
Petition Against Passwords pushes next-gen security

With no practical alternative, a small tech group has launched a campaign to rally consumers against the use of passwords for logging into websites and services.

The Petition Against Passwords, launched earlier this month, is the brainchild of think-tank TechFreedom and rivals Clef and LaunchKey, which sell password-less technology. The group quickly gathered several hundred signees.

The idea is to put aside the technology debate in finding a password replacement and use the power of the people against the widely used method for logging into websites.

"If we can combine all the voices of the people who in the past have been silent about their issues with passwords and bring them together and be like, 'Hey, this is an issue that we need to be talking about,' then as a group, we can enact a lot more change than we would be able to individually," said Jesse Pollak, co-founder of startup Clef.

The security weaknesses of passwords are well known. Hackers regularly break into website databases, steal passwords and then use them to access user accounts. Even when passwords are encrypted, criminals often can find ways to crack them.

On its website, the Petition Against Passwords lists victims of some of this year's high-profile password breaches, including Living Social, Evernote, Twitter and Drupal.

It's still the best method

Nevertheless, passwords continue to be used because no practical alternative exists, said Matthew Green, assistant research professor and cryptography expert at Johns Hopkins University.

"We would all love to come up with something better than passwords," Green said. "The reason we haven't done it in the last 10 years or so—or 20 years maybe—is just that nobody can agree on something that is better than passwords."

While there are more secure alternatives, they are often more difficult or more expensive for the user. Biometric methods, such as fingerprint or facial scanners, are often touted as an alternative, but they have not been built into most smartphones and tablets and usually require separate hardware on a personal computer. Other possibilities, such as electronic tattoos and measuring brainwaves, are still in the experimental stage.

In the case of password-less alternatives from vendors such as Clef, LaunchKey and OneID, the technology is proprietary, so getting widespread adoption by websites is difficult.

For example, Clef only has about 250 websites supporting its technology. "On the grand scheme of things, that's not that many," Pollak said.

The Fast Identity Online (FIDO) Alliance is a nonprofit organization that has been working for more than two years on replacing passwords with standards-based technology. The system would enable a website to authenticate a visitor through the connecting device.

FIDO, which Google joined in April, expects to have production-ready specifications available for building technology into devices and website servers by early next year.

FIDO's success will depend on many major Internet companies, not just Google, adopting the technology, as well as smaller sites and hardware manufacturers.

Whether FIDO is successful or some other password alternative, the bottom line for consumers is that the level of security will likely be higher, but never bulletproof.

"Everything has a weakness," Green said. "Anytime anybody says it's impossible to hack, your alarm bells should go off."

While passwords remain the primary means of authentication, most experts would recommend using a password manager, such as LastPass, IronKey, or Kaspersky Password Manager, for safe storage and to avoid having to remember more than one.
