The most popular passwords, infamously, are “password” and “123456,” according to Mark Burnett, whose 2005 book “Perfect Password: Selection, Protection, Authentication” was among the first on the topic.
Carl Windsor, director of product management at California-based network security firm Fortinet, said he once ran John the Ripper, a free program to crack passwords, through an employer’s Unix system with its consent.
Within seconds, Windsor had one-third of its passwords. Within minutes, he had another third. “I also won a bet by finding the ‘super secure’ password of a colleague in less than five minutes,” he told AFP by email.
Password alternatives are in the pipeline.
Google is toying with the idea of users tapping their devices with personalized coded finger rings or inserting unique ID cards called YubiKeys into the USB ports of their computers.
The FIDO Alliance, a consortium that includes PayPal, is pushing an open-source system in which, for instance, websites would ask smartphone users to identify themselves by placing their fingertips on their touchscreens.
“These (biometric) technologies are coming to a place where they are highly mature, cost effective and in a position to roll out into the consumer market today,” FIDO’s vice president Ramesh Kesanupalli told AFP.
Kesanupalli said FIDO technology could be available as early as this year, bettering IBM fellow David Nahamoo’s prediction in 2011 that biometrics would replace passwords within five years.
In Washington, the US Patent and Trademark Office has recently published several patent applications from Apple that envision facial recognition and fingerprint scanning.
Motorola’s head of research Regina Dugan has gone further, proposing a “password pill” with a microchip and a battery that would be activated by stomach acid, which would then emit a unique ID radio signal.
“I take a vitamin every morning. What if I take vitamin authentication?” said Dugan at the D11 tech conference in California last month, quoted by TechWeekEurope.co.uk.
For now, many Internet services are embracing two-factor authentication, which challenges users with a bonus security question — like “What is your dog’s name?” — or sends a one-time numeric code by SMS.
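To show what a “one-time” code means on the server side, here is an added example that is not code from the article or from any of the services it names. It assumes an HOTP-style derivation (HMAC-SHA1 with a counter, per RFC 4226), an in-memory pending-code table and a five-minute validity window; delivery of the code to the user by SMS is outside the example. Each issued code is accepted once at most, is stored only as a hash, and expires if unused.

```python
import hashlib
import hmac
import secrets
import time


def hotp_code(secret: bytes, counter: int, digits: int = 6) -> str:
    """Derive a numeric one-time code from a shared secret and a counter (RFC 4226 dynamic truncation)."""
    msg = counter.to_bytes(8, "big")
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OneTimeCodeService:
    """Issues one numeric code per login attempt and accepts it at most once, within a time limit.

    Hypothetical in-memory store for illustration; a real service would persist this.
    """

    def __init__(self, ttl_seconds: int = 300, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock          # injectable clock so expiry can be exercised deterministically
        self._secrets = {}          # user -> per-user secret
        self._counters = {}         # user -> next HOTP counter
        self._pending = {}          # user -> (sha256 of code, expiry timestamp)

    def enroll(self, user: str) -> None:
        """Create a fresh random secret for the user (done once, at sign-up)."""
        self._secrets[user] = secrets.token_bytes(20)
        self._counters[user] = 0

    def issue(self, user: str) -> str:
        """Generate the next code for the user; the counter moves on so no code is ever reissued."""
        counter = self._counters[user]
        self._counters[user] = counter + 1
        code = hotp_code(self._secrets[user], counter)
        # Keep only a hash, so a leaked pending table does not reveal live codes.
        digest = hashlib.sha256(code.encode()).digest()
        self._pending[user] = (digest, self.clock() + self.ttl)
        return code  # would be sent out of band (e.g. by SMS), never echoed to the login page

    def verify(self, user: str, submitted: str) -> bool:
        """Check a submitted code. The pending entry is removed on the first attempt, right or wrong."""
        entry = self._pending.pop(user, None)
        if entry is None:
            return False                      # nothing outstanding, or already consumed
        digest, expires_at = entry
        if self.clock() > expires_at:
            return False                      # expired: the user must request a new code
        submitted_digest = hashlib.sha256(submitted.encode()).digest()
        return hmac.compare_digest(digest, submitted_digest)


if __name__ == "__main__":
    svc = OneTimeCodeService()
    svc.enroll("alice")
    code = svc.issue("alice")
    print("first use accepted:", svc.verify("alice", code))
    print("second use accepted:", svc.verify("alice", code))
```

Consuming the pending entry on a wrong guess as well as a right one means an attacker gets one attempt per issued code; the six-digit space is small, so that single-attempt rule (together with rate limiting on code requests) is what makes the scheme hold up.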
Online password managers with names like LastPass, KeePass, 1Password, Dashlane and Apple’s just-announced iCloud Keychain have also been popping up like mushrooms.
They pledge to securely stash an individual’s entire password collection, accessible via one master password. Some experts, however, consider the idea a Band-Aid solution pending the definitive password replacement.
Until then, security experts widely agree on two core principles: make your passwords as long as possible, mixing up words with some numbers and symbols, and never ever use the same password for more than one website.
Beyond that, just cross your fingers and pray that the website you’re using is doing all it can at its end to protect the mental keys to your virtual world.
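The two principles above (length and mixed character types, and no reuse across sites), written as checks a site or a password manager could actually run; this is an added example, not code from the article or from any product it mentions. The denylist is a small constructed set of well-known common passwords, including the two named at the top of the article, standing in for the much larger breach-derived list a real deployment would load; the 12-character minimum is an assumption.

```python
import secrets
import string

# Constructed denylist standing in for a breach-derived common-password list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "letmein",
    "111111", "iloveyou", "monkey", "dragon",
}

MIN_LENGTH = 12  # assumed policy value


def check_password(candidate: str) -> list:
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    lowered = candidate.lower()
    # Strip trailing digits/symbols so that "Password123!" is still caught as "password".
    core = lowered.rstrip(string.digits + string.punctuation)
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("matches a well-known common password")

    present = {
        "a letter": any(c.isalpha() for c in candidate),
        "a digit": any(c.isdigit() for c in candidate),
        "a symbol": any(c in string.punctuation for c in candidate),
    }
    missing = [name for name, ok in present.items() if not ok]
    if missing:
        problems.append("missing " + ", ".join(missing))
    return problems


def generate_password(length: int = 20) -> str:
    """Produce a random password from the OS CSPRNG that passes check_password (what a manager does per site)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


def find_reused(vault: dict) -> list:
    """Given {site: password}, return groups of sites that share a password (the reuse a manager should flag)."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


if __name__ == "__main__":
    for pw in ("password", "123456", "Password123!", "correct horse battery staple 42!"):
        print(repr(pw), "->", check_password(pw) or "ok")
    print("generated:", generate_password())
    # Constructed vault with one reused password.
    print("reused across:", find_reused({"bank": "hunter2", "mail": "hunter2", "shop": "other"}))
```

The denylist check is the part that matters most: a long password that is a dictionary word with “123!” appended is exactly what a cracking tool’s rule set tries first, which is why the check strips the trailing digits and symbols before comparing.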