The password is about to disappear completely, no one misses it

I opened a website called "PasswordMonster", and wanted to test how much it was (not) for the most commonly used passwords for Earth people.

Enter "123456", and the website shows that the password is cracked by 0 seconds. "88888888" is 0.01 seconds.

Now, you can easily find a tutorial similar to "how to set a password that cannot be cracked". You can create a password with a lot of thoughts that take 6 billion years to be cracked by brute.

But the problem is that you are likely to be unable to remember. Otherwise why many people are not as simple as the system prompts the password, they will definitely use their birthday as a password. Because of others, I can't remember. Then, you fall into the cycle of "forgetting password -reset password -forgot password".

Even if I remember the password that can be cracked for 6 billion years, I can't resist the leakage of the database. For example, in large -scale data leaks such as "Super Star Learning", personal information such as accounts and passwords of users may be stolen, sold, and even fraud.

In this case, I did not help me to create a complicated password. The only thing I can do is to modify the password immediately afterwards.

What if the Internet does not need a password? Can we not remember the password, nor are we afraid of data leakage?

There are many problems with the "old thing" of the password

In the 1960s, the concept of "Password" was accompanied by the birth of the initial Internet. The initial concept was through the customized password design of the user to make the user itself an important line of defense in this security system.

This system has been effective for more than forty years, and it can even be said that it is based on this password verification system that the Internet can have the entrance to the user login to develop.

Theoretically, passwords are still effective in resisting common hackers (usually by calculating hash values). When you set a very complicated password, even if the interpreting device used by hackers is a super computer, it will take trillion centuries to crack.

For example, the typical random password in the figure above, even if you use a supercomputer that uses 100 trillion floating -point computing capabilities per second, it also takes 8.47 trillion centuries to crack violently.

But entering the 21st century, the rapid development of the mobile Internet era, most people have hundreds of Internet accounts that need to set passwords, and the use of the same password on multiple platforms will almost become unavoidable.

What is even more frightening is that the database that stores these account information also has the risk of leakage, such as improper operation inside the platform, or the personnel of the relevant personnel have leaked the database because of their own personal gain. The real information of hundreds of millions of users was sold publicly in the dark network. Such things happen frequently.

For users who have been leaked, what is even more fatal is that information such as an account password on a platform is equivalent to exposed information on multiple platforms, because many users use the same password on different platforms.

Nowadays, large -scale hackers will usually collect databases that have been leaked with various channels, and through integration, they depict a person's various footprints in the Internet, and then archive together to build a "social work tank". You may be roughly inferred that your password on other platforms in this process.

For example, most of the accounts now need only one mailbox/ mobile phone number, and a password (many people can use the same password) to log in, but if this information has been leaked from the database, the hacker can follow the map, and you can follow the Tu. Put together your account password information on other platforms. Today, the above operations can be completed through automated operations (commonly known as "collision library").

There are lower cost scams. The criminals will use the existing leakage information to fish directly through the Internet and directly deceive the real people. The most common is the cottage login website and fraud phone calls. Even if you set up ultra -high -intensity passwords composed of various random numbers, letters, and symbols, it is easy to drop the pit in front of the fraud website on the official login page of almost 1: 1.

It can be seen that the current set of password mechanisms has often become the accomplice of information leakage.

But it is difficult for us to blame it completely on the password system. After all, this is a system that has been basically shaped since the 1980s. At that time, the designer probably expected that today, 40 years later, everyone will have hundreds of Internet accounts.

The existing password system is like an old -fashioned steam turbine that has already been overwhelmed. The problem is frequent, but it has to continue to drive the entire Internet to continue sailing. However, the industry also began to realize these historical problems. They intend to start another stove to create a verification mechanism that can completely replace the password.

FIDO, the key to "passwordless"

At this year's WWDC conference, Apple introduced a new feature that does not require users to play tedious passwords- "Passkeys". With it, the user does not need to enter the password and directly use the Face ID / Touch ID (facial recognition / fingerprint recognition) and other methods to authorize the use of the "traffic key". At this time, the user generates a private key locally. At the same time, the platform server also retains a public key for verification. Once the two match, you can log in without password. In this process, users only need to identify through biological characteristics. Apple introduces "traffic key" to developers 丨 Apple

Coincidentally, Google also introduced the password -free login technology at this year's Google I/O conference: When users log in to the website on the Chrome browser, they can receive verifications for login on the nearest mobile phone. The same technology will be integrated into TV, smart watches, and even automotive smart platforms in the future.

Google is also promoting password -free login technology 丨 Google

The underlying technologies that support these experiences all come from an organization dedicated to promoting the "password -free" process, the Fido Alliance. FIDO has formulated relevant technical standards and promoted to major Internet giants. FIDO members now include not only mainstream operating system manufacturers such as Apple, Google, and Microsoft, but also chip hardware suppliers such as Qualcomm and Broadcom, and payment application giants such as PayPal.

