The Most Secure Password In The World Might Be You : All Tech Considered Leaders from tech giants like Google and PayPal say that the password as we know it is dead. So what's the future of authentication online? Apple is implementing fingerprint protection on iPhones, but questions linger about the security and feasibility of biometrics.

The Most Secure Password In The World Might Be You



This is ALL THINGS CONSIDERED from NPR News. I'm Melissa Block in Washington.


And I'm Audie Cornish here at NPR West. And we're going to take a few minutes to talk about one of life's little annoyances...

UNIDENTIFIED WOMAN #1: Please enter your passcode then press pound.

CORNISH: ...the password.

UNIDENTIFIED WOMAN #1: Sorry, 1-2-3-4 is not a valid passcode. Sorry, please try again later.

CORNISH: Your voicemail, your e-mail, your smartphone - maybe you've got a different one for each and you're bound to slip up. We did a casual survey recently on the streets of downtown Berkeley, California.

Hi, excuse me. We were...

And it was clear plenty of people are frustrated. For instance, the sheer number of places that demand a password or PIN these days has grown exponentially.


STEVE GOODMAN: Oh, my bank, my e-mail...


GOODMAN: My e-mail for sure. Wow. Phone. Wow.

SONJA HERBERT: And Pinterest, sometimes.

If you look at your bank statements online, don't you have to put a password in? It's all upsetting.

CORNISH: And keeping track of the ones you've got, forget about it.

HERBERT: I have like probably 15. And I do a bad thing. I use the same one because I just don't have enough floss in my memory to remember.

GOODMAN: I used to use the same one over and over again. Probably isn't very good.

ALOK ROCHELEAU: Friends' names or family members' names or different variations...

JUSTIN ANGELO MARTIN: Nicknames and stuff I have had from my past and...

GOODMAN: I write them down on a piece of paper...

MARTIN: Vary it a little bit but it's pretty much...

GOODMAN: You're not supposed to.


GOODMAN: But everyone does the same thing because there's no way to keep track of them.

CORNISH: Steve Goodman on the streets of Berkeley along with Sonja Herbert, Alok Rocheleau, Justin Angelo Martin, and Jason Belling.

Well, Silicon Valley titans are getting tired of them, too. At the TechCrunch Disrupt Conference in September, Google top security executive Heather Adkins said.

HEATHER ADKINS: Passwords are dead.

CORNISH: Seriously, Google, home to 425 million e-mail accounts, and a founding member of their security team declaring...

ADKINS: Passwords are dead. Our relationship with passwords is done.

CORNISH: Adkins says start-ups tying their future to passwords might as well give up now given how much work it takes to keep their customers' passwords secure. But if passwords are a thing of the past what will replace them?

Wall Street is betting on biometrics. Now that Apple is adding a fingerprint sensor to its newest iPhone, companies that make similar technology have seen their share prices jump. And it's profitable. Industry analysts say the market for fingerprint scanners alone could top $10 billion in the next five years. And other biometrics companies are looking more competitive as well. Take one of Apple's partners, Nuance Communications.

NINA: Please say your passphrase.

ROBERT WEIDEMAN: My voice is my password.


NINA: Welcome back, Robert.

CORNISH: Nuance Communications is a voice recognition company. And that voice belongs to Robert Weideman, one of their executive vice presidents.

WEIDEMAN: If you have called your airline, if you've reserved a hotel room and you have been able to speak to those systems, that is our technology almost certainly.

CORNISH: In fact, you know when you hear...

UNIDENTIFIED WOMAN #2: Your call may be monitored or recorded for quality purposes.

CORNISH: Nuance Communications is gathering data to improve its voice-print technology, and, in the future, create systems that will do away with the whole username and passcode business, and just get what you need to do done.


WEIDEMAN: Pay my Comcast bill in full next Thursday from savings.

CORNISH: Weideman gave us a little demonstration with his virtual assistant Nina.


CORNISH: And frankly it's not quite at "Star Trek" level responsiveness but Weideman says it is more secure.

NINA: I will pay the minimum due from your savings on October 10th. OK?


WEIDEMAN: Yes, go ahead.

CORNISH: So when you said my voice is my passcode was that your passphrase? Did I, as a passerby, just hear what your passphrase is?

WEIDEMAN: You did.

CORNISH: Is that OK?

WEIDEMAN: That is OK because there's two fundamental elements to a voice password. One is my voiceprint and that doesn't change no matter what words I'm saying. It's like your fingerprint and it's that unique. And the passphrase is another element. So they might be able to overhear what my passphrase might be but they don't have my voiceprint and so it keeps it very secure. And much more secure than usernames and passwords.

There will come a time where you're not going to be using PIN and password as your password. You'll be speaking and touching the device and that will become your password.

CORNISH: But privacy advocates are wary. Every few months, a company reveals that it has lost or has had millions of customer passwords or other data stolen. And what about fraud? What about trying to fake out the system? Weideman says voice print technology is getting better all the time at preventing it.

