Heartbleed Proves the Password Is Dead. This Is What You Need Now
R.I.P., password. You were a good idea, and damned useful, in your time, but your time has passed.
The Heartbleed bug has made plain what everyone in cybersecurity already knew, whether they admit it or not: Passwords are dying. All of them. Got one of those fancy password managers that invents a unique and un-rememberable password for every one of your accounts? It's not enough. Do you make a new password for every service, based on a phrase so that you can remember it but the dictionary can't find it? That's certainly worth doing, but it may not help you here. Heartbleed let anyone on the internet read chunks of a vulnerable server's memory, and a password you have just typed in sits in that memory in plain text, however long or random it is.
The Heartbleed fiasco is just the latest in a series of events that demonstrate the password's obsolescence. In the past year or so, Evernote, LivingSocial, and Drupal are just three of the high-profile online services where passwords were stolen despite being stored as salted hashes rather than in the clear (what most breach notices loosely call "encrypted").
Even if that weren't true, it might not matter. Once a copy of those hashes is in an attacker's hands, the guessing happens offline on the attacker's own hardware, with no login page to slow it down or lock the account: a fast hash like SHA-1 can be tried billions of times per second on off-the-shelf graphics cards, and a dictionary plus a few mangling rules (capitalize, add "123", add a year) recovers the passwords of many or most users within days. Even users smart enough not to use their kids' names, birth dates, alma maters, or anything else a clever bit of software could sniff out are only somewhat safer. Anything from your bank to your social media account that you access simply by typing a password into a computer or mobile device is not as secure as it should be or could be, no matter how sophisticated that password may be.
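To make the offline guessing concrete, here is an added example (mine, not the article's, and not the code of any of the services named above): a constructed "leaked" table of three users stored as salted SHA-1, the scheme LivingSocial reported using, attacked with a tiny wordlist and a handful of mangling rules. The usernames, salts and passwords are invented for the example, and the hashes are computed when the script runs so that it works offline. It also times the raw guess rate against PBKDF2 with 100,000 iterations, the kind of deliberately slow scheme a service should be using instead.

```python
"""Offline dictionary attack against a leaked salted-SHA-1 password table.

Added example (not from the article): shows why a breach of "encrypted"
(really: hashed) passwords still exposes most users, and why a long
passphrase survives where a mangled dictionary word does not.
"""
import hashlib
import time
from typing import Dict, Iterator, Tuple

# Constructed wordlist: a tiny stand-in for the multi-million-entry lists
# real crackers feed in.
WORDLIST = ["password", "letmein", "123456", "qwerty", "monkey",
            "dragon", "sunshine", "jessica2009", "iloveyou"]

# Suffixes a typical mangling rule set appends to every word.
SUFFIXES = ["", "1", "123", "!", "2014"]


def salted_sha1(password: str, salt: str) -> str:
    """Salted SHA-1: one fast hash per guess, which is the attacker's friend."""
    return hashlib.sha1((salt + password).encode()).hexdigest()


def make_constructed_dump() -> Dict[str, Tuple[str, str]]:
    """A constructed 'leaked' table: user -> (salt, hash).

    The users, salts and passwords are invented for this example; the
    hashes are computed here so the script runs with no external data.
    """
    plaintexts = {
        "alice": ("8f2d", "Monkey123"),
        "bob": ("c0ff", "jessica2009!"),
        "carol": ("e1a9", "correct horse battery staple"),
    }
    return {u: (salt, salted_sha1(pw, salt)) for u, (salt, pw) in plaintexts.items()}


def candidates() -> Iterator[str]:
    """Wordlist x mangling rules: the cheapest attack, and the first one tried."""
    for word in WORDLIST:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield base + suffix


def crack_dump(dump: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Return {user: recovered_password} for every hash the dictionary hits.

    Per-user salts defeat precomputed rainbow tables, but they do nothing
    against a fresh dictionary run; the attacker just repeats it per user.
    """
    recovered: Dict[str, str] = {}
    for user, (salt, digest) in dump.items():
        for guess in candidates():
            if salted_sha1(guess, salt) == digest:
                recovered[user] = guess
                break
    return recovered


def guesses_per_second(seconds: float = 0.2) -> float:
    """Rough single-core rate for salted SHA-1 on this machine (GPUs do far better)."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        salted_sha1("guess%d" % n, "8f2d")
        n += 1
    return n / seconds


def pbkdf2_guesses_per_second(seconds: float = 0.2, iterations: int = 100_000) -> float:
    """Same measurement with a deliberately slow KDF, which is what a service should store."""
    n, deadline = 0, time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hashlib.pbkdf2_hmac("sha256", b"guess", b"8f2d", iterations)
        n += 1
    return n / seconds


if __name__ == "__main__":
    dump = make_constructed_dump()
    cracked = crack_dump(dump)
    for user in dump:
        print(f"{user}: {cracked.get(user, '<not cracked by this wordlist>')}")
    print(f"salted SHA-1: ~{guesses_per_second():,.0f} guesses/s")
    print(f"PBKDF2-SHA256 ({100_000:,} iterations): ~{pbkdf2_guesses_per_second():,.0f} guesses/s")
```

Running it recovers alice's and bob's passwords in a fraction of a second and leaves carol's passphrase untouched; the two rate figures show why the choice of hash on the server matters as much as the strength of the password.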
There's a better alternative. It's called two-factor authentication. It's widely available and growing. It won't make you unhackable (no authentication method does), but it means a hacker in a distant country who has your password, and nothing else, still can't get into your account.
Two-factor authentication combines at least two of the following three kinds of proof. They have to come from different categories: a password plus a second password, or a PIN plus a security question, is still just one factor.
1. Something you have
There are several choices in this category, including key-fob "tokens" with a small display that shows a code which changes every minute or so, USB keys that type a one-time code into a laptop or PC when you touch them, and other devices. But the item most quickly gaining popularity is something you doubtless already possess: a smartphone.
Many online services such as Google, PayPal, and many banks already offer an option which asks you to type in a code sent by SMS to your phone when signing in for the first time from a computer or mobile device. The Google Authenticator app generates the same kind of code on the phone itself, from a secret the service shares with it when you set it up and from the current time, so it works with no cell phone signal at all; the LaunchKey app opens on your phone when you attempt to sign in, so that you can simply swipe the phone to show that you have it. The list of services and companies that offer two-factor authentication is growing daily, and will see a big spike as a result of Heartbleed.
What if you lose your phone? There's always a fallback: the service will either call a backup number (a landline, say) or accept one of a set of single-use backup codes supplied when you first sign up, which you should print and keep somewhere safe. Adding something you have means that a password stolen through Heartbleed or any other remote hack is no longer enough by itself: the code that goes with it is good for one login and expires within minutes.
2. Something you are
This is the fun stuff, where cybersecurity wanders into the realm of science fiction. Fingerprint scanners are already commonplace on laptops and the latest iPhone, but that's just the beginning. Facial recognition, developing rapidly, lets any device with a camera, such as a PC, tablet, or smartphone, recognize you simply by your looks. Voice biometrics, soon to be deployed by some banks, will let their systems tell who you are by listening to you speak.
And--who knew?--your heartbeat is as unique as your fingerprint. One startup is taking advantage of that by offering a $79 (pre-order price) bracelet that tracks your pulse and automatically signs you in to your accounts.
3. Something you know
Which brings us back to the password. Nope, we're not abandoning it entirely. Tokens and smartphones can be stolen, or even hacked. Apple's fingerprint reader has been fooled, although the hack involved lifting the user's fingerprint from a surface, printing it at high resolution, and casting a latex copy from the print. And even facial recognition technology isn't completely infallible. "Liveness" checks that guard against photographs by waiting for you to blink have been fooled by showing the camera a series of three photographs, the middle one with the eyes obscured, to fake a blink.
No form of authentication is absolutely secure, so you're always better off using at least two. The good old password, created at a cost of $0 and easily deployed anytime, anywhere, is an easy choice as one of them, as long as it's not the only one. I've been using two-factor authentication myself everywhere it's an option ever since reading this account of a Gmail hack that could easily have been avoided.
What about you?
Like this post? Sign up here for Minda's weekly email and you'll never miss her columns.