The End of Passwords?

One of the great annoyances of the Internet is slowly going away.

subscribe, registration, signup, software, applications, tablet, device, subscribe button, login, account, business, coffee, smart, security, credential, information, user, password The free high-resolution photo of subscribe, registration, signup, software, applications, tablet, device, subscribe button, login, account, business, coffee, smart, security, credential, information, user, password, gadget, technology, electronic device, product, electronics, display device, multimedia, smartphone, mobile device, mobile phone, tablet computer, personal computer, communication device, brand @mohamed hassan, taken with an unknown camera 07/13 2018 The picture taken with The image is released free of copyrights under Creative Commons CC0. You may download, modify, distribute, and use them royalty free for anything you like, even in commercial applications. Attribution is not required.
Photo by mohamed_hassan fromPxHere

WSJ (“Technology Alliance Says It Is Closer to Killing Off Passwords“):

A group of technology companies including Apple Inc., Alphabet Inc.’s Google and Microsoft Corp. says it is a step closer to eliminating what many people call one of the worst aspects of the internet experience: passwords.

The Fast Identity Online Alliance has for nearly a decade worked on a system that lets users log into their online accounts simply by using the unlock mechanisms of their smartphones or computers. Rather than sending a password over a network susceptible to outside interference, users connect a public “key,” which sits on the account service provider’s server, to a private one, which cannot be removed from their device.

Previous versions of the group’s system still required people on new devices to enter passwords for each account before they could go password-free. Now, it says it has found a way to let users log into online accounts with their faces, fingerprints and PIN codes straightaway, even on brand-new devices.

The update “means that users don’t need passwords anymore,” said a white paper by the alliance, called FIDO for short. “As they move from device to device, their FIDO credentials are already there, ready to be used.”

The alliance, which represents more than 250 members, has been trying to reduce reliance on passwords since 2013, when six companies including PayPal Holdings Inc. and Lenovo Group Ltd. came together to develop a new, safer industry standard for online authentication.

Passwords create not just friction on the information superhighway, critics have long complained, but real frustration and even abandoned accounts when consumers forget their secret codes. They also still leave users, businesses and other organizations vulnerable to hackers and other bad actors.

Security solutions such as two-factor authentication, in which users typically supplement passwords with push notifications or codes sent by apps or texts, bring their own drawbacks. Plenty of people seem uninclined to opt in.

“Even though we know in 2022 that passwords are inherently insecure and creating lots of problems, getting people to actually secure them is still a challenge,” said Merritt Maxim, vice president and research director at research firm Forrester Research Inc., where he specializes in security and risk.

Passwords are “the cockroaches of the internet,” Mr. Maxim said—irritating, hardy and worth taking the time to kill.

[…]

But a completely passwordless world is still far off, said Forrester’s Mr. Maxim. FIDO’s vision mostly relies upon account holders having their own connected devices, which is not true for all users globally, he said. And while the system does not share users’ biometric data with account service providers, some privacy-minded users may hesitate to use their faces and fingerprints to unlock everything, he said.

The alliance tested which language, icons and information makes people feel most comfortable with switching on FIDO, said Andrew Shikiar, the group’s executive director and chief marketing officer.

“People need to adjust from doing what they know—just entering passwords—to doing something that they know how to do, but don’t really connect with logging in,” Mr. Shikiar said.

I’ve been using a commercial password manager for years but the process remains far from seamless and having to constantly log in on multiple devices for things that I’m paying for is certainly annoying.

If, for example, I want to read a WSJ or WaPo article on my phone and do so from their respective apps, it’s seldom an issue. If, however, I follow a link from, say, Google News to one of their stories, I frequently have to go through the machinations of logging in.

And, for reasons I’ve never figured out, the Disney bundle (Disney+, Hulu, and ESPN+) is incredibly poorly integrated. We happily pay the subscription price but the logins frequently need to be re-entered and reset. Inexplicably, while I can get ESPN premium video streaming pretty easily from any device, I’ve never been able to get the premium text context on my laptop and am only able to do so roughly 70 percent of the time via my iPhone. There’s simply no reason it should be that difficult.

Meanwhile, despite Randall Munroe’s password strength generator becoming a meme more than a decade ago,

the trend described in the cartoon has actually increased. I have several seldom-used but critical work-related sites that I have to log into once or twice a year that require creating a new, incredibly complicated, password every three months—thus, every time I use it—that require me to type insanely long text with multiple changes in the shift key blind and then duplicate it.

And, amusingly, my WordPress instance logged out just as I typed that last paragraph, requiring me to log back in. Thankfully, the password for that is saved, requiring little effort.

