Kill or cure

PASSWORDS are a pain. People forget them. Hackers pinch them—this year Twitter lost 250,000 and Evernote, an online notebook service had to reset 50m after a breach. Many companies have been found to store passwords without “salting” them (adding extra data to flummox hackers) or even encrypting them at all.

Firms are demanding harder ones: a minimum number of characters, plus numerals and upper- and lower-case letters. Busy and careless people skimp on security: the typical internet user, research suggests, uses just seven passwords to manage 25 online accounts. Even those tend to be easily cracked variations on a theme: “Bageh0t”, “Bageh1t”, “Bageh2t”, etc.

The search for alternatives is both urgent and potentially lucrative. Google, along with other behemoths like PayPal and hardware-makers such as Lenovo and LG, have forged the FIDO Alliance, to develop alternative authentication employing a panoply of gadgets. These include USB sticks, chips on fobs and other tokens. (Google is working on a ring.)

Yet any hardware is vulnerable to being pinched or cracked. Bracelets, rings, smartphones and computers can all be lost or stolen. Consumers can freeze accounts linked to compromised accounts and devices, but sometimes a moment is all it takes for mischief-makers to do damage.

Some of the new ideas involve biometric data—in theory unique to each user. Apple may have a fingerprint reader in its latest iPhone, which is due to go on sale later this month. On September 3rd Bionym, a Canadian firm, launched Nymi, a bracelet which detects the wearer’s heartbeat. The technology relies on the uniqueness of an individual’s PQRST pattern: the five peaks and troughs that appear in an electrocardiograms (ECG). Its shape depends on things like the heart’s size, shape and position in the body. An elevated heartbeat means ECG of a higher frequency, but does not affect PQRST itself. The Advanced Institute of Industrial Technology in Tokyo has developed a chair which detects—with 99% accuracy—the unique shape of a user’s bottom.

Such biometric data could be more secure. But handled wrongly, they could be far more damaging. These data can be cloned, as when someone’s fingerprints are “skimmed” from something he has touched and replicated (or “spoofed” in the jargon), for example by etching a print onto a jelly mould. Getting a new password is merely a hassle. What if thieves have the digital version of your retina, or chop off your finger?

One answer is to supplement passwords (and gadgets) with something else, such as a code texted to a phone, or generated by an app. But other companies eschew clever gizmos altogether, focusing instead on making passwords friendlier, for instance by tapping people’s visual memory rather than their verbal one. Many Samsung smartphones require a doodle, not a code. A British start-up called PixelPin asks users to select some objects, in a preset order, from an image they have uploaded. Barclays, a bank, sets multiple-choice questions which require detailed knowledge of the customers’ past life and times.

Yet instituting and using all these schemes take time and money. Joseph Bonneau, a security researcher at Google, has catalogued dozens of schemes designed to replace passwords over the past two decades. As yet, none has. Meanwhile, the cyber-criminals keep feasting.