BBC Future

In Depth

Time to forget your online passwords?

Woman with a pill in her mouth (Copyright: Thinkstock)

(Copyright: Thinkstock)

The Heartbleed security bug causing havoc online this week has allowed criminals to access our passwords for common websites for more than two years. Is it time to give up the idea of passwords? As this BBC Future article from last year highlighted, various technologies are poised to replace the password – including an edible, electronic capsule.

The days of storing passwords in your brain are numbered. In a few years' time you may be able to log into your online bank account using an electronic tattoo on your arm, or a pill that, once swallowed, broadcasts a password through the wall of your stomach.

Functional prototypes of these products already exist. The tattoo has bendy and stretchy components – sensors and an aerial that lie flat on your skin. It works by the aerial transmitting your password to an electronic reader when you pick up your phone or sit at a computer. Stomach acid in place of battery acid powers the pill. This tiny device is being designed to pulse a code that would be picked up by a sensor in a laptop, shortly after it exits the oesophagus.

The motivation for developing such bizarre technologies comes from a widespread and growing problem: the existing authentication systems that log you into online services rely on passwords, and passwords aren't really up to the job.

‘Nonsensical and unrealistic’

There are many reasons why. When criminals hack into an online storeroom of passwords – a service provider’s encrypted list of all of its users’ entry codes - they can crack potentially many thousands of passwords at once with the aid of special software.

The Heartbleed security flaw has thrust the problem of password insecurity into the spotlight once again this week. For the past two years, the flaw has made it possible for criminals to grab little chunks of data from many of the common sites we use – some of it potentially containing password information. Several tech firms are now urging people to change all their passwords, particularly for email, file storage and banking.

Passwords can also be ‘phished’, which happens when users are tricked into revealing them to fake sites made to look like legitimate ones. About 50,000 unique sites get phished each month, which leads to online thefts totalling an estimated $1.5 billion each year. People also tend to choose passwords that are easy to remember. This means they are easy to guess. Of 32 million passwords revealed during one security breach, more than 290,000 turned out to be ‘123456’, according to Imperva, a Californian security company.

A password containing six lower case letters takes just a fraction of a second to crack. But a longer and more complex one with 11 random upper and lowercase letters, numbers and special characters could take hundreds of years. It presents many orders of magnitude more combinations for the software to work through. The rule with passwords is simple: the more complex it is, the better the level of security it provides. But expecting people to remember long, nonsensical combinations is unrealistic.

Often, users pick the same password for many different services, which is ill-advised. If you sign up for an account on an unimportant website and that website gets hacked, your password could find its way into the hands of criminals who would then be able to access your online bank account. The problem is that people simply have too many passwords to remember, says Michael Barrett, Paypal's chief information security officer. "When I talked to consumers ten years ago, they would tell me that they had four or five usernames and passwords to remember. Now they give me a glazed look, and tell me they have 35 of the damned things." A typical adult between 25 and 34 years of age has 40 online accounts, according to a 2012 study by credit-checking firm Experian.

Random data

One way around these drawbacks is to beef up existing password-based authentication systems by providing more than one kind of hoop for users to jump through. This already happens when you use a number-generating security token, or have to input a random number that was sent via SMS to your phone. Paypal has offered this ‘two-factor authentication’ for some years. And recently, many other high profile internet companies such as Google, Apple, Facebook, LinkedIn and Twitter have included it for those who choose it.

Some companies are trying biometrics as a second authentication factor, taking advantage of the cameras and microphones in smartphones to carry out face or voice recognition—or even for iris scans. But many users worry that biometric data brings its own suite of concerns. Unlike passwords, which can be changed, voice prints and faces cannot. The worriers say that if cybercriminals were to hack a website and steal biometric information, the same information could forevermore be used to break into other accounts that rely on biometric authentication. This is unlikely, however, because fingerprint data is typically combined with random data to create a biometric based on your fingerprint. So any hacker that gained access to a scan of your fingerprint would not be able to break into a biometrically secured site.

But there’s a problem, even with two-factor authentication. While is makes life harder for criminals, users don’t like the extra hassle. "What we have found at PayPal with our security key is that if you market it hard you get a take-up rate of about 1-2%. If you don't market it then only about 0.1% will take it up," says Barrett. "Consumers just want to go out and buy things and they expect you to take care of security."

