Passwords Are Terrible, But We Still Need Them
They’re impractical, and we’re bad at using them, but the alternatives come with so much baggage that they make it clear just how useful passwords still are.
By Max Eddy
For years, security researchers have complained about the problems with passwords and dreamed of a better, password-free future. But that glorious dream remains elusive, and so World Password Day is a reminder of why this clunky, outdated technology is still the best solution we have.
What has made passwords so compelling is that they solve multiple problems simultaneously. A password verifies the identity of an individual, since only the correct person would know the correct password. Requiring a password limits access to files and infrastructure, allowing multiple people with different levels of access to use the same systems. Most importantly, a password lives outside the computer, safely stored in someone’s head.
Unfortunately, passwords have not kept pace with the number of sites and services that require them. In 2018, the password manager company Dashlane reported that the average person had 150 accounts that required a password. That’s not to mention that many employers still require their employees to change their passwords frequently, even though current guidance (NIST SP 800-63B, for example) advises against forced periodic changes unless there is evidence the password has been compromised.
All this password pressure has forced people to cut corners. People share passwords with their friends and family. They use easy-to-remember but easily guessed passwords. They recycle passwords among different accounts.
Passwords have also become a commodity. When a company suffers a data breach, the stolen login information is often sold on underground marketplaces. Other attackers buy the data, perhaps combining it with information from other breaches and reselling it, or using it to commit some kind of money-making fraud themselves. Because so many people recycle passwords, a list stolen from one site can simply be replayed against others, an attack known as credential stuffing.
While passwords were an elegant solution initially, the question for many years has been, “What do we replace them with?” Biometrics have long been the heir apparent to passwords—that is, verification using some physical measurement of the human body. Retina patterns, fingerprints, finger lengths, voices, and even heartbeats have been held up as replacements for the password. The appeal is easy to see. You can’t lose or forget your eyeball, and it likewise cannot be bought or sold. Best of all, when combined with powerful algorithms, the same biometric attribute can be reused across services without the risks of recycling passwords. The one thing you cannot do is change it: if the stored template ever leaks, there is no reset button for your face or fingerprint.
Unfortunately, biometrics have three major shortfalls that should make us all very suspicious of their widespread adoption.
First, some biometrics make it easy to accidentally authenticate. Consider face scanning on phones, which I maintain is the worst mistake in modern technology. Because phones with this capability immediately scan and authenticate the user, merely holding up your phone could log you in. Worse, all someone has to do to unlock your phone is hold it in front of your face. (Apple’s Face ID does require by default that your eyes be open and looking at the screen, which blunts this but does not eliminate it.)
Second, some biometrics can be read en masse. Again, facial recognition is the worst offender. A powerful facial recognition system can identify individuals accurately and at a distance, and widespread surveillance camera systems allow a single person to be tracked as they move around. Now, people might not be signing up for this kind of Big Brother surveillance just because they use Face ID on their iPhones, but I maintain that doing so makes people far more comfortable with their identity being passively scanned. It starts with Face ID and ends in the panopticon.
Third, and most concerning, is that law enforcement might be on firmer legal footing to compel individuals to supply biometric information than to demand passwords. Legal precedents aside, you can see the problem. Police (and the FBI, TSA, ICE, etc.) will have a much harder time extracting a password that lives in your brain than an identifier that lives in the whorls of your fingers. The issue is serious enough that both Apple’s iOS and Google’s Android added a lockout function for their mobile devices (triggered from the Emergency SOS sequence on iPhones and the Lockdown option in the power menu on Android) that temporarily disables biometric login and requires a PIN or password.
Only You Can Fix Passwords
In the future, authentication will likely happen with multiple devices, potentially without using passwords. The technology already exists for it, in the form of the FIDO2/WebAuthn standards that hardware security keys implement, and I test it all the time when I review hardware multi-factor keys. However, password-free login isn’t widely adopted, and there remains little appetite for people to buy a device just for authentication. Moreover, password-less login can often include biometrics, with all the problems that come with them, although with FIDO-style authenticators the fingerprint or face is checked on the device itself and never leaves it.
Until this technology becomes as cheap and easy as passwords, however, it’s up to us to make passwords more secure. To do that, we all need three things:
A Password Manager
A password manager is a piece of software that generates, stores, and fills in passwords. It can create a unique, complex password for each and every site and service that requires authentication. Most password managers are cheap, and many are free. While you’ll still need to remember one really good password to unlock your password manager, that’s a heck of a lot easier than remembering hundreds of passwords on your own.
For added security, use multi-factor authentication (MFA), so your security doesn’t depend on a password alone. In practice, MFA usually requires a password (from a password manager) and a second factor: a code generator app or a hardware key. A hardware key is the stronger choice, because it is tied to the real site and a phishing page cannot relay it; an app-generated code can be phished in real time but is still far better than a code sent by SMS. Since an attacker isn’t likely to have both factors, it’s much harder for them to take over your accounts.
Using a password manager and MFA means changing your habits and updating old logins, which can seem daunting. But these two tweaks to the humble password will do the most to increase your security and privacy online. With a little patience, you’ll see immediate rewards.
We’ve never been closer to freeing ourselves from passwords for good, but for now we’re stuck with them. They’re frustrating yet flexible, elegant yet insecure, and they’re probably the best solution for the foreseeable future.
With that in mind, happy World Password Day! Go use a password manager.
Originally published at https://www.pcmag.com.