To paraphrase Mark Twain, the reports of the death of the password have been greatly exaggerated. The password is not dead, nor is it going anywhere anytime soon.
Bill Gates claimed that the password was dead in 2004 and people have continued to claim that the password's days are numbered ever since. It's now over a decade later and they don't seem to be going anywhere.
Passwords have survived as the de facto standard because they are cheap to implement, are not patentable, and are convenient for everyday users. Much in the same the QWERTY keyboard is still the standard today, despite the fact it was invented way back in 1873 for a reason no one remembers.
Back to the past
Let's go back twenty years to 1995, when an external floppy disk drive cost you the princely sum of around £130 (around $200, or AU$260), and Apple's 1MB QuickTake digital camera set you back something like £500 (around $780, or AU$980). To sign in to your Prodigy, AOL or Lycos account, you simply typed your username and password in a text box, and most likely thought to yourself, "Well, that was a really easy way to log in."
Fast-forward to 2015. Technology has advanced in unimaginable ways since those days. You can buy a smartphone with 32GB of storage for £200 (around $310, or AU$390), or grab a 50GB flash drive the size of your finger for just £15 (around $23, or AU$30). Yet, when you want to log in to Facebook or to buy your groceries online, you are still entering your password the same way you did back in 1995 – hopefully the password at least has changed. Despite all the technological advances of the past two decades, the way we log in to our online accounts has not changed.
The password system in itself is still very robust. Computers can communicate very securely using password-like systems, providing we use strong passwords (over 8 alphanumeric characters). But problems start to arise when we humans get involved, because of the limits of our own memory.
The average web user today has over 50 unique accounts, and to stay secure they should have different, complex passwords for each of these sites. Given the limits of the average human mind, most people do not possess the cognitive ability to remember 50 unique random strings of letters, numbers, and symbols.
Given these conditions there are two alternatives to the present-day password system: hardware-based alternatives, like hardware keys and biometric sensors, and software-based alternatives such as single sign-on (SSO) solutions like Facebook Connect, the Google+ button, or OpenID.
These hardware-based alternatives have had some success in the enterprise world where security requirements are very high and cost is much less of an issue. But in the consumer world, cultural shift, cost, and enrolment create a massive barrier that prevents true universal adoption.
On the software front, even Facebook will find it difficult to get its massive user base to use Facebook Connect, because of trust and privacy issues. Moreover, Facebook Connect will likely never be available on Google, Amazon, iTunes, or eBay, because these massive companies don't like playing nicely with each other.
If companies as powerful as Facebook or Google are yet to overcome the massive switching costs that exist today, smaller players will be even more challenged to do so in an online world that is growing increasingly complex.
For passwords to be replaced en masse on the internet, a clear standard would have to emerge that would be present on all the devices we use to access the hundreds of millions of websites in existence. So we're back to passwords. And while it's in fashion to complain about them today, they don't have to be unsecure or inconvenient.
Path to safety
We must start by removing human memory from the loop. There is an easy path to safety even if people don't know how to take actions to protect themselves. Software solutions like password managers, which solve these exact problems, exist today and will see much broader adoption beyond the tech-savvy audience in the years to come.
While the threat of hacking grows worse every day, it will be many years before the password is replaced. By all means, speculate about what the future may hold, but you'd better find a way to learn to live with passwords in the short-term.
- Guillaume Desnoës is the Head of European Markets at Dashlane