Last time, we looked at hacking through the password jungle—where some passwords scored worse on recent security tests than just “password.” But before we look at beyond-the-password options, whatever happened to the guy who mocked Heartbleed and posted his passwords online? Well, as Brian Fung explains at the Washington Post,
The reader’s accounts on Tumblr, WordPress, Twitter and Facebook all appear to have been hacked in short order. The reader’s location on Twitter now reads as Gas City, Indiana, just like the commenter asked, and the account has several mocking tweets. I’ve obscured the reader’s name here to protect his identity, even though he seems intent on getting it stolen.
Making full allowance for the possibility that this was a publicity stunt aimed at drawing attention to security lapses, the message comes through: Internet pirates, besides being in it just for the money, have a professional reputation to protect. If we insist on mocking them, or just making things dead easy for them, we could indeed wake up to find our identity “changed” or sensitive papers online. It has happened to governments and powerful policy groups. They at least got publicity. We might just get fired or ostracised.
Is there a way to get beyond passwords? Yes, but it is even more high tech. Some propose using unique bodily signatures. For example, a recent article in Fortune explains,
Bionym is hoping to shape a more sensible and intuitive way of proving your identity to devices, databases, and financial instruments. In the fall, Bionym will release the Nymi, a wristband that replaces conventional passwords with a reading of a person’s electrocardiogram pattern.
But Bionym is dreaming bigger. One day, the Nymi could turn out the lights when you leave the house, lock the front door, start your car with a gesture, help a restaurant remember your name, then let you pay for your meal — all with empty pockets.
Then there’s AxisKey, which tries to identify you via 3-D ultrasound fingerprint readings (reading the blood network below the prints).
One obvious problem is that, while biological identifiers like heartbeat (ECG) patterns are unique, they change a lot through the day or with different activities. As David Z. Morris recounts at Fortune:
Alan Kaplan, a research engineer at Lawrence Livermore National Laboratory, has published several studies examining ECG recognition. But even after extensive refinement of his own analytic algorithm, Kaplan’s research found a 6 to 7% rate of false negatives in matching the ECG patterns of individuals in different states, such as after exercise, or even just across a long time-span. “These error rates are what you have to live with,” Kaplan says. That could end in aggravation for users, or require backdoors that would defeat the integrity of the whole system.
And there isn’t any easy way around that. On the other hand, Morris admits to having 112 passwords, which is why he is prepared to even consider bioscanning.
Here’s an introduction to 3-D fingerprint scanning in general, from Sonavation:
Denyse O’Leary is a Canadian journalist, author, and blogger.