Passwords Must Go

Let's face it: passwords are the nightmare of the Internet era. They are out of their owners' control and out of the industry's control. They are the weakest link of the accelerated evolution of the information age.

Everything requires passwords. Credit cards, phones, Bluetooth headsets, computers, bank accounts, social networks, cars, travel tickets, music services, smart-home appliances... The system is collapsing. On one hand there are sites and services requiring "strong" passwords (lowercase, uppercase, digits, special characters and more than 12 characters in total), and at the same time there are sites that still do not allow special characters and whose passwords have to be 6 or 8 characters long. Users give up. They give up on security, storing their passwords in GMail messages or Evernote notes. Web services fall one by one prey to malicious hackers armed with the continuously growing power of hacking tools. By the way, thanks to GPU arrays, brute-force and rainbow-table attacks against complete databases of hashed passwords are now child's play. It is a jungle where everyone can eat everyone and be eaten in the end. A jungle that limits economic growth and is far more dangerous than the Amazon (the jungle!) with its tarantulas, piranhas and anacondas.

We need to get out of the password jungle, quickly.

Which way should we go? Smart tokens seem to be the way. A token is a physical device: it can take the form of a USB key, a phone, or something that looks, well, like a token. I would authenticate (by various methods) to the token, and the token would authenticate me to the service. In most cases the token will be my phone (the most personal and guarded item I own). The phone will use many ways to make sure I am the one it should trust: passwords (again!), PINs, fingerprint readers (remember: Apple bought AuthenTec in July 2012). And then the phone will negotiate with the Internet service to let me in.

This is exactly the idea behind the FIDO Alliance, led by PayPal and Google and joined by NXP, Infineon, Lenovo and other important vendors. Michael Barrett, the CISO of PayPal, claims passwords have just died (in 2013). I will have to see the first sites offering FIDO authentication before I believe it, but for the sake of the planet I keep my fingers crossed that someone will finally solve the problem on a system-wide, global scale.
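To make the "token negotiates with the service" step concrete, here is an added illustration of the public-key challenge-response pattern that FIDO-style authenticators use. It is not code from this post or from the FIDO Alliance, and it goes a little beyond the text: it also shows why this model answers the hashed-password-database problem mentioned above, because the service's credential store holds only public keys and there is nothing in it to brute-force. The type names (Token, Service), the use of Ed25519, the per-origin key pairs, the SHA-256 message construction and the origin "https://bank.example" are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Token models the phone or USB key. It holds one key pair per service
// origin and never exports a private key; the service only ever sees
// public keys and signatures.
type Token struct {
	unlocked bool
	keys     map[string]ed25519.PrivateKey // origin -> private key
}

func NewToken() *Token {
	return &Token{keys: map[string]ed25519.PrivateKey{}}
}

// Unlock stands in for the local check the user makes to the token
// (PIN, fingerprint, password). Nothing is signed while locked.
func (t *Token) Unlock(ok bool) { t.unlocked = ok }

// Register creates a fresh key pair bound to one origin and returns
// only the public half for the service to store.
func (t *Token) Register(origin string) (ed25519.PublicKey, error) {
	if !t.unlocked {
		return nil, errors.New("token locked")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[origin] = priv
	return pub, nil
}

// Sign answers a service's challenge. The signed message binds the
// challenge to the origin, so a look-alike site cannot reuse it.
func (t *Token) Sign(origin string, challenge []byte) ([]byte, error) {
	if !t.unlocked {
		return nil, errors.New("token locked")
	}
	priv, ok := t.keys[origin]
	if !ok {
		return nil, errors.New("no credential for origin")
	}
	return ed25519.Sign(priv, assertionMessage(origin, challenge)), nil
}

// assertionMessage is the constructed byte string both sides sign/verify:
// SHA-256(origin || 0x00 || challenge).
func assertionMessage(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Service models the web site. Its credential database holds public
// keys only; a leak of it gives an attacker nothing to crack.
type Service struct {
	Origin  string
	creds   map[string]ed25519.PublicKey // user -> public key
	pending map[string][]byte            // user -> outstanding challenge
}

func NewService(origin string) *Service {
	return &Service{Origin: origin, creds: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Service) Enroll(user string, pub ed25519.PublicKey) { s.creds[user] = pub }

// Challenge issues a fresh random nonce for one login attempt.
func (s *Service) Challenge(user string) ([]byte, error) {
	if _, ok := s.creds[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and consumes
// the challenge, so a captured signature cannot be replayed.
func (s *Service) Verify(user string, sig []byte) bool {
	c, ok := s.pending[user]
	if !ok {
		return false
	}
	delete(s.pending, user)
	pub, ok := s.creds[user]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, assertionMessage(s.Origin, c), sig)
}

// Login runs the whole exchange: challenge -> token signs -> service verifies.
func Login(t *Token, s *Service, user string) bool {
	c, err := s.Challenge(user)
	if err != nil {
		return false
	}
	sig, err := t.Sign(s.Origin, c)
	if err != nil {
		return false
	}
	return s.Verify(user, sig)
}

func main() {
	token := NewToken()
	token.Unlock(true) // user passed the local PIN/fingerprint check
	bank := NewService("https://bank.example")
	pub, _ := token.Register(bank.Origin)
	bank.Enroll("alice", pub)
	fmt.Println("login:", Login(token, bank, "alice"))
}
```

Three properties matter here from a defender's point of view: the challenge is random and single-use, so an intercepted signature is worthless afterwards; the signature covers the origin, so a credential registered at one site cannot be exercised from another; and the token refuses to sign until the user has unlocked it locally, which is the "authenticate to the token, token authenticates to the service" split the post describes.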
