The password is about to disappear completely, and no one misses it

I opened a website called "PasswordMonster" to test how (un)safe the most common passwords used by people on earth are.

Enter "123456", and the website shows that the password was brute-forced for 0 seconds. "88888888" is 0.01 seconds.

Now, you can easily find tutorials like "how to set an unbreakable password", and with a little bit of thought, you can create a password that will take 6 billion years to crack by brute force.

But the problem is, there's a good chance you won't be able to remember. Otherwise, many people will definitely use their birthday as their password as long as they are not prompted by the system that the password is too simple. Because of the other, can't remember. Then, you're stuck in a "forgot password - reset password - forgot password" loop .

Even if I remember a password that will take 6 billion years to crack, I can't resist a database leak. For example, in a large-scale data leakage incident such as "Superstar Learning Pass", personal information such as user accounts and passwords may be stolen, sold or even defrauded by criminals.

In this case, it is useless for me to create a complex password, the only thing I can do is to change the password immediately afterward.

What if the Internet didn't use passwords at all? Can we not remember passwords and not be afraid of data leakage?

There are many problems with the "old thing" of passwords

In the 1960s, the concept of "password" was born with the first generation of the Internet. The original idea was to let the user himself become an important line of defense in this security system through user-customized password design.

This system has been effective for more than 40 years. It can even be said that it is based on this password authentication system that the Internet has an entrance for users to log in, and it can flourish.

In theory, passwords are still effective against common hackers (usually by computing hashes). When you set a very complex password, it would take a trillion centuries to crack, even if the cracking device the hacker used was a supercomputer.

For example, the typical random password in the picture above, even using a supercomputer with 100 trillion floating point operations per second, would take 8.47 trillion centuries to brute force cracking

But in the 21st century, with the rapid development of the mobile Internet era, most people will have hundreds of Internet accounts that need to set passwords, and it is almost inevitable to use the same password on multiple platforms.

What is even more frightening is that the database storing this account information is also at risk of leakages, such as the improper internal operation of the platform, or database leakage due to personal interests of relevant personnel. Then the real information of hundreds of millions of users was publicly sold on the dark web. This sort of thing happens frequently.

For users whose information has been leaked, what is even more deadly is that exposing the account password and other information of one platform is equivalent to exposing the information of multiple platforms because many users use the same password on different platforms.

Today's large-scale hacker organizations usually collect leaked databases through various channels, and through integration, depict a person's various footprints on the Internet, and then archive them together to build a "social engineering library". You may be in the process of being roughly deduced from your passwords on other platforms.

For example, most accounts nowadays only need an email/mobile number and a password (many people will reuse the same password) to log in, but if this information has been leaked from the database, hackers can follow the map to find out. Piece together your account password information on other platforms. Today, the above operations can be completely automated (commonly known as "credential stuffing").

There are also cheaper scams. Criminals will use existing leaked information to defraud real people directly for more information through phishing. The most common are fake login websites and fraudulent phone calls. Even if you set an ultra-strong password composed of various random numbers, letters, and symbols, it is easy to fall into the pit in front of a scam website that reproduces the official login page almost 1:1.

It can be seen that the current password mechanism has often become an accomplice of information leakage.

But it's hard to blame it entirely on cryptography. After all, this is a system whose principles have been basically finalized since the 1980s. The designers at that time probably did not expect that today, 40 years later, everyone will have hundreds of Internet accounts.

The existing cryptographic system is like an old steam turbine that has been overwhelmed, has frequent problems, but has to continue to drive the entire Internet to continue to sail. But the industry has also begun to realize these historical problems, and they plan to start anew and create a verification mechanism that can completely replace passwords.

FIDO, the key to "no password"

At this year's WWDC conference, Apple introduced a new feature called "Passkeys" that eliminates the need for users to type in cumbersome passwords. With it, the user does not need to enter a password, but directly uses Face ID / Touch ID (face recognition/fingerprint recognition) to authorize the use of the "pass key". At this time, the user generates a private key locally. At the same time, the platform server also retains a public key for verification. Once the two matches, passwordless login can be achieved. In this process, users only need to pass biometric identification.

Coincidentally, at this year's Google I/O conference, Google also introduced passwordless login technology: when users log in to a website in the Chrome browser, they can receive verification for login on the nearest mobile phone. The same technology will be integrated into smart platforms such as TVs, smartwatches, and even cars in the future.