Here, Fido

In the hope of making life easier for users, a few companies have created a consortium called the Fast Identity Online (Fido) Alliance. PayPal, Google, and PC-maker Lenovo, are among its founders. First and foremost, Fido aims to reduce reliance on passwords.

The Fido system’s specifications are still being developed, but what is clear is that it will work using a piece of hardware called an authenticator. Users will be able to enrol this at each website that they wish to log into. The enrolment process will involve the Fido authenticator and the website exchanging digital keys that will allow each to recognize the other.

As the user, when you visit a site from a PC with an authenticator connected—or perhaps a mobile device with an authenticator built in—you will still have to identify yourself. What's different is that you will do so to your Fido authenticator, not to the website that you wish to visit. Once that is done, the Fido authenticator can vouch for you. Effectively, the device will tell the site “you know me because I can present a digital signature that proves who I am, and I can vouch for who is using me because I have authenticated them at my end”.

The researchers developing Fido authenticators intend them to work with all kinds of authentication: a simple PIN number, a fingerprint reader on a USB stick, or the camera on a mobile phone. The major benefit of this system is that no information will be stored remotely: the biometric data, or the PIN number, will remain on the Fido authenticator. And because it won’t be transmitted over the internet, this data won’t be stored on a remote site from which it could be hacked. The arrangement also avoids the need for a long and complex password to provide good security. If the wrong PIN is entered more than a handful of times on a Fido authenticator, the device would simply lock itself, as an ATM at a high street bank does today. Crucially, phishing could become a thing of the past because no one will ever need to enter a password on a website again.

Or would it? There are, of course, weaknesses in any system. In Fido’s case, the most obvious vulnerability is during the set up. To work properly, the Fido system will rely on you enrolling your authenticator at a genuine site. But what if you mistakenly enrolled it on a phishing site? "You have to go home or somewhere you trust when you register, and you need to be paying attention," says Mayank Upadhyay, a security engineer at Google. "When you are fixated on another task and not paying attention, that's when you end up getting phished.”

A second drawback of Fido is that it provides no easy means of revoking an authentication device that gets lost or stolen. A user would have to contact each site separately to cancel it, Upadhyay says, which would lead to the possibility of a hacker locking you out of your own accounts by impersonating you and revoking your device.

Creatures of habit

Perhaps Fido’s biggest criticism is that it still doesn’t achieve what PayPal's Michael Barrett says users really want: for websites like PayPal to take care of security for them. For this to happen, online services may have to more frequently employ behavioural analysis. This kind of security can help verify that a password is being typed by the appropriate person, explains Kevin Bailey, a security analyst at IDC. Such systems examine vast amounts of data about people to recognise them based on their usage habits.

Your location, the internet address of the computer you tend to connect from, and even the time of day that you normally sign in, are all details that could be fed into an authentication analysis. Even your click stream – how quickly you type and how long you stay on different web pages for – could become a telling detail about you. If any of these factors gave a website reason to doubt that you are who you claim to be, it could block you from doing anything sensitive, like withdrawing large amounts of money from a bank account.

Bailey predicts that this approach, which he calls persona-based authentication, will take off. "The angle you hold a mobile phone, the way you key things in, the tone you use when you speak – even the ear you put the phone to and the height of that ear above ground,” could be used to add authenticating evidence, he says.

Ultimately, authentication is a problem that is unique to computers. Humans generally have no difficulty recognising other people with whom they already have a relationship, which is why no one demands a password from their spouse or children before letting them in the house. It is also why researchers are unlikely to develop easy, reliable authentication systems for online services until computers can be programmed to learn like people, Bailey says. "Self-learning and artificial intelligence are the things that will allow computers to recognize individuals and authenticate them without them having to do anything," he concludes.

Before that day, if you want to log into your online accounts quickly and safely, you may be asked to pop a password pill. 

Update: An earlier version of this article was published 3 July 2013

If you would like to comment on this video or anything else you have seen on Future, head over to our Facebook page or message us on Twitter.