Power users know how critical it is to change their passwords often and to avoid using easily guessed characters. Creating a login for your bank account based on your firstborn's birth date is a good way to share your financial information with anyone who cares to look, and the best passwords are the ones that contain a random mixture of letters and numbers. But is it enough?
An article in the New York Times points out that all password-based log-ons are susceptible to being compromised in any number of ways, and it's right. We're constantly warning users against falling for phishing schemes, and new forms of malware have become so adept at sneaking past common security fronts that a host of vendors have begun looking at new ways of dealing with the latest threats (see Internet Security 2.0 in Maximum PC's February 2008 issue, or download the PDF).
Now the experts are saying to forget about passwords altogether. According to the article, security gurus have concluded that a fundamentally different model is needed, one in which the end user plays little or no part in the login process. To do that, machines would have to be able to handle cryptographically encoded conversations to authenticate both parties using digital keys.
One of the roadblocks preventing the proposed movement from gaining steam is the lack of market penetration. The New York Times says that the necessary software for creating the so-called information cards is on only about 20 percent of PCs. And even if everyone were to upgrade to Vista (which comes equipped with it by default), website hosts would still have to get on board.
Despite the immediate roadblocks, will passwords eventually go the way of the dodo bird?