The underlying technologies that support these experiences all come from an organization dedicated to promoting the "passwordless" process - the FIDO Alliance. FIDO has formulated relevant technical standards and promoted them to major Internet giants. Now, FIDO members include not only mainstream operating system manufacturers such as Apple, Google, and Microsoft but also chip hardware suppliers such as Qualcomm and Broadcom, as well as payment application giants such as Paypal.

These members from different fields, working together under the framework of the same set of technical standards, may ensure the consistency of the passwordless login experience in the future, and even the interoperability of users between different devices/applications.

For example, as shown by Apple during WWDC: iPhone users can scan the code, on a Windows PC, and use the Chrome browser to log in to an account that supports FIDO technology, such a simple operation similar to "WeChat scan code login", more It is like the epitome of the efforts of the three Internet giants Apple, Microsoft and Google in the field of no password.

Public key with the private key

From the perspective of user experience, FIDO is not much different from the current fingerprint/face recognition verification login, and it is even similar to the mainstream password auto-fill service.

The most important difference is hidden under the login page: FIDO technology does not generate a random password by the system but uses the "public key + private key" verification method to generate a private key locally on the device, and at the same time the account server-side Keep the public key. This can only be done when the private key is paired with the public key for login verification.

For those phishing websites that cannot be easily identified by users, accounts that have used FIDO technology in registration, detect that the local private key cannot match the correct web page public key, and will not transmit any information, thus avoiding the root cause. The fraud attacks of various high imitation login pages and the risks brought by database leakage are discussed.

When the webpage detects that the corresponding private key has been stored on the device, since the corresponding biometric verification has been performed, the server does not need to judge again whether it is from a real user or a malicious robot attack. Of course, there is no need to add repetition. verification steps. For example, various complicated verification code inputs, and various CAPTCHA man-machine verification of "prove that you are not a robot".

In addition, when users switch devices or want to log in to their accounts on other users' devices, Apple's passkey can also transfer the local private key and assist verification by means of data backup or QR code. It should be emphasized that the private key is always stored on the user's local device.

One last step to a future without passwords

As if overnight, the major tech giants were promoting FIDO passwordless technology, but the FIDO Alliance was established as early as 2012 before smartphones were even popular, and the organization began to research more advanced authentication methods.

But eradicating passwords is not easy. At present, the Internet ecology we are familiar with can be said to be rooted in the password verification mechanism. Passwords have become part of the Internet's DNA. Therefore, even if the FIDO Alliance has attracted industry giants, in the past ten years, it has only been able to progress step by step and seek breakthroughs step by step.

Over the past few years, the FIDO Alliance has promoted three different passwordless protocols. Among them, FIDO UAF was proposed in 2014: users can realize operations such as direct identification of fingerprints and payment by installing a biometric authentication device.

Another technology called "FIDO U2F" provides more secure encryption methods through two-step verification, including Bluetooth/NFC physical keys and two-step verification codes. Today, this is also a very common verification technology, and the SMS verification codes that we receive almost every day in our daily life also belong to this category.

After the above two protocols, the FIDO2 protocol that really started to promote the era of completely passwordless was born in 2015. This agreement has also taken eight years, and it will not be until 2022 that FIDO is finally ripe for replacing passwords, and it will be able to appear on the stage of global attention such as WWDC and Google I/O.

Today, ten years after the founding of the FIDO Alliance, the "third stage" of Internet history in the field of passwordless is the most important step.

Apple has announced that the official versions of iOS 16, iPadOS 16 and macOS 13, released in September this year, will support "pass keys" based on FIDO technology, while Google will support its own Android before the end of 2022. , Chrome browser, and other platforms to join support.

Microsoft has also issued a statement that it plans to add FIDO support to Windows "in the next few months." It is only one step away from real practicality.

Although the passwordless future presented by FIDO is very attractive, there are still some practical problems with this new standard: the most important is that more account services are needed to support this technology, which is destined to be a gradual and gradual replacement. process.

In addition, between different operating systems/devices, how to let users synchronize local private keys more conveniently will also affect the actual promotion process: including iPhone users synchronizing private keys to Windows PCs or Android phones (or In turn, synchronization), coupled with the current situation of Android third-party systems, users may encounter far more complex needs than "logging in to their own account on other people's computers" in actual use.

"Destroy passwords" is of course the most important thing for ordinary surfers: they no longer have to rack their brains to set passwords, which are forced to reset after forgetting.