Passwords aren't going anywhere any time soon

Take human memory out of the equation and passwords remain a viable access option says Emmanuel Schalit.

Passwords aren't going anywhere any time soon
Passwords aren't going anywhere any time soon

To paraphrase Mark Twain, the reports of the death of the password have been greatly exaggerated. The password is not dead, nor is it going anywhere anytime soon.

Bill Gates claimed that the ‘password is dead' in 2004 and people have continued to claim that the password's days are numbered ever since. It's now ten years later and they don't seem to be going anywhere. Passwords have survived as the de facto standard because they are cheap to implement, are not patentable, and are convenient for everyday users. Much in the same the QWERTY keyboard is still the standard today, despite the fact it was invented way back in 1873 for a reason no one remembers.

Let's go back twenty years to 1994, when an external floppy disk drive cost you £130 and Apple's 1MB QuickTake digital camera set you back around £500. To sign in to your Prodigy, AOL or Lycos account, you simply typed in your username and password in a text box, and most likely thought to yourself, "Well, that was a really easy way to log in."

Fast-forward to 2014. Technology has advanced in unimaginable ways since those days. You can buy a smartphone with 32GB of storage for £200, or grab a 50GB flash drive the size of your finger for just £15. Yet, when you want to log in to Facebook or to buy your groceries online, you are still entering your password the same way you did back in 1994 – hopefully the password at least has changed. Despite all the technological advances of the past two decades, the way we log in to our online accounts has not changed.

The password system in itself is still very robust. Computers can communicate very securely using password-like systems, providing we use strong passwords (over eight alphanumeric characters). But problems start to arise when we humans get involved, because of the limits of our own memory. The average web user today has over 50 unique accounts, and to stay secure they should have different, complex passwords for each of these sites. Given the limits of the average human mind, most people do not possess the cognitive ability to remember 50 unique random strings of letters, numbers, and symbols.

Given these conditions there are two alternatives to the present-day password system:

Hardware-based alternatives, like hardware keys and biometric sensors, and software-based alternatives such as single sign-on (SSO) solutions like Facebook Connect, the Google+ button, or OpenID.

These hardware-based alternatives have had some success in the enterprise world where security requirements are very high and cost is much less of an issue. But in the consumer world, cultural shift, cost, and enrollment create a massive barrier that prevents true universal adoption.

On the software front, even Facebook will find it difficult to get its massive user base to use Facebook Connect, because of trust and privacy issues. Moreover, Facebook Connect will likely never be available on Google, Amazon, iTunes, or eBay, because these massive companies don't like playing nicely with each other. If companies as powerful as Facebook or Google are yet to overcome the massive switching costs that exist today, smaller players will be even more challenged to do so in an online world that is growing increasingly complex.

For passwords to be replaced en masse on the Internet, a clear standard would have to emerge that would be present on all the devices we use to access the hundreds of millions of websites in existence. So we're back to passwords. And while it's in fashion to complain about them today, they don't have to be unsecure or inconvenient.

We must start by removing human memory from the loop. There is an easy path to safety even if people don't know how to take actions to protect themselves. Software solutions like password managers, which solve these exact problems, exist today and will see much broader adoption beyond the tech-savvy audience in the years to come.

While the threat of cyber-hacking grows worse every day, it will be many years before the password is replaced. By all means, speculate about what the future may hold, but you'd better find a way to learn to live with them in the short-term.

Contributed by Emmanuel Schalit, CEO of Dashlane.

close

Next Article in Opinion