The movie "Wandering on the Net" shows both how interconnected the online world is and how fragile password protection can be.
A daughter goes missing and her father sets out to find her. Drawing on what he knows about his daughter, he guesses the password of the first application, and unlocking that service becomes the first step in the search. After that, through one password-recovery flow and verification code after another, the father easily enters the online world where his daughter lived.
▲ Once one account has been entered, the other accounts can be recovered one after another. The picture comes from: "Network Lost"
In this process, the password does not seem to block anything. After all, in an online world where users often forget their passwords, service providers can always offer one option after another to recover them so that you can keep using their products smoothly.
Since users can't remember passwords, and passwords are not difficult to crack, why do we need passwords at all? Microsoft says no, we don't need a password. Password, bye!
"Weirenxi" said goodbye to the password
Microsoft has been planning to kill the password for a long time.
In 2015, Microsoft introduced face unlocking technology in laptop computers. It also built a dedicated application, Microsoft Authenticator, which users can download to their phones so that a constantly changing code serves as the new password.
▲ Microsoft Authenticator
In 2018, Microsoft's Win10 S operating system removed the password as long as the default settings were left unchanged. If users followed the system's recommended setup, they would not see the option to set a password.
In 2021, Microsoft finally felt the time had come for the "password-free era". Starting from September 15th, Microsoft allows users to delete the password of their Microsoft account and log in using the Microsoft Authenticator app, fingerprint recognition, facial recognition, Windows Hello, a security key, or an SMS/email verification code.
This means that even if you don't set any password, you can still log in to your Microsoft account, and you no longer need to write the password down in a notebook.
▲ Microsoft wants to make passwords disappear as much as possible
Microsoft began by introducing new login methods, then slowly guided users toward logging in without a password, and finally entered the era of no password outright. Advancing step by step, it finally got rid of the password. This time even people who are not Microsoft fans are shouting "Weirenxi": Microsoft, the hope of mankind.
All this is because the password is too "annoying".
Vasu Jakkal, vice president of Microsoft Corporation, said, "The number of cyber attacks has increased due to account and password theft. As defenders, we still have a lot of work to do in this asymmetric game. Without a password, you get advanced security, and your login method is much simpler."
▲ Microsoft will provide a variety of login methods
In its official blog in December 2017, Microsoft also referred to passwords as "an antique in the early computer era", while admitting that they have a certain ability to deter criminals. But after announcing the entry into the "passwordless era", Microsoft Chief Information Security Officer Bret Arsenault stated directly:
Not everyone hates passwords; there will still be a small group of people who like passwords, and their names are criminals.
▲ Hackers like passwords. Picture from: Fortune
How did the password become the target of public criticism?
Wait a minute, is the password really that bad? We have long been accustomed to the password login method, and have used it for many years. Why has it suddenly become a "criminal weapon" that big companies want to eliminate?
In fact, the password was a fine and useful thing at the beginning. It was a simple and direct solution that people met as soon as they started using Internet services. But that was an era when there were not many passwords to remember. As you use more and more online services, you need to remember more and more passwords. Passwords get reused, forgotten, and stolen, leading to a string of lost accounts and leaving the password in an awkward position.
Fernando Corbató, the inventor of digital passwords, also believes that there are big problems with the form passwords take. In an interview with the Wall Street Journal many years ago, the 87-year-old Fernando Corbató stated that passwords have become "a kind of nightmare."
Unfortunately, with the development of the World Wide Web, this has become a nightmare. I think no one can remember all the passwords that have been issued or set. This leaves people with two choices. You either write down all the passwords in a small notebook, or choose some kind of software to manage them, but either way is very troublesome.
▲ Fernando Corbató, the inventor of the digital password
Before computers were widely used, Fernando Corbató predicted that the Internet and information security systems would be attacked: "The really scary thing is that we make computers extremely easy to use, so they will be used more and more." His point of view also applies to passwords. Passwords are a solution with a very low threshold, so they too will be targeted.
Facebook's troubles in the past few years are also related to passwords. At that time, security expert KrebsOnSecurity revealed that Facebook had stored hundreds of millions of user passwords in plain text on its internal platform, where they could be searched by more than 20,000 Facebook employees.
The first lesson for Internet companies should be not to store users' private information in plain text. Unfortunately, many students did not learn this lesson well. Facebook and Twitter are both "bad students" in this matter. But even if an Internet company does not store your password in plain text, your password is still not secure.
▲ Facebook password login interface
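The plain-text storage problem described above, as an added example that is not from the original article or from any company it names: the same two constructed sign-ups are kept once as plain text and once as salted PBKDF2 records, and a search of each store shows what someone with read access can find. The function names, the sample users and the iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware


def make_record(password: str) -> bytes:
    """Return salt || derived key; the password itself is never stored."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + key


def check_password(password: str, record: bytes) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    salt, key = record[:16], record[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def accounts_exposed_by_search(store: dict, needle: str) -> list:
    """Accounts found by searching the stored bytes for a given string."""
    return sorted(user for user, blob in store.items() if needle.encode() in blob)


# Constructed sample data: two users who picked the same weak password.
SIGNUPS = {"alice": "123456", "bob": "123456"}
PLAINTEXT_STORE = {user: pw.encode() for user, pw in SIGNUPS.items()}
HASHED_STORE = {user: make_record(pw) for user, pw in SIGNUPS.items()}

if __name__ == "__main__":
    print("plain text:", accounts_exposed_by_search(PLAINTEXT_STORE, "123456"))
    print("hashed:    ", accounts_exposed_by_search(HASHED_STORE, "123456"))
    print("login ok:  ", check_password("123456", HASHED_STORE["alice"]))
```

Hashing only protects the stored copy: a weak password such as "123456" can still be guessed, and a password stolen from the browser or login form is unaffected.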
Piru Security Home once reported that malware drivers can steal account passwords from users' web browsers and web-based login forms across the entire network. For only a few dollars, or the equivalent in virtual currency, "black market buyers" can buy access to these logs. Furthermore, criminals can directly purchase the credentials of a specific account as long as they spend more money.
What's worse is that many people reuse their passwords, so the loss of one password may put multiple accounts in danger at the same time.
Can a password be made a little more complex to prevent it from being stolen? For hackers who want to crack your password by force, complex passwords do make the job more difficult. But unfortunately, perhaps to make them easier to remember, or perhaps out of attachment to a password they once chose, many people set very simple passwords: like paper, they break at a poke.
▲ Is your password 123456?
Splashdata, a US password management application company, publishes a list of the weakest passwords every year, and the list has become a fixture for them. Every time the list is released, you will find that people have been stupid in the past year.
Since 2013, the ever-present "123456" and "password" have firmly occupied the top two positions of the weakest password list. There are rumors that the server password of the "Dnipro" military automated control system of the Ukrainian Armed Forces is also "123456".
If even military passwords are so simple, what about everything else? Splashdata says that 10% of people use one of the top 25 weakest passwords. This means that if you stop ten people on the street, these 25 weakest passwords will almost certainly log in to one person's account.
▲ TOP 25 in the list of "The Weakest Passwords of 2018"
To avoid simple passwords that are easily stolen, some people design extremely complex passwords (some use the system's complex password suggestions), and even use a different password for each service. But it's useless, because if you forget one, you can only recover it. In the end, you have to rely on the email and SMS verification code.
Simple ones are not safe, complex ones cannot be remembered, and whether simple or complex, they may be stolen… Put this way, passwords have many shortcomings.
How do we log in without a password
Many other companies also want to eliminate passwords. But every company with this idea needs to answer one question: how should users log in without a password?
▲ Login without password
The purpose of FIDO, an industry association established in July 2012, is to solve the lack of interoperability among strong authentication devices and the large number of complicated user names and passwords that users face. Microsoft, Apple, Google, and Facebook are all members of the association. Andrew Shikiar, executive director of FIDO, believes that users have long been accustomed to setting passwords, and that it is difficult to change user behavior and reduce their dependence on passwords.
Therefore, much of FIDO's work is to explain the benefits of the password-free experience to ordinary users, so that more people will accept the idea. This is a bit like quitting smoking. The convenience of a password is like the pleasure of cigarettes, but more and more people should understand its long-term health risks. In addition to public education, FIDO also makes recommendations for new passwordless technologies so that passwordless systems become more and more standardized.
▲ Illustration of passwordless login and secondary verification
Fingerprints, faces, voices… This type of biometric identification is also an ideal "password" for identity verification, because it can basically prove that you yourself are using the service.
Fingerprint login may be the biometric method most familiar to users, and facial verification and voice verification are becoming more and more common for payment and login. According to a This is Money report, many British banks such as Barclays Bank, HSBC Bank, Halifax Bank and others currently support voiceprint recognition. More than 3 million bank customers in the UK use voiceprint recognition systems to log in to their bank accounts. The familiar WeChat also has a voice lock login option, but it places higher demands on the sound environment.
Add the pupil verification used by some confidential institutions and Amazon's experiments with facial payment, and the number of scenarios supporting biometrics is also increasing.
▲Picture from: This is Money
It's just that once this biological "password" is stolen, the consequences are even more serious. After all, you can change your digital password at will, but your face, fingerprints, and voice cannot be changed. Once they are stolen, you worry for life.
It is also common practice to use everyday devices to assist in login and verification. More and more services want you to log in by scanning a code with your mobile phone. Besides increasing the activity of their mobile applications, this may also reflect security considerations. Social applications such as QQ and WeChat also add an auxiliary verification step, which goes a long way toward keeping accounts secure.
Two-step verification is also a good way to protect account security. Apple two-factor authentication provides an extra layer of security for Apple ID. With this additional authentication method, others cannot access your account even if they know the password, because a six-digit verification code is also displayed on a device you normally use.
▲ Secondary verification of Apple devices
The Authenticator app is a two-factor authentication application that can be used regardless of the device. The second authentication step provides a stronger security guarantee. Take our own example. Before Aifaner used Google Authenticator, author accounts were still being stolen, and several articles were stolen in a row. But after using Authenticator, this situation has never happened.
But even with many passwordless login methods available, the password will not disappear so easily. Many passwordless solutions can only be used on newer devices, and many passwordless login systems also require users to have two or more smart devices to assist in authentication. Today, when users differ widely in the smart devices they own and in how they think about security, there is still a long way to go before the "password-free era" arrives.
But in any case, Microsoft has fired its first shot, which is a landmark event in the "passwordless era".
The title picture is from "Network Lost"