As passwords keep getting longer with stricter requirements (“your password must contain a minimum of 14 characters, a lower case letter, an upper case letter, a number, a punctuation mark, and a hieroglyph”) I can’t help but think “surely, there’s got to be an easier way!”
Ideally, each account should have a different password, and that password should change every few months (we’ve covered how to pick a password on the iiNet blog previously, as well as how long your password would take to hack).
There are a lot of options on the horizon to improve or even replace passwords. Over the next few years we’re going to see the existing technologies refined and new ideas cropping up. In fact, we’ve recently been evaluating a new Call Centre innovation to enhance security for our customers.
Voice recognition
In true geek-style, we’re looking at voice recognition for customers. This will increase account security and we won’t have to play 20 questions with our customers every time they call. Because let’s face it – that game gets old fast!
So how exactly does voice recognition work? If you choose to enrol in the voice ID-check, we’ll ask you to repeat a phrase and this recording will become your “voice-print”. It’s like a fingerprint of your voice using unique characteristics to match the voice-print to the caller. The technology is so smart it can verify your identity by voice match even if you have a cold or if you’re standing in the middle of noisy Flinders St train station. Now that’s pretty cool.
But what will passwords of the future look like? Here are some alternatives that could make all our lives easier.
Physical security devices
Chinese company Geak has already designed a ring that will unlock your smartphone, simply by picking it up while you wear the ring.
Google is also looking at using hardware to replace your passwords, starting with a small USB key containing a contactless chip, similar to the NEO already available from YubiKey.
An increasing number of banks now offer “security tokens” to use with online banking – either as a physical piece of hardware, or through a smartphone app. My own bank uses the app version – each time I make a transaction through my internet banking, I open up the app, which has been linked to my account with its own identification number, and it generates a one-time code that works for thirty seconds. Without a token code, no money can be transferred out of my account, keeping my account secure.
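Thirty-second one-time codes of the kind described above are what RFC 6238 time-based one-time passwords (TOTP) produce. The Python below is an added example of that scheme, not the bank's app or any iiNet code; it assumes the RFC's reference parameters (30-second step, 6 digits, HMAC-SHA1) and shows both the token side and the server-side check, including the drift window and the replay refusal a verifier needs.

```python
import base64
import hashlib
import hmac
import struct
import time

# Assumed token parameters (RFC 6238 defaults): 30-second step, 6 digits, HMAC-SHA1.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """The code the token app shows: HOTP with the counter set to the current 30-second slot."""
    return hotp(secret, at_time // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, last_accepted: int = -1,
                window: int = 1, step: int = STEP_SECONDS, digits: int = DIGITS):
    """Server-side check. Returns the accepted slot, or None if the code is rejected.

    Accepts the current slot plus `window` slots either side (clock drift), compares in
    constant time, and refuses any slot <= last_accepted so an intercepted code cannot
    be replayed, even within its thirty-second lifetime.
    """
    current = at_time // step
    for slot in range(current - window, current + window + 1):
        if slot <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, slot, digits), submitted):
            return slot
    return None


def secret_from_base32(text: str) -> bytes:
    """Enrolment secrets are usually shown as base32 (the text under the QR code)."""
    cleaned = text.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # RFC 6238 test secret, not a real key
    print("code right now:", totp(demo_secret, int(time.time())))
```

The server must store `last_accepted` per account for the replay check to mean anything; without it a code phished seconds earlier is still good until the slot rolls over.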
Password in a pill? Or electronic tattoo?
Regina Dugan, head of research for Motorola, has unveiled a “password pill,” powered by stomach acid. When the “authentication vitamin” is swallowed, the acid in your stomach activates a minuscule chip, which emits an authentication signal that can be used in place of a password.
Motorola has also shown off an “electronic tattoo” (more like a sticker than the traditional ink tattoo) which includes sensors and an antenna to detect your devices and send a signal to them in place of a password.
Biometrics – using our unique features
Back in 2004, IBM introduced fingerprint readers into laptops. I remember when my mum first got a laptop with a fingerprint reader – it felt like the future had arrived. It seemed like something straight out of a sci-fi movie. She never ended up using it and I don’t recall a lot of other people who did either. But biometrics is an interesting area that holds a lot of potential.
Some Android phones already offer face recognition as a method of unlocking, and it’s rumoured that Apple is looking into similar technology. Voice recognition is also an interesting idea – a passphrase or sentence can be spoken using a computer microphone for online authentication or over the phone as part of an IVR.
Two-factor authentication
Two-factor authentication is becoming increasingly popular – Google, Twitter and Facebook now all offer it. The standard password still exists, but you can add a second layer of security as a backup if your password is ever compromised. If an unknown browser tries to access my Facebook account, for example, a page is presented asking for a randomly generated code, which has been sent to my phone via a text message. They can’t get in without physical access to my mobile phone, and I can immediately change my password.
What would be the ideal password replacement for you?
Completely agree with Tal, never, ever should you share your password/s with anyone. iiNet are using the same protocols that the majority of Australian Banks/Credit Unions use within their call centres. Some financial institutions do have a 2nd tiered ID with a password, however this takes longer per call, affects the Grade of Service (GOS) that’s offered within the call centre, & unfortunately there are some individuals who may not have the right morals to ensure your online safety.
Yes, but when is someone going to tell us how to remember so many multiple passwords? I have had advice not to use the same one for different accounts, as to do so makes cracking passwords easier. And many sites only allow letters and numbers and limited characters.
It has been proven time and time again that forcing restrictions on passwords such as having a lowercase, uppercase and numerical character makes passwords hard to remember, so people simplify them to make it easier. Why do you guys still force such restrictions knowing that a large portion of users will either forget them or write them down (another security issue) when it’s far better to allow users freedom in creating a password with the right training to make everything more secure? I hate to always fall back on this but it’s the easiest and fastest way to get my point across, http://xkcd.com/936/, but this always sums it up nicely.
I agree, you tell your password to a total stranger, who obviously has a password of yours to verify it against.
Now, I know that the odds are small, but who is to stop the phone guy from hacking your account?
Also, when they want you to verify your DOB, they then require you to state your DOB; that to me isn’t verification, it’s telling them your dates and they are verifying it against their records.
It still worries me that iiNet store their customers passwords in plain text (Or did about 1 year ago when my Mum called up and was told her password by the support staff.)
When I questioned them about hashed / salted passwords I got something about “our engineers are making other means and ways in securing the password as much as possible.”
…
Hi Tel,
I am over 70 and my first 12 years were in a pre-electricity society. This modern e-era is so alien there is little of it I really understand: but, how is it that if I make a mistake 3 times, while entering my password for any of the ten or so sites I need a password for, I get locked out of the site I want for 24 hours but a hacker can access my accounts by persistence over a period of time?
(I understand the importance of security and do change my passwords periodically but it is the bane of my life.)
Jim
New password. BTW please try and modify the iiNet notice about 50% usage reached. It would help if iiNet could also provide data on the amount of days left. For example, using 50% at 25 days into the month is not really a concern but it would be after, say, 4 days into the period.
How do I go about changing my password? On the other hand, why do we need such a lengthy password? It should be short and easy to remember, otherwise we have to write it down somewhere and would be more vulnerable.
The idea of having a different password for each account may possibly improve security, but once the stage is reached where you need to write things down in order to remember, effective security is zero. We had an IT person at work who insisted on many passwords. Every morning the first thing that many of us did was to take out the sticky note of passwords and attach it to the front of the computer! What price security!
Just a general question around iiNet and passwords.
Does Support still ask for your password when you ring up for support?
I always found that extremely odd and not in line with the principles of what passwords were designed for.
Cheers
Aaron