Passwords? In 2017? Really?

Knock knock. The small wooden door slides to the left. You whisper, “Joe sent me” into the opening. The knob twists, the speakeasy door swings open, and you’re in. This is what security looked like during prohibition in the 1920s. But we’ve come a long way since then, and passwords are about as relevant as flapper dresses and flagpole sitting. For some reason, we’re still welded to an approach to security that is completely inadequate in today’s technology-driven world.

In the earliest days of computers, no password was required. This worked fine for military applications where a computer was parked on a secure army base. But as we began to share and access more and more information, managing access became increasingly important.

The first computer password was developed in 1961 at MIT to manage access to a computer time-sharing system. Multiple researchers were using the same basic processing power and as a result, each person needed a specific point of entry to the system. That is what led to the creation of what we now call passwords. Less than a year after the password system was installed, it was hacked! In 1962, a researcher named Allan Scherr printed out all the passwords stored in the MIT computer so he could use the shared system for more than his four-hours-per-week allotment.

The emergence of the PC in the 1980s – and then the World Wide Web in the early 1990s – made security (in the form of passwords) increasingly important. Today, password management is a critical issue for companies and individuals alike. Because we all share a tremendous amount of our personal data on our devices and in the cloud, sites and apps are using all kinds of authentication and password tactics to keep people’s data safe and thwart unauthorized access. The average person has 19 passwords: it’s hard to believe that Bill Gates declared the password dead back in 2004.

Passwords may be ubiquitous, but they’re easy to hack. Companies encourage people to avoid using dates (anniversaries, birthdays), names of pets or family members, or common words like “password,” but it still takes hackers less than 50 milliseconds to break the average password.

Despite major advances in cybersecurity in the last few decades, password-based systems remain the primary authentication protocol for most computers and mobile devices. And they remain vulnerable. But thanks to a combination of new tactics and innovative uses of face recognition, Multi-Factor Authentication and other biometrics, new approaches are challenging the password monopoly:

  • Multi-Factor Authentication – allowing simpler passwords because they are only part of the overall security landscape.

  • Social sign-in – using credentials stored in Google or Facebook or Twitter. It’s sort of like saying, “Well, Larry Page knows who I am and will vouch for me…so let me in!”

  • Two-factor authentication (2FA) – after a username/password combination is verified, a unique code or URL is either emailed or texted to the person trying to sign in.

  • Password-less authentication – two-factor authentication without the first step. The person signing in only has to remember their username, email or phone number, and they receive a unique code to complete the sign-in.
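The one-time-code step that the last two bullets describe, as an added example in Python (not code from the original post): the server keeps only a hash of each outstanding code together with an expiry and an attempt limit, compares submissions in constant time, and accepts a code at most once. CodeStore, the identifiers and the simulated email/SMS delivery are assumptions.

```python
# Added example, not from the original post: server-side half of the
# one-time-code flow described above. Delivery (email/SMS) is assumed
# and simulated; CodeStore and its names are hypothetical.
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 5         # guesses allowed before the code is discarded


class CodeStore:
    """Keeps only a hash of each outstanding code, never the code itself."""

    def __init__(self, clock=time.time):
        self._pending = {}   # identifier -> (sha256 hex, expiry, attempts left)
        self._clock = clock

    def issue(self, identifier: str) -> str:
        """Mint a fresh 6-digit code for a username/email/phone and return it
        for out-of-band delivery. Reissuing replaces any older code."""
        code = f"{secrets.randbelow(10**6):06d}"
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[identifier] = (digest, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, identifier: str, submitted: str) -> bool:
        """Return True exactly once, for the right code within its lifetime."""
        entry = self._pending.get(identifier)
        if entry is None:
            return False
        digest, expiry, attempts = entry
        if self._clock() > expiry or attempts <= 0:
            del self._pending[identifier]   # expired or exhausted: drop it
            return False
        candidate = hashlib.sha256(submitted.encode()).hexdigest()
        if hmac.compare_digest(candidate, digest):   # constant-time compare
            del self._pending[identifier]   # single use
            return True
        self._pending[identifier] = (digest, expiry, attempts - 1)
        return False


if __name__ == "__main__":
    store = CodeStore()
    code = store.issue("alice@example.com")   # would be emailed/texted here
    print("wrong code accepted?", store.verify("alice@example.com", "wrong"))
    print("right code accepted?", store.verify("alice@example.com", code))
    print("replay accepted?", store.verify("alice@example.com", code))
```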

A key problem with these approaches is that they may be secure, but they’re actually worse from a user-experience point of view. They make people do even more work to access the tools they need. That’s why I am so passionate about the rapid advances in face authentication and face recognition that are finally pushing passwords into the realm of irrelevancy next to punch cards and 5 ¼” floppy disks. These new technologies are the future of authentication because it is now possible to create a login experience that doesn't sacrifice security for usability.

(image: marc falardeau "ENTER YOUR PASSWORD" CC BY 2.0 https://creativecommons.org/licenses/by/2.0/ )