Passwords Won't Die. Should They?

Over the last few decades, almost everything in the technology world has changed except the trusty, if constantly confounding, password. Is that so bad?

Let’s go back for a minute to 1994, when an external floppy disk drive cost you $500 and a 2MB digital camera the size of a textbook set you back $5,000.

To sign in to your Prodigy account, you simply typed in your username and password in a text box, and most likely thought to yourself, "Well, that was a really easy way to log in."

Ten years later Bill Gates proclaimed "the password is dead."

Fast-forward to now. Technology has advanced in unimaginable ways since the Prodigy days. You can buy a smartphone with 32GB of storage for $300, or grab a 50GB flash drive thinner than a stick of gum for only $50. Yet, when you want to log in to Facebook, you are still entering your password the same way you did back in 1994. Despite all the technological advances of the past two decades, the way we log in to our online accounts has not changed.

The password is not dead, nor is it going anywhere anytime soon.

Passwords have survived as the de facto standard because they are cheap to implement, are not patentable, and are convenient for everyday users. Much in the same way, the QWERTY keyboard is still the standard today (even on devices with virtual keyboards), despite the fact that it was invented way back in 1873 for a use case no one remembers!

Passwords are not inherently problematic if used correctly. Computers can communicate very securely using password-like systems. But problems start to arise when we humans get involved, because of the limits of our own memory. The average web user today has over 50 unique accounts, and to stay secure they should have different, complex passwords for each of these sites. Given the limits of the average human mind, most people do not possess the cognitive ability to remember 50 unique random strings of letters, numbers, and symbols.

For the sake of convenience, we resort to the easiest option possible: reusing the same password for multiple sites. In fact, we know from my company's Harris polling that at least two-thirds of Americans use the same password for multiple accounts. And many of us know this is not secure; it's like having one key for both your gym locker and your bank safety deposit box.

Why has no viable solution or alternative emerged in the past two decades? Using history as a guide, we can conclude at least three conditions must be met in order to replace a de facto standard like the password:

  1. It must have all the benefits of the current system, plus additional ones that are clear for all stakeholders.
  2. The benefits must generously offset the switching costs.
  3. A sufficient amount of time needs to pass for massive universal adoption.

Given these conditions, there are two alternatives to the present-day password system:

Hardware-based alternatives

This includes technologies like hardware keys, biometric sensors, and potentially your phone.

Software-based alternatives

This includes technologies such as single sign-on (SSO) solutions like Facebook Connect, the Google+ button, or OpenID.

Hardware-based alternatives have had some success in the enterprise world where security requirements are very high and cost is much less of an issue. But in the consumer world, cultural shift, cost, and enrollment create a massive barrier that prevents true universal adoption. For passwords to be replaced en masse on the Internet, a clear standard would have to emerge that would be present on all the devices we use to access the hundreds of millions of websites in existence.

On the software front, even Facebook will find it difficult to get its massive user base to use Facebook Connect, because of trust and privacy issues. Moreover, Facebook Connect will likely never be available on Google, Amazon, iTunes, or eBay, because these massive companies don’t like playing nice with each other. If companies as powerful as Facebook or Google have yet to overcome the massive switching costs that exist today, smaller players will be even more challenged to do so in an online world that is growing increasingly complex.

So we’re back to passwords. And while it is in fashion to complain about them today, they don’t have to be insecure or inconvenient.

We must start by removing human memory from the loop. Even if we wanted to use the same password everywhere, websites often impose different rules regarding length or complexity. We need to come to the realization that convenience and security need not be contradictory. There should be an easy path to safety even if people don’t know how to take actions to protect themselves. Software solutions like password managers, which solve these exact problems, exist today and will see much broader adoption beyond the tech-savvy audience in the years to come.
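What "removing human memory from the loop" looks like in code, as an added example that is not part of the original article and not Dashlane's software: a policy-aware generator that draws one random password per site from the operating system's CSPRNG, honouring that site's own length and character-class rules, so the user never has to remember or invent any of them. The site names and policies below are constructed for illustration; the encrypted storage a real manager wraps around the result is outside this example.

```python
import math
import secrets
import string

# Constructed per-site policies, standing in for the differing length and
# complexity rules the article says websites impose. Hypothetical, not the
# rules of any real service.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}"
CLASSES = {"lower": LOWER, "upper": UPPER, "digit": DIGITS, "symbol": SYMBOLS}

SITE_POLICIES = {
    "example-bank":   {"length": 16, "require": ["lower", "upper", "digit", "symbol"]},
    "example-forum":  {"length": 20, "require": ["lower", "upper", "digit"], "allow_symbols": False},
    "example-legacy": {"length": 12, "require": ["lower", "digit"], "allow_symbols": False},
}


def _allowed_alphabet(policy):
    alphabet = LOWER + UPPER + DIGITS
    if policy.get("allow_symbols", True):
        alphabet += SYMBOLS
    return alphabet


def generate_password(policy):
    """Return a random password satisfying `policy`.

    One character from each required class is placed first, the remainder is
    filled from the allowed alphabet, and the result is shuffled so the
    required characters do not sit at predictable positions. `secrets` and
    SystemRandom both read from the OS CSPRNG.
    """
    required, length = policy["require"], policy["length"]
    if length < len(required):
        raise ValueError("policy length shorter than number of required classes")
    allowed = _allowed_alphabet(policy)
    chars = [secrets.choice(CLASSES[c]) for c in required]
    chars += [secrets.choice(allowed) for _ in range(length - len(required))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def satisfies(password, policy):
    """Check a password against a site policy (length, alphabet, required classes)."""
    if len(password) != policy["length"]:
        return False
    if not set(password) <= set(_allowed_alphabet(policy)):
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in policy["require"])


def entropy_bits(policy):
    """Approximate search space, in bits, of a password drawn by generate_password.

    Slightly overstates the true figure because the required-class rule trims
    the space a little; good enough to compare policies.
    """
    return policy["length"] * math.log2(len(_allowed_alphabet(policy)))


def build_vault(policies):
    """One unique random password per site: the part a manager remembers so the user need not."""
    return {site: generate_password(policy) for site, policy in policies.items()}


if __name__ == "__main__":
    for site, pw in build_vault(SITE_POLICIES).items():
        print(f"{site:15} {pw}  ({entropy_bits(SITE_POLICIES[site]):.0f} bits)")
```

Because every password is independent and random, a breach at one site reveals nothing about the password at any other, which is exactly the property that reuse, or a memorable transform of one secret, gives up.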

While the threat of cyber hacking grows worse every day, it will be many years before the password is replaced. Until then, to paraphrase Mark Twain, rumors of the death of the password are greatly exaggerated.

Emmanuel Schalit is CEO of Dashlane, an online password manager based in New York, NY and Paris, France. Follow him on Twitter at @eschalit.

[Image: Flickr user Terry Johnston]


2 Comments

  • Aaron Gillett

    I use a system for passwords that has worked remarkably well for me over the last few years.

    1. Pick a four-digit PIN.
    2. Combine this with the first four letters of the service you're using, with the first capitalised.

    For example:
    1234Goog
    1234Face
    1234Wiki
    1234Twit

    If a service doesn't have four letters, I repeat the last letter, e.g. “1382Msnn”. If it also requires a non-alphanumeric digit, I add one to the end (though I can't recall one that does).

    While not flawless, it means that I have unique, simple passwords for everything.

  • Cryptonomic

    Well done! Any teenage hacker should be able to guess your wonderful passwords in about 5 minutes.
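The exchange above, turned into the check a defender would run at registration time, as an added example that is not from either commenter: a small strength estimator that charges a password only for the part an attacker who knows the pattern still has to guess. It recognises the "digits followed by a site-name fragment, padded by repeating the last letter" shape the first commenter describes and credits only the digits, since the site name is public. The acceptance threshold and sample passwords are constructed.

```python
import math
import re
import string

# Constructed example: a registration-time strength estimator that contrasts a
# naive length-and-character-class score with the score an attacker who knows
# the "PIN + site-name prefix" pattern would actually face.

MINIMUM_BITS = 40  # constructed acceptance threshold for illustration


def _alphabet_size(pw):
    """Size of the smallest standard alphabet covering every character class used."""
    n = 0
    if any(c in string.ascii_lowercase for c in pw):
        n += 26
    if any(c in string.ascii_uppercase for c in pw):
        n += 26
    if any(c in string.digits for c in pw):
        n += 10
    if any(c in string.punctuation for c in pw):
        n += len(string.punctuation)
    return max(n, 1)  # avoid log2(0) on empty or unusual input


def naive_bits(pw):
    """What a meter that only looks at length and character classes reports."""
    return len(pw) * math.log2(_alphabet_size(pw))


def _is_padded_prefix(letters, site):
    """True if `letters` is a prefix of `site`, optionally padded by repeating
    its last letter (the commenter's "Msnn" for a three-letter service)."""
    for k in range(1, len(letters) + 1):
        core = letters[:k]
        if site.startswith(core) and letters == core + core[-1] * (len(letters) - k):
            return True
    return False


def effective_bits(pw, site_name):
    """Bits left to guess for an attacker who knows the pattern and the site.

    The site fragment is public and contributes nothing; only the digit block
    counts. Anything that does not match the pattern falls back to the naive
    estimate.
    """
    m = re.fullmatch(r"(\d+)([A-Za-z]+)", pw)
    if m:
        digits, letters = m.groups()
        if _is_padded_prefix(letters.lower(), site_name.lower()):
            return len(digits) * math.log2(10)
    return naive_bits(pw)


def accept(pw, site_name, minimum_bits=MINIMUM_BITS):
    """Registration decision: reject passwords whose *effective* entropy is too low."""
    return effective_bits(pw, site_name) >= minimum_bits


if __name__ == "__main__":
    for pw, site in [("1234Goog", "google"), ("1382Msnn", "msn"), ("v9$Lq2#pTz7!wRk4", "google")]:
        print(f"{pw:18} naive={naive_bits(pw):6.1f} bits  "
              f"effective={effective_bits(pw, site):6.1f} bits  accept={accept(pw, site)}")
```

The gap between the two scores is the whole point: "1234Goog" looks like a 47-bit password to a naive meter but is a 13-bit one to anyone who has seen the pattern, while a 16-character random password keeps its full 105 bits under either view. A meter that checks the pattern against the service's own name catches this at sign-up; one that only counts character classes does not.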