Passwords of the future

As passwords keep getting longer with stricter requirements (“your password must contain a minimum of 14 characters, a lower case letter, an upper case letter, a number, a punctuation mark, and a hieroglyph”) I can’t help but think “surely, there’s got to be an easier way!”

Ideally, each account should have a different password, and that password should change every few months (we’ve covered how to pick a password on the iiNet blog previously, as well as how long your password would take to hack).

There are a lot of options on the horizon to improve or even replace passwords. Over the next few years we’re going to see the existing technologies refined and new ideas cropping up. In fact, we’ve recently been evaluating a new Call Centre innovation to enhance security for our customers.

Voice recognition

In true geek-style, we’re looking at voice recognition for customers. This will increase account security and we won’t have to play 20 questions with our customers every time they call. Because let’s face it – that game gets old fast!

So how exactly does voice recognition work? If you choose to enrol in the voice ID-check, we’ll ask you to repeat a phrase and this recording will become your “voice-print”. It’s like a fingerprint of your voice using unique characteristics to match the voice-print to the caller. The technology is so smart it can verify your identity by voice match even if you have a cold or if you’re standing in the middle of noisy Flinders St train station. Now that’s pretty cool.

But what will passwords of the future look like? Here are some alternatives that could make all our lives easier.

Physical security devices

Chinese company Geak has already designed a ring that will unlock your smartphone, simply by picking it up while you wear the ring.

Google is also looking at using hardware to replace your passwords, starting with a small USB key containing a contactless chip, similar to the NEO already available from YubiKey.

An increasing number of banks now offer “security tokens” to use with online banking – either as a physical piece of hardware, or through a smartphone app. My own bank uses the app version – each time I make a transaction through my internet banking, I open up the app which has been linked to my account with its own identification number, and it generates a one-time code that works for thirty seconds. Without a token code, no money can be transferred out of my account, keeping my account secure.

Password in a pill? Or electronic tattoo?

Regina Dugan, head of research for Motorola, has unveiled a “password pill,” powered by stomach acid. When the “authentication vitamin” is swallowed, the acid in your stomach activates a minuscule chip, which emits an authentication signal that can be used in place of a password.

Motorola has also shown off an “electronic tattoo” (more like a sticker than the traditional ink tattoo) which includes sensors and an antenna to detect your devices and send a signal to them in place of a password.

Biometrics – using our unique features

Back in 2004, IBM introduced fingerprint readers into laptops. I remember when my mum first got a laptop with a fingerprint reader – it felt like the future had arrived. It seemed like something straight out of a sci-fi movie. She never ended up using it and I don’t recall a lot of other people who did either. But biometrics is an interesting area that holds a lot of potential.

Some Android phones already offer face recognition as a method of unlocking, and it’s rumoured that Apple is looking into similar technology. Voice recognition is also an interesting idea – a passphrase or sentence can be spoken using a computer microphone for online authentication or over the phone as part of an IVR.

Two-factor authentication

Two-factor authentication is becoming increasingly popular – Google, Twitter and Facebook now all offer it. The standard password still exists, but you can add a second layer of security as a backup if your password is ever compromised. If an unknown browser tries to access my Facebook account, for example, a page is presented asking for a randomly generated code, which has been sent to my phone via a text message. They can’t get in without physical access to my mobile phone, and I can immediately change my password.

What would be the ideal password replacement for you?

14 comments

  1. Aaron says:

    Just a general question around iiNet and passwords.

    Does Support still ask for your password when you ring up for support?

    I always found that extremely odd and not in line with the principles of what passwords were designed for.

    Cheers
    Aaron

    • Tal Waterhouse says:

      Hey Aaron,

      Asking for a service’s password can be used as a method in identifying someone on the account as part of our 9-point ID check if required.

      However, should you not wish to disclose the service’s password for personal reasons such as preference or location the call is being placed from, you can always identify yourself sufficiently with alternative information such as your billing address, date of birth and contact number.

