Smart SpendingSmart Spending

Is this the death of passwords?

Hackers have an arsenal of ways to steal your passwords, so researchers want to protect your data with something else.

By Jul 29, 2014 12:57PM

This post comes from Bob Sullivan at partner site on MSN MoneyIs it possible that your next password might be as simple and subtle as the way you type or hold your smartphone? If you hate trying to fill out those CAPTCHA forms with impossible-to-decipher characters, a new strategy for telling the difference between people and computers might give you some hope.

User name field on computer screen © William Andrew, PhotographerSecrets are used to keep our stuff safe on computers; for nearly three decades now, that secret has chiefly been a password, or in security lingo, "something you know." Advanced security systems can deploy an added layer, such as a token (or at banks, a debit card), which is "something you have." And really high-tech systems involve biometrics, such as a retina or fingerprint scan, known as "something you are."

So far, none of these techniques has proven robust enough to stop hackers’ endless efforts to steal critical information, whether it’s millions of Target credit card numbers to access to computers that control national infrastructure. Passwords are notoriously unreliable -- too hard for users to remember and too easy for determined criminals to guess. Tokens get lost. Fingerprints can be replicated.

In other words, to cyberthieves, credit card numbers and other personal information is still “something you steal.”

A key that can’t be hacked?

The continued race to stop high-tech crooks has led researchers to try yet another security frontier – and this time, they hope to be creating something that is so unique that it cannot be copied, yet is so easy to use that it doesn’t have to be remembered. They are trying a strategy known as “something you do.”

All computer users type at a unique speed, creating a pattern that is perhaps more personal than the way they sign their name. Smartphone users tilt their phones when they type, or scroll, or watch, in very personal patterns. It’s now possible to measure these things people do, turn the patterns into an algorithm, and create an authenticator that users simply can’t forget. It’s also so unique, researchers hope, that criminals won’t be able to impersonate it.

William Scheckel is chief marketing officer at one of the companies trying to solve this riddle: Oxford BioChronometrics, which spun out of the ISIS Software Incubator set up by Oxford University. He says the method has real promise.

"Phone manufacturers can identify you based on information from the gyroscopic device in your handset," Scheckel said. "Say your bank uses this technology and you hand your phone to another person. Using this method, the bank would shut the (transaction) down."

Oxford BioChronometrics puts together a number of these “something you do” patterns into a mathematical formula it calls electronically Defined Natural Attributes, or e-DNA. Scheckel says that using the set of highly personal characteristics creates an authentication tool that’s hard to defeat.

“The information is so specific to you it can’t be hacked,” he said.

That’s a bold claim, sure to be tested. Many "unhackable" login strategies have been foiled by criminals. One potential method: a "man-in-the-middle" attack, which essentially enables a criminal to trick a user into logging in, then lets the hacker joy-ride into the now-authenticated account to steal money or commit other forms of ID theft.

But it’s pretty clear that passwords are passé. Several high-profile hacks in recent years -- including companies such as LinkedIn -- have seen millions of users’ passwords exposed. Researchers have used those hacks to prove that passwords are terribly insecure anyway, with a high percentage of users opting for obvious "secret" words like "password" or "123456."

"Simple passwords are too easily hacked and there’s too much incentive for hackers to try. Identity theft is a growing problem because it’s profitable and simple passwords make it easy as well," Scheckel said.

If you're worried about identity theft, you should monitor your financial accounts regularly for charges you don't recognize. You should also keep an eye on your credit -- you can monitor your credit scores for free every month on Any major, unexpected changes in your scores could signal identity theft and you should pull your credit reports (which you can get for free once a year at to confirm.

Telling computers and humans apart

He wouldn’t disclose clients the Oxford-born company is working with, though he said it was working on a “proof of concept” test with a “major household name.”

But he would talk about the interesting side benefit of Oxford BioChronometrics’ product: It is particularly good at discriminating between real people and “bots” that try to automatically log in to websites around the Web and wreak havoc -- bots which have typing patterns that are obviously computer-generated. Right now, most websites use CAPTCHA forms to root out annoying bots, but they mostly annoy real people. So in May, Oxford BioChronometrics began offering a free plugin called NoMoreCAPTCHAS to WordPress users that Scheckel says eliminates the need for CAPTCHA tests. A brand-name travel company that struggles with bots scraping its site for data is right now testing the system, he said.

Forget worries about credit card hacking: If the firm can reduce the number of times users must guess what those squiggly characters are, the entire Internet will cheer.

More from

Jul 29, 2014 3:14PM
Of course the NSA will get a hold of your biometric data and be able to track you down anywhere in the world.
Jul 29, 2014 2:26PM
I wish passwords would die...well at least as they are.  While I understand hacking is a scary thing my workplace forces me to change my passwords for all of its different programs once a can never use the same password twice.  I literally just keep adding one number to it each month.  If I stay at this job for 10 years I will have changed multiple passwords 120 times.  Not to mention that some programs have different requirements for their is annoying...and I hate it.  No one will care to use my information for anything, and even if they did they would have to break into my home to get to it.  Sort of pointless.
Jul 29, 2014 6:11PM
Ah, the household name is Google!  Am I right?

