Why do we still use keys to start cars? why not passwords?

Question

Around a year ago I have asked a question about the weakest factor of authentication.

I have had some good answers that convinced me as I always imagined the authentication process in my head as some employee in a high security facility trying to get access to his office by entering his pin or someone trying to login into his PC by entering his password but the answers make little sense if we were talking about a vehicle.

• Car keys can get easily lost or stolen by a stranger you met in some pub but it's highly unlikely that you shout your password while you are sleep talking
• It's a big hassle and an expensive process to change your car keys; Passwords are very easy to change.

As you can tell from the other question, the biggest issues with passwords (according to the answers I received) were:

• If someone has your password, you may not be able to tell that they are actively exploiting that knowledge.
• Passwords enable random guessing, offline dictionary search, and other attacks.

Well...

• That's true if someone were spying on your system, but if a stranger had your car keys I don't think they would return your car and if they did, you will be able to tell that someone else had access to your car.
• Having the car locked for 5 minutes after three failed attempts is a pretty good solution.

Are you in hurry to go to work? Get inside the house and get the master physical key; having a master physical key that overrides the password system is a good rescue solution, but not when you carry it with you all the time. Carrying the authentication secret in your head is safer than carrying it in your pocket.

Few other things that come to my mind which makes me wonder why I've never seen a car with a password

• You can always use your car as a getaway car in a bank robbery and you later claim that you have lost the keys and it was not you; you can't do that with a password.

• A similar idea has been introduced by an infosec expert got turned down the other day on Dragons' Den even when he has invented a nice combination of a device that get attached to the car engine and a mobile app. The mobile app is superior to your physical key and you can't start the car without the app, even if you have the key.

Peter Jones attacked the idea based on the fact that your mobile might run out of charge; the authentication system of the car would never run out of charge as it gets powered by the car battery; it's replaceable, protected and if it's down, the car is down anyway and you can't blame the authentication system.

Answer 1

Poor password choices

The primary threat that a car lock protects against is theft of the car or of objects inside the car. Most theft is opportunistic, not targeted: go to a parking lot, try multiple cars until you find a poorly protected one. With passwords or PIN, you know that many people are going to pick password or 1234 or for the more paranoid their date of birth. Locking a car after failed attempts doesn't matter: the thief will just try the three most likely values on each car then move on.

Additionally, force-locking the car after failed attempts would be annoying if your kid starts mashing the buttons.

Shoulder surfing

Typing a password is vulnerable to shoulder surfing. It's hard to duplicate a physical key solely from pictures (it can be done, but only with precise enough pictures). It's impossible for an unaided human to duplicate a physical key.

It's easy for an unaided human to remember the PIN they've just seen somebody type. Pass by someone in a parking lot, note the PIN, see them the next day/week around the same time, profit.

Loaning

I can loan my car keys to someone. When they give me back the key, I can be reasonably confident that they no longer have access to my car. Sure, they might have duplicated the keys, but that requires time (if they only borrow the car for a short time, I know they haven't done it), and if I trust them enough to loan my car, I probably trust them not to copy the keys.

If there's a single password to open the car, then if I let someone use my car, they have access forever.

This can be solved by having multiple passwords to open the car, of course. But that adds another set of difficulties. One is that the key space might need to be larger: with a small key space such as a 4-digit PIN, the probability of an uninformed guess can become non-negligible with multiple valid codes. A bigger difficulty is that this requires Joe Random to do key management. Joe Random's VCR blinks 12:00 since the last power failure. (Maybe not anymore with DVR that have an Internet connection.) Joe Random understands physical tokens — if I have the object in my hand, I control it — but not password management.

Answer 2

Because it's easier to get an electronic system wrong, and when you get it wrong it costs you a lot of money and bad PR to fix it:

• Chrysler recalls 1.4 million cars due to electronic key hacks
• Land Rover recalls 65,000 cars due to electronic key hacks
• BMW sends OTA patch for 2.2 million cars affected by electronic key hacks

There are a lot of ways to get it wrong, too:

• Poorly designed wireless protocol leading to replay / sniffing attacks.
• Poorly designed / implemented crypto allowing brute-force of rolling codes.
• Poor RNG allowing prediction of security-critical values.
• Improper checks performed in the car's firmware allowing for state machine abuse.
• Buffer overflows and similar software bugs in the car's firmware.

On top of that, the keys become more expensive, the key provisioning systems become more expensive, and in the long term you end up with a lot of technical debt because you have to support people asking for replacement keys for models of vehicle that you haven't manufactured in 10 years.

