Why passwords will never die

Fundamental issues with the nature of security mean that passwords aren't going anywhere for the foreseeable future says Bill Carey who sees their role remaining as part of multi-factor solutions.

Bill Carey, vice president of marketing and business development, RoboForm
Bill Carey, vice president of marketing and business development, RoboForm

The Internet has expanded about 20 times over since I joined Siber Systems a decade ago. And during that time, I've heard the same story repeated over the years: The end of the password is nigh; it's just not possible for the average person to employ unique, secure passwords on every site to meet all their needs. But reports of the password's demise have been greatly exaggerated — or maybe even completely fabricated.

When I went to my first RSA Conference in 2007 to promote a password manager I was told that very soon there would be no passwords left to manage. Biometrics were touted as the next big thing — the holy grail of online identification and access control. The impressive array of tech on display at the conference seemed to support this and suggest that affordable consumer fingerprint scanners would soon be commonplace. But nearly a decade later, biometrics still haven't replaced the humble password as the first line of security defence.

The basic nitty-gritty details of being human keep getting in the way. Factors like changes on the surface of the user's skin, damaged scanners, etc — factors new tech can't change — all make it difficult for biometrics to replace passwords as the security standard. And if you use biometrics and you do get hacked, you are effectively locked out of your account for good. Even if you do manage to get the service provider to re-secure your device, they can't send you a new fingerprint.

The great advantage of fingerprints is that they are unique to the individual. But this doesn't actually help much if they are copied. The Chaos Computer Club famously broke into an iPhone 5s in 2013 using nothing more sophisticated than a domestic scanner. Even if you could make fingerprints harder to replicate, it will never be possible to entirely eliminate the risk. The whole point of a password is that it is infinitely changeable, whereas if your fingerprint replica is sold online by hackers, you can't ever use it confidently again knowing that it has been compromised.

The point is that we simply can't rely on any one thing to be a panacea for all of our security problems. There will always eventually be a way to defeat any security barrier. The password will never die because it is a fast, convenient and affordable way to supply people with an identifier that is both specific and changeable, and the truth is, there is no technological advance on the horizon to replace it.

We need to start adapting our thinking about the future of security to something more integrated. Multifactor authentication isn't just a buzzword or a fad; it is a viable solution to an intractable problem and is likely to become the standard over the next decade.

The triple-line defence of “what you have, what you are, what you know” or “key, password, fingerprint” exponentially increases security by bolstering the weak spots of each factor with the strength of another. No one factor is going to be enough on its own, however secure it is, and the industry must stop pretending that it has a cure-all and think instead in terms of using a combination of security options.

Passwords in one form or another have been in use for thousands of years for a simple reason: they work. And they will almost certainly continue to work long into the future, with or without the help of other technologies.

Contributed by Bill Carey, vice president of marketing and business development, RoboForm