List of FIDO Alliance members 丨 FIDO

These members from different fields, under the framework of the same set of technical standards, may ensure the consistency of the passwordless login experience in the future, and even the interconnection of users in different devices / applications.

For example, as Apple shows during the WWDC period: iPhone users can use the CHROME browser to log in to a FIDO technology by scanning the code on a Windows PC. For example, the three major Internet giants of Apple, Microsoft, and Google work hard in the field of non -password.

Sometimes, a simple operation similar to "WeChat scan code login" is also very strenuous ｜ Apple

Public key, cooperate with the private key

From the perspective of user experience, Fido is not much different from the current fingerprint / face recognition verification login, and even the automatic filling service is almost the same as the mainstream password.

The most important difference is hidden under the login page: FIDO technology is not to generate a random password by the system, but to use the "public key+ private key" verification method to generate a private key on the device. At the same time, the account server side Keep the public key. Only when the private key is matched with the public key for login verification can it be completed.

Just press a fingerprint 丨 Apple

For those fishing websites that users cannot easily identify, they have used FIDO technology accounts in the registration, and the local private key cannot be matched with the correct web page public key, and no information will be transmitted. A variety of high imitation login page fraud attacks and the risks caused by database leaks.

When the webpage detects the corresponding private key on the device, because the corresponding biological verification has been performed, the server does not need to judge whether it is from the real user's interview or a malicious robot attack. Of course Verification steps. For example, a variety of complicated verification codes input, and various CAPTCHA man -machine verification of "prove that you are not a robot".

Similar to this kind of human -machine verification that makes people doubt whether it is human -computer verification, it should never be used anymore | Network

In addition, when the user switchs the device or wants to log in to its account on other users' devices, Apple's pass keys can also use data backup or QR codes to transfer local private keys and auxiliary verification. It should be emphasized that the private key is always stored on the user's local device.

With the future without passwords, there is still the last step

As if it was overnight, major technology giants were advancing FIDO -free technology, but the Fido Alliance had been established as early as 2012. At that time, smartphones were not even popular, and this organization began to study more advanced certification methods.

But it is not easy to eliminate the password. At present, the Internet ecology we are familiar with can be said to be cured in the password verification mechanism. The password has become part of the Internet DNA. Therefore, even if the FIDO Alliance has attracted the industry giants, it can only be step by step in the past ten years, and seeking breakthroughs step by step.

In the past few years, the Fido Alliance has promoted three different password agreements. Among them, Fido UAF was proposed in 2014: users can realize operations such as direct identification and payment by installing biological verification devices.

FIDO UAF 丨 FIDO

Another technology called "FIDO U2F" is to provide more security encryption methods through two -step verification, including Bluetooth / NFC physical key, two -step verification code and other methods. Today, this is also a very common verification technology. The SMS verification code we have received almost every day in our daily life also belongs to this category.

FIDO U2F 丨 FIDO

After the above two protocols, the FIDO2 protocol, which really began to promote the eraless era, was born in 2015. This agreement has also gone through eight years, and it was not until 2022 that Fido finally matured when replacing passwords, and was able to appear on a global eye -catching stage such as WWDC and Google I/O.

FIDO2 ｜ FIDO

Ten years after the establishment of the FIDO Alliance, the "third stage" of Internet history in the field of password -free is the most important step.

Apple has announced the official version of the iOS 16, iPados 16 and MacOS 13 released in September this year, and will all support the "traffic key" based on FIDO technology, while Google will be the Android of his own Android by the end of 2022. , Chrome browser and other platforms add support.

Microsoft has also issued a statement that plans to add support for FIDO in the Windows system in the "future". It is only one step away from the real practicality.

Although the unprecedented password shown by FIDO is very attractive in the future, there will still be some practical problems in this new standard: the most important thing is that more account services are required to support this technology, which is destined to be a gradual and gradually replaced replacement. process.

In addition, how to make users more conveniently synchronize local private keys and other issues between different operating systems/ devices, which will also affect the actual promotion process: including iPhone users synchronize private keys to Windows PC or Android phones (or Conversely), coupled with the status quo of Android third -party systems, users may encounter more complex needs than "logging in to their own accounts on others' computers" in actual use.

Replacing the password is a process that is gradual and gradually replaced.

For ordinary Internet surfing players, the most important thing is that of course: they no longer need to rack their brains to set the password, and they are forced to reset after forgetting.

references

[1] https://www.scmagazine.com/perSpective/Identity-nd-Access/will- Passkeys-finally-n-n-the- Password%EF%BF%BF%BF%EF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%BF%

[2] https://thestack.technology/passwordless-fido2-quantum-Metric-ciso/

[3] https://www.abc.net.au/news/2022-07-14/tech- Giants- Passwords- Apple- Google-Microsoft/101184382

Author: Dawn front line alan

Edit: BIU

- END -