WEIDEMAN: We go through a lot of effort of making sure that people can't spoof it. You can get a recording and just imagine a Xerox of a picture. It's the identical - like dot by dot by dot it's the exact same picture. Well, if you get a voice prompt and it's exact same to the dot then we know there's something wrong here, because humans don't behave that way. So there's lots of different things that we do inside the system in order to protect against spoofing.

CORNISH: Meanwhile there are much wilder ideas floating around the industry than voice recognition. How about jewelry that acts as a wearable key for logging into devices, or electronic tattoos, or even a pill you swallow to put a biometric tag inside your body?

Of course there are skeptics, even among biometric experts. Take James Wayman of San Jose State University. Wayman says people have been claiming that biometrics are going to be the next big thing in consumer electronics, well, for decades. He says good old-fashioned passwords endure for a reason.

JAMES WAYMAN: Passwords have the advantage that they don't require additional hardware. Generally you have some type of an input device to your computer system. It's got to be a keypad or some way of getting digits and characters into your computer. So you already have that. So PINs and passwords are very durable in that respect.

Secondly they can be reset remotely. Thirdly they don't need to reveal any personal information about you. They don't need to connect directly to your body. You can transfer your PINs and passwords if you wish to do so. None of those characteristics are true of biometrics.

We're told that we should have a different PIN or password for every one of our accounts and that we should change it regularly. You cannot use a different right thumb print for every one of your accounts and you cannot change it regularly. And then what happens when your computer or your cell phone no longer recognizes your right thumb print? How do you reset that? What if your right thumbprint no longer becomes useable?

And so, what if you have somebody my age who has really crummy fingerprints, right? What do you do? Well, you still have to have a PIN and password for those people. So there are levels of complexity here that have to be carefully examined. This is connecting the authentication with a body, and I think that has great implications, but there's a very big difference of recognizing your body and recognizing something you know in your mind - a password. I think the psychological differences and privacy differences are profound.

CORNISH: And let's face it, consumers are still nervous about this stuff. When we canvassed our informal group in downtown Berkeley about biometric technology, we got a lot of raised eyebrows.

UNIDENTIFIED MAN #1: That is way too ridiculous. Fingerprints, that's way too ridiculous...

UNIDENTIFIED MAN #2: Fingerprinting seems pretty easy, not as invasive as maybe eyes or voice.

UNIDENTIFIED WOMAN #3: Bioscans to me just seem clumsy, like a lot of problems.

UNIDENTIFIED MAN #1: Retina scans, that's way too ridiculous...

UNIDENTIFIED WOMAN #3: It's also so new that I don't know enough about it yet.

CORNISH: Except for this guy.

MICHAEL BARRETT: It's a heck of a lot better than where we are now with passwords, which are just a dismal experience.

CORNISH: That's Michael Barrett. And while he lives in Berkeley, he was not a random pick. Barrett used to head up security for PayPal. Now he runs an alliance of companies including Google, MasterCard, and BlackBerry that want to create industry security standards to encourage password alternatives. And yeah, he knows all your worries about a thief faking your fingerprint or copying your voice but he's not buying it. Companies, he argues, are not worried about one or two stolen passwords, they are worried about millions.

BARRETT: If somebody wants to mug us, you know, they bash us on the head on the street and steal our wallet or purse. That's an intrinsically un-scalable approach to crime. I can't mug a hundred million people simultaneously. Whereas on the Internet, there absolutely have been cases where companies have lost databases of a hundred million or more consumers' details.

CORNISH: When we talk to skeptics about this, we hear that while the companies building this technology will tell you it's amazing and doing great things and it's come really far, that it still has a way to go. I mean are people overselling biometrics?

BARRETT: You know, let's not look at this as though there is some utopian vision of security because we're coming from a pretty bad place today. But then the second thing is there is no such thing as perfect safety and there's no such thing as perfect security either. It's only a question of how good is it and is it good enough to get the job done?

You know, I also liken this to well how much security do you want on your house? Have you replaced the locks on your front door? Do you have good window locks? Do you have an alarm system? Do you have a video camera system? It's like, you can do many things if you're worried about that, or you can just leave the locks on from the last owner who had the house when you bought it and not doing anything. So, you know, in the real world, we make conscious tradeoffs as to how much we want to do to make ourselves safer. I think the same analogy is true online. It's just today, we don't have any vocabulary to even really be talking about those kind of tradeoff decisions.

CORNISH: Michael Barrett, he's head of the Fast Identity Online Alliance, a trade group of companies looking to create new security standards and an alternative to the password. So far, 53 companies have signed up. But for now, we're still stuck with passwords and some of you out there might want to work on beefing up the ones you've got. Industry research on stolen passwords posted by hackers shows the most popular one is the word password.

Copyright © 2013 NPR. All rights reserved. Visit our website terms of use and permissions pages at for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.