Password fatigue begets digital generators, biometric exploration

Thursday, June 26, 2014 | 5:49 p.m. CDT
On March 14, 2013, Alexis Maldonado works in a fifth-grade computer lab at Van Buren Elementary School in Cedar Rapids, Iowa. Frustration over passwords is common among all ages.

CHICAGO — Good thing she doesn't need a password to get into heaven. That's what Donna Spinner often mutters when she tries to remember the growing list of letter-number-and-symbol codes she's had to create to access her various online accounts.

"At my age, it just gets too confusing," said the 72-year-old who lives outside Decatur, Ill.

Frustration over passwords is as common across the age brackets as the little reminder notes on which people often write them.

"We are in the midst of an era I call the 'tyranny of the password,'" said Thomas Way, a computer science professor at Villanova University. "We're due for a revolution."

That revolution is already underway.

Already, there are multiple services that generate and store passwords. And beyond that, biometric technology is emerging: People use thumbprints and face recognition to get into accounts and devices. Some new iPhones use the technology, and a few retailers can log employees into work computers with a touch of the hand.

Still, many people cling to passwords, even though they often aren't very secure. Look at any list of common passwords, and you'll find anything from "abc123," "letmein" and "iloveyou" to the word "password."

Bill Lidinsky, director of security and forensics at the School of Applied Technology at the Illinois Institute of Technology, has seen it all — and often demonstrates in his college classes just how easy it is to use readily available software to figure out many passwords.

"I crack my students' passwords all the time," Lidinsky said, "sometimes in seconds."

Even so, a good password doesn't necessarily have to be maddeningly complicated, said Keith Palmgren, a cybersecurity expert in Texas.

"Whoever coined the phrase 'complex password' did us a disservice," said Palmgren, an instructor at the SANS Institute, a research and education organization that focuses on high-tech security.

He's teaching a course on passwords to other tech professionals later this summer and plans to tell them the focus should be on unpredictability and length — the more characters, the better.

But it doesn't have to be something you can't remember. If a site allows long passwords and special characters, Palmgren said to use an entire sentence as a password, including spaces and punctuation, if possible: "This sentence is an example."

He also suggested plugging in various types of passwords on a website developed by California-based Gibson Research Corp. to see how long it could take to crack each type of password.

According to the site, it could take centuries to uncover some passwords, but seconds for others.
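As an added illustration (not part of the original article, and not the Gibson Research site's code), the sketch below estimates worst-case exhaustive-search time from length and character classes, and shows why that estimate is only an upper bound for anything on a common-password list. The character-class sizes, the guess rate and all function names are assumptions.

```python
# Added example: rough upper bound on exhaustive-search time for a password.
# Assumed class sizes: 26 lowercase, 26 uppercase, 10 digits, 33 ASCII symbols
# (space included). Assumed attacker speed: 1e11 guesses per second (offline).
GUESSES_PER_SECOND = 1e11
SYMBOLS = 33
CLASSES = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]

# Constructed stand-in for a common-password list (the article's own examples).
COMMON = {"abc123", "letmein", "iloveyou", "password"}


def alphabet_size(pw):
    """Size of the smallest class-based alphabet that contains every character."""
    size = sum(n for test, n in CLASSES if any(test(c) for c in pw))
    if any(not c.isalnum() for c in pw):
        size += SYMBOLS
    return size


def search_space(pw):
    """Candidates an exhaustive search tries: all strings of length 1..len(pw)."""
    a = alphabet_size(pw)
    return sum(a ** k for k in range(1, len(pw) + 1))


def worst_case_seconds(pw):
    """Time to try every candidate; listed passwords are tried first, so near zero."""
    if pw.lower() in COMMON:
        return len(COMMON) / GUESSES_PER_SECOND
    return search_space(pw) / GUESSES_PER_SECOND


def report(passwords):
    rows = []
    for pw in passwords:
        secs = worst_case_seconds(pw)
        years = secs / (365.25 * 24 * 3600)
        rows.append((pw, len(pw), alphabet_size(pw), secs, years))
    return rows


if __name__ == "__main__":
    samples = ["abc123", "iloveyou", "Ama95 zon", "This sentence is an example."]
    for pw, n, a, secs, years in report(samples):
        print(f"{pw!r:32} len={n:2} alphabet={a:2} {secs:10.3g} s  {years:10.3g} years")
```

The figures assume nothing smarter than exhaustive search, so they bound the time from above; guessing based on word lists or known patterns can do far better against predictable choices.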

Lidinsky recommended using a simple mental algorithm, including those that use a space, if a site allows that. As an example, he said try combinations like "Ama95 zon" for an Amazon account, and "Yah95 oo" for a Yahoo! account, and so on.

There are other ways around the password headache.

Some people have taken to using password generators, which create and store passwords for various sites. Generally, all the user has to remember is a master password to unlock the generator program, which then plugs the right password into whichever account is being used. There are numerous password managers like this, including LastPass, Dashlane and 1Password.

Some wonder whether it's wise to trust services like this.

"But sooner or later, you have to trust somebody," said Palmgren, who uses a password manager himself.

Other solutions are surfacing, too.

Researchers at the University of York in England are developing a new authentication system called Facelock that asks you to identify familiar faces to get into an account or device.

The Canadian government, meanwhile, has partnered with a company called SecureKey Technologies, which allows citizens of that country to log onto government sites, such as the country's tax bureau, using a username and password from partner financial institutions, including TD Bank. Because SecureKey serves as the go-between, the system's developers said the bank username and password are not ultimately shared with the government site. Nor does the bank receive any information about which government site the user is accessing.

SecureKey is now working with the U.S. Postal Service to provide citizens with similar access to federal health benefits, student loan information and retirement benefit information.

Ultimately, experts said, reducing the stress of online security — and decreasing reliance on passwords — will rest on what's known as "multi-factor identification."

Those factors are often based on three things:

1. "What you know": a password, security question or some sort of information that only you would know (but that doesn't have to be difficult to remember, just exclusive to you);

2. "What you have": a phone, tablet or laptop — or even a card or token — that an online site or tech-based retail outlet would recognize as yours;

3. "What you are": biometric information, such as face recognition or a thumb print.

Banks could use cameras already in ATMs to implement this authentication process, said Paul Donfried, chief technology officer for LaserLock Technologies Inc., a Washington, D.C.-based company that develops fraud prevention technology for retailers, governments and electronics manufacturers.

"We now have the ability to shift complexity away from the human being," Donfried said. And that, he added, should make the pain of the password disappear.

Back in Decatur, Spinner thinks about the technological future of passwords for a moment. It sounds rather daunting, she said.

For one, the issue of privacy is still being debated when it comes to biometrics.

But then Spinner considers the piece of paper that contains all her passwords — the one she typed that's gotten difficult to read because she's crossed them out and created new ones.

"Anything to make it easier for those of us who are technology-challenged, I would be in favor of," she said.

