Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Brought to you by Toyota. Let's go places. Welcome to
Forward Thinking. Hey there, and welcome to Forward Thinking, the
podcast that looks at the future and says they've given
you a number and taken away your name. I'm Jonathan Strickland,
(00:21):
I'm Lauren bo and I'm Joe McCormick. And that was
a good one, Jonathan, thank you. Once in a while,
I do, I do pick a good one. Well, you
might have guessed, if you're quite perceptive, from what Jonathan
just said that today we're going to be talking about passwords. Yeah,
and not the not the game show password, which is
unfortunate because I used to love that. I don't know
what that is. Wow, you well, you're just like from
(00:43):
the nineteen six Yeah, I was back when I was
back when I was old, just a lad in the
year of Our Lord eight hundred and forty two. All right.
So anyway, oh Joe, now that we've revealed that I am,
in fact Highlander and I battle to the end of
time for the prize, what about passwords did you want
(01:04):
to bring up? Well, I wanted to look at the
future of passwords, as we often look at the future
of things on this show. Because I think the state
of passwords today is unsustainable. I could not agree with
you more. Now, the way we typically go about our
lives today, if we use a lot of online services,
we use online banking, online credit cards, email, social networking,
(01:30):
video streaming, you might have, you know, twenty five fifty passwords.
I mean, who knows how many different things you have
a password for. Maybe a lot of these things are, uh,
these kinds of services online where you might only use
them once a year or even less often. But you
had to create an account with a password in order
(01:52):
to do something one time, and so you end up
with this huge list of accounts and passwords you've created,
and it is so annoying to remember all these things,
and sometimes not just annoying but impossible to a certain number.
And if you are making your passwords sufficiently complex and
(02:12):
and different from each other, because that's part of the
thing about passwords, you know, we're not supposed to use
the same password twice for any of these dozens and
dozens of accounts. Well you should tell that to the
millions of people out there who well maybe you're telling
them right now, So good job, Lauren. The millions of
people out there who do use the same passwords over
and over again. And it's worse than that because they're
(02:34):
not even necessarily using a strong one, right. Most people
are using really, really sad, horrible weak passwords that are
super easy to guess. There's actually a digital security company
called splash Data that releases a list every year of
what it claims are the twenty five worst passwords of
(02:55):
that year, and it's gathered from quote files containing millions
of stolen passwords posted online during the previous year.
That's creepy, That's great, Okay, So obviously a the worst
password would be probably like the most popular and easiest
to guess password, the ones that everybody's using. So I
checked out the list and coming in at the top
(03:17):
of the pack, where a few winners like one five six, password,
qwerty six seven, and the highly clever one one one
one one one. Also making the top twenty five were
some I thought weirder candidates, such as monkey Shadow and Princess.
(03:46):
I will I will refrain from commentary about monkey Princesses,
but now I gotta change my password. Oh no. Another
one was like let me in. I like that. There's
this kind of like magical spell kind of quality. Do
it the thing or it's just the thing you start
screaming at your computer when you just wanted to work.
Let me in also has sort of a kind of
(04:07):
survival horror vibe to it too. There's a lot of
different ways of looking at this. I started that. So
the state of password generation when you leave it up
to the user is really horrible these days. Yeah, and
this really does manifest in insecurity problems. Well, and even
if you are diligent, maybe several of our listeners out
there are really trying very hard to manage really complex
(04:32):
passwords that don't fall into these simple traps and uh,
but doing so, they're using different passwords for each one. Yeah,
this gets hard. I mean it's, first of all, a
strong password is by definition difficult for you to remember
because it's complex, all right, It's it's not a single word,
and any word that's in the dictionary is classically a
(04:53):
very poor password. It's easy for a computer to guess. Yeah. Yeah,
it's called a brute force attack. That's when you're just
essentially or a dictionary attack. That's a specific type of
brute force attack where you just take a database of
words which could be simply a dictionary, and you run
that through when you're trying to crack someone's password, and eventually,
(05:14):
if you're using a real word, that's gonna pop up. Now,
a dictionary attack in reality goes well beyond what words
you're going to find the dictionary. It's gonna come up
with words that appear on these lists. Like you were
talking about Joe, those those words, those numbers, whatever, those
happen to be the worst ones. You can guarantee that
those are going to be in those kind of databases.
