I’ve said it before, and I’ll say it again: passwords are a horribly outdated and clunky approach to security, and it’s time to consign them to history. That view has been underlined by the Federal Trade Commission’s chief technologist Lorrie Cranor, who this week told a security conference that official government advice to change passwords regularly can actually make things worse.
Her argument is based on something I’ve not only seen myself, but done myself – when I worked for a large company which required monthly password changes. When you force people to change their passwords regularly, they will use a predictable pattern – often nothing more than incrementing a number (something001, something002 and so on). This not only makes it easier to crack existing passwords, but also to predict what a future password will be …
The researchers used the transformations they uncovered to develop algorithms that were able to predict changes with great accuracy. Then they simulated real-world cracking to see how well they performed. In online attacks, in which attackers try to make as many guesses as possible before the targeted network locks them out, the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks performed on the recovered hashes using superfast computers, 41 percent of the changed passwords were cracked within three seconds.
So passwords are inherently insecure, and measures taken to try to make them less so can actually prove counterproductive.
Apple has of course gone some way toward reducing the dependence on passwords, introducing Touch ID with the iPhone 5s, and very belatedly offering Auto Unlock of Macs via the Apple Watch. I’m very much hoping this will be merely a halfway house to Touch ID on Macs also.
But as I argued before, Touch ID is only a partial solution to the problem. It doesn’t eliminate the need for passwords, and indeed one quiet iOS change earlier this year means we actually need to use our iOS passcodes more often.
Two-factor authentication improves the security of passwords, but far from perfectly. Flaws aside, the clunkiness of this approach, and lack of consumer education, means that many people simply don’t bother.
HSBC announced earlier this year that it is going all-in on biometric security, replacing both passwords and memorable questions with a combination of Touch ID and voice-recognition – with Apple tech key to the switch. Other financial institutions are also taking similar approaches.
Apple’s current form of Touch ID – the Secure Enclave requiring a passcode to enable Touch ID on device restart and regularly thereafter – means that it can never fully replace a password. But that’s not to say that a technical solution couldn’t be found in future devices that would allow passwords to be abandoned.
Fingerprints and voices aren’t the only forms of biometric security available, of course. We exclusively revealed back in 2014 that Apple was working on iris-scanning technology, and a recent report suggested Apple may be planning this for a 2018 iPhone. Samsung has already demonstrated the feasibility of including it in a mobile device, in the form of the new Galaxy Note 7.
Facial-recognition is another technology that has long been used to unlock Android devices, albeit not with the greatest of track records. But that doesn’t mean there’s anything wrong with the approach itself – early fingerprint readers were just as unreliable until Apple came along with the first technology that was truly up to the task.
In short, we’re at a stage now where passwords are way past their sell-by date, and where there’s plenty of other technology available to replace them.
Why do I think Apple should take the lead in this? For three reasons. First, Apple is all about usability. While the Apple I may have been ground-breaking, Apple’s entire business model since than has been built on taking things that already existed, and making them work the way they ought to. Passwords fail any sensible usability test, and that alone would be reason enough for Apple to be working flat out on replacing them.
Second, Apple is a massively strong advocate for privacy and security. Passwords are no longer fit for purpose when it comes to the level of security Apple aspires to offer. They are vulnerable to brute-force attacks, to phishing expeditions and more.
Third, where Apple leads, others follow. Passwords are, today, the default solution to security. Everyone uses them because everyone uses them. Apple has a demonstrated willingness to abandon legacy technology – from floppy drives to headphone sockets. To think different, if you will. The company is rarely the first to do anything, but once Apple takes a stand on something, it legitimizes it in the eyes of the mass-market. Makes it not just acceptable, but desirable.
So Apple is uniquely placed to take the lead on something that is desperately overdue: turning passwords into something our kids will read about in history lessons. And now is the time to do it.
Do you agree? Or do you think passwords should still around a while yet? Please take our poll, and share your thoughts in the comments.