Is it the end of the road for the password?

People have been predicting the demise of the password for a long time. No less a person than Bill Gates did so in 2004. [1] Yet, 15 years on from Bill’s comments, we are still heavily reliant on passwords for many of our business and online activities. Indeed, we probably have more of them than ever.

In many cases, passwords have now been supplemented by multi-factor authentication or biometrics, but passwords are still widely used. They are also, of course, widely compromised. Earlier this year the release of Collection #1 [2] onto the dark web exposed millions of email and password combinations, putting large numbers of people at risk. So, what’s the problem with passwords and is it time we ended our love affair with them?

Bad habits

Part of the problem is that we’re prone to bad habits when it comes to choosing our passwords. We use 123456 or Pa55word, or we use the name of the dog or our favourite football team or band, any of which could be found on a quick trawl of our social media accounts.

We also recycle passwords across multiple accounts. This means that if one set of credentials is compromised, it puts others using the same password at risk. This is a problem for businesses too, because employees will often use the same password on their personal and work accounts. A data breach at an online retailer, therefore, could be leaving corporate data elsewhere open to compromise.

We are constantly encouraged to use complex passwords with letters, numbers, special characters, minimum lengths and so forth. But this just makes them harder to remember, so we write them down or reuse them in order that we don’t have to come up with others. Paradoxically, enforcing strong password rules can actually encourage bad user behaviour.
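One way a site could act on the two points above, screening for the habits themselves rather than enforcing character-class rules, is sketched below. This is an added example, not code from the article; the function names, the tiny sample blocklist, the context words and the minimum length of 8 are all assumptions made for illustration.

```python
# Added example: screen a new password for the habits described above.
# COMMON is a constructed sample; a real deployment would load a large
# list of commonly used and known-breached passwords.
COMMON = {"123456", "password", "qwerty", "letmein"}

# Undo common character swaps so "Pa55word" is compared as "password".
LEET = str.maketrans("013457@$!", "oleastasi")

# Characters people append to satisfy "must contain a digit/symbol" rules.
TRAILING = "0123456789!@#$%^&*?._-"


def variants(password):
    """Return the forms of a password that should be compared against lists."""
    plain = password.lower()
    stem = plain.rstrip(TRAILING)  # "arsenal2019" -> "arsenal"
    return {plain, stem, plain.translate(LEET), stem.translate(LEET)}


def screen_password(password, context=(), min_length=8):
    """Return the reasons to reject a password; an empty list means accept.

    context holds words tied to the user (pet, team, band, username).
    It is a hypothetical input the calling site would have to supply.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("too short")
    forms = variants(password)
    if forms & COMMON:
        reasons.append("commonly used password")
    for word in context:
        w = word.lower()
        # Ignore very short context words to avoid accidental matches.
        if len(w) >= 3 and any(w in form for form in forms):
            reasons.append("built from personal detail: " + word)
    return reasons


if __name__ == "__main__":
    samples = ("123456", "Pa55word", "Ar5enal2019", "correct horse battery staple")
    for pw in samples:
        print(repr(pw), screen_password(pw, context=("Rex", "Arsenal")))
```

A long passphrase with no digits or symbols passes, while a password that satisfies typical complexity rules but is a disguised common word or a personal detail is rejected.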

Of course, it’s not only users that are guilty of bad practice. Many websites are culpable too, employing security recovery questions such as mother’s maiden name or pet’s name which are potentially easy to discover.

Time for change

So, what can we do? Many websites now offer some form of multi-factor authentication using SMS or an authenticator app, although you might have to seek it out rather than it being offered when you first sign up. While this isn’t always perfect [3], it’s better than relying on passwords alone. It may be time for consumers to vote with their purchasing power and decline to deal with sites that fail to offer an extra form of authentication.

Extra authentication can also mean pairing a password with a second factor, such as a PIN, as banking sites often do. As we do more of our transactions on mobile devices, an increasing percentage of which have biometric security devices such as fingerprint scanners or cameras that allow facial recognition, we are likely to see these employed in 2FA.

Using more complex and harder-to-crack passwords is a good move, and many people are starting to employ password manager apps so that they don’t have to remember them. This has the advantage that passwords can be synchronised across devices too, but make sure you select a provider whose cloud security you trust.

Our heavy reliance on passwords means that they aren’t going to disappear completely any time soon. But every time there’s a high-profile breach, more people start to realise that their passwords aren’t as secure as they thought they were. The industry can use this to drive better habits, such as the use of password managers and two-factor authentication.

[1] https://www.cnet.com/news/gates-predicts-death-of-the-password/
[2] https://betanews.com/2019/01/17/collection-1-email-password-leak/
[3] https://betanews.com/2018/03/06/sms-interception-2fa/