Passwords passé

22 Mar 2005

Maybe passwords should be renamed passé-words — we’ve become so accustomed to typing them in to one computer or another that it’s all we can do to keep track of the myriad codes we routinely use. Whether they give us access to email, work servers or bank accounts, it seems we can’t live without them. There’s just one problem: they’re not very good.

There is a growing body of opinion in the technology community that the humble password is nearing the end of its useful life. Simply put, it’s not secure enough and will need to be replaced with other forms of access such as smart cards and digital signatures – items that verify who we are, rather than some sequence of letters and numbers that could be used by anyone.

Microsoft chief Bill Gates has spoken of this very problem, calling passwords unreliable in a speech last year. Rafal Lukawiecki, a security specialist and director with a UK technology consultancy Project Botticelli, expands on this thesis at some length. “Most of the difficulties in security are based on the fundamental weakness of the password,” he says. “There will always be vulnerabilities that exploit it.”

In addition, many people use the same passwords for multiple sites, making them easy to guess. “The problem with a password is that it is secret information being reused,” he says.

But if the death of the password is inevitable, there will need to be mechanisms to replace it. Lukawiecki sees a wider opportunity to put in place an entire ecosystem of what he calls ‘digital trust’ that bridges the gap between the aspirational world where everything and everyone is online and the real world where paper is still a key currency and many people are unconnected to the internet.

Smart cards are very secure but the problem is deploying them widely; here he urges the Government to oversee this system. There are precedents elsewhere: Malta, Malaysia and Costa Rica have introduced smart card systems. “It has to be done at a national level and done in association with Government,” Lukawiecki stresses.

He speaks of digital trust, not in any narrow concept such as digital signature technology but one that encompasses how we do business and on a broader level still, how we live.

Business first: take a transaction between two parties where one is electronically enabled but the other is not — where is the bridge? There is currently no legal framework to manage the mix of digital and paper documents, Lukawiecki claims. The problem is exacerbated when the transaction involves several parties. As long as there is one part of the chain that doesn’t use digital signatures, then the entire transaction collapses. Result? Back to the old way of doing things.

According to Lukawiecki: “The solution is to create a legal framework at government level that recognises the concept of an electronic notary, that can create a traditional document and attest to the digital document’s verifiability.” Again he emphasises that such a system must be implemented at government level with judicial and police support.

Lukawiecki argues that this is very applicable to Ireland — our relatively small size means that a project of this scale could be made to work quite easily by comparison with larger territories. He speaks of a three to seven-year time frame for such an initiative. Furthermore, it could put the country at an advantage in terms of attracting multinationals. “You could use digital trust to do business faster; that means less paper-oriented bureaucracy and results in a more attractive place to do business. That’s a lot of red tape that could be thrown away.”

Digital trust would also help to eliminate the kinds of email scams that are becoming increasingly prominent. If there is technology to authenticate everyone, the ability of spam email to pretend it comes from a trusted source is removed. “Digital trust allows us to both implement a platform for trustworthy business interaction and it removes the possibility of phishing.”

On the issue of deploying digital certificates in the first place, Lukawiecki says that this could take place either through face-to-face contact or in a way that has already been verified, such as a passport application.

The Government recently overhauled its passport system and could have included provisions to have digital certificates put on to a chip embedded in the passport page. Lukawiecki thinks this was an opportunity missed, but it’s not too late. “I hope that’s not a decision in principle and just a decision for the time being. I hope the Irish Government will change its mind because it’s precisely that that provides the easiest and most cost-effective way to remove the password problem from the population and now to enable the foundations of digital trust to be built.”

What about ensuring that no one remains ‘off the grid’ — that in the rush to digitise everything, we leave behind portions of society who by circumstance or by choice do not live this way? This is where the e-notary comes in again. Lukawiecki calls this service “an absolute must”. “It will allow those who are not digitally enabled to interact with the rest of the population. Unless there is a framework for notaries, mixed-trust transactions will never be possible.”

Then, once there is a Government-sponsored smart card, it can be used to transact with anything. As Lukawiecki sees it, the only part of the infrastructure that needs to be added, at little cost, is a smart card reader. Current web browsers already have the capability to ‘recognise’ both parties in a transaction, it’s just that this is never used. “It’s been a part of the browser for the past four years. The missing bit is the smart card in your pocket or the smart card reader on your desktop.”

Lukawiecki also has comforting words for those who fear that smart cards and ID systems are the thin end of the wedge and part of broader moves towards a ‘1984’ style society. “The beauty about this system is that you don’t need to manage a database of customers, because normally authentication takes place by checking against a customer database,” he says. It would also remove the fear of having such a database hacked for customer information since there wouldn’t be any. “With this, there’s nothing to store, because all you need to verify is whether you trust this certificate.” The corollary is, since the Government would validate the certificate, that trust is self-evident. “Moving to this system means simplicity, not complexity,” Lukawiecki emphasises. “People who have no banking history, for example, will be able to have the benefits of this technology.”

All of this discussion brings Lukawiecki back to his starting point. To enable a truly secure digital future for all, eliminating the password is “a necessity beyond belief”.

By Gordon Smith