Passwords Aren't Dead — You're Just Using Them Wrong
For years, I've seen headlines proclaiming "the death of the password." I keep getting PR emails from companies promising to "make passwords obsolete." I can't count how many times I've been told that a new technology will "replace the password." But nothing ever does.
The truth is that passwords will be with us for a long time. Here are some reasons why.
Passwords are either completely right or completely wrong. "Bsdo#du()q1" looks a lot like "Bsd0#du()1" to a human, but to a computer, they're utterly different. There's no fudge factor, and no machine will ever mistake one for the other.
By contrast, biometric technologies such as fingerprint readers, iris scanners and voice or typing analyzers always have to accept a certain margin of error, because biology is fuzzy. Voices, faces and lighting all change, and a biometric reader has to take that into account.
Yet with human bodies and behavior, if you get close to the real thing, you can fool a biometric identification system. This has been demonstrated many times. A fake eye or fake fingerprint doesn't have to be perfect -- it just to be good enough.
But if you reduce the acceptable margin of error, then you'll get false negatives and angry users. Passwords have neither of these problems.
Passwords are technology-agnostic and backward-compatible. They're just a (relatively) short string of text. Every operating system made in the past half century — Windows, Mac, Unix, Linux, Android, iOS, IOS, MS-DOS, TRSDOS, BeOS, Symbian, AmigaOS, whatever — can handle a password.
But not all devices can see your face, read your fingerprint or analyze your gait. Nor does every device have a USB port into which you can plug an authentication key. Not every device can receive a texted temporary code. There's a cost to implementing new authorization technologies, and there's no guarantee they'll be universally accepted.
Passwords are disposable and cost nothing. If a password gets compromised in a data breach, you simply replace it with a new one. It's also easy and cheap to create dozens or hundreds of new passwords.
But you have only 10 fingers and only two eyes. What do you do when your fingerprints are compromised? (This happened to government employees whose information was stolen in the 2015 breach at the federal Office of Personnel Management.) You can't replace your body parts quite so easily.
Passwords are easy to share. I know you're not supposed to share passwords, but people do it all the time, often for very good reasons. You can email passwords (though it's not a good idea), text them (still a bad idea), write them on a piece of paper (better) or just tell someone in person (best). You can't pass along a fingerprint or an eyeball.
Passwords are anonymous. Unless you're using uniquely personal information for your password, there's nothing about it that traces it back to you. By contrast, your voice, fingerprint, iris, retina and other biometric data, or even your smartphone, belong to only you — and can be used to track you as well as log you in.
Passwords are secret. Or at least they're supposed to be. But biometric identifiers are not. Your face is seen in public almost every day. Your fingerprint can be lifted from a wine glass. Your DNA can be retrieved from a fallen hair. Your USB authentication key can be borrowed while you're sleeping. But only you (in theory) know your password.
Using Passwords the Right Way
The problems with passwords arise only because they're used by humans, and we humans are lazy. We make passwords that are too short and too easy to guess, and we reuse passwords for multiple accounts so that one service's data breach will result in many more services being compromised.
But we can reduce the human factor by using machines. We can use password managers that generate and remember strong, unique passwords for every account we use. It's true that a password manager is a single point of failure, but you can get around that by using more than one password manager and dividing your accounts among them.
We can use two-factor authentication, which these days can be much stronger than just a texted code. The second factor can be a randomly generated number from an authenticator app, or a USB authentication key you keep on your keychain. You won't have to use the second factor most of the time — only when you're logging in to an account from a new device.
The bottom line is that passwords are not going away, and neither are we. We simply have to use them better.