It’s been a while since we’ve heard from Petition Against Passwords, the group that formed this summer with the goal of garnering support for a password-less internet. However, it may be time to bring them back into the spotlight.
Ars Technica recently ran an article detailing how password crackers are now cracking once-unbreachable passwords — the long strings of memorable phrases such as “givemelibertyorgivemedeath” — by simply uploading the internet’s vast data on song lyrics, movie quotes, and historical texts into their databases. Password security researcher Kevin Young uploaded the entirety of Wikipedia into his password cracker, making formerly-secure, non-dictionary-word passwords, such as “crotalus atrox,” fall in seconds.
The message is clear. Not even the scientific name of your favorite rattlesnake will protect you from password crackers, not when they essentially have access to every combination of words ever written.
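The same idea can be turned around and used at signup time to reject passphrases that are lifted from published text. The sketch below is an added example, not code from the Ars Technica article or from any of the groups mentioned here; the sample corpus is constructed, and the function names and the eight-word phrase limit are assumptions.

```python
import re

# Constructed sample standing in for lyrics, quotes and encyclopedia text.
SAMPLE_CORPUS = """
I know not what course others may take; but as for me,
give me liberty or give me death!
The western diamondback rattlesnake (Crotalus atrox) is a venomous
rattlesnake species found in the southwestern United States.
"""

MAX_WORDS = 8  # longest phrase indexed; an assumption, tune to the corpus size


def normalise(text):
    """Lowercase and drop spaces, punctuation and anything not a-z or 0-9."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def build_phrase_index(corpus, max_words=MAX_WORDS):
    """Index every run of 2..max_words consecutive corpus words, joined."""
    words = re.findall(r"[a-z0-9]+", corpus.lower())
    index = set()
    for start in range(len(words)):
        longest = min(max_words, len(words) - start)
        for length in range(2, longest + 1):
            index.add("".join(words[start:start + length]))
    return index


def is_published_phrase(candidate, index):
    """True if the candidate is a corpus phrase, ignoring case, spacing,
    punctuation and any digits appended to the end."""
    squashed = normalise(candidate)
    return squashed in index or squashed.rstrip("0123456789") in index


if __name__ == "__main__":
    index = build_phrase_index(SAMPLE_CORPUS)
    for pw in ("givemelibertyorgivemedeath", "Crotalus Atrox!",
               "crotalusatrox2013", "plinth gravel octopus sonnet"):
        verdict = "reject" if is_published_phrase(pw, index) else "accept"
        print(f"{pw!r}: {verdict}")
```

A real deployment would build the index from a much larger corpus and store it in a compact structure such as a Bloom filter rather than an in-memory set.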
It’s time to find a new solution.
That brings us back to Petition Against Passwords. The brainchild of Silicon Valley startup Clef, which allows users to use their smartphone as a physical identification system instead of using passwords (literally, they hold their smartphone in front of the computer screen and it syncs a digital signature), Petition Against Passwords has gained two teammates: the groups behind OneID and LaunchKey, both startups promoting password alternatives. Its website lists a number of startup supporters, including Nudata Security and Certivox.
It is not yet clear what type of password alternative Petition Against Passwords is going to create, but it will probably look similar to the various alternatives currently on the market: the fingerprint scan, the retina scan, the smartphone digital signature. (Of these, we predict it will be closer to a digital signature than a retina scan — after all, one of them can be programmed into a mobile app, and the other requires significant investment in hardware.)
Of course, any single-entry security system is not enough. Passwords, and whatever comes after passwords, are only as secure as the systems they protect. This means companies still need to be responsible for risk management software, especially to protect against advanced persistent threats that work to infiltrate networks with or without password access.
Passwords are no longer an effective first line of defense against hackers, and in fact haven’t been that type of tool for years; personal computer users and companies both need to recognize that a password is simply an identification measure, the same way a key is used to identify someone as the owner of a home. Of course, anyone who has the key can claim they’re the owner, which is why homeowners add on additional home security systems — and computer owners should do the same.
It’s unfortunate that we have to rely on such an easily-hacked method of entry into our computers, servers, and favorite websites. Of course, that’s what you get when you switch from a world where the bank teller knows your name to a world where you never interact with a bank teller in person. Petition Against Passwords’ website includes a quote from Bill Gates, from his argument calling for the end of passwords: simply, that “Passwords are the weak link.” Well put, Mr. Gates.
At present, Petition Against Passwords does not list how many signatures it has collected, nor how many are required in order for it and its supporters to take further action on a world without passwords. Let’s hope that this bright idea doesn’t fade away, and that we see Petition Against Passwords develop into a more thorough startup model.
On the other hand, if they aren’t the group that prompts the next revolution in login security, someone else is sure to step up to fill the space, as it’s clear that even the safest passwords won’t be secure much longer.