Google is Pushing to Kill Passwords

News
By published

Google is proposing various ways to avoid the need for long and numerous passwords.

One of the big problems surrounding identity theft and account hacking is that people tend to use poor passwords (AKA easy to figure out), and/or the same password across multiple accounts. To make matters worse, the typical web surfer has logins for numerous accounts ranging from social to banking to online shopping which typically hold credit card or other sensitive information.

That said, no one really wants to use hard-to-remember passwords with letters, capitals, numbers and symbols, and they definitely don't want to keep up with more than a few. Google totally understands this, and is aiming to eliminate the password altogether by developing a makeshift ring-finger authenticator. This is expected to not only alleviate the need to remember passwords, but make accounts even more secure.

"Along with many in the industry, we feel passwords and simple bearer tokens such as cookies are no longer sufficient to keep users safe," Google Vice President of Security Eric Grosse and Engineer Mayank Upadhyay state in a new research paper. It's slated to be published later this month in the engineering journal IEEE Security & Privacy Magazine.

One of the new methods Google is proposing is a tiny YubiKey cryptographic card that can automatically log users into Google when slipped into a USB port. There's no software to download on the computer side – support will be built into Chrome. To set it up, the user simply loads the Chrome browser, log into Google, plug in the USB stick and register it with a single mouse click.

Google already incorporates the smartphone in its two-step authentication process. Every thirty days, a user is sent a special code that must be entered to verify the password. If you use a different browser or a different desktop/laptop/mobile device, another validation code is sent to the smartphone. In some cases, users must create application-specific passwords.

But using a YubiKey would make logging into Google much simpler. It would be even better if it used NFC technology so that users simply touch an NFC-compatible laptop or desktop. "We’d like your smartphone or smartcard-embedded finger ring to authorize a new computer via a tap on the computer, even in situations in which your phone might be without cellular connectivity," the paper adds.

To read the full report on Google's move to remove passwords, check out Wired's report here.

Contact Us for News Tips, Corrections and Feedback

Kevin Parrish
34 Comments Comment from the forums
  • mousseng
    "no one really wants to use hard-to-remember passwords with letters, capitals, numbers and symbols"

    Then don't. :l
    Reply
  • Vorador2
    You can use KeePass, even using a file as password.
    Reply
  • tirvon
    This is a good idea, until people learn to steal the usb identities on public computers like they have been credit cards, by placing scanner devices over the magnetic strip readers on ATMs, and saving the person's card's data. Now all they have to do is copy that info. onto a frash drive, and plug it into a pc while logging into chrome and "hey look, my email got hacked....again."
    Reply
  • Interesting concept, actually, I wouldn't mind if they actually implemented it.

    I have an "interesting" experience with 2-step verification. I used to receive SMS from Google when logging in on a new computer or device. I didn't have Authenticator for Android or backup codes. Then I changed my mobile phone number (so the old number got deactivated). I forgot to update my number in Gmail security settings which locked me out of my account for nearly a month. I contacted support 3 times to no avail. In the and, I had to reactivate my old number (luckily that was possible because it was postpaid) to get back the access to my account.

    This just made me realize how safe 2-step verification is. Now I'm using Authenticator and have backup codes stored in safe place and even if someone gets my password (which is complicated as hell) with keylogger or something, they won't be able to do a thing without hijacking my cell phone.
    Reply
  • I prefer using the "Middle Finger Authenticator" method
    Reply
  • jarred125
    tirvonThis is a good idea, until people learn to steal the usb identities on public computers like they have been credit cards, by placing scanner devices over the magnetic strip readers on ATMs, and saving the person's card's data. Now all they have to do is copy that info. onto a frash drive, and plug it into a pc while logging into chrome and "hey look, my email got hacked....again."
    Which is why people should stop using public computers to access sensitive accounts. A little common sense goes a long way. It is a completely un-trusted device and should NEVER be used for anything other than browsing junk.

    People can fix their own problems with a little effort, people too lazy to do it deserve what comes their way. I am all for this move to a device like the ubikey becoming the standard.
    Reply
  • AzureFlash
    How about some OpenID spread too? That would be great.
    Reply
  • pocketdrummer
    What happens when you lose the USB key?
    Reply
  • assasin32
    Personally I prefer the LastPass route. Been using it since Sony got hacked (I didn't even know I had an account at the time till I got an email) but I took that opportunity to update all my passwords to at least 64character of random stuff when this happened. Though admitably some website don't allow that such as Yahoo who I think capped me at something like 24 or something low.

    This works for 90% of the website out there as LastPass unfortunately doesn't work with all of them out there. For the rest I just save login info in LastPass and access it manually or I go the XKCD way and throw together random words like "Correct Horse Battery Staple" if I have to login to it often and without LastPass (login screen to laptops/desktops/etc).

    Having just read the wired description of how Google plans to use a Yubico device vs how Lastpass uses one. It just seems like Googles way of doing things is far less secure. It doesn't sound like it will ask you for a password if you use said device by default (or any mention of the option). Which means if you lose the device you just lost all your passwords which can now be easily used by ANYONE who finds it.
    Reply
  • lebois kid
    Why don't they just embed the YubiKey in your wrist, kinda liking chipping a dog...that way, in addition to application authentication via NFC, they can keep track of our whereabouts via turnstyles and building entryways.
    Reply