(05:36):
And so if you are doing everything right, you're probably
having to rely on some other piece of technology to
manage all those because we're just not equipped to remember passwords.
Like a really strong password's going to be at least
eight characters long, probably longer than that. It's going to
incorporate upper and lower case letters, it's going to incorporate numbers,
(05:57):
and if the system allows you will probably incorporate some symbols.
Not all do so. In fact, there are strong password
generators that only work with letters and numbers because not
all systems will accept ye like an at symbol or
hashtag or something like that. Yeah, And there are some
pieces of software that help people deal with this short.
Some people have like browser plug ins. I use one,
(06:19):
for example, because otherwise I wouldn't be able. I do
have a unique password for every single service I use,
but only because I have this password manager. If I
didn't have that, there's no way I could do this, right,
But of course that has limitations also, right, Like that's
on your machine, But what if you need to go
use a different machine. Mine's web based, so I can
(06:40):
actually use it as long as there's a browser to
log in from from any browser you can, or you
can also use an app on your phone to get
around this. But at any rate, Yeah, it's not a
really great solution to the overall problem. It's a good
bandage exactly. It is a bandage. It's not a it's
not a It doesn't fix the underlying issue, which is
that passwords have these limitations, and we're quickly coming to
(07:03):
a point where to make a password that's workable requires
so much effort that it defeats the purpose of having
a password. No one will want to use the service. Yeah. Well,
I think we should look at one more aspect of
the state of passwords before we look at the future
of passwords. There was a CSID survey
as a as a data and security company. Yeah, so
(07:26):
like the company I mentioned earlier was also a secret company.
So they have sort of an interest in getting people
this information about how bad things are. Right. It's an
interesting report. I read through it. It's actually a very
short report that that lists what they found. They survey
US adults, so people eighteen and older. They found that
(07:47):
six people reuse the same passwords on different sites, which
is a huge problem because if one password is um
is caught. Like if if hackers are able to find
that one password and you're using it for multiple services,
they have access to all the services to use that
password for. Yeah, that's a bad, bad scene right there.
They also found that the age bracket of eighteen to
(08:11):
twenty four year olds was the most guilty of doing
this at seventy six percent, which kind of goes against
what you would think. You know, again, we we have
this perception, or at least maybe I should say I
have this perception. I am a member of Generation X,
and I remember growing up with computers, and so when
I grew up with computers, I became very educated about
(08:34):
computers because it was a new thing. It was fascinating
and I really took to it. But my uh, you know,
my my savvy, my tech savvy is kind of limited
to in a way, what I was experiencing when I
was growing up. You know, I still have to learn
all this new technology stuff that's coming out that other
people who are growing up right now, that's their world.
(08:55):
So I have this perception that people growing up now
are more savvy at using technology and they use it better,
and they use it more effectively and more securely than
I do. But that doesn't seem to be the case.
I did read a statistic that, um, I think from
the same report that the eighteen twenty four year old
demographic is more likely to lock their mobile device. Yeah,
(09:18):
the next sense because it's something that they have with
them all the time and they use more frequently than
a computer. Yeah, I mean, still an issue. It's still problematic. Absolutely.
Um what else? What else did the study find? They
found that of people used five or fewer passwords for
all their stuff. Now, they didn't have a follow up
(09:39):
to say how many services these people typically use. If
you're using five services and you have five passwords, congratulations,
you're doing it right. If you use twenty five services
and you have five passwords, you need to rethink your
security approach. Um. But they also set found that only
six percent had twenty or more passwords of the folks
(10:00):
they survey. Now, again, without knowing how many services you're using,
you don't know if those that six percent is like
the actually most secure. But we can kind of draw
some general conclusions of the respondents say they change their
passwords once a year or not at all. So, uh,
just under half never change their password or only do
(10:22):
it once a year. You're supposed to do it more
frequently than that. That's another thing that's really irritating about
passwords is that a lot of services recommend you do
this regularly. Fun little peek behind the curtain. This morning,
when I logged in, I had to change my local
password on my computer. We're mandated to do that. Princess Monkey, Princess,
(10:43):
It's not just princess. It's okay, I'm going to change
it before the end of this podcast. Uh. Now, nine
of the respondents. Despite despite these findings, respondents, to be fair,
that they weren't aware of what the findings were yet
felt that their behaviors were secure. That's the worst statistic
in here, because it means that they think that what
they're doing is good enough, and it clearly is not.
