Tired of #$%& passwords? Single Sign-on could be savior
The experience we know as password hell could be radically changed for the better within the next year and a half to three years.
Struggling to come up with long strings of complex capital and lower case letters, numbers and symbols? That's so yesterday.
That's the hope, anyway.
In a fascinating interview with Google product manager Mark Risher in The Verge this week, he laid out his vision for why those passwords we've been told to create don't actually help.
They have "no bearing on phishing, no bearing on password breaches, no bearing on password reuse," he said. "We think that it's much more important to reduce the total number of passwords out there."
In other words, all that time you've been forced to spend trying to create tougher-to-crack passwords is a waste. At least that's the way he appears to see it.
I think all Talking Tech readers would agree that anything we could do to eliminate the constant typing of passwords during our daily hours would be most welcome.
But how to get there?
Google wants you to use its single sign-on feature, which still requires a password and has Google authenticate your identity, for a second layer of authority, via text messages or via the Google smartphone app.
Apple just announced its answer to Google's sign-in, with an alternative that will be introduced to the iPhone and iPad in the fall, as part of the iOS 13 software upgrade. Google has an 85.% market share for its Android phone system, compared with 14.9% for Apple, according to market tracker IDC.
"Between the two of them, that's pretty much everyone's phone system," says Bob Rudis, the Chief Data Scientist for security firm Rapid7. "So most everyone will get this by default over the next 18 to 36 months."
Facebook and Google have for years been offering consumers the ability to ditch having to recall their multiple passwords, and instead use their single sign-on system for gaining entry to websites. These tools don't even require the input of screen name and passwords, just a click of the "Sign in with" Facebook or Google tab.
Apple hopes to go a little deeper, by using the Face ID and Touch ID biometrics features of the iPhone and iPad to bypass those clicks. If a website or app asks for an e-mail address, Apple will "create a unique email address that forwards to your real one," the company says.
So how is single sign-on more secure, if Facebook is in charge? It's not, say security experts. "They've shown they can't be trusted with our information," says Rudis.
Google, however, is more trustworthy and Apple the best of the trio, he adds, due to its public commitment to privacy.
Both are super convenient. Who wouldn't rather click a Facebook or Google icon instead of having to type in your name and password, once again?
But not everyone we spoke with agreed that we can let our guard down and forget about tough passwords.
Even Google, on its website, recommends 8 characters minimum, and combinations of letters, numbers and symbols. Apple has the same requirements, with at least one number minimum. "You can also add extra characters and punctuation marks to make your password even stronger," the company says.
"You can also make the password more complex by making it longer with a phrase or series of words that you can easily remember, but no one else knows," says Facebook.
Andy Halverson, who runs IT for video firm Ooyala, looks to a password manager, and lets it create and remember the hard passwords, so he doesn't have to. He uses the password manager Dashlane, but there are many other popular ones, including LastPass and 1Password.
"I like single sign-on, but this is another tool, and really convenient," he says.
James Litton, the CEO of security firm Identity Automation, doesn't think single sign-on achieves much. "If it's a horrible password, your security situation hasn't improved," he says.
He likes super long passwords, as many as 32 to 64 characters, but stored in a password manager. With a manager, you type in one master password, and the software logs you in.
"It's more difficult for a bad guy to pick words out of a dictionary for a hack attack if I go long," he says.
Meanwhile, for now, Rudis says a combination of long passwords and a password manager will lead us "to that nirvana of being able to sign on with a single sign-on," everywhere.
It will take time. First, Apple will have to convince hundreds of thousands of websites to add its single sign-on system, which won't be easy. Apple, Google and Facebook have huge sales jobs ahead. For instance, while you can sign on to Barnes and Noble and Kroger with Google, that option isn't available on many top websites, including Target, Walmart, American Airlines, Verizon Wireless and Home Depot.
(c)2019 U.S. Today
Distributed by Tribune Content Agency, LLC.