Passwords are the most common form of authentication and the current de-facto standard. In fact, passwords have existed in tech since the early 1960’s when they were implemented at MIT for the time sharing system on their computer systems for researchers. In order to allow multiple researchers to have their own personal “profile” when logging in each user was given a login name and password. This allowed each registered user to access the system for their weekly time allotment.
From it’s very inception, the password authentication model is inherently flawed. This is due to reasons ranging from the systems they are stored and secured on, as well as the fact that many end users make their passwords easy to remember by default. The latter allows for easy discovery via social engineering, or even finding these “easy passwords” stored on a post-it on the end-user’s desk. The former poses other problems.
In current times, passwords are stored as hashed values in a database. The hash, a value which is generated via the cryptographic method chosen by the organization to transform the plain-text data into an unreadable value, is extremely difficult to decrypt. Difficult, but not impossible. More often high-profile organizations are being hacked, and effectively what happens is the attackers obtain a dump of the databases containing the hashes. In turn, the attackers can then spend the time and effort necessary to decrypt the hashes, gaining access to the end-user passwords.
The question stands, how do we avoid this? How can we better secure user data? The answer seems to be moving more and more into the realm of biometrics. From fingerprint readers to voice and full facial recognition these technologies are the forefront of the movement in security. In fact, these technologies are finally moving out of their infancy due to their own inherent insecurities.
Basic fingerprint scans can be faked relatively easily. An episode of Myth Busters showed how a fingerprint scanner on a door can be fooled with a photocopy. Facial recognition on mobile devices have been circumvented with a photograph. Voice recognition can be fooled with a good-quality recording. As such, the companies that produce these security measures have expanded their scope. Something as simple as adding aspects like touch pressure sensitivity to fingerprint scans, or tracking slight facial movements like blinking to facial recognition can increase security tenfold.
Even further, security firms are working on authentication methods that combine various biometric aspects to form more secure, encompassing multi-factor authentication for services and devices. As this segment of the security industry grows the future of the password is not very bright, but it will be quite some time before the password is finally dead.