(11:07):
But you know, it's kind of like the the surveys.
I don't know if you guys have ever looked at
the ones about the supertaskers, where like the supertaskers, everybody
thinks that they can multitask. There's like it's like two
of the population, but believe they are in that two percent,
which doesn't work. It's kind of like that, I can't
(11:28):
remember the percentage now, but there's this overwhelming percentage of
drivers who believe they are above average drivers. Right, it's
all those other idiots on the road that they are
the problem. Right. Yeah, Now you might wonder, out of
these people, how many of them had actually experienced any
issues with their accounts being compromised, having a security issue. Yeah,
(11:55):
more than one in five. And now, granted, security issues
can become a a problem even if you are doing
everything correctly. If something on the back end is compromised,
then you know, you don't have any control over that.
But we're focusing mainly on the stuff that we as
end users would have some sort of control or some
(12:15):
sort of interaction in order to unlock our services. Right,
So I think now we should transition to looking at
the future of passwords. What is this gonna look like
for the the user of the future when you log
onto your machine, or maybe you're not using a computer,
when you're just trying to get access to some kind
of sensitive information or private service, what are you gonna do? Well, there,
(12:41):
we can look at some of the more recent developments,
some things that are are currently happening, and then kind
of build out from there. I think that will work.
And so one of the stories I wanted to mention
was a guy named Sam Crowther, an Australian who came
up with a clever app that uses pictures for your passwords.
So if you were to sign up for a web service,
(13:01):
you would open up this app. You have a collection
of pictures there, and you think, the picture of a
hamburger that's gonna be my Gmail password from now on.
You know, you don't tell people that clearly, but when
you press the little hamburger picture, it actually generates a
five hundred and twelve character long password that's so long
that there is not any you know, foreseeable problem with
(13:26):
that getting cracked. Unless quantum computers come online tomorrow, in which
case it's total different. Yeah, it's a different conversation. But
at any rate, Uh, you know, behind the scenes, what's
going on is just a password that's being generated. But
it's a password that's so strong that there's just no
human who would be able to learn it. Um, you know,
at least no, let me say, a very small population
of humans. Perhaps I shouldn't underestimate human ability, but it
(13:51):
was I thought it was a really clever and elegant
solution this idea. And the pictures are going to always
be displayed in a different layout when you open the app,
so you're looking for the Hamburger picture, but it's not
always going to be in the same place. That way,
if someone sees you use your phone to access a
web service or whatever, uh, and they see, generally speaking,
where that person touched the screen, that's not going to
(14:12):
be useful information the next time that that app is open.
So if someone does get hold of your phone, they
won't necessarily be able to access the services. Um. The
best part about the story was that the guy is
eighteen years old. He's a young and who came up
with this idea. Very clever. Wow, And to imagine what
I was doing, I was creating very weak passwords and
(14:36):
act when I was When I was eighteen, I didn't
even know about the world. The World Wide Web didn't
exist when I was eighteen, and I didn't know much
about the Internet at all. So I really wasn't making
weak passwords to a couple of years. You hadn't
(14:56):
had the opportunity to get your identity stolen. No, no,
I would take a couple more years. Oh yeah, the
Industrial Revolution still had to happen. Kay. Sorry, sorry, Ok,
you guys are so lucky. You took it too far.
You guys are so lucky. I left my katana at
my desk, all right. Um, there there are, of course
(15:19):
services that let you log in UM directly through something
like Gmail or Facebook. You know, as long as the
computer that you're on is signed into one of those services,
the system just checks for that log in and then
signs you in automatically UM, which is of course less
secure than entering a separate, awesome password for every website
(15:40):
that you're on. But but I think that that's kind
of the direction that a lot of people are thinking
of going as as we start moving into the future. Yeah,
I'd say on the opposite end going forward, something that's
going to be less convenient but more secure is two
factor verification, which Gmail does have available if you enable it.