Physical locks and keys are relatively simple, relatively reliable, relatively easy to get right in terms of physical design, and don't inherently suffer from remote attacks. Keys also force thieves to be in direct physical contact with the car, which is a bonus from a forensics and investigation point of view.

Answer 3

I have exactly the opposite problem. Why do we use these silly password based systems that have major flaws when physical keys have secured everything relatively successfully for centuries?

The password based system is horribly flawed. Few people understand how easy it is to guess passwords. Forgetting passwords is incredibly common, far more common than losing all the copies of your keys. I've forgotten dozens of passwords over the years, but not once have I lost every copy of a key.

Answer 4

Cars (and for that matter doors) have used token based authentication for a long time because that was something you could make (relatively) cheaply and simply and it worked OK.

Nowadays we can build password based systems just as cheaply and simply, but why would you want to?

There's nothing inherently wrong with using tokens. We understand how they work. They are very reliable. We're good at managing them. They're easier to steal than passwords, sure. But passwords have their own problems, for example the endless struggle to persuade users to put enough entropy into them.

Car manufacturers and users get better results from improvements to the existing token based systems. For example, modern tech makes it practical to include identification in the token and have the car reconfigure itself based on who is driving.

Answer 5

A key is what you have (physical) and a password is what you know. The first one must be cloned and the latter needs only be guessed or sniffed.

Sniffing a password on a computer is done either by "shoulder surfing" (i.e., looking when somebody enters the password) or with a network sniffer. In the (unhacked) car network, sniffing hopefully cannot be done but shoulder surfing can probably easily be done. In lots of cases there are enough people around when you start your car, there are security cameras and there might be other tiny cameras installed which you don't notice, similar to cameras in ATM skimmers.

You might try to find some place in the car for the keyboard where the keypresses can not be watched but this is probably some uncomfortable place. And of course the password must be strong enough so it cannot be guessed but must still easy to remember. This means people either have weak passwords or write the password somewhere into the car or use some other utility to remember it (e.g., cheat of paper in pocket, password manager in smartphone...). So using a password might actually not be that comfortable as intended or might have a really weak security so it can easily be sniffed or guessed.

There are already solutions to reduce the dependence on the key by replacing it with another thing you have, like a fingerprint or a smartphone. While these might be more comfortable they might fail in different ways than the usual key: attackers might remove your finger or not only you but also others might unlock your car remotely because of insecure design. But if car manufacturers team up with security experts they might actually create something that adds comfort without reducing security.

Given the recent trend to improve password security by adding a second factor to augment something you know (password) with something you have (smartphone, security token...) it is unlikely that security with cars will move in the opposite direction. But you never know because the car manufactures sometimes get strange ideas to please their customers which might even impact safety in an unintended way.

Answer 6

It may be worth noting some cars do/did use passwords. Those passwords are usually a 4-number PIN.

They look something like this:

Although I've seen it in multiple cars, I do not know of any cars who have such a system built-in from the factory.

To start the car, both a key and the code are required. It doesn't seem hard to work around it if one feels so inclined, but it is always implemented as an extra step, not a replacement. I'm not a security expert, but a chipped key seems safer to me than a 4-number code on a keypad.

Answer 7

It's a very good question and a question that touches on some very elementary but often misunderstood information security principles. The most elemental fact is that a car key is an authorization while a password, at least in its common use is often bound to a form of identity (such as a username) and as such is in authentication token. While these concepts are often used interchangeable, they are very much different. Your car does not need your identity to know you are authorized to use it. Your key "is" the authorization. If you went to the bar with a few friends and got totally pissed, you can easily delegate your authority to the car by giving that one friend that only drank perrier all night your car key so he can drive you home safely. After dropping you off at your house he gives back your key, gets on his bike and peddles home. So basically the delegation was voluntarily revoked by him giving back your key.

If you want to replace a car key with something better, its very important that:

A) You don't fall in the trap of using identities. There is absolutely no justification for getting into the complexities involved with identities, authentication, access control lists, etc. After 6 lagers the security savvy sysadmin inside of you sure isn't capable to change the ACLs to allow your friend to drive you home.

B) You will want to embrace and build on the concept of delegation.

I think this old blog post touches on some of the human aspects that a better 'authorization' system would need to think about.

https://minorfs.wordpress.com/2014/07/13/security-debunking-the-weakest-link-myth/

The most important thing to realize is that we need better authorization. NOT (better) authentication, for cases like this. Could such a better authorization system system use passwords? Probably. Would passwords (or memorable password capabilities, that are basicly passwords without identity) on their own be sufficient as replacement tokens of authority? Most definitely not. It would be very interesting though to see if anyone comes up with a solution that is both safer than car keys yet fully embraces the human's natural strength in relatively secure delegation rich interaction patterns.

