By Jay Fidell
Exactly how many passwords do you have, in the 17 years of the Internet? How much time a day do you spend trying to remember them? How many times do you find you can’t remember them, and that you have no good record of them? How frustrating is that, for you and me and everyone around us?
Passwords are a pain in the apps.
You can lose your password in so many ways: you don’t write it down and you forget it; you write it down wrong; you write it down but lose it; you write it down but forget the place you wrote it down; you write it down but you later changed it and didn’t write the new one down; you have it all right, but it’s compromised somehow so you have no security even with it. I could go on.
And how many passwords do they want you to have, and with what special requirements? Do you have to have both lower and upper case? Do you have to have numbers as well as letters? Is there a minimum length? Do you have lower and upper case and also numbers and letters and a minimum length? All this makes it that much more difficult to create and remember them.
How bad is it to use the same password for multiple accounts – will someone with access to the first account figure out how to compromise another of your accounts? How often do you have to change it, and once you change it, how long do you have to wait before you can use the old one again? And if you lose it, how do you remember your secret Q&A? What if you forget that too?
Who can you trust with your passwords? Should you tell technical support? Should you tell the people in your office? How about your personal secretary? Can you tell your friends? How about your good friends? Can you tell your wife, your kids? Just how paranoid do you need to be and with which ones?
Should you put passwords on everything, even the log-in on your laptop or wireless router? Should you lock your computer or cellphone? Should you keep a file of your passwords and how do you protect it? Should you encrypt it? Where do you keep the password for it? Suppose you lose that one too?
I really can’t stand it anymore. I hate passwords. It’s so time consuming to have to make, secure, remember, record and otherwise deal with them. If you don’t know what I mean, just forget one critical password and you’ll find out.
Over the years, there have been efforts to bypass passwords, to replace them with parts of the user’s anatomy, like your thumbprint or retinal scans. None of those are in general use by the public today. In fact, I don’t know anyone who uses an anatomical substitute these days, outside the movies of course.
Graphic, kinetic images or patterns are easier to retain, even if they’re not so easy to write down. So we’re starting to see passwords as a series of dots that you’re supposed to connect in a certain way. That’s easier than remembering words, but the same problems apply to disclosing and changing them.
How about something more subtle, like the way we type? The assumption is that no two people type exactly the same way, that we each have different keypress timing and patterns for different combinations of keypresses. This is psychological, but not consciously understood. And arguably, no two are the same.
The mission is to get unique metrics on these patterns. If you can figure that out, you could get rich. DARPA, the Defense Advanced Research Projects Agency, wants to develop a non-password system that just uses the unique user experience of each user, and it’ll pay you for your research in this area.
All the user has to do is type his name, and the software would know him. The authentication would happen in the background. They call it the “cognitive fingerprint,” “keystroke dynamics” or “keystroke biometrics,” measured by how long you hold down a key and move to the next in a word, phrase or sentence, things that take milliseconds and would be difficult or impossible to imitate.
Research is already underway, and researchers claim accuracies of up to 99.5 percent. So there’s no time to waste. DARPA wants a system to recognize the user in only a few keystrokes, and to detect the irregularities of an intruder. This assumes that the user’s personal rhythms have already been recorded.
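As an added illustration (not part of the original column and not DARPA's or any researcher's system), the Python sketch below measures the two timings described above, key hold time and the gap before the next key, enrolls a profile from several typings, and scores a new attempt against it. The scaled Manhattan distance, the threshold of 2.0 and all timings are assumptions constructed for the example.

```python
from statistics import mean

def features(events):
    """events: [(key, press_ms, release_ms), ...] for one typing of a phrase."""
    dwell = [rel - prs for _, prs, rel in events]            # how long each key is held
    flight = [events[i + 1][1] - events[i][2]                # release -> next press;
              for i in range(len(events) - 1)]               # negative if keys overlap
    return dwell + flight

def enroll(samples, floor_ms=1.0):
    """Build a profile (keys, mean, spread) from several typings of the same phrase."""
    keys = [k for k, _, _ in samples[0]]
    cols = list(zip(*(features(s) for s in samples)))
    mu = [mean(c) for c in cols]
    # Mean absolute deviation per feature, floored so a very steady typist
    # does not produce a near-zero divisor.
    mad = [max(mean(abs(x - m) for x in c), floor_ms) for c, m in zip(cols, mu)]
    return keys, mu, mad

def score(profile, events):
    """Scaled Manhattan distance from the profile; lower means more similar."""
    keys, mu, mad = profile
    if [k for k, _, _ in events] != keys:
        return float("inf")                                  # different text typed
    return mean(abs(x - m) / d for x, m, d in zip(features(events), mu, mad))

def verify(profile, events, threshold=2.0):                  # threshold is an assumption
    return score(profile, events) <= threshold

def typed(keys, dwells, flights):
    """Constructed sample data: turn dwell/flight timings into key events."""
    t, out = 0, []
    for i, k in enumerate(keys):
        out.append((k, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return out

# Constructed timings (milliseconds) for the name "jay".
PROFILE = enroll([typed("jay", [95, 80, 110], [60, 45]),
                  typed("jay", [100, 85, 105], [55, 50]),
                  typed("jay", [90, 78, 112], [65, 40])])
GENUINE = typed("jay", [97, 82, 108], [58, 47])
IMPOSTOR = typed("jay", [140, 60, 150], [120, 10])

if __name__ == "__main__":
    for name, attempt in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(name, round(score(PROFILE, attempt), 2), verify(PROFILE, attempt))
```

In practice the threshold trades false rejections of the real user against false acceptances of someone else, so it has to be tuned on recorded typing rather than picked by hand.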
Use of the mouse may also provide behavioral biometrics for user verification. Everyone uses the mouse differently, and you can therefore also get a person’s signature from his or her special way of using the mouse – the way the person moves the cursor across the screen or between words or objects on the page.
Surely, Hawaii has programmers with the skill and curiosity to figure this out. It’s just a matter of making a record of exactly what the user is doing and distinguishing that from what other users do, in typing and in use of the mouse. Yes, it can be done, and will be done, soon.
This is a challenge to all able-minded programmers in Hawaii. Think of the aggravation you’ll save by freeing us all from all those passwords. When I think of all the time and effort I spend chasing passwords every day, it can’t come soon enough. Indeed, the world is waiting for passwords to become passé.