Understand the Problems with Passwords

Because you’re reading this book, you probably already have a problem with your passwords, such as how to come up with them or how to remember them. We’ll get to those sorts of problems shortly.

First, I want to discuss some of the overall problems with passwords. What’s wrong with simple, easy-to-remember passwords? Why do we need so many passwords, anyway? What are the common threats against passwords? And if this whole username/password system is so flawed, what can be done about it?

Simple for You, Simple for Them

The whole idea of a password is that it’s private—something known only to you and to the entity with which you have an account (a bank, website, cloud service, etc.). If someone else learns your password, that person can access your data, and that’s just the beginning.

Once access is granted, the interloper—I’ll refer to this hypothetical person as a “hacker” even though that’s not necessarily accurate—can change your password so you can’t access your own account, impersonate you online, and even change your contact data to theirs. And, if you use the same password for other sites and services, the hacker can get access just as easily to your other accounts and wreak all kinds of havoc, up to and including “stealing” your identity.

Obviously, I’m talking about a worst-case scenario. Most password breaches result in less-serious problems—comparable to someone picking the lock to your house, but not actually taking anything of value. Even so, I think most of us would prefer to avoid that icky feeling that a stranger has been poking around in our personal space, and hassles like changing the locks.

So, your goal when selecting any new password should be to reduce, as far as possible, the likelihood that someone else can discover what it is. You essentially want locks that are strong enough to ward off those unlikely worst-case scenarios, thereby protecting yourself against less-serious risks in the process.

You might be surprised at the ways in which someone could discover your password; I talk about many of these in the remainder of this chapter. But let me start with what I hope is obvious by now: The passwords that are the simplest for you to use are also the simplest for a hacker to discover. Those are the passwords to avoid at all costs.

When someone says that you should never pick a password that’s a word in a dictionary, the name of a relative or pet, the date of your anniversary, or another easy-to-remember string, they’re pointing out the insecurity of highly guessable passwords. If I wanted to break into an account belonging to someone I knew (a coworker, say), I’d certainly try as many terms like these as I could think of, hoping that what’s easy for them to remember is also easy for me to guess.

Of course, you’re not merely up against flesh-and-blood guessers. Computers can do an even better and faster job of guessing passwords. You need passwords that are unguessable by human or machine. Such passwords are often, unfortunately, hard to remember and type too, which is why they aren’t used more often. As this book progresses, I’ll explain my suggested strategy for dealing with this problem. For now, remember: a simple password is nearly as bad as no password at all.

The One and the Many

One of the recurring themes in this book—I want to repeat it until you believe—is that reusing passwords is a terrible, terrible idea. Just. Don’t. Ever. Do. It.

The basic argument is simple. If your password for one site or service is compromised (stolen, guessed, hacked) and you also used that password somewhere else, then whoever has your password might try it elsewhere and be able to do that much more damage. If you use the same password everywhere, you’re essentially handing over all your personal data and access to the first person who learns your password.

Even if you make every effort to keep your password safe, you can’t count on every provider where you use that password doing the same. Websites are hacked and passwords stolen or leaked all the time. Because you can’t trust every organization that has your password to protect it, your best and safest defense is never to use the same password twice. This doesn’t have to be hard at all, honest. (I explain how you can pull it off without going crazy in Apply Joe’s Password Strategy, a couple of chapters ahead.)

Despite having preached against reusing passwords for years, I still encounter people who insist they just can’t be bothered to come up with new ones all the time and really couldn’t remember more than a handful of them anyway. And you know what? There are a few topics—religion, politics, computing platforms, and reusing passwords—that are futile to argue about. I’m sure that you are sensible enough to have seen the light and you wouldn’t even consider reusing passwords. But what about your cranky uncle who’s more set in his ways? Don’t sweat it. Read Appendix B: Help Your Uncle with His Passwords for some compromises that still leave your uncle reasonably secure.

The Major Threats

Someone has asked you to create a password, and you’ve done it. At that moment, only you and the entity (person, software, website, whatever) on the other end know your password, so it should be entirely secure, right? What could possibly go wrong?

Well, lots of things can and do go wrong. To help you understand what you’re facing and create a smart strategy to deal with it, allow me to mention five of the most significant threats to password security. As you’ll see, some of these threats are highly unlikely to affect the average person, but the steps that protect you against the more prevalent threats will also protect you against the more obscure ones.

Threat #1: You

You, gentle reader, are undoubtedly a trustworthy and trusting person, and I applaud those virtuous qualities. But I’ve seen many kind souls get scammed, hoodwinked, robbed, and otherwise mistreated precisely because they didn’t cultivate an appropriate level of cynicism.

Take, for example, 12-year-old me. After years of pleading and nagging my parents, I finally got that shiny new 10-speed bike I’d always wanted. It was my favorite thing in the world. Then someone opened our unlocked garage in our safe, friendly, suburban neighborhood and stole that bike. It had never occurred to me that such a thing could happen. I was crushed by the loss, but I also learned the importance of using good locks—all the time, even in “safe” surroundings.

When it comes to your passwords, you mustn’t ignore the fact that a great many people and machines are constantly probing the world’s computers and networks for weak passwords. They probably aren’t after you personally, but because they don’t discriminate, it’s in everyone’s best interest to take appropriate actions.

Just as you always (I hope) lock your home or your car when you’re not in it—just in case—you should always take measures to prevent others from learning or guessing your passwords. Don’t assume that you couldn’t possibly be a target, or that you can get away with unsafe practices in the future because you did in the past. Like bikes in unlocked garages in safe neighborhoods, passwords are hacked all the time because their owners didn’t take reasonable precautions.

But not all precautions are equally wise. Be skeptical when someone says, “I have this easy but foolproof way to create and remember passwords without any software. Just ___.” As I discuss shortly, in Timeworn Tricks, hackers know all these little tricks, too.

Threat #2: Guessing

I already mentioned that someone who knows you (or can learn your personal details, perhaps with a few web searches) has a leg up in guessing your passwords. But even a hacker probing random accounts for password vulnerabilities can often guess your password. That makes guessing a significant threat to just about everyone.

Every few weeks or so, a major security breach occurs somewhere, and thousands or even millions of passwords are made public. These lists reveal a great deal about people’s password habits, and the results are both interesting and disturbingly consistent. Time and time again, the same passwords are the most frequently used. Although the positions vary by list, the top 25 virtually always include such favorites as password, 123456, football, dragon, letmein, and qwerty.

Two sample lists of common passwords are 100 Worst Passwords of 2018 from SplashData and Top 100 Worst Passwords of All Time (as of 2014) from Easy Mac Tips.

Needless to say, hackers who want to break into people’s accounts without any personal knowledge of their targets try all these passwords first. And I don’t mean only the top 100 passwords. They’ll run through millions of the most common passwords—in seconds. A scary percentage of accounts are vulnerable to such attacks.

Hackers have lists of not only common passwords but also words in the dictionaries of virtually every language, names, and other strings from history, literature, and popular culture (WarOf1812, Psalm23, NCC1701, and so on). All these terms—millions of them—can be tested rapidly against most password systems in an automated procedure known as a dictionary attack. Modern dictionary attacks don’t stop there; if they’re unsuccessful after running through the passwords in their list, they try common variants such as reversed order and unusual capitalization. These sophisticated cracking (that is, guessing) algorithms can uncover most passwords with shocking speed. And hackers are constantly improving their tools and techniques.

Threat #3: Brute-Force Attacks

If simpler methods fail—and a password is deemed valuable enough—a hacker may resort to a brute-force attack, in which a computer program systematically tries every possible string of characters as a password until it finds a match.

Brute-force searches are guaranteed to succeed, given enough time. If the password is long enough and complex enough (see the next chapter, Learn About Password Security), that time might be centuries or millennia—long enough that your password is safe for all practical purposes. But progress marches on, as do the technologies available for brute-force attacks, so a password deemed “safe for all practical purposes” a few years ago might seem laughably insecure today.

I’ve made the mistake of overestimating password security against brute-force attacks myself. In an earlier book on passwords (originally published in 2006 and last updated in 2010), I wrote:

If the thief used a very fast desktop computer that could check ten million passwords per second, and if your eight-character password contained alphanumeric and punctuation characters…it could take up to 21 years for the computer to guess it…. If the thief had a large supercomputer (or a thousand fast desktop computers networked together), this time would drop to a little more than a week. But if you added just one more character to the password, even a supercomputer would need nearly 4,000 years to figure it out! … So for all practical purposes, a nine-character password with alphanumeric and punctuation characters is effectively uncrackable—but only if it’s random, because thieves are likely to try more predictable passwords before deploying a brute-force attack.

Today, my earlier claim seems downright quaint. As far back as 2012, 8-character passwords containing upper- and lowercase letters, digits, and symbols could in some cases be cracked by brute force in five and a half hours—a wee bit faster than my previous estimate of 21 years—and by now, that figure has dropped even further. By some estimates, an 8-character random password can now be cracked in just over one minute, given sufficient computing resources. Using the same calculation, that means a 9-character password could take less than two hours to crack. That’s much better than a minute, to be sure, but still several orders of magnitude shorter than the 4,000 years I thought such a password would withstand an attack just a few years ago.
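To make the arithmetic behind those figures reproducible, here is an added worked example (mine, not from the book) that computes worst-case brute-force times from an alphabet size, a length, and a guess rate, and also turns a published “cracked in N hours” figure back into the guess rate it implies. It assumes that “alphanumeric and punctuation characters” means the 95 printable ASCII symbols; the guess rates are the ones quoted in the text.

```python
# Added example, not from the book: the brute-force arithmetic behind the
# chapter's figures. Assumption: "alphanumeric and punctuation characters"
# means the 95 printable ASCII symbols (26 lower + 26 upper + 10 digits +
# 33 punctuation/space).
from math import log2

PRINTABLE_ASCII = 95
SECONDS_PER_HOUR = 3600
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this shape."""
    return length * log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int,
                       guesses_per_second: float) -> float:
    """Worst-case time to try every password in the keyspace at a fixed rate."""
    return keyspace(alphabet_size, length) / guesses_per_second


def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float) -> float:
    return seconds_to_exhaust(alphabet_size, length,
                              guesses_per_second) / SECONDS_PER_YEAR


def implied_guess_rate(alphabet_size: int, length: int, seconds: float) -> float:
    """Guess rate an attacker must sustain to exhaust the keyspace in `seconds`.

    Turns a published "cracked in N hours" report back into guesses per second,
    which is the number that matters when you ask what one more character buys.
    """
    return keyspace(alphabet_size, length) / seconds


if __name__ == "__main__":
    # The 2006 claim: eight characters at ten million guesses per second.
    print(f"8 chars @ 1e7/s: {years_to_exhaust(PRINTABLE_ASCII, 8, 1e7):.1f} years")
    # A thousand such machines: the "little more than a week" figure.
    print(f"8 chars @ 1e10/s: "
          f"{seconds_to_exhaust(PRINTABLE_ASCII, 8, 1e10) / SECONDS_PER_DAY:.1f} days")
    # The 2012 report: eight characters in 5.5 hours implies this rate.
    rate_2012 = implied_guess_rate(PRINTABLE_ASCII, 8, 5.5 * SECONDS_PER_HOUR)
    print(f"5.5 h for 8 chars implies {rate_2012:.2e} guesses/s")
    # "Just over one minute" for eight characters, and what nine cost at that rate:
    # one extra character multiplies the attacker's work by the alphabet size.
    rate_now = implied_guess_rate(PRINTABLE_ASCII, 8, 65)
    hours_9 = seconds_to_exhaust(PRINTABLE_ASCII, 9, rate_now) / SECONDS_PER_HOUR
    print(f"9 chars at that rate: {hours_9:.1f} hours "
          f"({entropy_bits(PRINTABLE_ASCII, 9):.1f} bits of entropy)")
```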

How did password cracking get so much faster? One reason is a common technique that uses GPUs (graphics processing units), which are much faster than CPUs at these types of computations. Even an off-the-shelf GPU in a run-of-the-mill PC combined with free software can easily check billions of passwords per second (read How a cheap graphics card could crack your password in under a second). Add more or better cards, and the rate goes up dramatically. Another reason is that modern cloud computing services let anyone assemble a virtual army of computers to unleash on any task they can imagine, without actually having to buy, house, or set up any physical equipment.

Now, I know what you’re probably thinking (because I’ve heard this counterargument many times): “You claim that a computer can check a zillion passwords per second, but whenever I log in to a computer or website, it takes several seconds even if I get the password right. If I get it wrong, the delay increases, and if I get it wrong more than a few times, it locks me out. Don’t those safeguards make the system immune to automated attacks that require many rapid guesses?”

Sorry, not so much.

For one thing, automated attacks often use a technique called credential stuffing to work around these safeguards. With readily available tools, attackers can make login attempts appear to come from a wide range of IP addresses and browsers simultaneously—bypassing safeguards triggered by repeated login failures from a single device.

For another thing, the most successful brute-force attacks don’t go through the front door, as it were. Rather than taking place online (by which I mean being used against a live system, with safeguards in place), they’re done offline (bypassing most security measures and operating directly on a data file). This story can play out in several different ways, so let me give you just one example.

Suppose there’s a site we’ll call YouFace (hat tip to 30 Rock) that stores login credentials for many users. Your password isn’t stored in a plain text file. (YouFace would never use such an unsafe practice, although utility companies or social media giants might.) It’s in an encrypted database file! (For this illustration, we’ll suppose that the passwords aren’t individually protected with hashes and salts—as they often aren’t—see the sidebar About Hashes and Salts, next.) Only a handful of system administrators at YouFace have the password to decrypt that file and see the passwords in it. The data is pretty safe.

One day, the encrypted file gets out. Someone hacks into the network, or a company laptop is stolen, or a disgruntled employee leaks the file. It doesn’t matter how, but the data gets into a hacker’s hands.

The file is still encrypted, of course. But now the person who has that file can play with it offline—avoiding the pesky delays, Captcha checks, lockouts, and other barriers that might appear on the web. A hacker can apply considerable computing power to check many passwords per second in an attempt to crack the single password that protects the file. Once that password has been discovered and the file has been decrypted, all the individual passwords inside it are there in the clear.

Offline attacks can take many other forms, and it’s not worth getting bogged down in the details. All you need to know is that there are various ways a hacker may gain direct access to encrypted data (even on your own personal computer), making all those online safeguards irrelevant. But if you make every password unique, then even if one is uncovered in an attack like this, at least the damage will be contained.

Threat #4: Theft/Hacking/Sniffing

The next group of threats involves other people being able to see and steal your password without your knowledge. Even if you have the world’s longest and most complex password, it’s worthless if someone walks up to your desk while you’re gone and reads it from a sticky note attached to your monitor. I’ll assume that you don’t have any of your passwords hanging up where other people can see them. (If you do, the paper shredder is right over there. I’ll wait until you get back.)

Someone can steal your password in all sorts of ways, such as:

  • Physical theft: Someone ransacks your office or steals your wallet to find a piece of paper on which you’ve written a password.

  • Hacking: Someone hacks into your computer (perhaps by way of malware you accidentally downloaded), finds your password there, and copies it. Or, worse, someone hacks into a site where you happen to have an account and steals your password—plus those for every other user.

  • Keystroke logging: If you use a public computer, there’s a chance someone might have installed a keystroke logger—a piece of hardware or software that records every key pressed. If your computer has been infected with malware, that could also log keystrokes. Later, when the bad guys examine keystroke logs, it’s easy to pick out passwords. One way to guard against keystroke loggers is to use a password manager (see Use a Password Manager for Everything Else), which eliminates the typing step altogether.

  • Sniffing: Someone monitors network traffic (typically public Wi-Fi networks with no password or insecure WEP passwords) and looks for username/password combinations as they’re sent from your computer to a server; this is called sniffing. (For ways to overcome this problem, see Use Wireless Networks Safely.)

  • Looking over your shoulder: If you’re not careful when you log in to your laptop or a secure site in a public place (a coffee shop or an airplane, say), someone nearby can watch your fingers as you type your password. (I’m not kidding! This happens all the time.) You can reduce this risk by using a password manager (see Use a Password Manager for Everything Else).

And these are just a few of many possibilities. Most of these vulnerabilities are directly related to your proximity to other people. If you work in an open office with lots of other employees, use your laptop at a library or on a plane, or live in a densely populated urban area with lots of Wi-Fi networks, you’re far more susceptible to some sort of password theft than if you use your computer only in a remote or physically secure environment. However, regardless of your location, it’s worth thinking through ways in which a stranger might be able to see a password, and take appropriate precautions (as discussed throughout this book).

Threat #5: Social Engineering

I’ve told you about some of the technological means someone can use to discover your password. But often, there’s a far easier approach: getting you (or someone else) to tell them! When someone verbally manipulates you into giving up personal information such as a password (directly or indirectly), that’s called social engineering.

Spy stories are full of this sort of thing. You’ve probably seen it on TV a hundred times: the secret agent befriends or seduces the target and then, with the most innocent-sounding motives, gradually wheedles out some top-secret information.

But spies aren’t the only people who excel at social engineering. So are 16-year-old hackers. (For a chilling example, see Mat Honan’s article in Wired about his experiences, Kill the Password: A String of Characters Won’t Protect You.) Every time you receive a “phishing” email—you know, the ones pretending to be from your bank or PayPal or Amazon asking you to verify your information so you’ll go to a fake site and enter your real password (see the sidebar Avoid Password Phishing Scams, later)—you’re being subjected to a form of social engineering. It might also come as a phone call, a casual inquiry while waiting in line at Starbucks, or in many other ways.

Don’t misunderstand: I’m not saying a hot CIA agent is going to make out with you and then say, “By the way, what’s the password to your bank account?” Social engineering is usually much more subtle and indirect. Someone might instead try to find out your first pet’s name, or the name of the street where you grew up, because those sorts of things are often used as security questions for resetting passwords (read Understanding Security Questions and Reset Procedures). And they may not even try to get that information directly from you, but from a friend, employer, data broker, or other source. (In extreme cases, someone might try using a wrench to make you reveal your password—admittedly, not exactly social engineering.)

Realistically, most of us don’t have such valuable password-protected assets that we need to worry about being personally targeted by social engineering. This is more of a worry for celebrities, politicians, and other people with considerable power, money, or influence. And what if you are such a person? Social engineering is extremely hard to guard against, because you’re unlikely to recognize it when it happens.

The best way to prevent social engineering from revealing your passwords and the answers to your security questions is not to know them (because they were randomly generated and securely stored). I cover all this later, in Apply Joe’s Password Strategy.

Timeworn Tricks

Over the years, I’ve encountered many clever techniques for manually creating and remembering seemingly strong passwords. I’ve even promoted a few myself. All sorts of little tricks are supposed to give you that fantastic combination of an unguessable, random-looking password that, thanks to a mnemonic clue, you’ll never forget.

Well, forget about them.

I’m sorry to break this to you, but people who crack passwords for a living—I’m including professional cryptographers and hackers—are smarter than you, and smarter than me. Not only do they have incredible computing power at their fingertips and serious mathematical skills, they also know how people think. That article you read in Wired or in a discussion forum about how to create great passwords? They read it too, and the first thing they did after reading it was to enhance their algorithms to accommodate it.

Let me give an example I’ve read about in a few places on the web—a technique geared mainly toward Mac users, because of how Mac keyboards handle special characters: take any ordinary word, such as football, and type it while holding the Option key. You’ll get, in this case, ƒøø†∫嬬. How’s that for random? It’s not in any dictionary, should be completely impervious to guessing, and yet is easy to type. Right? Nice try, but it would take any experienced programmer about 30 seconds to add the code to check Option-key versions of everything. Yes, that extra check would take a lot longer, so this technique might slow down an attack, but it’s not a panacea. (And, if you ever have to enter your password on a PC or iPhone keyboard, good luck!)

Here are a few of the other common tricks I urge you to forget:

  • Simple transformations and substitutions: Spelling a word backward? Swapping the first and last letter? Toggling the case of all the characters—or only the vowels or consonants? Adding a number at the beginning or end? These and dozens of other ways of modifying passwords are already built into freely available cracking software. The same goes for “leet” (or “1337”)—a technique in which various letters are substituted with similar-looking numbers or characters. For example, you may find the word password rendered as p455\/\/0rd, but don’t be misled into thinking that’s any stronger.

  • Keyboard patterns: Yes, qwerty is a very common password, but so are other patterns of keys on a keyboard, such as lkjhgfds and tgbyhnujm—even though they look random. Cracking algorithms can check hundreds of these patterns in the blink of an eye.

  • Reusing passwords: I’ve mentioned this, but I told you I’d be repeating it, and I’m a man of my word. Some people think reusing a password is fine as long as that one password is incredibly strong, but that logic breaks down as soon as someone steals or hacks that one password! So, for maximum protection, don’t use the same password for multiple sites or services.

  • Padding, a.k.a. the “Haystack” method: A method popularized by Steve Gibson involves constructing passwords out of short, easy words (slightly obfuscated with uppercase characters, numbers, and/or symbols) and padded out to an arbitrary length (such as 24 characters) with a pattern of your choice—say, a string of commas or *-& over and over again. The logic is that you get passwords that are easy to remember but are still hard to guess because they have high entropy (see All About Entropy).

    With all due respect to Steve, I think this is a bad idea.

    First, it’s one thing to use this method for a single password, but if you have to remember dozens or hundreds of unique passwords like this, it’ll be impossible unless you “cheat” by including in the password a hint about the service it goes with. That decreases its security considerably, because anyone who discovered one of your passwords could reverse-engineer your system.

    Second, and more important, is the fact that any cracking algorithm worth its salt (so to speak) would test all such patterns long before moving on to purely random passwords—and if the hacker has any clues about how you construct passwords, it’ll go that much quicker. (Remember, hackers read that webpage too!) So, I think it provides an inflated sense of security. And besides, there are much easier ways to create and remember passwords, as I discuss later.

If you’ve been using any of these or other common tricks, don’t feel discouraged. You should make some changes to improve your security, but they won’t be too hard. If you follow my suggestions in Apply Joe’s Password Strategy, you’ll have only a handful of passwords that must be both complex and memorable. When we get to that point, I’ll offer several suggestions that should put you on the right path.

Usernames and Passwords: An Outdated Model

The biggest issue with passwords is that they offer an outdated solution to an increasingly complex and high-stakes problem. Securing a computer resource with a username and password made reasonable sense decades ago, when most people had very few accounts and when security threats were both fewer and less serious.

But today, that security model seems silly. A few of the reasons:

  • Having a few passwords is one thing; having hundreds or thousands is another. Yet every time I turn around, another site asks me to create a new password. This situation puts users in an untenable position: Either follow the manageable but insecure route of reusing simple passwords, or put time, effort, and money into creating and using a secure but inconvenient system.

  • No universal standard exists for password security. So, while one company may exercise enormous care with your data—enforcing strong passwords and using salted hashes, strong encryption, and rigorous internal security policies—the next site you visit may limit you to an 8-character password that’s stored in a plain text file on somebody’s laptop. But you have no way to know.

  • Passwords, even strong ones, don’t identify a person uniquely. A password is like cash—whoever holds it can use it, so if it’s stolen or found, it works as well as if it’s in the hands of a legitimate owner. Multi-Factor Authentication helps somewhat with this problem, but not infallibly—and at the cost of greater inconvenience.

  • Given the number of people on the internet, economies of scale make password cracking (and theft) highly profitable—even when it requires enormous computing resources to pull it off.

If using usernames and passwords is an obsolete system, what’s the solution? Is there a better way to accomplish the same goal? Lots of ideas have been floated, and I keep seeing articles announcing various plans to “kill passwords” (see, for example, this article and this one). But behind almost every such scheme is a proposal not to eliminate passwords as such but rather to provide a more convenient means of authenticating without necessarily entering a password as part of the process. Ways to do this involve either or both of two fundamental concepts: biometrics and authenticator devices.

Biometrics

Biometrics refers to methods of authentication that rely on measurable details about your body such as fingerprint, retina, or iris scans; facial recognition; hand geometry; or even the pattern of your heartbeats. The security that comes from the uniqueness of each person’s body—plus the fact that biometric hardware is becoming smaller, cheaper, and faster—has made biometrics increasingly prevalent and useful. For example, an increasing number of smartphones, tablets, and laptops have built-in fingerprint scanners that can be used in lieu of passcodes for unlocking the device itself and various apps and services that run on the device. Other devices, such as newer Apple iPhone models and some iPads, use a sophisticated 3D facial recognition system for the same purpose. And Windows Hello on a compatible Windows 10 computer or tablet enables you to authenticate using either face recognition or a fingerprint scan.

But in nearly all cases, biometrics is an alternative or supplement to passwords, not a replacement. For example, if you burn your thumb so your fingerprint can’t be read, you can still enter a password to unlock your MacBook Pro, and if you’re wearing a ski mask, you can still use a passcode to unlock your iPhone. Some Multi-Factor Authentication systems can use a biometric factor in addition to your password to prove your identity with extra certainty. But using biometrics alone—without any fallback or secondary option—is almost unheard of. That’s a good thing; it doesn’t take much imagination to picture gruesome tactics that might enable an attacker to overcome security based solely on a body part.

Furthermore, there will always be some devices that require authentication but that can’t or shouldn’t use biometrics. (Do you really want your TV to scan your eyes so you can log in to Netflix? There’s no reason it couldn’t be done, but it sounds pretty creepy to me!)

So although biometrics is increasingly useful as both a security measure and a convenience feature, by itself, it isn’t a plausible replacement for passwords in the foreseeable future.

Authenticator Devices

If biometrics isn’t the magic bullet to replace passwords, what about an object you can carry in your pocket or on your wrist or keyring? If your computer or phone can sense the presence of this unique device nearby (using Bluetooth, for example), it should be able to log you in without requiring you to enter any password at all. That’s the theory behind a growing number of devices (and mobile apps that run on devices you already have). I refer to these technologies collectively as authenticator devices.

I’ve seen quite a few different spins on authenticator devices, and we’re bound to see many more. Each one promises greater security and convenience than the last, and some are pretty cool. Like biometrics, authenticator devices don’t replace the underlying password mechanism as such; rather, they provide an automated way to log in without having to type, paste, or otherwise enter passwords you’ve already set up. If your authenticator device were to go missing or stop working, you could still log in by typing your password.

That major qualification aside, let me offer several examples of authenticator devices that can reduce the need to enter passwords manually:

  • Apple Watch and iPhone apps: Without any additional software, your Apple Watch can unlock an appropriately configured Mac—just touch a key on the Mac and, as long as your watch is unlocked and on your wrist (as confirmed by heartbeat detection), your Mac unlocks automatically. For those without an Apple Watch or with older Macs that don’t support this feature, an iOS app called Knock lets you knock twice on your iPhone to unlock a nearby Mac running a special companion app; MacID does something similar but uses Touch ID—and includes the option to log in on your Mac by tapping a pattern on your trackpad or Magic Mouse. (Both Knock and MacID can also be used with an Apple Watch.)

  • Sesame 2: Sesame 2 is similar to Knock and MacID but instead of using a mobile app, it uses a standalone fob—and it requires neither knocking nor a fingerprint scan. It can also be used for two-factor authentication (see Multi-Factor Authentication). The Mac version is now shipping; a Windows version has supposedly been in beta testing for over three years, so I’ll believe it when I see it.

  • Everykey: Like Sesame 2, Everykey uses a tiny Bluetooth fob in conjunction with software running on your Mac, PC, or mobile device. Bring the Everykey close enough, and your device unlocks; move away, and it locks again. But Everykey is more ambitious. Not only can it log you in to your device, it can also fill passwords in your web browser and other apps. (The passwords themselves aren’t stored on the device; the companion software generates and stores them, and the Everykey itself stores only the encryption key that unlocks the software.) It’s even designed in such a way that—given hypothetical future support from third-party developers—it could open the door to your house or start your car. If your Everykey is lost or stolen, you can remotely disable it.

    I haven’t yet seen an Everykey in person and can’t comment on how well it works. But I do note that it has some significant limitations. For example, it can unlock mobile devices only if they’re rooted (Android 7 or later) or jailbroken (iOS)—a major security risk that I don’t recommend to anyone. (The mobile Everykey app essentially functions as a password manager on devices it can’t unlock, which is still useful, but not in the same way.)

One question you should consider when looking at any authenticator device is how easy it would be for someone else to use it (ideally, it should be as difficult as possible). Unlocking a Mac with an Apple Watch requires that you first unlock the watch with its passcode (and that it remains on your wrist thereafter), making it reasonably secure. On the other hand, Knock, Sesame 2, and Everykey, which require no additional authentication after initial setup, assume that their respective proximity sensors (your iPhone or key fob) will remain safely on your person at all times. That’s their biggest weakness: anyone who got hold of the object could unlock your computer. (In the case of the Everykey, at least you can disable it remotely.) In addition, their range is highly variable, meaning your Mac could be unlocked even if you’re not close enough to see or control it. So, think carefully before using any of these products, because their added convenience can increase your vulnerability.

Devices that require biometric readings (for example, Apple Watch, and MacID with Touch ID enabled) are far less likely to be useful to an attacker if they’re out of your immediate possession.
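The weakness described above (whoever holds the fob can unlock the computer, and range is unpredictable) and the advantage of devices that also demand a wear check or a recent passcode can be made concrete with a small policy model. The following is an added illustration, not code from Apple, Knock, MacID, Sesame 2 or Everykey; the signal-strength threshold, the token names and the scenario are constructed assumptions.

```python
"""
Toy model of proximity-based unlock policies (added illustration; not code
from any product named in the text).  It contrasts a possession-only policy
(a bare fob) with a wearable policy (worn and verified with a passcode since
it was last taken off), and shows remote revocation of a lost token.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    UNLOCK = "unlock"
    DENY = "deny"


@dataclass
class Token:
    """A hypothetical proximity device (fob, phone or watch)."""
    token_id: str
    rssi_dbm: int                    # constructed signal strength; higher means closer
    on_wrist: bool = False           # watch-style wear detection
    recently_verified: bool = False  # passcode/biometric entered since last removal


@dataclass
class Policy:
    min_rssi_dbm: int = -60                # assumed "close enough" threshold
    require_wear_detection: bool = False
    require_recent_verification: bool = False
    revoked_tokens: set = field(default_factory=set)

    def decide(self, token: Token) -> Decision:
        if token.token_id in self.revoked_tokens:
            return Decision.DENY      # owner disabled the token after losing it
        if token.rssi_dbm < self.min_rssi_dbm:
            return Decision.DENY      # too far away; Bluetooth range varies a lot
        if self.require_wear_detection and not token.on_wrist:
            return Decision.DENY
        if self.require_recent_verification and not token.recently_verified:
            return Decision.DENY
        return Decision.UNLOCK


def possession_only_policy() -> Policy:
    """Fob-style: mere presence of the token is all that is checked."""
    return Policy()


def wearable_policy() -> Policy:
    """Watch-style: must be on a wrist and unlocked with a passcode since removal."""
    return Policy(require_wear_detection=True, require_recent_verification=True)


def simulate() -> dict:
    """Constructed scenario: the owner's token has ended up in someone else's hands."""
    stolen_fob = Token("fob-1234", rssi_dbm=-40)              # in range, no check
    far_fob = Token("fob-1234", rssi_dbm=-80)                 # owner walked away
    stolen_watch = Token("watch-5678", rssi_dbm=-40,
                         on_wrist=True, recently_verified=False)  # removed, so locked
    owners_watch = Token("watch-5678", rssi_dbm=-40,
                         on_wrist=True, recently_verified=True)

    fob_policy = possession_only_policy()
    watch_policy = wearable_policy()
    results = {
        "stolen_fob": fob_policy.decide(stolen_fob),      # UNLOCK: possession suffices
        "far_fob": fob_policy.decide(far_fob),            # DENY: out of range
        "stolen_watch": watch_policy.decide(stolen_watch),  # DENY: no passcode since removal
        "owners_watch": watch_policy.decide(owners_watch),  # UNLOCK
    }
    # Remote disable: once the fob is marked revoked, proximity no longer matters.
    fob_policy.revoked_tokens.add("fob-1234")
    results["revoked_fob"] = fob_policy.decide(stolen_fob)  # DENY
    return results


if __name__ == "__main__":
    for name, decision in simulate().items():
        print(f"{name:>13}: {decision.value}")
```

The point of the model is the difference between the two `Policy` instances: the fob policy has nothing to check beyond presence, so a lost fob is as good as the owner's until it is revoked, while the wearable policy fails closed as soon as the device leaves the wrist.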

A Future Without Passwords?

All these ideas, as interesting and clever as they are, merely address the inconvenience of entering passwords by asking you to do something else (which may or may not be more convenient or more secure). There’s nothing wrong with that line of thinking, and you may well find that one of these products helps you a great deal. Before you jump in, however, think about the following:

  • Biometrics sounds like it should be the future, but the need to have appropriate hardware and software wherever those biometric scans may be required is a significant hurdle.

  • Physical authenticator devices (as opposed to approaches that use your existing smartwatch or smartphone) can be pricey—and then you have to adopt the habit of carrying them with you all the time. Be careful not to lose them, and if they use a battery, don’t forget to keep it charged!

  • Most of these password-replacement solutions require reasonably up-to-date hardware and operating systems. Are all your devices compatible? If not, how will you deal with those that aren’t?

  • Because of the security risks of depending on either biometrics or an authenticator device alone, solutions that require both methods (for example, swipe your secure token and scan your fingerprint to log in) are much safer—but also more likely to fail for numerous reasons (forcing you to go back to using your password).

  • If you decide to adopt one of these alternative methods for entering passwords, you’ll still need to have good passwords to start with, a secure record of those passwords, and a way to display and enter them when using an unsupported device.

I don’t mean to discourage you from trying the things I’ve discussed here; if you have the time, money, and willingness to experiment, be my guest! But there’s a difference between a more convenient password entry method available to some and a true replacement for the awful username/password model.

In short, as much as I’d love to have a future without passwords, the best I think we can look forward to for now is a time when we still have to create and store passwords, but entering them is—usually—quite a bit easier. Even if someone devises the perfect technology to replace passwords, it will be up to each site and service that currently uses passwords to implement the new system. That could take anywhere from years to forever.

But while I can’t make the underlying problem go away, I do hope that by the end of this book, you’ll feel that the symptoms are under control. And you won’t need a bleeding-edge gadget to achieve that control, either.
