Wired has a great piece on how insecure passwords are, written by @mat, a fellow who got hacked quite thoroughly. Passwords have two constraints: they have to be hard to crack and easy to remember. The problem is that there’s an inevitable tension between the two, since the latter is based on human memory and the former is powered by brute computing power. People can’t remember passwords, and thus people are able to hack you through password recovery tools and the fact that you probably use the same password on many sites. It’s madness, and there needs to be a better way soon.
So how do passwords get better? One alternative is something like the Judge Dredd Lawgiver gun, which explodes if the user’s palm print doesn’t match, i.e., biometrics. I’ve often wondered why my computer can’t just sniff me to know it’s me. Dogs can, but humans have never put much store in smell technology.
But that’s still one point of weakness, and criminals can be very creative if there’s only one thing they need to focus on. The answer is probably having multiple clues to verify identity, much like an 8-character password is more secure than a single letter.
Two factors should be a bare minimum. Think about it: When you see a man on the street and think it might be your friend, you don’t ask for his ID. Instead, you look at a combination of signals. He has a new haircut, but does that look like his jacket? Does his voice sound the same? Is he in a place he’s likely to be? If many points don’t match, you wouldn’t believe his ID; even if the photo seemed right, you’d just assume it had been faked. (Wired)
This, of course, has privacy implications. As in, you won’t have much privacy.
The only way forward is real identity verification: to allow our movements and metrics to be tracked in all sorts of ways and to have those movements and metrics tied to our actual identity. We are not going to retreat from the cloud—to bring our photos and email back onto our hard drives. We live there now. So we need a system that makes use of what the cloud already knows: who we are and who we talk to, where we go and what we do there, what we own and what we look like, what we say and how we sound, and maybe even what we think. (ibid)
All sounds rather mark-o-the-beast. The only problem I see here is that it makes the consequences all the more dire if you do get hacked, though that possibility seems vanishingly slim. That said, you’ll have even more supercomputers and even weirder 14-year-olds focused on that goal, that being to simulate you almost completely, rather than just a few characters you’re supposed to remember.