And I haven't enabled online which is Facebook or something, Yes, yeah,
(16:04):
that's exactly right. Yeah, And and in fact I haven't
enabled on that too, which means every time I try
to log into my Gmail or Facebook account from a
different computer, I also have to make sure I have
my phone with me, because two factor verification is all
about sending an extra message on some other medium than
what you're going through in order for you to be
able to verify you are who you say you are.
(16:25):
So if I put in my Gmail password, I try
and sign into any of the other computers here at
the office, and I put in my password, I know
my password. Everything's cool. I hit enter. That doesn't get
me into my account. What does is Gmail will send
me a text message onto my phone which will have
a code in it, and I have to put that
code in before Gmail will allow me access to my account.
(16:47):
So the thinking here is that you have to have
two things, not just something that the person knows the password,
but something that the person owns smartphone, so it's it's
an idea that is supposed to increase security because the
likelihood of someone having both of those things is lower
than having just access to one or the other. Right,
So that does address half the problem the security concerns,
(17:08):
but it doesn't really address the convenience factor, right, And
that's where Google is starting to play with a few
automatic versions of two step verification. Their employees, for example,
use these little USB dongles that, when when they're plugged
into a computer, will authenticate the user. They've also been
talking about Android phones ability to to unlock themselves when
(17:29):
they're in the bluetooth presence of a device that belongs
to the same owner, like, for example, a smart watch. Cool.
So well wait a minute, so if someone stole both devices,
that would suck. That would suck really hard. M However, Well,
it's really the same thing with with with two step verification,
Like if if someone has if someone has your address
(17:51):
or your your your password and your phone, uh and
the and your phone is unlocked, then it's you forget it.
I mean it's that this sort of security measures they
have to work on a baseline, uh uh, you know,
belief that the physical machines are at least secure. If
(18:13):
you have had a physical machine stolen, then there are
a lot of issues here, and it's not you know,
this is just for we have to make sure that
the baseline is what is safe, you know, and then
we can start to look into further issues, like if
someone takes your phone. A lot of these phones also
go into a sleep mode that have to you know,
they require an access code or some other form of
(18:34):
verification or to wake up. So that's the security measure
for those devices. Yeah, it helps. It's not necessarily a
perfect system. Um. As of October, though, you can totally
buy a USB key of the sort that Google's employees use,
and if you pair it up with Google Chrome on
your physical computer, you can use it to log into
(18:55):
your Google account, which which is a pretty nifty little
piece of technology considering it's running for like eighteen bucks
retail or something. It's not bad. So is that is
that only for Google accounts though? Yes? So I wonder
if something like that would ever be possible to log
into all your accounts. I'm sure you could get something
like that. I mean, they're like when I was talking
(19:16):
about my web based password manager, you could probably get
a physical USB stick type thing that essentially follows
the same same pattern. But then if you lose that,
then you're in trouble. So it's you know, having a
physical thing to lose makes it tricky, uh that you know,
it's not a it's not the ideal solution because again,
(19:37):
if you if you were to misplace it, like I know,
my wife has a security dongle that she uses for work,
and if that gets misplaced, then it becomes find where
the dongle went day. Okay, Well, obviously having a device
on you to unlock all your digital services is convenient
as long as you don't lose the device. So what
(19:59):
about having a physical object that you can't lose, like
say your eyeball or your hand. Well, I mean you
can lose an eyeball, but but guys try not to write.
So there's been more likely to lose a hand or
an eyeball depends. If you're a pirate, it's a shot
(20:19):
so um. But if you're an though, if you're a ninja,
it's it's you know, ninja pretty much, it's all or nothing.
You know, you don't see a lot of one armed
ninjas running around or ninja I should say, since the
plural is the same as the singular. But at any rate,
we're talking about biometrics, right, and we have systems like
this that are already active, right, like like iOS devices. Um,
(20:40):
the latest iPhones have actually from the iPhone five s forward,
they have a sensor that detects uh, finger presence and
then they scan it to make sure that you are
who you say you are, so that unlocks the phone.