FILED UNDER: Science & Technology, , , , , , , , , , , , ,
James Joyner
About James Joyner
James Joyner is a Professor of Security Studies. He's a former Army officer and Desert Storm veteran. Views expressed here are his own. Follow James on Twitter @DrJJoyner.

Comments

  1. SKI says:

    Fighting with our InfoSecurity folks over password requirements is an occupational hazard for me. We can reach agreement on the ridiculousness of the frequent change requirements but I can’t seem to wean them off it.

    Can’t recommend 1Password strongly enough.

    2
  2. Scott says:

    I keep a 5 page encrypted word doc with all the passwords. It is a pain to keep up. I’ve also tried Last Pass and Bitwarden for password management. On top of that the iphone has its own password manager as does Chrome.

    But the biggest hurdle is those items that I share with my wife, particularly financial. Because she in not interested in such things, I handle it for her. I continually have to access her accounts, (401k, IRAs, etc) pretending I’m her to manage them. We just do it on trust. But often we have to call some bank or mutual fund, etc to get something done and have to get on the phone jointly. And even then, there are times only she is allowed to talk even though I can explain the issue better. Hate it all.

    Maybe they can create a process (pseudo person or entity) where we can jointly do what needs to be done without a lot of subterfuge, etc.

  3. Scott says:

    And don’t get me started on those agencies (DoD agencies like DFAS, Tricare, VA) that require quarterly updates of passwords with about 10 different criteria of what’s an acceptable password.

  4. Not the IT Dept. says:

    One of the advantages of being semi-retired (I’m basically still on payroll to train newcomers to the firm) and full retirement at the end of 2022 (YAY!!!!) is that I’m shedding passwords like a tree sheds trees in autumn. Every time I don’t have to login somewhere is a burst of freedom.

    3
  5. Not the IT Dept. says:

    “sheds leaves”, of course.

    Where’s the edit button? And where are the italics/bold/etc. options?

    Are you changing things again, James?

    1
  6. DK says:

    @Not the IT Dept.:

    Every time I don’t have to login somewhere is a burst of freedom.

    Jealous.

    1
  7. Kathy says:

    I don’t have a password or lock of any kind on either of my phones. Just swipe up.

    If/when I decide I need to use the phones less, I’ll put one in.

  8. Just nutha ignint cracker says:

    The only situation where I have an issue is at the school districts at which I teach. I usually have to have tech services reset my password from the district office 3 or 4 times a year. The next reset need will come after spring break.

    1
  9. James Joyner says:

    @Kathy:

    I don’t have a password or lock of any kind on either of my phones. Just swipe up.

    Because I have access to my work/Government email and files on the phone, I’m required to have a 6-digit passcode, which expires every few months. But I’d have protection on it, anyway, because I have banking access, Venmo, and various private things like emails and contacts on there.

  10. grumpy realist says:

    @Scott: God, don’t mention it. We’re coming up on Yet Another Password Change and I’m having to generate one more at-least-12-letters-having-3-out-of-four-of-the-following-characteristics password that I can remember.

    Heck, I’m tempted to start using lines from Lorum Ipsum. Or Latin poets.

    1
  11. MarkedMan says:

    FWIW, I was talking to a fairly senior guy in a major corporation’s IT group and the subject of passwords came up. He agreed that the methods we used were non-optimal, but then said that there was no chance they were going to change, because of insurance, among other reasons. It turns out there is a set of generally accepted computer security practices (similar to GAAP on the financial side) and if you don’t follow them you can’t get insurance. On top of that, if an senior IT official goes against them, they essential assume all risk, with very little upside. So the incentives to keep sticking to the norm is overwhelming.

  12. SKI says:

    @Scott:

    keep a 5 page encrypted word doc with all the passwords. It is a pain to keep up. I’ve also tried Last Pass and Bitwarden for password management. On top of that the iphone has its own password manager as does Chrome.

    But the biggest hurdle is those items that I share with my wife, particularly financial. Because she in not interested in such things, I handle it for her.

    Again, 1Password (https://1password.com/). I have a family account that includes a shared vault with my wife with all the financial stuff and a shared vault that includes the kids with all the media and streaming stuff. Can share notes, etc. too. Apps for PCs, Macs, Android and iOS plus web access. Full browser integration.

    But often we have to call some bank or mutual fund, etc to get something done and have to get on the phone jointly. And even then, there are times only she is allowed to talk even though I can explain the issue better. Hate it all.

    Maybe they can create a process (pseudo person or entity) where we can jointly do what needs to be done without a lot of subterfuge, etc.

