Intensity Analytics, a company that enables any system to recognize users based on how they type normally.
* apologies to Gene Roddenberry, creator of original Star Trek series and David Gerrold, writer of “The Trouble with Tribbles” episode which first aired on December 27, 1967 and remains one of my all-time favorite television experiences.
1. Urbina, Ian. "The Secret Life of Passwords." The New York Times Magazine, November 19, 2014. Accessed January 9, 2020.
2. Steinberg, Joseph. "300 Billion: That's How Many Passwords May Be In Use By 2020." Inc. Magazine, February 13, 2017. Accessed January 7, 2020.
3. McMillan, Robert. "The Man Who Wrote Those Password Rules Has a New Tip: N3v$r M1-d!" The Wall Street Journal, August 7, 2017. Accessed January 8, 2020.
4. Fowler, Geoffrey A. "Password managers have a security flaw. But you should still use one." The Washington Post, February 19, 2019. Accessed January 9, 2020.
5. Wallen, Jack. "Why you should never allow your web browser to save your passwords." TechRepublic/Security, March 28, 2019. Accessed December 19, 2021.
6. We have faces, for the moment. See Harwell, Drew. "Federal study confirms racial bias of many facial-recognition systems, casts doubt on their expanding use." The Washington Post, December 19, 2019. Accessed January 9, 2020.
7. Samsel, Hayley. "California Becomes Third State to Ban Facial Recognition Software in Police Body Cameras." Security Today Magazine, October 10, 2019. Accessed January 9, 2020.