Is it time for businesses to nudge us towards the death of passwords?Passwords are no longer fit for purpose. There is a better way and it is time for businesses and indeed all publishers of websites to push us towards a more sensible system of identification, leading us towards the death of passwords
It’s now in the stats. Some people find passwords more stressful than divorce. A tad under a half find remembering all their passwords overwhelming. Frankly, it’s surprising the numbers are as low as the data says. According to a survey carried out by Bilendi on behalf of GMX, among 1050 people, 8% find think that remembering all their passwords is more stressful than a divorce, changing jobs or getting a speeding ticket. 41% find remembering passwords overwhelming. If there is one death that people would surely not mourn, it would be the death of the password.
The survey also found that there must be an awful lot of people with amazing memories. No less than 40% rely on their memory for password recall — 20% write their passwords down on paper. (Big sheet of paper!).
To be clear, as all technologists know, we are supposed to have different passwords for each account and we are supposed to change them regularly — every day, some say.
The passwords must not be words that are in the dictionary, and there must be numerical and ideally contain symbols such as % or *.
All the more impressive then that 40% of people are able to memorise all their passwords. Doesn’t this memory feat make you feel humble? Forget about the death of passwords, if only we all had memories like this we would be fine. Maybe we could all recite pie to 200 decimal points while we are it.
Will biometrics replace passwords, or complement them?
It would be interesting to know how many CTOs or CSOs — chief security officers — get it right. The survey found that 19% of ordinary folk frequently get locked out of an account because of multiple incorrect attempts. 18% get websites to log them in automatically. What percentage of CTOs do that, one wonders?
Setting aside the apparent superhuman memory that 40% of us are blessed with, it does seem likely that the system isn’t working.
Too many people use the same password for multiple accounts — we don’t need surveys to tell us this. The reason is obvious, it is too difficult. For many of us, passwords have become the bane of our lives. The system is broken, there needs to be a better way, passwords must die.
Microsoft’s authentication system for Windows 10 is a step in the right direction. It is now officially recognised as an authenticator, which means the company is inching towards completely killing off passwords in its software and services.
But as Mark Twain, CSO for Huckleberry Finn said of the password “reports of my death are greatly exaggerated.” It is like the Mountain from Game of Thrones, no matter how we stab at it, the death of the password remains elusive.
As Jake Moore, security specialist at ESET said: “The password option will still be a feature in the background as Windows won’t get rid of it completely, so users will still have to adopt better password management and multi-factor authentication to protect their data in case their information gets into the wrong hands.”
Will technology really destroy jobs? Amber Rudd reckons automation is driving the decline of banal
Jason Hart, cyber security expert and chief technology officer for Gemalto’s data protection solutions, isn’t so sure. “It’s time to retire passwords as a security solution,” he said. In an attempt to hammer the nail into the password coffin he added: “After years of employees using the same credentials to log into everything from social media to corporate networks, should just one account be breached, all associated accounts risk being compromised too.
“What’s needed now is an adaptive, intelligent approach to the log-in experience. Innovative technologies such as Passwordless authentication with Smart Single-Sign On allow users to log-in to multiple applications with a single identity, removing the need for passwords altogether. By taking into account contextual information, such as user location, and app sensitivity and previous log-in attempts when verifying users, and combining these technologies with multi-factor authentication when needed, its possible to dramatically reduce the risk of false log-in attempts and repurposed passwords.”
He is right, of course. There are multiple password management options already. The real problem is that not enough people know about them.
GDPR imposes a duty on companies to treat our privacy as a human right. Increasingly tech firms have moved from the GDPR’s privacy by design to call for ethics by design.
We now need password-made-easy by design too, either that or organisations must advance systems that don’t require passwords at all, rather they require some form of biometric security.
It is not the customer’s job to remember hundreds of passwords complete with non alpha numeric characters/symbols. The customer expects their life to be made easy, not more stressful than divorce or getting a speeding fine.
It is up to technologists to promote to end users a better way. If they can orchestrate the death of the password, they will be seen as heroes.