No Matter How Hard People Try, Passwords Will Not Die
It seems like every week a headline appears announcing the “Death of the Password”. The past few weeks in particular have seen a surge of announcements that seek to end the password’s reign.
Most recent of these was Microsoft’s new Windows Hello authentication system, which offers face recognition as a way to sign in. This year’s Mobile World Congress also saw a flurry of announcements in the biometric space, including Fujitsu’s new eye tracker that can recognize each user’s unique iris. Then, outside of biometrics, Yahoo announced a new “on-demand” feature which sends a one-time code to your phone each time you need to log in to your email account.
There is no denying that many of these developments have their merits. However, once the hype has died down we must ask ourselves whether any of them is really a viable alternative to passwords at mass scale. After all, Bill Gates first announced that “passwords are dead” in 2004, so some analysis is needed to see whether the latest predictions are any more accurate.
Take biometrics. On paper this is a great way to prevent identity theft and various kinds of fraud. The argument goes that your password can be stolen, but not your fingerprints. However, biometric authentication can be fooled. We saw this when researchers from the Chaos Computer Club reproduced the fingerprints of the German Defense Minister from high-resolution public photos and showed they could be used against the fingerprint sensors on consumer phones.
The real issue, however, is not that they can be fooled; it is that once compromised they cannot be changed. You cannot reissue your fingerprint or your iris. A password, on the other hand, can be changed, and it can be unique to each service, so one leak does not cascade into every account that relies on the same biometric. For the same reason a biometric is safest when it only unlocks a secret held on the device in your hand, rather than being sent to a server as the secret itself.
Next let’s look at one-time authorization codes, such as the system Yahoo has launched. The idea is similar to other forms of email or SMS two-factor authentication; however, it tries to remove the factor that usually accompanies the code, most commonly a standard password, so the code alone grants access.
One issue here is that if a phone is stolen, the person in possession of it can get into the email account simply by requesting that a code be sent to the phone. Even if the phone has a lock screen, text messages are commonly displayed as notifications on that lock screen, so anyone who can see the screen can read the code and log in to your email at that moment.
Furthermore, the system relies on having phone signal to receive the SMS, which could prove difficult in a remote area or when your phone runs out of battery. Alternatively, if the code is sent to an email address, you still need the password to that other email account, so you have not eliminated the password from the equation; you have only moved it.
This sort of one-time code can be very effective as an additional factor; by itself, however, it carries many risks. Even the creators of the system admit it has flaws, with Dylan Casey, Yahoo’s vice president of product management, saying the system “is not for everyone”.
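To make the properties of such a code concrete, here is an added example of the server side of an on-demand login code. It is written for this page and is not Yahoo’s implementation, whose internals are not public; the eight-digit length, five-minute lifetime, three-attempt limit and the account names are assumptions constructed for the demo. It shows the safeguards a code needs when it is the only factor: drawn from a CSPRNG, stored only as a hash bound to the account, short-lived, single-use, and locked after a few wrong guesses.

```python
"""Server side of an "on-demand" one-time login code (illustrative only).

Added example, not Yahoo's implementation. The constants below are assumptions.
"""
import hashlib
import hmac
import secrets
import time

CODE_LENGTH = 8            # digits; assumption, the real service's length is not given
CODE_TTL_SECONDS = 300     # assumption: five-minute validity window
MAX_ATTEMPTS = 3           # assumption: burn the code after three bad guesses


def _hash_code(account: str, code: str) -> str:
    # Bind the hash to the account so a code issued for one user cannot be
    # replayed against another, and so the database never holds the raw code.
    # The code space is small (10**8), so the TTL and attempt limit, not the
    # hash, are what keep a leaked pending table from being useful.
    return hashlib.sha256(f"{account}:{code}".encode()).hexdigest()


class OnDemandCodes:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}     # account -> {"hash", "expires", "attempts"}

    def issue(self, account: str) -> str:
        """Create a fresh code for `account` and return it for delivery.

        In a real deployment the return value goes to the SMS/email gateway;
        it is never stored in clear, and any earlier code is invalidated.
        """
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        self._pending[account] = {
            "hash": _hash_code(account, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, account: str, submitted: str) -> bool:
        """Return True exactly once for the live code of `account`."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[account]          # expired: force a new request
            return False
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["hash"], _hash_code(account, submitted))
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account]          # single use, or burned by guessing
        return ok


if __name__ == "__main__":
    svc = OnDemandCodes()
    delivered = svc.issue("alice@example.com")   # constructed account for the demo
    print("sent:", delivered)
    print("first use:", svc.verify("alice@example.com", delivered))
    print("replay:", svc.verify("alice@example.com", delivered))
```

With eight digits and three attempts an attacker who can only guess has about three chances in a hundred million per issued code, so the weak point is never the code itself. None of this helps against the lock-screen problem described above: once the code is displayed where a thief can read it, the delivery channel, not the server, has failed.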
The password, on the other hand, has been the de facto standard for decades. Like the QWERTY keyboard, which dates from 1873, the password has withstood new technologies over time. After all, passwords are cheap to implement, they are not patentable, they can be used anonymously, and they are appropriate for the vast majority of daily security checks. To replace the password as an industry standard, a new technology has to offer additional benefits that outweigh the switching cost. That is not the case yet, and it will take a long time before it changes.
“Let’s secure the present before we invent the future!”
So why don’t we focus on improving the security of today’s consumers, who use and will keep using passwords? Used correctly, passwords provide strong security. In the modern digital age we often use dozens of log-ins a day. Each of these should have a different, long, random password drawn from letters, digits and symbols, and each should be changed promptly whenever a breach or compromise is suspected (blanket periodic rotation mostly pushes people toward weaker, predictable variations). If you respect these rules and store them in an encrypted form, you have removed the most common ways passwords get broken: reuse, guessability and plaintext storage. The issue is less with passwords than with the way humans use them because, let’s face it, we are all awful at remembering them. That is why more and more Internet users rely on password managers like Dashlane to solve this problem.
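As an added example (not Dashlane’s code), the following Python script applies the rules above: it generates a password per account from the operating system’s CSPRNG, estimates its strength, and audits a small set of accounts for reuse and weakness. The thresholds (20 generated characters, a 16-character minimum, an 80-bit floor), the symbol set and the sample vault are assumptions constructed for the demo.

```python
"""Generate per-account random passwords and audit a vault for the policy in
the text: different for every login, long, random, mixed character classes.

Added example, not Dashlane's code. Thresholds and sample data are assumptions.
"""
import math
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"      # assumption: a symbol set most sites accept
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 20) -> str:
    """Draw from the OS CSPRNG (secrets, never random.random()) and retry until
    every class is present, so the result also passes typical site rules."""
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def entropy_bits(password: str) -> float:
    """Upper bound on guessing entropy: length * log2(pool of classes used).

    Exact for passwords generated uniformly from those classes; for a
    human-chosen password such as "Summer2015!" the true figure is far lower,
    so the audit also enforces a minimum length."""
    pool = 0
    for cls in (LOWER, UPPER, DIGITS):
        if any(c in cls for c in password):
            pool += len(cls)
    if any(c not in LOWER + UPPER + DIGITS for c in password):
        pool += len(SYMBOLS)
    return len(password) * math.log2(pool) if pool else 0.0


def audit(accounts: dict, min_length: int = 16, min_bits: float = 80.0) -> dict:
    """Return {account: [problems]} for reused, short or weak passwords.

    min_length and min_bits are assumptions for the demo, not a standard."""
    seen = {}
    for account, pw in accounts.items():
        seen.setdefault(pw, []).append(account)
    findings = {}
    for account, pw in accounts.items():
        problems = []
        if len(seen[pw]) > 1:
            others = [a for a in seen[pw] if a != account]
            problems.append("reused on " + ", ".join(others))
        if len(pw) < min_length:
            problems.append(f"short ({len(pw)} chars)")
        if entropy_bits(pw) < min_bits:
            problems.append(f"weak (at most {entropy_bits(pw):.0f} bits)")
        if problems:
            findings[account] = problems
    return findings


if __name__ == "__main__":
    # Constructed sample vault: two accounts share a human-chosen password.
    vault = {
        "mail": "Summer2015!",
        "bank": "Summer2015!",
        "shop": generate_password(),
    }
    for account, problems in audit(vault).items():
        print(f"{account}: " + "; ".join(problems))
    fresh = generate_password()
    print(f"fresh password: {fresh} (about {entropy_bits(fresh):.0f} bits)")
```

A 20-character password from this 85-symbol alphabet has roughly 128 bits of guessing entropy, which is why a manager-generated password does not need to be memorable at all. The entropy figure is only honest for generated strings; that is the reason the audit keeps a separate length floor rather than trusting the estimate for anything a person typed in.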
New security developments outside of passwords can certainly be useful. Additional factors of authentication provide a valuable extra layer of security, particularly for especially sensitive services. However, the password is today’s standard, so the priority is to strengthen your password practice if you want to be safe.
While it’s fashionable to complain about passwords today, they don’t have to be insecure or inconvenient.