Answer 8

Car manufacturers can't even get basic security right, not even with standard keys. Almost all cars today have immobilizer technologies built-in (that read a chip embedded in the key), but :

• their "crypto" is broken and keys can be cloned, something impossible with any PKI token/smart card worth its price.
• the computers in the car happily show their entire firmware and memory (which includes all the info needed to program a matching immo chip) to anyone asking, and will even agree to install a new firmware like one patched to remove immo-related code.

So if they can't even get keys right, how do you expect them to get passwords right ? If they try passwords I'm sure there will be some idiot who will say "hey let's implement some un-changeable master password for law enforcement", and imagine the disaster after that.

Plus, you'd still need a physical token to open the car, as typing a long password on a cold night in a sinister parking lot isn't that safe, so if you have a physical token you may as well reuse that. I'd like it to be secure though, as currently it's clearly not.

By the way, about the expensive process to change car keys, that's by design. What would the poor car manufacturers do if they can't steal $300 from you anymore each time you need to replace your keys ? The real reason there are immobilizer technologies in cars isn't because security (as I've said above, their "security" is moot), it's just to force honest customers to pay astronomic amounts for nothing. Thieves on the other hand, can use software-based solutions to continue stealing.

Answer 9

I think there are two main factors to this:

• Convenience

It is much easier to have a key around, and be able to give it to someone, have a spare copy, etc., than to handle a password, input it every time, change it, when your son gets a fender-bender, etc.

• Idiocy

People will rather have a device that unlocks the car, than manage a security solution consisting of a password, or set of passwords.

(Side note: In fact in most cases, as an IT specialist, I would rather have people use a chip card, or a simple key to log-in, than a password. It is far more convenient when you need to diagnose/fix something in an enterprise environment, than to have a password policy and have a person share her password. So really I am looking forward to a wider adoption of keys, rather than passwords in general IT.)

Answer 10

This relates to the principles of information security that make multi-factor authentication desirable.

• Something you know
• Something you have
• Something you are

From a security perspective, trading one for a different one does not provide an exponential gain. It is the combination of multiple factors that typically yields increase.

With cars, the something you know is usually the location of the car. Historically, cars were not trackable or reachable remotely, so risk exposure was limited to the local area of the car. This is gradually changing as cars become networked. Much like a data center, a car can be physically secured in a restricted access area, such as a garage. People who are genuinely concerned about having their car stolen will likely only park in restricted areas, or very public areas where brute force theft would be noticed. What makes online account attacks so dangerous is that they are largely invisible and rarely noticed.

The something you have has always been the physical key. Nowadays that might be a keyfob or remote starter. From a security perspective a physical token is valuable because it limits the range of theft from anyone to just someone with the token in hand. That often means committing a separate crime to obtain the physical token. Adding a physical token to online account access for two-factor authentication dramatically decreases risk of unauthorized account access via password.

Something you are is the registered owner. You can have the police arrest anyone in possession of the car who is not the physical owner. This is the primary deterrent to theft, not difficulty. Logging into someone's online account without their permission has questionable consequences, often none at all. Stealing their car and getting caught is almost guaranteed jail time with a felony record.

Applying information security principles to car theft is not yet a one to one. When cars are fully networked, and self-driving, then they will need to be secured the same way online accounts are because they will experience similar risks. At that point, someone might steal your car by logging into it remotely and having it drive itself to their desired pickup location without anyone seeing them, and without physically exposing themselves to capture (important distinction). They might even be able to use your car and return it to the same place without your awareness. Even then, someone might notice and alert you as the owner, since a large physical object is changing state in a way that any person (even a kid) can see. That visibility is a critical point.

We are headed toward strong multi-factor authentication for vehicles. The key (or fob) won't be eliminated, it just won't be enough anymore. Likewise, a purely virtual solution such as a password should also not be enough, as it just trades one type of risk (physical access) for another type (virtual access). I suspect that the key will grant physical access to the vehicle (open doors, trunk, hood), and the key (rfid) plus password or biometrics will then enable it to be used.

As a parting thought, how often are servers hacked remotely (passwords) versus physically stolen from datacenters (keys)? Why is that? Why will that always be true?

Answer 11

There 's still another problem with password protected cars. We must not forget that the owner/driver is generally a mere human being. As such he/she has been used to physical keyrings since childhood and one key for the car, between one and three for the house and one at work is easy to carry in a pocket. And even if your neighbour knows the age of you children and the name of your dog, it is no help to forcing your house door.

