Don’t Kill the Password

People hate passwords because they can’t remember them. Security experts dislike passwords because they can be stolen, brute-forced, or phished. The inability to solve the password’s weaknesses saw the birth of the campaign to “Kill the Password!”

In the meantime, multi-factor authentication was added as a layer of security, increasing the level of difficulty for hackers to breach an account. Key fobs, registered mobile devices, and SMS text messages are referred to as the “Something You Have” factor. Biometrics such as a fingerprint scan, retina scan, facial recognition, and voiceprint represent the “Something You Are” factor.

Password-less authentication is the next emerging solution in play. Password-less authentication, as opposed to password-based authentication, doesn’t rely on passwords to verify a user’s identity. Instead, identity is based on a “Possession” factor which is then used to verify the user (e.g., a one-time password, mobile device, key fob or token).

“What You Know,” such as a PIN, password, or passphrase, is a huge concern. Forgotten passwords lead to password resets, which are counted among the unnecessary and preventable IT costs for an enterprise. Service providers and their users don’t know if their credentials were stolen, thus allowing a hacker to gain access to an account undetected.

The key is to find a method that is convenient and more secure for the user but difficult and inconvenient for the hacker. The user should not bear the responsibility for security. As it is, we rely on and ask the user to detect phishing campaigns that the experts themselves fall for. If the appropriate technology is developed and deployed correctly, users who follow it as prescribed should not be able to make such mistakes. Why not make credentials immune to phishing campaigns? If we make the credential dynamic, it would be useless to the hacker even if phished.

Should we really blame the password? Or is it the fault of the technology itself? If a password is something a user will never forget and doesn’t require any memorization, will users still hate it? If the password cannot be stolen, brute-forced or phished, would that alleviate the concerns of the security experts?

Perhaps password-less authentication is not the solution. Is there a way to re-invent the password? Yes, there is, and it is patented with the U.S. Patent Office. The following is a helpful overview.

“Natural Memory” is treated as stories that are unique to each user. In addition, each story has memories associated with it. In security terms, each story is an alternate “Something You Know.”

These Natural Memories can be disaggregated and randomized such that they can be reconstituted only by you. Our software allows the system to intelligently challenge the user by requiring them to select the answer embedded in a set of words. This is done by displaying 4 memories (shown in the blue box of the accompanying figure) and 14 associations. Only one registered memory and its associations are displayed in a given challenge, even though the user might have registered 3 to 7 stories. A few words from that specific story are randomly embedded among a mix of false words that serve merely as “noise,” making selection of the actual story extremely difficult for all but one person in the world.

Using the Credential. Instead of entering a password, the user merely clicks the correct words, or values (indicated by arrows in the accompanying figure). The red thought bubble is the story name (or memory) that the user registered. The 4 arrows point to associations with that memory. These names and words are readily known and instantly recognized without effort by one person, and yet improbable for hackers to guess.
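The challenge described in the two paragraphs above, as an added simulation that is not NimbusID’s code and makes its own assumptions: the 4 memories and 14 associations come from the article, but the assumption that exactly 4 of the 14 associations are true (one per arrow in the figure), the registered stories, and the decoy pools are all constructed here for illustration. The block builds a randomized challenge from one registered story plus noise, verifies a selection, and computes how likely a random guess is to pass a single challenge.

```python
import secrets
from math import comb

# Constructed sample data (not NimbusID data): a user's registered stories,
# each mapping a memory name to the words the user associates with it.
REGISTERED_STORIES = {
    "first car": ["blue", "Corolla", "1998", "Main Street"],
    "grandma's kitchen": ["apple pie", "yellow", "radio", "Sunday"],
    "summer camp": ["canoe", "Lake Pine", "bunk 7", "harmonica"],
}

# Constructed decoy pools; a real deployment would draw noise from a large dictionary.
DECOY_MEMORIES = ["first job", "college dorm", "honeymoon", "hiking trip", "piano lessons"]
DECOY_WORDS = ["green", "Mustang", "2004", "oak", "pepper", "violin", "ferry", "cabin 3",
               "Tuesday", "river", "lantern", "silver", "tent", "bridge", "kettle"]

MEMORIES_SHOWN = 4       # from the article: 4 memories are displayed
ASSOCIATIONS_SHOWN = 14  # from the article: 14 associations are displayed
TRUE_ASSOCIATIONS = 4    # assumption: the 4 arrows in the figure mark 4 true associations


def build_challenge(stories, decoy_memories, decoy_words, rng=None):
    """Pick one registered story and embed it among noise.

    Returns (challenge, expected): the screen to show and the answer the
    verifier will accept for this one challenge.
    """
    rng = rng or secrets.SystemRandom()
    story_name = rng.choice(sorted(stories))
    true_words = stories[story_name][:TRUE_ASSOCIATIONS]
    # Noise must not accidentally contain a true value, or the selection is ambiguous.
    assert story_name not in decoy_memories and not set(true_words) & set(decoy_words)

    memories = [story_name] + rng.sample(decoy_memories, MEMORIES_SHOWN - 1)
    rng.shuffle(memories)
    words = true_words + rng.sample(decoy_words, ASSOCIATIONS_SHOWN - len(true_words))
    rng.shuffle(words)

    challenge = {"memories": memories, "associations": words}
    expected = {"memory": story_name, "associations": frozenset(true_words)}
    return challenge, expected


def verify(expected, chosen_memory, chosen_words):
    """Accept only the exact memory plus the exact set of true associations."""
    return chosen_memory == expected["memory"] and frozenset(chosen_words) == expected["associations"]


def random_guess_success_probability():
    """Chance that a blind guess passes one challenge under the assumptions above."""
    return 1 / (MEMORIES_SHOWN * comb(ASSOCIATIONS_SHOWN, TRUE_ASSOCIATIONS))


def selection_replays(expected_old, challenge_new):
    """True if clicks captured from an earlier challenge would even be available on a new one."""
    return (expected_old["memory"] in challenge_new["memories"]
            and expected_old["associations"] <= set(challenge_new["associations"]))


if __name__ == "__main__":
    challenge, expected = build_challenge(REGISTERED_STORIES, DECOY_MEMORIES, DECOY_WORDS)
    print("Memories:    ", challenge["memories"])
    print("Associations:", challenge["associations"])
    print("Correct login:", verify(expected, expected["memory"], list(expected["associations"])))
    print("Random guess succeeds with probability 1 in", round(1 / random_guess_success_probability()))
```

With the article’s 4 memories and 14 associations, and the assumed 4 true associations, a single blind guess succeeds once in 4 × C(14, 4) = 4,004 attempts, which is why a lockout policy on failed challenges matters as much as the word mix. The `selection_replays` check is the dynamic-credential property in miniature: a set of clicks captured from one screen only matters if the next screen happens to show the same story and words, and in this simplified model that happens with probability about 1/n for n registered stories, so registering more stories (the article’s 3 to 7) directly reduces the value of a phished selection.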

The user need not remember something they already know. Since the answer resides in the user’s mind, device vulnerabilities are absent. Since it is useless when stolen or phished, it is more secure.

Don’t kill the password. Instead, make it easier for the user by not requiring any memorization, and make it more secure by making it useless if stolen or phished.

If you have any questions, please send an email to Alex Natividad MD, CEO/Founder of NimbusID and author of this article. NimbusID is a registered trademark.