So if I pick up my wife's iPhone and I
put my thumb on that it won't activate because it
knows I'm not my wife. Um. So these are
(21:02):
systems that rely on something that is unique to you
to act as a verification and authentication. UM. So it
could be a fingerprint, it could be something a little
more secure than fingerprints, because you can lift a fingerprint
and you can recreate it using something like latex. But
if you are scanning beneath the surface of the skin
for things like the layout of blood vessels, which is
(21:25):
the way a lot of these verification devices are working now, uh,
that's a lot harder to to replicate, right if you
don't have access to the person's actual finger. Of course,
there must be something that's preventing this from going all
over the place, right, I would imagine systems like this
are kind of expensive and difficult and not worth the
(21:46):
trouble in a lot of cases. Uh, they're definitely finicky.
The technology right now is a little bit on on
the delicate end and comes back with a lot of
false negatives, right Yeah. Yeah, it's one of those things
where you want something to just work, and this does
not always just work. And also it's just it's one
of those things where depending on the implementation, it may
(22:07):
be very limiting. Like if it's something like an eye scan,
then you're working with a camera that you need to
stare into. Not a lot of people really find that
particularly enticing. Uh. There are some other implementations that are
kind of exciting that involved biometrics that aren't you know,
a physical feature. I mean there's some like the shape
of your ear has been referenced as a potential way
(22:28):
of testing, you know, being a way of identifying somebody.
But there are others like your heartbeat. The actual electrical
impulses that your heart makes when it's beating, no matter
what rate we're talking about, are distinct and that is
very difficult to replicate. So if you are if you
get a device and you map it to the electrical
(22:50):
impulses of your heartbeat, you can be fairly certain that
that device is going to be, you know, geared to
you and you alone. Uh. There is in fact a
device that's in development that does this, called the Nymi
wristband, N-Y-M-I, and and maybe it's
ninety but I didn't know. It's supposed to work this way,
and it's supposed to detect the electrical activity of your
(23:11):
heart and then map it to whatever. So you could
use this not just to activate systems, but also imagine
walking up to your house and it unlocks automatically because
it knows you're coming, because the heartbeat says it's you. Yeah.
It's pretty neat, also clever, because you would have to
be alive as you approach. Exactly, exactly. So, So for
(23:32):
all of those folks out there who are thinking I'm
just gonna be producing a whole lot of pirates, poking
out eyes and cutting off hands doesn't work for this one.
I gotta have that heartbeating. I mean, everybody who's played
Resident Evil four understands that you can just take the
eyeball and use that for the retinal scanner, right right,
yeah's somehow I doubt that would work in real life.
(23:53):
Minority Report did the did a similar thing right where
they the guy had his surgery to replace an eye
so that he could get access to a place. Yeah,
Loki pulled that trick, y'all in like the Avengers. So
let's let's let's all forget about that one. Okay. Well,
one thing I think about this though, is that with biometrics,
you're having to do some analog to digital translation where
(24:16):
you're having to take a system where it's gonna scan
something about your body. You know, you're the pattern on
your fingerprint, or the patterns of the blood vessels under
your eyeball, or your skin, or your heart rate, and
in all these cases it's got to turn that into
data that can be used as a password. Are there
ways that we could just start with digital data that
(24:36):
would basically be the same as biometric Well, there might be.
I want to talk about the password tattoo and the
password pill. Okay, okay. The tattoo thing that we're talking
about isn't like a physical tattoo. It's not tattooing a
barcode on you. But well, I mean it's physical. It's
not a permanent it's not a permanent tattoos, That's what
(24:58):
I mean. It's it's one of the tattoo stickers
that we've talked about a few times on the show.
One of the little stretchy circuitry stickers, right, yeah, sort
of the second skin thing. It's it's not like my
monkey princess tattoo on my right cheek. Right. So, at
D eleven, which was the All Things Digital conference in May,
of the Motorola researcher and former DARPA director Regina
(25:19):
Dugan gave an interview where she talked about the hassle
of passwords and a couple of future authentication methods, namely
the two I mentioned here. So one example, of course,
was these temporary password tattoos. And this is based on
stretchable circuits, which we've talked about on the show before,
that you can embed circuitry in these. I mean, I
(25:39):
can't think of a better way to explain it. They're
temporary tattoos. You stick them on your skin and they
stay there. It's it's almost like a sticker, but it's thinner. Yeah,
And of course so they can have a little embedded
antenna that can communicate with devices nearby. So all you'd
really need to have would be in the morning, you
put on one of these stickers and it has your
password verification on it. So you go around
(26:01):
and you've got this on your body wherever you're at
a device that you need to log into. And so
that's one way. But here's another way. You could take
a pill in the morning, like like a chill pill, no,
like a password pill. So Ducan brought up that there's
a company called Proteus Digital Health. They got FDA clearance
(26:22):
to create an edible sensor, and I think the original
idea was to use it for medical purposes, but it
could also be used for digital authentication. So you take
one in the morning and then you've got access for
the rest of the day. Basically, the way it would
work is that you swallow this tiny pill and the
acids in your stomach activate the electrical component in the pill,
(26:46):
so they sort of act as the electrolyte there.
