Google's Project Abacus aims to replace passwords with unique biometric identities. Your phone (or other such device) will monitor your heart rate, speech patterns, typing dexterity, i.e. all noticeable actions and traits, to hash an identifier unique to you. It is proposed as a replacement for text passwords, which are, at least to Google and other so-called "pandits" of the tech world, insecure.

Being a denizen of the tech world, I feel I can add something to the discourse here. The current standard in information security is something called "two-factor authentication": the trust process between user and service happens through two confirmations, one an encrypted string and the other from an independent source like an SMS message.

This works because it would be hard to fake both a login password AND a text message. It would require the criminal (who is probably operating remotely in some godforsaken corner of Romania) to have stolen your smartphone as well. Given that most "hackers" are obese, the odds of one having the manual dexterity to pickpocket your phone are slim. So on some level, two-factor auth is actually kind of ingenious.

But jokes aside, although having your phone automatically recognize you is undeniably cool, it's a case of using an innovation where it is really unnecessary. Economist, writer, philosopher, and former trader Nassim Nicholas Taleb (of Black Swan notoriety) would call this switch from traditional passwords to biometrics iatrogenics: intervention in a sphere for its own sake.

The reason "pandits" claim that current passwords are insecure is that they can be subject to brute force attacks. A "hacker" will barrage your login with millions of candidate strings until one fits and the door opens. However, the likelihood of this actually happening is contingent on the password you set being vulnerable. 256-bit encryption, which is the most common type used, is fairly safe, so any paranoia about security is at best misguided.

At a high level, here is how it works. "Encryption" has been thrown around by the media, but I'm willing to guess that few people know how it works. Cryptography goes back very far, at least to antiquity if not further. The earliest records in the Western world are those of the Greeks, who wrapped encoded strips of paper (parchment?) around wooden rods of a specific length and diameter and then read the message that appeared along one face. In this instance the rod was the cipher; without it the message on the paper would have appeared as gibberish.

Encryption today works on the same principle, except the "rod" is a secret key generated either randomly or by a user. Each letter in the password is stored as a series of bits (each bit is either 0 or 1, so a string of x bits has 2^x possible combinations). A 256-bit key has 2^256 possible combinations, or 1.5 x 10^77.

Even a state-of-the-art machine would only be able to attack an encrypted string at a speed of 1 billion combinations per second. To exhaust 78 digits' worth of combinations would take 10^(77 - 9) = 10^68 seconds, or 3.7 x 10^60 years. That's a long time.

So how are some hackers successful? Here's a story that will help illustrate.

Once upon a time I needed internet access and decided to ask my neighbor for the password to his network. His password was simple: 1234567890. At first glance, the password might seem difficult to attack with brute force: there are 10 digits, so 2^10 combinations. However, I happen to know that the first combination brute force programs try when they begin their cracking routine is… 1234567890. If a rogue Romanian really wanted to break into my neighbor's WiFi network, it would take them less than a millisecond. What's the moral here? Some passwords are easier to crack than others.

Brute force algorithms target the combinations of words and numbers that people constantly use. A common one concatenates dictionary words until the character limit is reached. This is precisely why most apps and sites don't allow passwords made up only of alphabetical letters. Common algorithms also stitch extra characters onto these dictionary combinations and substitute look-alike characters for letters, so "password" becomes pa55w0rd (it just so happens that the most commonly used password is… you guessed it: "password").

Even then you might be thinking:

There are over 3000 words in the dictionary. Given a 32-letter limit (256 bits / 8) and assuming most words are under 8 letters, that means you have at least 3000^4 combinations, which would take at least a day of brute force to hack.

You would be right. But as I illustrated above, this only applies if the combination is completely random. Most people don't use random combinations. An alarming number use their own name, or words that exist on the page (like "password"). The probability of success goes up even more when you consider the use of rainbow tables. The problem here is not passwords but rather how people construct them.
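To put numbers on the two attacker models sketched above (the 2^x search space exhausted at a billion guesses per second, versus a wordlist attack that tries look-alike substitutions and a digit suffix), here is an added Python example that is not part of the original post. The six-word wordlist, the first-guess list and the 33-symbol count for the punctuation class are constructed assumptions standing in for a real cracker's lists.

```python
import re
from typing import Optional

GUESSES_PER_SECOND = 10**9            # the "state of the art machine" rate quoted above
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-ins for a real wordlist and a cracker's first-guess list (assumptions).
WORDLIST = {"password", "dragon", "monkey", "welcome", "summer", "letmein"}
COMMON_FIRST_GUESSES = ["1234567890", "password", "123456", "qwerty"]

# Look-alike substitutions mapped back to the letter they replace ("pa55w0rd" -> "password").
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
LEET_LETTERS = set("oleast")          # letters that have a substitution in LEET_MAP

def brute_force_guesses(password: str) -> int:
    """Search space if the password were a uniformly random string drawn from the
    character classes it actually uses (the per-character 2^x reasoning above)."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    alphabet = sum(size for pattern, size in classes if re.search(pattern, password))
    return alphabet ** len(password)

def dictionary_guesses(password: str) -> Optional[int]:
    """Guesses for a wordlist attack that also tries look-alike substitutions and a
    short digit suffix; None if the password does not fit that shape at all."""
    base, suffix = re.fullmatch(r"(.+?)(\d{0,4})", password).groups()
    word = base.translate(LEET_MAP).lower()
    if word not in WORDLIST:
        return None
    substitutable = sum(1 for c in word if c in LEET_LETTERS)
    # every word, times each on/off choice per substitutable letter, times each suffix
    return len(WORDLIST) * 2**substitutable * 10**len(suffix)

def effective_guesses(password: str) -> int:
    """Smallest search space across the attacker models the post describes."""
    candidates = [brute_force_guesses(password)]
    if password in COMMON_FIRST_GUESSES:
        candidates.append(COMMON_FIRST_GUESSES.index(password) + 1)
    from_dict = dictionary_guesses(password)
    if from_dict is not None:
        candidates.append(from_dict)
    return min(candidates)

def crack_time_years(guesses: int) -> float:
    """Worst-case time to exhaust the space at GUESSES_PER_SECOND."""
    return guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR

if __name__ == "__main__":
    for pw in ["1234567890", "pa55w0rd", "welcome2019", "xK9#mQ2v"]:
        g = effective_guesses(pw)
        print(f"{pw:<14} brute={brute_force_guesses(pw):.2e} effective={g:.2e} years={crack_time_years(g):.2e}")
```

Run against 2^256, crack_time_years reproduces the 3.7 x 10^60 years quoted above, while pa55w0rd collapses from 36^8 raw combinations to under a hundred guesses once the wordlist model is applied.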

Abacus seems sexy because it sounds like it allows a person to interface with their device with a minimal observable barrier. +1 Singularity. However, as a Cisco engineer points out, what if a person breaks a bone or has an operation that changes how their body functions?

Also, the most salient point: is it worth trading deeply personal information for an unneeded level of security? If people learn about encryption algorithms and how to leverage them for their own safety, isn't that the best alternative?