Dreaming of a world without passwords
Jon Honeyball wants a better, more secure and more convenient world
I'm so tired of passwords. So tired, indeed, that I don't use them anymore. For my phone, I use a fingerprint. Since the latest releases from Apple, my Watch unlocks my desktop and laptop computers. If I find myself in front of my Microsoft Surface Book, and it hasn't crashed yet again, Windows Hello decides my security credentials by looking at my ugly mug (that's my face, not the steaming cup of heavyweight coffee sat on my desk).
When I visit a website that needs a password, my constant companion Dashlane rushes in to fill out the details for me. If I sign up to a new website, it helpfully generates a complicated random password and then saves it. I have no meaningful idea of what most of my passwords are, because they're all different and look like "Xf65Ty!uP43XTyI108Yiop", or something equally memorable. Of course, I have to rely on Dashlane not imploding and taking out all of my passwords, but then the "password recover" feature works on most sites, most of the time.
The more sensitive sites have two-factor authentication. So my phone beeps with the result of an incoming SMS message, which I tap in to prove it's really me. All sites should offer this as a matter of course. That they don't shows how incompetent their HTML hairdressers are and how little they value my information. What's that? The regulator doesn't care either? Apparently not, given how it doled out a 400k fine for the loss of 157,000 customer records from TalkTalk. Had I been one of the affected, I'm not sure I'd be reassured that my data was worth a couple of quid in the eyes of the law.
Which brings me to a function in Dashlane that I really like. It's called Password Changer - and yes, it changes passwords. Choose the item in your password/website list and hit the button. Dashlane logs into the website, enters your current details and updates the password to a stronger one, which it then puts back in its encrypted store for you.
Simple? For sure. Useful? Most definitely - if you have a weak password on a site, it can sort it out for you. Feeling a little vulnerable on a rainy Monday morning? Go change all your passwords. Remember, you didn't know what each one was before, and you don't know what they are now. But they've been changed, so any leakage has been rendered less of a worry because the leaked data is now, hopefully, invalid.
However, this magic trick only works on websites that Dashlane has managed to reverse engineer. And then it struck me - surely any decent website should expose a standardised way in which third-party tools can change the password? Not just Dashlane, but other password managers too? Not just those websites that have been rectally examined, but any and all. Wouldn't that be useful? We could then help push forward with the move to password managers, taking away the big bag of stupid salty water using "MyBabyIsCalledDavid" in the mistaken belief that absolutely no-one would ever guess that, and make passwords a truly disposable thing.
Wouldn't it be quite fab if I could set my password manager to carry out this change on all of the websites on which I hold accounts? And to do it automatically too? How about once a week? That way, I could be reasonably sure that a mass accounts database leak onto a memory stick in the jeans pocket of a disgruntled hipster employee with a topknot will get knocked into touch within a reasonably short timescale.
Oh, but there's one problem. We need the web world to come together and make it so. And that, dear friends, is not going to happen. This is an industry that took a passably good idea by a scientist at CERN and turned it into one of the nastiest, most opaque, badly designed and badly written pieces of nonsense ever foisted on the public. And then we have the web browser companies that can't even seem to get around the table and decide how big a piece of text should be, and where it should be placed on the page.
The idea of anyone, anywhere, bringing forward a useful API that is consistent, easy to program, easy to use, reliable, cross-platform, and which doesn't make you want to smash its face in within ten minutes, is not particularly likely.
Meanwhile, my data is worth the grand sum of 2.55 in the eyes of the regulator. When it's 255 or, even better, 2,550, someone might wake up and start to take this stuff seriously. There are a range of solutions out there, and some good thinking. It's time they were put to productive use.
Jon Honeyball is a contributing editor to PC Pro. He doesn't have enough hair for a hipster topknot, so you can definitely trust him with your data. Send it to firstname.lastname@example.org