And then when the pill gets activated, it starts to
give off a coded electrical signal, which she compares to
an ECG signal like an electrocardiogram. Uh
and so after you've taken the pill, all you have
to do is touch something and your body automatically enters
the electrical code. Uh supposedly, how safe. I'm wondering what
(27:13):
the mechanism is for that that activation. That's kind of crazy.
I mean, she compares it ECG. So it's got to
be electrical impulses that are emanating from this pill inside
your body. But when you come in contact with the
thing at activates, that's what's getting me. I guess maybe
if it's constantly broadcasting and then everything else is essentially
a receiver, once you get within close enough contact, then
(27:35):
there's a connection based or something like that. Otherwise, I
can't imagine it being like turning you into electro. I mean, yeah,
I take a pill for that. Well, I would take
a pill to turn into electro. I just don't think
that's what this is, all right, I'm sorry, Joe. Please,
she confirmed it's so you turned into electric okay, all right,
well never mind objection. She did not. But apparently apparently
(27:57):
this is safe. She claimed you could take many of
them and it wouldn't harm you. So that way, for all,
they can't overdose on passwords. You can't overdose on passwords,
but not on password pills. Okay, of course, the thing
that I was wondering about it was are there going
to be situations where if people are taking password pills,
(28:18):
are there going to be potential identity thieves like scraping
septic tanks and sewage treatment plants to find active pills
to exploit. Yeah, it gives a whole new meaning to
the word fishing. Yeah. I would imagine that these things
have to have a limitation on their power source, so
some kind of self destruct. I would just imagine making
(28:41):
their way through the digestive tract of a of a
human being, they probably wouldn't be in the best working
condition by the time they came out the other end. Yeah,
I don't know, but I'd have to assume that's part
of the design. Yeah. If it weren't, that would be
a bizarre oversight. Well. Also, I would imagine you could
also create your hard enough to create something like this.
(29:01):
I mean, the other issue with this is that how
do you have at work on a on a regular
basis regular basis, But assuming assuming that this is not
for just a temporary one time pass, if it is,
that's great. I mean that that makes perfect sense for
this implementation. But if you're talking about prolonged use, like
it's something that you log into every day, then you
(29:22):
would have to have access to that same pill every time.
Oh yeah, that's the idea. You take it every morning,
so there's an actual physical repository of the password that
lets you into your system. Somebody gets into your medicine, right,
that's the real issue. I'm not I'm not so much
worried about going through the sewage as I am getting
(29:45):
access to the bottle of magic pills that gives you
access to all my stuff. That's what I would worry about.
I don't know. It's a good question. Okay, maybe maybe
as a pair with some other security I'm not sure.
At any rate. Um, you wouldn't hold on you're saying
no to the pill. You wouldn't take the password pill.
I would totally take the password pill. I'm just you know,
(30:07):
for for if someone needed to let me onto an
air force base for one day in order to i
don't know, like report about cool stuff that that was
technologically happening there, then that would be really great. That's interesting.
It also sounds like a great way to tweet about
ephemera while you should be working my personal My personal
philosophy is that whenever I visit a military base, I
(30:28):
don't automatically swallow something someone hands me. Okay, now we're
getting off topic. I'm sorry, No, No, I've got another
place I want to go with this. A lot of
people aren't going to be very cool with the idea
of taking a pill or even wearing a tattoo. You know,
I guess to some people it just seems kind of invasive.
