Home > Identity Theft and Scams > Is This the Death of Passwords?

Comments 0 Comments
Advertiser Disclosure


Is it possible that your next password might be as simple and subtle as the way you type or hold your smartphone? If you hate trying to fill out those CAPTCHA forms with impossible-to-decipher characters, a new strategy for telling the difference between people and computers might give you some hope.

Secrets are used to keep our stuff safe on computers; for nearly three decades now, that secret has chiefly been a password, or in security lingo, “something you know.” Advanced security systems can deploy an added layer, such as a token (or at banks, a debit card), which is “something you have.” And really high-tech systems involve biometrics, such as a retina or fingerprint scan, known as “something you are.”

So far, none of these techniques has proven robust enough to stop hackers’ endless efforts to steal critical information, whether it’s millions of Target credit card numbers to access to computers that control national infrastructure. Passwords are notoriously unreliable – too hard for users to remember and too easy for determined criminals to guess. Tokens get lost. Fingerprints can be replicated.

In other words, to cyberthieves, credit card numbers and other personal information is still “something you steal.”

A Key That Can’t Be Hacked?

The continued race to stop high-tech crooks has led researchers to try yet another security frontier – and this time, they hope to be creating something that is so unique that it cannot be copied, yet is so easy to use that it doesn’t have to be remembered. They are trying a strategy known as “something you do.”

All computer users type at a unique speed, creating a pattern that is perhaps more personal than the way they sign their name. Smartphone users tilt their phones when they type, or scroll, or watch, in very personal patterns. It’s now possible to measure these things people do, turn the patterns into an algorithm, and create an authenticator that users simply can’t forget. It’s also so unique, researchers hope, that criminals won’t be able to impersonate it.

William Scheckel is chief marketing officer at one of the companies trying to solve this riddle: Oxford BioChronometrics, which spun out of the ISIS Software Incubator set up by Oxford University. He says the method has real promise.

“Phone manufacturers can identify you based on information from the gyroscopic device in your handset,” Scheckel said. “Say your bank uses this technology and you hand your phone to another person. Using this method, the bank would shut the (transaction) down.”

Oxford BioChronometrics puts together a number of these “something you do” patterns into a mathematical formula it calls electronically Defined Natural Attributes, or e-DNA. Scheckel says that using the set of highly personal characteristics creates an authentication tool that’s hard to defeat.

“The information is so specific to you it can’t be hacked,” he said.

That’s a bold claim, sure to be tested. Many “unhackable” login strategies have been foiled by criminals. One potential method: a “man-in-the-middle” attack which essentially enables a criminal to trick a user into logging in, then lets the hacker joy-ride into the now-authenticated account to steal money or commit other forms of ID theft.

But it’s pretty clear that passwords are passé. Several high-profile hacks in recent years — including companies such as LinkedIn — have seen millions of users’ passwords exposed. Researchers have used those hacks to prove that passwords are terribly insecure anyway, with a high percentage of users opting for obvious “secret” words like “password” or “123456.”

“Simple passwords are too easily hacked and there’s too much incentive for hackers to try. Identity theft is a growing problem because it’s profitable and simple passwords make it easy as well,” Scheckel said.

If you’re worried about identity theft, you should monitor your financial accounts regularly for charges you don’t recognize. You should also keep an eye on your credit — you can monitor your credit scores for free every month on Credit.com. Any major, unexpected changes in your scores could signal identity theft and you should pull your credit reports (which you can get for free once a year) to confirm.

Telling Computers & Humans Apart

He wouldn’t disclose clients the Oxford-born company is working with, though he said it was working on a “proof of concept” test with a “major household name.”

But he would talk about the interesting side benefit of Oxford BioChronometrics’ product: It is particularly good at discriminating between real people and “bots” that try to automatically log in to websites around the Web and wreak havoc — bots which have typing patterns that are obviously computer-generated. Right now, most websites use CAPTCHA forms to root out annoying bots, but they mostly annoy real people. So in May, Oxford BioChronometrics began offering a free plugin called NoMoreCAPTCHAS to WordPress users that Scheckel says eliminates the need for CAPTCHA tests. A brand-name travel company that struggles with bots scraping its site for data is right now testing the system, he said.

Forget worries about credit card hacks: If the firm can reduce the number of times users must guess what those squiggly characters are, the entire Internet will cheer.

More on Identity Theft:

Image: Tashatuvango

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team