Human brains are not made for storing secure passwords
Every day, the number of passwords we have to remember are growing. All those fantastic, new mobile and cloud services intended to ease our lives require their own secretive password protection. Not to mention all those high-security banking and company logins, which protect sensitive data.
Unfortunately, in practice this is not only a pain for us users, but it is also highly insecure for a very simple reason – human brains are not made for storing infinite amounts of senseless letter and digit combinations. Human brains develop strategies to remember passwords by simplifying, reusing them for different systems, writing them down on paper, or whatever else our creativity allows us to imagine. But whatever strategy is taken, it is very likely to open up security leaks. Having some deeper insights into this topic will cause you to reconsider any faith you might have in your password invention skills.
Why are some users not able to create a secure password? Why do many choose “august1968″ instead of “sd?7gfe6%64Ffg$$vG” as password? Why can the average user not just simply invent a password which is not a variation of one of those 32 million plaintext passwords leaked at RockYou? Because not everybody out there has the ability to remember such a complex password.
The password problem is yet unsolved
I am still surprised that nobody really seems to care about this topic. Especially in the information age where our sensitive data is spread over more and more cloud and web services, and where cybercrime attacks increase day by day. The usual advice is – take a stronger password. Do not reuse passwords. Regularly change your password. But these are technical answers for a problem which is at its core very human. Often, I feel like a Sisyphean password cruncher, doomed to waste my lifetime pressing the “forgot password” button for most of my services. And it gets worse with every new service I use. Following all these password definition guidelines is like hammering virtual nails into the brain, and trying to keep them in. It does not work. Today’s password protection mechanisms are not only insecure but most of all a modern torture.
Why we need secure elements
The good news is – there is a solution for this problem. It is called the secure element. This little something is the essential part of the mobile wallet (link to my post Wallet Principle II), and currently mainly used for NFC mobile payments. But there is much more potential in it. The secure element is the key to our identity protection and authentication. In fact, it makes password handling and memorizing obsolete. And the best thing –is that it is very convenient to use.
Secure elements is a smart card in the mobile device
Let us start with the basics. The secure element is a smart card chip. These chips were designed to provide a very high level of data protection and security mechanisms for applications like payment cards. Today, the so-called chip and PIN payment cards used in Europe are based on smart card technology. Data protected in such a chip is tamper-resistant. It cannot be accessed and copied by a third party. The design even allows the card hardware to be destroyed when the data protection is endangered. That means the usual brute force attacks do not work, as the card destroys itself after several attempts to access it with the wrong PIN. Most of us know this already from EMV bank cards and SIM cards – if the PIN or PUK is typed incorrectly several times, the card becomes unusable.
Secure elements can securely store passwords. These passwords are truly random, and therefore almost impossible to hack. But even more important – users do not need to remember them. The secure element hides the complexity of the passwords and allows very easy usage. This is similar to our door keys today – each of them contains a complex and unique profile to grant (mechanical) access to places. Just put the key in the lock, and the door can be opened. Nobody would ever imagine memorizing the key profile and draw it on the door lock. Secure elements are the digital equivalent of the door key. They contain unique and secret digital profiles which were formerly known to us as passwords. These private profiles (or cryptographic keys) will never leave the secure element nor be stored at any other place. Only a digital lock, the so-called public key, is shared with external parties. As with traditional keys, the secure element is a very private token of the user. In the age of desktop computers, the use of such a digital key was inconvenient. An integrated secure element would have been bound to a fixed place, but not to the user. Hence, memorized passwords were the better approach. But this is changing in the mobile age. The smart phone is a very private device and it is always with you. It is the ideal place to also hold the secure element.
Secure elements are an alternative to memorizing passwords
Taking the secure element solution will revolutionize password handling. It is not only far more secure, but also far more convenient. The user only needs to memorize a simple four-digit PIN to access the secure element. Password-like cryptographic keys for access to websites, cloud and mobile services are managed by the secure element in the mobile device and exchanged via NFC or over a secure mobile or web channel to the target site or service. Just connect the secure element with it and access will be granted (or not). The security mechanisms are superior to today’s password handling, and there is no need for users to invent and memorize passwords anymore. This is fully handled by the secure element.
Finally, some words about the main concerns which usually come at this point. First, what happens if the secure element gets lost? Then access can be blocked, and a new secure element can be issued to the user with new private data. Second, why not use biometrics instead? If biometric data gets lost, it cannot be replaced. And in the case of a real world criminal attack, I’d rather hand over a secure element than have my biometrics chopped off.Tweet