It seems like something they wouldn't want to do. So
(30:51):
I think we should come back and look at the
idea of passwords that are based on behavior. Yeah, I've
got one that researchers at Rutgers School of Engineering have
been working on lately. It's it's a system for letting
users draw free form gestures on touch screens in place
of creating traditional passwords. They found that study participants have
(31:12):
been pretty good at recalling the gestures that they created,
and that visual eavesdroppers if if you follow my meaning,
like someone like looking over your shoulder trying to collect
your password as you put it in, Uh, they've been
pretty poor at reproducing those gestures accurately enough. To trick
the system. So it could be a definite step up
from either you know, pass codes or like even connect
(31:35):
the dots swipes that are in use for mobile touch
screen devices today. Um, and if touch screen happens to
really invade home computer use, that could be pretty rad. Yeah,
you can see how for an individual like muscle memory
could set in, especially if you enter something a bunch
of times and it becomes second nature to do it
so easily. Yeah, yeah, yeah, you can. You can use
any number of fingers and and and create a gesture
(31:57):
on any portion of your screen. It's a pretty it's
a pretty cool a little little system. I like that.
But what about behavior that's even more subtle, such as
behavior you don't even realize you're doing. Sure, as it
turns out, Yeah, the way we type is actually kind
of identifiable to us, and in fact, it has been
used in actual systems today already. Yeah. So if you
(32:19):
want to look at an old analogy to this, you
could look at handwriting analysis. Yeah, I mean, everybody has
a sort of unique way that they create letters on
on the line. And even though you might not write
the same word exactly the same way every time, if
you have a large sample of writing, you can you
can you can draw at least some you know, like
(32:42):
within a percentage of certainty whether or not it's you know,
something that was written by an unknown person fits in
with a known database of of of writing similar to this,
except now we're talking about systems, you know, typing specifically
systems where very minute measurement can be taken between the
way you type certain phrases. You know, how quickly you
(33:05):
transition from letter to letter, how long you hold down
particular keys, and it may be that with certain fingers
you hold down certain keys longer than others, and it's
not like it's long enough for it to register as
multiple, uh, entries. So you're not, you know,
J-J-J-J-J-J-J-J-J-O-N-A-T-H,
spelling my name, um, the traditional spelling, right, yeah,
(33:28):
So at any rate, you know, there's like sixteen j's
and then you get the O uh no oh sorry,
So at any rate, you you the typing you do
is is going to be identifiable back to you. And
like I said, there are some examples of this. Uh,
Coursera has, which is online learning service, has what they
(33:49):
call a signature track authentication method in which students type
a particular phrase. So it's a simple phrase. It's not
a password. This is something that you know, maybe multiple
students have. It's it's all about the way you type it,
not what the phrase is. So if the phrase is
something simple like the moon is made of cheese, and
you type in the moon is made of cheese, and
(34:10):
you calibrate this enough times, you type it in enough
times where it gets the rhythm that you type in
the way that you you are typing these letters, then
every time you need to authenticate that's you, because you're
you're turning in a school assignment, so you have to say, hey,
this really is me, it's not someone doing work for me.
You type in the moon is made of cheese. It
compares it against all the other entries that it's authenticated
(34:33):
as being you, and if it fits, everything's golden, and
if not, something's wrong. I would think though that it
might have an unfortunate effect on grades and astronomy classes. Well,
you know, considering that that was just a random phrase
that I came up with in my head and not
one that necessarily reflects what the content is in Coursera,
I think we're fairly safe now of course, typing is
(34:54):
just one behavior that many of us do, especially if
you're trying to access online services, you're probably typing in
some way. But it's just one behavior that we do
that's identifiable back to us. Right. In reality, everything you
do is weird. Yeah, now that's true. I am constantly
reminded by that whenever I ride public trans transitness. Well,
everything every one of us does is weird, which makes
(35:17):
it even more exciting. On Martha, Uh yeah, the walking
is another thing that's peculiar to whomever is doing the walking,
like the gait, the way we hold ourselves, you know,
our our posture, our shoulders, the length of our stride,
how quickly we tend to move, how much force we
use when we step down. Are you a heavy stepper
or do you have like I think of toddlers. They
(35:39):
always sound to me like they weigh about ten times
more than they really do because the way they run. Yeah, yeah,
I know, right, like all of I can't tell you
how many of my models of Tokyo have been destroyed
whenever my young relatives visit. So you're saying, like, potentially
your computer could be like the salesperson at the shoes
(36:00):
store who says, walk down to the other end and
come back kind of except in this case, they're not
looking to see if your shoes fit. They're just looking
to see if you are who you say you are.
