The San Francisco-based programmer Stefan Thomas made headlines recently because he forgot the password to unlock a small hard drive called the IronKey, which holds the keys to a digital wallet containing 7,002 Bitcoins worth $220 million. Two copies of this bitcoin password were saved on hard drives that failed due to software updates, and the USB stick where the third copy was saved, the IronKey, is password protected.
Thomas lost the paper where he wrote down the password for his IronKey years ago. The device is designed so that after 10 incorrect attempts, it seizes up and encrypts its contents forever. Only two attempts are now left to gain access, and Thomas can’t remember the password! Certainly, Thomas is not the only one in this situation due to password autarchy. A recent New York Times article, citing the cryptocurrency data firm Chainalysis, has said: “Of the existing 18.5 million Bitcoins, around 20%—currently worth around $140 billion—appear to be in lost or otherwise stranded wallets.”
This is certainly due to the unusual technological underpinnings of cryptocurrencies, which, unlike traditional bank accounts or online wallets, don’t have any institution or company to provide people the passwords to their accounts or reset lost passwords. Canadian writer Stephen Leacock’s short story My Financial Career explained how the narrator was rattled due to his tension and stupid actions inside the bank. Leacock, however, didn’t have to deal with tens of passwords in his life. But we certainly have to. We need them for our multiple email IDs, social media handles, devices, financial accounts, office and professional accounts, online shopping accounts, newspapers and whatnot.
From Frequent Flyer numbers to Netflix accounts, the total number of passwords and PINs in our lives may be in three figures. However, I can’t remember more than three or four of them, for sure. What’s more, we are often asked to change our passwords periodically—sometimes they get invalidated if we don’t do it. Usually I use my email and/or phone or call the customer service to retrieve or generate a new password. Just wondering: Are most people like me? In 2017, the Gartner Group found that 20-50% of all IT helpdesk calls are for password resets. What would Stephen Leacock have done had he been compelled to live in today’s world amid the autarchy of passwords?
As per a 2013 report by the Office of Communications in the UK, 55% of adult internet users admitted they used the same password for most, if not all, websites. And 26% said they tend to use easy-to-remember passwords such as birthdays or names, potentially opening themselves up to the threat of account hacking. These habits make hackers’ jobs incredibly easy. In October 2013, a major security breach affected over 48 million users of Adobe, and 19,11,938 users among them had the simple password: 123456. Hackers usually attempt dictionary or brute force attacks, in which powerful computers try numerous combinations of standard elements and their various permutations.
And with quantum computers around the corner, the concept of security is going to be redefined.
In fact, we need an easy-to-remember yet hard-to-crack password. Experts believe that the best password is a random one. Mathematically speaking, the more entropy a password has, the stronger it tends to be. Entropy increases with the length of the password and the variety of the characters it is made of. A random collection of common words, called a ‘passphrase’, is far easier to remember than conventional passwords, but far harder for hackers to crack. A password manager randomly generates impenetrable passwords and stores them; however, the master password must still be remembered.
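The entropy arithmetic behind this paragraph, as an added Python example that is not part of the original article: it scores randomly generated character passwords and word passphrases in bits and works out how many words match a 12-character password. The 16-word list is constructed sample data, and the 7,776-word list size is an assumption taken from dice-based wordlists.

```python
import math
import secrets
import string

# Constructed 16-word sample list so the block runs offline. Real passphrase
# generators use far larger lists, e.g. 6**5 = 7776 words (five dice rolls per word).
SAMPLE_WORDS = ["anchor", "breeze", "candle", "dragon", "ember", "forest",
                "glacier", "harbor", "island", "jungle", "kettle", "lantern",
                "meadow", "nectar", "orchid", "pebble"]
DICE_LIST_SIZE = 6 ** 5
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy when each of `length` symbols is drawn uniformly and
    independently from `choices` options. Says nothing about human-chosen
    strings such as 123456, which attackers try first."""
    return length * math.log2(choices)


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Character password from the OS CSPRNG (never the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: list[str], count: int, sep: str = "-") -> str:
    """Passphrase of `count` words drawn independently from `words`."""
    return sep.join(secrets.choice(words) for _ in range(count))


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    pw_bits = entropy_bits(len(PRINTABLE), 12)
    print(f"12 random printable chars  : {pw_bits:5.1f} bits  {random_password(12)}")
    print(f"6 words from 7776-word list: {entropy_bits(DICE_LIST_SIZE, 6):5.1f} bits")
    print(f"words to match 12 chars    : {words_needed(pw_bits, DICE_LIST_SIZE)}")
    # The 16-word sample list gives only 4 bits per word: list size matters.
    print(f"5 sample words             : {entropy_bits(len(SAMPLE_WORDS), 5):5.1f} bits  "
          f"{random_passphrase(SAMPLE_WORDS, 5)}")
```

The bit counts hold only for secrets produced by the random generator; a memorable string picked by a person has far less entropy than its length and character set suggest.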
In a nutshell, are we like Prince Abhimanyu from the Mahabharata, all confined within the Chakravyuha of passwords, seeking a password to bail us out? Can biometrics be a solution, where we don’t need to remember our aunt’s birthday to retrieve passwords? Not just fingerprints or irises: other features such as the pattern of dragging the mouse, facial patterns, the unique contours of a person’s ears, the way one holds a smartphone, and voice are also being tried as biometrics. But how efficient can biometrics be? Any such procedure is certainly subject to statistical errors, however small.
For example, in 2017, a BBC reporter and his non-identical twin managed to bypass HSBC’s voice recognition security system that measured 100 different characteristics of the human voice to verify a user’s identity, albeit only after eight attempts. The bank said it would ‘review’ ways to make the ID system more sensitive. And don’t we know that Ali Baba of the Arabian Nights could properly learn ‘Open Sesame’, the password for the mouth of a cave of hidden treasure, by overhearing one of the 40 thieves? Voice algorithms have already been reported that can perfectly imitate someone’s voice using just a five-second snippet.
A multimodal approach may be applied where different biometric modalities such as face, voice and keystroke dynamics are combined to increase security. However, some people would be skeptical about whether the biometrics are local or not. In the two-decades-old Keanu Reeves movie The Matrix (1999), the computer hacker Neo was led to a forbidding underworld. Neo discovered the shocking truth—the life he knew was the elaborate deception of an evil cyber-intelligence. Is the shadowy overlap of dream and reality continuing amid the world of security?
Atanu Biswas (firstname.lastname@example.org)
Professor of Statistics, Indian Statistical Institute, Kolkata