Passwords on the other hand can be very secure. A truly random password of 4 to 6 digits should provide a security level equivalent to a standard physical key, not speaking on 12 alphadecimal characters. But as I have already said many of us are mere human beings and remembering many truly random password is hard is only possible. So either the passwords are provided by a third part and many people just write them down in many different places ruining the security, or they can be choosen, and you find the birthday of the children or the pet's name. Ok users of security.stackexchange know about IT security, know about password weakness and could use without major risk a car or house door protected by password. But who does not know a friend or relative that could not imagine putting a password on its smartphone or using anything more complex than his girlfriend birthday to protect his facebook page? What would be the real security of his password secured car?

Ok it is just his problem. But do you think that he will buy a password protected car, or a password procted lock on his house door? So now it becomes the problem of the company selling cars and locks

TL/DR: I do not think that passwords will soon replace physical keys for something as serious as a car or a house door, not because of security flaws, but simply because most humans could not securely use them. The problem is not the technic but as for many computer problem: the most dangerous part for a computer is between the chair and the keyboard

Answer 12

When you have 2 competing solutions and none has a huge advantage over the other, the one which already dominates the market wins.

While keys are weak security, and sometimes rather inconvenient, so are passwords - just for different reasons.

• When you bring the car to a mechanic, you give them the keys. What if you have a password?

• Cameras can steal your password, but not your key.

• When someone steals your key, you'll notice. When someone steals your password you won't notice.

• Passwords can be forgotten.

• Entering long passwords takes time. Using short passwords compromises security.

• A keyhole is ugly, but not nearly as ugly as a keypad.

• Keys can work based purely on mechanics. The password keypad is a bother when the battery is dead and you need to enter the password to open the hood in order to jump start the battery.

Passwords are different, but not better. There are several approaches that are better than passwords and which complement mechanical keys, e.g. pressing the button on the key to unlock the door.

Answer 13

Stealing physical keys is risky smallscale business, hacking perhaps not

Consider having to make this choice:

1. Walk up to someone, put your hand in his pocket, grab his key, immediately get into his car, drive away, sell it for whatever you can get
2. Hack something, arrange a sale (passwords/actual car), at a convenient time (let someone) pick up the car for which you know you can get good money

Considerations

Even when assuming that looking at the password as they enter it would not be possible, it is going to be much easier to steal a car and get away with it. So, perhaps the number of keys stolen in bars will decrease, but the number of passwords stolen should easily make up for that.

---

Adressing other points that are mentioned in the question

Car keys can get easily lost or stolen by a stranger you met in some pub but it's highly unlikely that you shout your password while you are sleep talking

Your classical key can only be stolen by someone who has physical access to it. So, anyone who attempts to steal a key will have to take a considerable risk and consider the possibility of being in jail the next day. Also, the person will not only need to steal the key, he needs to use it immediately to get in the car as the opportunity will otherwise have passed. Someone who has stolen your password code can probably remain anonymous, only facing some risk when he finally picks up the car at a convenient time. After all, you will not know that someone else has your password now.

It's a big hassle and an expensive process to change your car keys; Passwords are very easy to change.

As it cannot be acceptable that people can't use their own cars, the keys probably need to be stored somewhere centrally. Also digital keys tend to require changing much more often than physical keys as it turns out people are better at stealing them. Therefore, the annual revenue generated by 'administration costs' will likely be much higher than the total spend on key replacements at the moment.

You can always use your car as a getaway car in a bank robbery and you later claim that you have lost the keys and it was not you; you can't do that with a password.

I don't see why people couldn't claim that someone has stolen their password.

Answer 14

Several of your points don't seem valid to me.

A key is easy to steal but a password isn't? How so? I'm 56 years old and I have never, ever had my car keys stolen. Sure, people can be pick-pocketed, I'm certainly not saying it's impossible to do. But people often write passwords down, and the piece of paper can be stolen. People use passwords that are easy to guess. It's not at all obvious to me that it is easier to steal a physical key than a password. I don't know if anyone has done a study on this. Though I suspect in either case it depends a great deal on how careful you are about protecting the thing. If you're in the habit of leaving your keys on the desk at work or on the bar at the local drinking establishment and walking away, your risk goes way up. If you're in the habit of using "password1" as your password or writing your password on a sticky note and leaving it in plain sight, your risk goes way up.