      Regards,
      Tal

      • Jason says:

        @Tal Waterhouse, opting out of telling the support tech your password doesn’t exactly change that they can obviously see it anyway (how do they validate it otherwise?).
        They shouldn’t have access to see it, nor be asking for it in the first place.

  2. Janice says:

    Completely agree with Tal, never, ever should you share your password/s with anyone. iiNet are using the same protocols that the majority of Australian Banks/Credit Unions use within their call centres. Some financial institutions do have a 2nd tiered ID with a password, however this takes longer per call, affects the (GOS) “Grade of Service” (within the call centre) that’s offered & unfortunately there are some individuals who may not have the right morals to ensure your online safety.

  3. Pam Bailey says:

    Yes, but when is someone going to tell us how to remember so many multiple passwords? I have had advice not to use the same one for different accounts as to do so makes cracking passwords easier. And many sites only allow letters and numbers and limited characters.

  4. Runkies says:

    It has been proven time and time again that forcing restrictions on passwords, such as having a lowercase, uppercase and numerical character, makes passwords hard to remember, so people simplify them to make it easier. Why do you guys still force such restrictions knowing that a large portion of users will either forget them or write them down (another security issue) when it’s far better to allow users freedom in creating a password with the right training to make everything more secure? I hate to always fall back on this but it’s the easiest and fastest way to get my point across, http://xkcd.com/936/ but this always sums it up nicely.

  5. Aussie Meyer says:

    I agree, you tell your password to a total stranger, who obviously has a password of yours to verify it against.
    Now, I know that the odds are small, but who is to stop the phone guy from hacking your account?
    Also, when they want you to verify your dob, they then require you to state your dob, that to me isn’t verification, it’s telling them your dates and they are verifying it against their records.

    • Tal Waterhouse says:

      Hey Aussie,

      Access to a customer’s account including the retrieval of the account password for any reason is logged and retrievable. We do have various means of ensuring that our staff are adhering to our acceptable use, security and compliance policies.

      Some details including your date of birth can be used to verify you on an account when calling in addition to the password of the service. If you’d rather not provide certain information we may still be able to verify you with alternative details such as invoice numbers, dates and due amounts.

      Regards,
      Tal

  6. Michael says:

    It still worries me that iiNet store their customers’ passwords in plain text (or did about 1 year ago when my Mum called up and was told her password by the support staff).

    When I questioned them about hashed / salted passwords I got something about “our engineers are making other means and ways in securing the password as much as possible.”

    • Tal Waterhouse says:

      Hi Michael,

      Customers’ passwords are not stored in plain text. Staff are able to retrieve the encrypted password during a call, however the request is logged and stored accordingly should the need to investigate this arise. We feel this is the best position to take to ensure security of information with accessibility to assist which does conform with security and privacy requirements.

      Regards,
      Tal

  7. Jim Buchanan says:

    Hi Tel,
    I am over 70 and my first 12 years were in a pre-electricity society. This modern e-era is so alien there is little of it I really understand: but, how is it that if I make a mistake 3 times, while entering my password for any of the ten or so sites I need a password for, I get locked out of the site I want for 24 hours but a hacker can access my accounts by persistence over a period of time?
    (I understand the importance of security and do change my passwords periodically but it is the bane of my life.)
    Jim

  8. George says:

    New password. BTW please try and modify iinet notice about 50% usage reached. It would help if iinet could also provide data on the amount of days left. For example using 50% at 25 days into the month is not really a concern but it would be after say 4 days into the period.

  9. Farhad Master says:

    How do I go about changing my password? On the other hand, why do we need such a lengthy password? It should be short and easy to remember, otherwise we have to write it down somewhere and would be more vulnerable.

  10. Sue McCully says:

    The idea of having a different password for each account may possibly improve security, but once the stage is reached where you need to write things down in order to remember, effective security is zero. We had an IT person at work who insisted on many passwords. Every morning the first thing that many of us did was to take out the sticky note of passwords and attach it to the front of the computer! What price security!