All hackers need to do then is develop a means to scan a particular user's behavioral characteristics while computing, run it through an algorithm array generator, and wait for a strike that opens the door.  As long as you have "information in-information out" it can and will be hacked.  I foresee them attempting to use imbedded chips in the human body as a "personal identifier" to control functions and security.  Even these will not be foolproof.  All these researchers do is invent another way to create a "cash-cow" they can exploit for profit in a big and fast way.  When that "cow" dries up - as they always do - they invent a new "cow".  I have said for three decades that there will be a concept called "bio-electronic-automated-scanning-technology" or BEAST, for short, that will be implanted into humans that will not only contain their financial and other personal information, but their physical and emotional status.  This technology will also be able to control physical and mental functions of the human body by interacting with nerve centers and impulses controlling everything from pulse rate, to metabolic function, to emotional state, and even life-and-death.  Yes, they will be able to switch you to "off" like a light switch.  Scary?  Well, its coming!  And, there is nothing we can do about it because it is going to be part of a logistical attempt to deal with human nature and the natural progression of things - simply put, "cause-and-effect".

Jul 29, 2014 9:35PM
How about a passcode that is your odor.  My dog knows it,  but nobody else does and you can't really copy it.
Jul 29, 2014 4:54PM
If its data the crooks can get it.  They get ahold of your retinal scan data and you can't change it.  All the info is still going out to someone like Target and they have to store it.  It wouldn't be hard to send that same data back when they want to steal your ID.  Also what if i get in an accident?  my cast (or worse) changes how i hold my phone and i cant buy anything till I heal (or don't). 
Jul 30, 2014 7:59AM
Using something that you do routinely like how you hold your phone won't work. Like when the dentist says bit normally you can't do it because you have to think about how you do it. As for typing speed that varies so it won't necessarily work. It's too hard to duplicate a physical action exactly and as we know if one thing is not right the password is rejected.  Increase the penalty for cyber crime.
Jul 30, 2014 8:12AM
Another blanket solution that doesn't account for the people who are still 'unplugged' from most of the 'advanced' technology because its out of their price range or they simply don't want it. Unless they start making desktop computer that are touch screen. Or they could just use the keyboard. But then what about people whose 'habits' change with use? There are days I fly on the keyboard, and days that I stagger along, and days that I can't type whatsoever. The last thing I need is to have to call into the bank or whatnot because I'm having a bad day and the 'smart system' doesn't recognize me as being me. Criminy.
Jul 29, 2014 1:46PM
I suppose a method of placing your finger print somewhere on the computer to log into might work. It scanning the retina of an eye might be a bit trickier..maybe it could be detected by a webcam app. All could be untraceable and only the user could log in with both. Let see if those hackers can over ride that one.
Have always used the exact-same password, and it's foolproof.:   ABC-123

It's so simple, that hackers will ever think to try it---Oh, wait...

Jul 29, 2014 5:17PM
Where there's a will, there's a way !!
Jul 29, 2014 8:16PM
Jul 30, 2014 10:47AM
Here's my failsafe device to avoid being robbed, I'm poor, so I don't have anything for hackers to steal, and if they do steal what little I have, it's easily replaced.
I'm not trusting any biometric data to a machine. Passwords aren't going anywhere because people won't be able to grasp the new tech easily nor do they trust it being used wrongly even if it can't be.
Jul 30, 2014 8:33AM
Hard to defeat doesn't mean that it can't be.
Jul 29, 2014 3:05PM
ABOUT TIME!  LIKE NOW!   I literally have a "book" for passwords which I must use just to be able to figure out the password for each account.  Snail pace for this one folks!  This technology (retina scan) has been out there for quite a long time with the government.  My brother uses a retinal scan for his job in DC for years now to get into Fort Bevoir.  Someone also needs to create a "safe" way to create "THE CARD"  so that all your information including health, credit, vendor discounts, insurance no can be consolidated so you only need to carry ONE CARD for everything.  Again, the key phrase is "SAFE."  Not here yet I believe - just too hackable.  Just tired of carrying around so many cards - everyone has their own card.
Jul 30, 2014 12:00PM
A key can't be hacked, LOL, an a lock can't be picked? Locks only keep honest people honest!
Jul 30, 2014 6:44AM
Moving to biometrics will give a whole new meaning to the term "hackers" I am sure many criminals will think nothing of literally hacking off the body part required to get access to other people's money!!!!
Jul 30, 2014 11:01AM
This is all an effort to scare people into buying newer, vastly more expensive computers that'll be obsolete before they hit the markets - so you'll have to buy another, even more expensive one.
Jul 30, 2014 7:40AM
I simply rely on the goodness of others not to hack me and steal all my promissory notes.  Otherwise, I suppose we could infect our machines with extraordinary virus's (cf World War Z)  so their hard drives will naturally avoid us.  Fricken cyber zombies...I hate fricken cyber zombies!
Jul 30, 2014 10:36AM
I don't have a smart phone, or and IPhone, or a cell phone of any kind, Especially after a friend of mine was cut in half on his motorsickle by some broad with one stuck in her ear while she was driving, and I refuse to own one, So now what?   duhhhhhhhhhhh
Please help us to maintain a healthy and vibrant community by reporting any illegal or inappropriate behavior. If you believe a message violates theCode of Conductplease use this form to notify the moderators. They will investigate your report and take appropriate action. If necessary, they report all illegal activity to the proper authorities.
100 character limit
Are you sure you want to delete this comment?


Copyright © 2014 Microsoft. All rights reserved.

Fundamental company data and historical chart data provided by Morningstar Inc. Real-time index quotes and delayed quotes supplied by Morningstar Inc. Quotes delayed by up to 15 minutes, except where indicated otherwise. Fund summary, fund performance and dividend data provided by Morningstar Inc. Analyst recommendations provided by Zacks Investment Research. StockScouter data provided by Verus Analytics. IPO data provided by Hoover's Inc. Index membership data provided by Morningstar Inc.


Smart Spending brings you the best money-saving tips from MSN Money and the rest of the Web. Join the conversation on Facebook and follow us on Twitter.