If you use your car to commit a crime, you could claim a key was stolen, but not a password? That takes us back to the previous point. That argument is only valid if we assume that keys are easy to steal but passwords are impossible to steal. Even if you think keys are easier to steal, it is certainly not impossible to steal a password. I presume that in either case the police would look for more evidence either way.

How do you envision the user entering the password? Presumably there would have to be a keypad on the outside of the car. This keypad would have to work reliably regardless of rain, snow, ice, etc. My daughter's car has a keypad and a combination lock. We bought the car used, and it has never worked.

How long would it take to enter the password? This could be an issue for, say, a woman alone trying to get in her car on a dark night. Or less dramatically, for someone trying to get in their car when it's pouring rain or freezing cold and their fingers are numb.

It's a big hassle to change keys? Not really. I once had to replace the door of my car when it had a bad rust problem. I bought a door from a junkyard. Of course the replacement door lock did not match my keys. I swapped the key cylinder from my old door to my new door with about twenty minutes of effort. I don't know how much it costs to buy a new key cylinder, but it's not like this is something you're going to do every week. A new lock for a house door costs ten or twenty bucks at the local hardware store.

Answer 15

1. A password system needs an interface, an interface needs to be secure and durable.

1.1 If the interface is bound to the car it is potentially easy to destroy for vandalists without a lot of noise, a bad designed interface could potential be destroyed by a magnet for fun. How would you open the car if the interface was malfunctioning or damaged ? You mention a master key, but that way you just give attackers 1 more attack vector than before and decrease security.

1.2 If the interface is portable, it is also hackable or atleast bruteforcable, by emulating the hardware and the signals send.

2. Information security, stealing, uniquness and copies.

2.1 Passwords are a visual information which can be easily stolen from a distance, eg. by observing the finger movement without actually seeing the input device. A camera at any location in a parking lot could easily steal hundreds of passwords without any effort and without it's owner noticing. Additonally cars are used in public places with strangers around and unobserved password input is nearly impossible to guarantee.

2.2 Informations can travel without the owners notice. That means your car password can be obtained without your knowledge, while a car key cannot be stolen without you noticing in the long term.

3. Relative Cost, complexity and comfort.

3.1 Even if you overcome all of the above challenges somehow in a 100% secure way and produce a input device that is just as durable as a key and lock. Is it cheaper than the key and lock system ?

3.2 Does your system increase complexity for users and/or does it require to get additional devices that may be complex ? (And yes, smarthphones or tablets are complex, and probably not a secure input device anyway)

3.3 Is your system more comfortable than the previous key and lock system ?

3.4 Is your system fast to use ? If it is, is it really secure ? If it isn't, is the hassle really better than a key lock system ?

4. Shareablity, revoking access rights etc.

4.1 If I lend my son the car, I can't revoke access without changing the password, which would also revoke access for my wife and we would both have to learn a new password by heart. Passwords need to be easily remembered because writing them down devalues them.

4.2 Having multiple valid passwords would make the system more vulnerable to brute force and one leak anywhere would already be fatal to security.

Answer 16

For two reasons.

One, passwords are an incredibly stupid and weak security concept.

Two, convenience.

The second one is easier. With a key, you have a reasonable amount of security in a convenient form factor. You can give it to your friend for an hour and then take it back. Imagine how many people held the keys to your car during a typical year. The mechanic at the garage, your wife or son, your friend, the valet at that posh restaurant you went to once. Imagine having to set up temporary passwords or change your password every time. Keys today are also much more than just keys. They contain immobilizers, they let you open the door or the trunk or the windows and cabrio roof remotely. For some brands (BMW, for example) they also have a memory chip that stores car data (seat position, climate settings, etc.) so that two different people can each have their own key with their personal settings, as well as diagnostics information for the car dealer / garage if you bring it in for repairs.

Secondly, passwords are a broken security mechanism that we only keep using because it's there and we know it. Passwords are regularily, weak, forgotten, shared. They need to be stored somewhere and there's a hundred ways to attack them, while there's only half a dozen or so ways to attack keys.

There's one more point that is important for law enforcement, insurance, etc. - keys are physical items. Or in legal terms: Evidence. If you believe you stole my car, and the police finds my car keys with you, that's damn good evidence. How could I prove that you know my password?

There are certainly improvements to the car key that can be made (and are being made all the time), but switching to passwords is not one of them.

Answer 17

For the same reason that anything that needs to be secure on the web uses an RSA key. Only 1 person can have it at any time, it can't be guessed or brute forced, and it can't be forgotten. If someone has your key, you know it. If someone has your password, you don't know.

I can remember passwords for things I use every day, but something like a car that you only need to use a few times a month, the password will be forgotten.