Why a Password is Your Best Bet

By Stephen Bryen

You can have your choice.  You can use the increasingly sophisticated fingerprint reader on your smartphone, or choose face recognition to turn on your phone.  Or you can use a password.  Which would you choose?

The argument against the password is that it is clumsy, especially if it uses special characters and upper and lower case letters, which most experts say are needed to have a strong password.  And then there is the problem of human memory.  Unless you keep your password forever, a singularly bad idea, you must depend on memory which is far from perfect.  And if your device is a smartphone or tablet where the “soft” keyboard can prove tricky to type the right character, entering a password can be difficult.

Picture from Disney World. Taken by Raul654 in January, 2005

So the rush to a biometric solution offers convenience to the user.  But does it provide enough security?

Most all biometric solutions have been hacked, one way or another.  The biometric most suited to a smartphone is one keyed to voice, face or fingerprint with fingerprint in the lead as it has been adopted by top companies such as Apple (iPhone) and Samsung (Galaxy S-7, S-8).  These provide only a partial security solution, because they primarily unlock the smartphone for the user.  They do not protect either stored or transmitted data including everything from email, to photos, to videos to files.  And they don’t stop backdoor means of hacking a smartphone, meaning your smartphone can be compromised.  It is now a fact of life that a number of domestic and foreign companies sell hacking systems that can plant malware on any phone, protected or not, and even turn on a phone and listen to conversations, completely bypassing the front-end loaded security system.  Beyond private vendors selling spy stuff, the U.S. Government is a major player in smartphone malware distribution.  But the U.S. is not alone because the Chinese and Russians, the Europeans and others around the world are doing the same thing.

Thus no matter what you choose for front end protection all of these methods have their own weaknesses, and none of them provide protection if the phone has already been infected by malware.

Any of these solutions can be used for the purpose of encrypting files that either are on the smartphone itself or stored elsewhere as in a “cloud” storage site or on a corporate, government or private server.  Today what is stored locally and what goes outside the smartphone or computer has become very blurry and, from a user’s perspective unimportant.  Most users just want to have a convenient place to dump their information, and if a lot of it is in the form of data hogs such as videos, external storage becomes more important than ever.  If a biometric is used keep in mind that the biometric is converted into a password, and the password has to travel across hackable Internet or Wifi connections.  In this respect the biometric solution has a downside since you cannot change your face or your fingerprint.  There are ways around this problem but excepting the most sophisticated security setups, work arounds of this kind are not generally available to the public and in any case would probably be overkill for non-sensitive videos and data.

Overall the easiest and best method for access control is the password provided the password is regularly changed to enhance security.  Mobile phone companies could make it far less challenging by provided a much-enlarged keyboard for password entry, and by allowing the password to show on the screen as it is typed in making it easier to avoid entry errors. To improve security, mobile phone users should keep a small notebook with their passwords entered.  Each device should have its own page, so there is room to update the password. Unless this little black book is lost or stolen, the user can have confidence he will know what password to enter and when to change it. (A warning: always keep a copy of the notebook in a separate location.)

Keep in mind that access control to a mobile device is limited in the protection it affords the user. For the most part your phone remains hackable and your messages, data and voice can be intercepted, even when you are not actually using your phone.  Thus no matter what kind of access control you choose, there is much more involved in smartphone security.