Have you ever noticed someone walking like, let's say, I
think of this. I always think of my college days
on college campus. Lots of people, right, lots of people,
a lot of people. You know, can't necessarily pick out
faces and a crowd, especially if they're facing away from you,
(36:22):
but you might recognize someone just by the way they're walking.
That's kind of what we're talking about here. Systems that
would do this Now, granted, these sort of systems would
be useful in some applications, but not others. I don't
think every time you want to access your email that
you want to asse up your computer and then you know,
do a power walk right in front of it. That
probably is not going to be your your first choice.
(36:42):
But it is interesting that we can map these sort
of behaviors to your identity. It might be really good
for for entry into a building. For example, Yeah, as
you walk up, it already unlocks because it knows it's you. Okay.
I think we should each predict what we think is
going to be the future of passwords. And I'm going
to say, for me personally, what seems the most plausible
(37:03):
is a sort of two-step verification that's a combination
of the password tattoo, the temporary tattoo, I mean, which
is pretty non-invasive and easy, and then also selecting
an image. Okay, I do like selecting an image. I
think that that's a really clever thing for because because
it's so uh difficult to reproduce it it's not you know,
(37:26):
a string of characters that's short, right, but it's also
so easy for the user. I mean, it takes half
a second. I think we will all be issued a
familiar unique to us, which will then grant us access
to whatever castle, dungeon, or fortress that we are trying
to enter. Play a lot of D&D over the weekend,
(37:47):
so we're living in D&D, but we also
possibly have like a like a Subtle Knife daemon kind
of thing. Yeah, exactly, Yeah, we're talking. You know, that
was kind of thinking of His Dark Materials trilogy. I've
got to admit um to be more serious. I think
biometrics really are going to be well. I do too.
I can finally get my monkey Princess password. That's a
(38:09):
real monkey princess. I knew it. I was in here
with a couple of Mrs Coulters. Well, at any rate,
I really think biometrics to be really, I think biometrics
are going to be, uh, really the one that wins out,
at least in the short term. I mean, I've I've
had computers that have had fingerprint scanners. You know, there
(38:29):
are smartphones on the market right now that have them.
We're seeing more and more of those devices come up
and more of those systems come up. I think that's
really gonna be, at least for the near future. The
solution in the far future, well, you're talking about especially
in the possibility of an era of of quantum computers.
You're talking about era where it's gonna be way more
(38:50):
of a tricky situation to create a truly secure system,
even if people are behaving the way they're supposed to,
So then it's harder for me to make a prediction
DNA sample actually your geno. No, I'm actually totally ready.
Like I've said this in public on the Internet before,
like at times of extreme stress with passwords that if
(39:13):
I really did just have a USB stick where I
could prick my finger and it would read my DNA.
I would sign up for that like today. If I
never had or another password, I think there'll just be
a spit cup. But oh well that's even nicer, yea
the horrible totalitarian future. Yeah, I was thinking cheek swab
because that's just funny. Everybody at the office comes into
(39:35):
nine am swabs. Well, you know, guys, this has been
a fun conversation and uh and we're about to have
another fun conversation in a moment, So I think we're
gonna have to wrap this up because I don't know
how silly we're going to be in the second episode
that we record. But guys, this is actually has been
a really entertaining and interesting discussion and we we enjoyed
looking into it. If you guys have any suggestions for
(39:57):
future topics for the podcast for the videos yours, you
should let us know. Send us an email. That address is
FW Thinking at HowStuffWorks dot com. Check us
out on Google Plus and Facebook and Twitter. Over at
Twitter and Google Plus, we're FW Thinking. Just search
that in Facebook, we'll pop right up. Don't forget to
go visit fw thinking dot com. If you've never been,
(40:18):
go check it out. It's an awesome site. We've got
tons of stuff there and we will talk to you
again really soon. For more on this topic and the
future of technology, visit forward thinking dot com, brought to
(40:42):
you by Toyota. Let's go places.