    Power of Attorney.

    1
  13. Mister Bluster says:

    I suspect xyz123 just won’t do anymore. Maybe I’ll change it to 123xyz. That will fool them for sure.

    2
  14. Jay L Gischer says:

    I have a bunch of passwords that I used for accounts for technical things online. I keep them in a notebook. On paper. Nothing digital there. Because the threat profile is much, much lower.

    I mean, yeah, I could use an encrypted spreadsheet, but then I worry about forgetting the encryption password, so I’d have to write that down, anyway.

    1
  15. Kathy says:

    @James Joyner:

    I’ve been told that.

    The bank app done’st keep the password. the rest, I could care less if someone sees them.

    Meantime, I use the phone frequently to play and read. If I had to enter a password, PIN, or pattern every time, I’d go crazy.

  16. just nutha says:

    @Mister Bluster: You’re an old telephone guy. Pick a telephone number you find easy to remember and convert it back to an old style word/number combination–like ATwater3-0111. (not one of my passwords BTW, I can’t remember any of the old Atwater numbers I used to call.)

    1
  17. Flat Earth Luddite says:

    @just nutha:
    At the risk of outing myself, the PArkway number from my childhood still sticks. The number on my cell phone (unchanged for the last 20 years) not so much. Maybe I shouldn’t have had that third helping of grapefruit slash, eh?

    The IT guys at one law firm hated me, because I argued that my password didn’t need to be changed. At the time, I was using a mnemonic of 21 characters, including specials. I had a standing bet with them that IF they could crack it, I’d buy them all lunch and drinks, AND change my password. After 5 years, I left that office. Never did change my password.

    1
  18. Joe says:

    Shortly after my old phone started taking a fingerprint to sign on, a cashier joked when he confirmed that I still had to sign the machine, “yeah, your signature would be way harder to forge than the thumbprint you just had to use to activate your card.”

  19. Mister Bluster says:

    @just nutha:@Flat Earth Luddite:..old telephone guy.

    The oldest telephone number that I remember was for my friend Suzy down the street in Irondequoit, New York, early ’50s. It was the Charlotte exchange of the Rochester Telephone Company. All I had to say when the Operator asked “number please” was 1426r (r was the party line code). I’m sure I knew our phone number at the time but it never stuck.

    1
  20. Liberal Capitalist says:

    I identify as VInewood 37118. So you can guess: Freaking old-ish (and still doing well in the telecom world).

    Yeah… no passwords. Sure. And no poverty or illness either. We’ll play in the city, powered by the sun. Perfect weather for a streamlined world. There’ll be spandex jackets, one for everyone. Got it.

    But as to passwords: Keepass (the application, ridiculously secure) is where all my webpage ID’s and passwords are. Keepass resides in our free Google Drive, so it’s replicated on all our devices.

    Thee are other password Keepers, but the experience is much the same. It’s the replication / portability aspect that was critical to me.

    One password to open Keypass, cut-and-paste for the rest. I made sure (after strongly convincing her) that my wife knew what that password was.

    And according to https://www.security.org/how-secure-is-my-password/ it would take a machine 2 Million years to crack it.

    So, until utopia, I’m good.

  21. Mister Bluster says:

    @Liberal Capitalist:..password utopia

    Clicked on your link and the first thing I see is enter password

    …pull my finger.

  22. Liberal Capitalist says:

    @Mister Bluster:

    Clicked on your link and the first thing I see is enter password…

    *facepalmslap*

    OK… first, it’s A link, not MY link. I don’t run the web page, nor am I affiliated with it in any way.

    And OF COURSE you need to enter a password… it’s the password you want to check, right? That’s the purpose of the tool. How would you expect it to test how strong your potential password is unless you enter it? (They aren’t asking for a web page or ID, so your password is just useless data.)

    Do you test a car battery by staring at it, or do you hook it up to a tester that would check it’s capability under load?

    I can tell you this: my old “favorite” password could be machine broken in 600 milliseconds. this lets you know.

  23. mister Bluster says:

    @Liberal Capitalist:..link…
    1000 pardons. Clicked on the link that you provided.
    My local Vogler Ford dealer tests my car battery while I sit at the Dunkin’ next door with a cup of their Dark Roast and a free donut compliments of the AARP and stare at OTB on my MacBook Air.

  24. Gustopher says:

    @Liberal Capitalist: my throwaway password would allegedly take 2 million years to crack. That goes up to 200 million years if end of it goes from 1234 to 12345.

    I am unconvinced.

  25. Liberal Capitalist says:

    * sigh *

    This is clearly why we can’t have nice things.