Please, not another password

The New York Times

Passwords are a pain to remember. What if a quick wiggle of five fingers on a screen could log you in instead? Or speaking a simple phrase? Neither idea is far-fetched. Computer scientists in New York are training their iPads to recognize their owners by the touch of their fingers as they make a caressing gesture with their hand. Banks are already using software that recognizes your voice, supplementing the standard PIN.

Security researchers are renewing their efforts to supplement and perhaps one day obliterate the password.

"If you ask me what is the biggest nuisance today, I would say it's the 40 different passwords I have to create and change," said Nasir Memon, a computer science professor at the Polytechnic Institute of New York University in Brooklyn who is leading the iPad project.

Many people would agree. The password has become an essential key to our many devices and accounts but increasingly a source of exasperation and insecurity. Its demise has been predicted for years.

The research arm of the Defense Department is looking for ways to use cues like a person's typing quirks to continuously verify identity — in case, say, a soldier's laptop ends up in enemy hands on the battlefield.

In a more ordinary example, Google recently began nudging users to consider a two-step log-in system, combining a password with a code sent to their phones. Google's latest Android software can unlock a phone when it recognizes the owner's face or, unfortunately, when it is tricked by someone holding up a photograph of the owner's face.

Still, it may be premature to announce the end of passwords, as Bill Gates famously did in 2004.

"The spectacularly incorrect assumption 'passwords are dead' has been harmful, discouraging research on how to improve the lot of close to 2 billion people who use them," wrote Cormac Herley, a researcher at Microsoft, the company that Gates founded.

Herley's recent paper suggested instead that developers try "to better support the use of passwords" — for example, by helping people protect their wireless connections from eavesdroppers. "Passwords," Herley continued, "have proved themselves a worthy opponent: All those who have attempted to replace them have failed."

The touch-screen approach of Memon works because each person makes the same gesture uniquely. Their fingers are different, they move at different speeds, they have what he calls a different "flair."

He wants logging in to be easy; besides, he said, some people find biometric measures like an iris scan to be "creepy."

In his research, the most popular gestures turned out to be the ones that feel most intuitive. One was to turn the image of a combination lock 90 degrees in one direction. Another was to sign one's name on the screen. In principle, the gesture can be used to unlock a device, or an app on the device that safely holds a variety of passwords.

Despite their resilience, passwords are weak, notably because their users have limited memories and a weakness for blurting out secrets. Most people need dozens of them, and they tend to pick ones that are so complex they need to be written down, or so simple they can be easily guessed.

Criminals have become adept at stealing passwords by sneaking malicious software onto computers or tricking users into typing them into an illegitimate site.

Companies like Facebook and Twitter have sought to address the frustration with passwords by allowing their usernames and passwords to open the door to millions of websites, a convenience that brings obvious risks. A thief with access to a master username and password can have access to a host of accounts.

Rachna Dhamija, a California computer scientist turned entrepreneur, sought to combat those weaknesses by breaking up the password. The user first logs in to the service that Dhamija built and signs in with her own partial password. Behind the scenes, the service verifies that the user is on an authorized device, and pulls the third piece from the cloud, generating a unique password for any website that the user wants to log in to — Facebook, for instance.

In other words, one piece of the password rests with the user, another is stored in her device, and a third piece is kept online.

"The password is not stored in its whole form anywhere," said Dhamija.
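A sketch of how a three-piece scheme of this kind can be built, added here as an illustration and not the code of Dhamija's service; the function names, the PBKDF2-then-HMAC construction, the vault layout and the sample values are all assumptions:

```python
import base64
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # work factor for stretching the memorised piece


def enroll(vault: dict, device_fingerprint: bytes) -> bytes:
    """Mint the device-held and cloud-held pieces for a new device.

    The cloud piece is filed under a hash of the device fingerprint so the
    service can later release it only to that authorised device. Returns the
    device piece, which the device keeps locally and never uploads.
    """
    device_piece = secrets.token_bytes(32)
    cloud_piece = secrets.token_bytes(32)
    vault[hashlib.sha256(device_fingerprint).digest()] = cloud_piece
    return device_piece


def release_cloud_piece(vault: dict, device_fingerprint: bytes):
    """Cloud side: hand out the third piece only to an enrolled device."""
    return vault.get(hashlib.sha256(device_fingerprint).digest())


def derive_site_password(user_piece: str, device_piece: bytes,
                         cloud_piece: bytes, site: str, length: int = 20) -> str:
    """Combine the three pieces into a password unique to one website.

    The user's partial password is stretched with PBKDF2, using the two
    random pieces as salt, then expanded per site with HMAC so that a leak
    of one site's password reveals nothing about another's.
    """
    ikm = hashlib.pbkdf2_hmac("sha256", user_piece.encode("utf-8"),
                              device_piece + cloud_piece, PBKDF2_ROUNDS)
    tag = hmac.new(ikm, site.encode("utf-8"), hashlib.sha256).digest()
    # base64 gives printable output without modulo bias from the tag bytes
    return base64.urlsafe_b64encode(tag).decode("ascii")[:length]


if __name__ == "__main__":
    vault = {}                         # what the cloud service stores
    device_fp = b"laptop-serial-0001"  # constructed sample fingerprint
    device_piece = enroll(vault, device_fp)
    # One login: user types her partial password, the device proves itself,
    # the cloud releases its piece, and a per-site password is derived.
    cloud_piece = release_cloud_piece(vault, device_fp)
    print(derive_site_password("correct-horse", device_piece, cloud_piece, "facebook.com"))
    print(release_cloud_piece(vault, b"stolen-laptop"))  # None: unenrolled device gets nothing
```

No single store holds enough to derive a password on its own: the cloud has neither the memorised piece nor the device piece, and the device has neither the memorised piece nor the cloud piece until the device check passes.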

But even if a user has been authorized at the start of a session, what if someone else gains access to her computer an hour later? Darpa, the Defense Department's technology research arm, has invited security researchers to develop ways to verify a user every instant, based on the way the individual uses the machine — "for example, how the user handles the mouse and how the user crafts written language in an email or document," it explains on its website.

Mobile phones, too, are emerging as instruments to verify identity.

Google introduced its two-step process earlier this year. It sends a six-digit code to an application on a Google user's cellphone to be entered, along with a password, when signing onto a Google account on a computer or tablet. The code can also be sent as a text message for those who don't have smartphones, or it can be conveyed through a phone call.

The extra step is not mandatory.

"I think we'll start to see people using their mobile devices as their pervasive identifiers," said Brendon Wilson, a security researcher at Symantec. "The password will no longer be the final arbiter that you are you. You will see layers on top."

Copyright ©2012 Omaha World-Herald®. All rights reserved. This material may not be published, broadcast, rewritten, displayed or redistributed for any purpose without permission from the Omaha World-Herald.