Bring on the post password era

The Heartbleed saga has shown just how difficult password management can be, and it’s a  problem that's only getting worse as just about every service a user consumes requires a password: whether it be apps, devices, services.

Password reset requests landed in millions of inboxes after Heartbleed was exposed, imploring people to change their long-forgotten logins.

Trends such as BYOD and BYOA [Bring your own Access] will only increase the number of passphrases to manage and remember. Forgetting passphrases creates further burden for admins and lost productivity as workers either can't access what they need or lose time resetting their credentials.

Although there have been a number of initiatives attempting to solve this issue, we remain wedded to passwords. 

So what's the solution? A managed public key system with digital certificates could work in theory and would allow users to drop password entry altogether.

However in practice, dealing with certificates is notoriously difficult and leaves little margin for user error. A simple “password reset” link becomes a more complex exercise if certificate revocation and recreation are needed.

Does it have to be that complicated? Maybe not.

One of the problems with passwords, as they’re commonly used, is that they require permanence.

This means they have to be enforced by admin policy, remembered by users and securely stored by sites. All three of these factors have been shown to fail over the years: policies can be lax or difficult to enforce (how do you know that your users bother with strong and unique phrases on every device?), people are prone to forget passwords and we continue to report scenarios of stolen logins. 

Therefore, doing away with passwords altogether isn’t as silly as it may sound. It won’t be easy though: two years’ ago, Austin, Texas-based developers XOXCO came up with a simple, password-less login idea, which despite being a great concept, hasn't proven disruptive.

The XOXCO concept is to use a one-time password token embedded into a URL that is sent to your email address and which only requires a click to log in.

If that sounds like a bad idea, bear in mind that It assumes that your email account is secure, the same assumption that most other service providers make when they send verification and password reset emails to you.

The XOXCO solution does away with password entry on both the customer and provider sides which is the ideal state of affairs. Users don’t have to remember passwords - and sites and service providers don’t have to store them.

Unlike OAuth/OpenID logins via Google and Facebook, such a system doesn’t mean you give a third-party access to your contact list, timeline and whatever else the service requests.

Passwords could be a thing of the past with some refinements and further thought given to the XOXCO approach, such as providing a better way delivery service for tokens than email, which as we all know can be insecure.

Meanwhile, how to not drown in a sea of passwords

While we await the passwordless future, what’s a busy IT person who has to live with far more passphrases than your average person to do?

One option is to stop with the text files and spreadsheets, start using a password manager.

While somewhat expensive at US$50 for a single user license, 1Password4 - currently in beta for Apple’s OS X - is one such service that takes care of the heavy lifting. It creates and stores complex, unmemorable passwords and other credentials such as software license keys, Wi-Fi logins and more.

The demo vault for 1Password4

The 1Password4 service also audits user passwords for strength and age, and checks if they’ve been duplicated across services.

There’s browser integration as well as clients for iOS, Android and Windows, but for enterprise users, 1Password4 has a particularly handy feature, in that you can set up multiple vaults to store items that you wish to share and sync with other users, either via Dropbox or Apple’s iCloud cloud storage, or via local area networks.

David Chartier of AgileBits told iTnews that the multiple vaults feature has seen 1Password4 being adopted by enterprises and businesses, especially in BYOD/BYOA scenarios.

"As each vault has its own master password, it is a very secure way to collaborate and to share confidential credentials," Chartier said.

Chartier said AgileBits has had plenty of requests to support other, enterprise-oriented sync options and says his company is looking into including these.

It’s an easy bet that AgileBits and other vendors will have similar functionality ready long before passwords go away.