The reports of the death of the password are greatly exaggerated

Perhaps it’s just the crowd that I hang out with, but the phrase “the death of the password” seems to be on the tips of the tongues of many.

Now, passwords certainly have their issues. Bill Gates described them succinctly:

“There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”

And I guess it’s true that alternatives to passwords are certainly becoming more popular.

But does this mean that passwords are going to DIE?

Not necessarily.

Even though the article that includes the Bill Gates quote is entitled “Gates predicts death of the password.” Which he didn’t, if you read his words. But others certainly have predicted the password’s demise.

Oh, and that article with the title that trumpeted the death of the password was written in February 2004.

I’m writing this over sixteen years later, in August 2020, and passwords haven’t died yet.

Let’s take a step back and consider passwords as part of an entire security system. As Thales reminds us, passwords are just one possible authentication factor – in this case, the something you know factor. (The problem occurs when everyone else knows it too.) In addition to something you know, other factors include something you have (such as a secure document) and something you are (for example, the arrangement of ridges and bifurcations on your fingers). It is possible to add a fourth factor, somewhere you are (location).

The choice of authentication factors to use depends upon the individual security requirements. Some locations, such as a military base that stores nuclear warheads, require strong security. Other locations don’t need that much security.

To cite an example, let’s say that I’m having a yard sale, and I have a box that I’m using to store the money that I receive, and to make change. Now I need to secure that money box. How should I do that?

Well, I could decide to make that money box REALLY secure. However, using a multitude of factors of authentication would be excessive, and would even cause me to lose business. The guy who wants change for a $20 to buy a $1 used book is NOT going to wait around while I go through the following security checks to open the money box:

  • Type my mother’s maiden name, my date of birth, and an 11-character password with exactly 5 symbols, excluding $ and + but including two (no more) % symbols, in which no uppercase letter can be repeated (and the password itself must be changed every 17 days)
  • Scan my driver’s license and my passport
  • Scan my fingerprints, face, iris, veins, and my typing, and perform a voice check
  • Verify that I am within 50 meters of my house

To put it bluntly, use of all of these authentication factors for a yard sale lock box is overkill. (Thanks to Men at Work.)

It would be much easier to simply get a box with a combination lock.

And a combination, after all, is just a numeric password. (Thanks to Spaceballs.)

So I don’t think that passwords will ever die, or that they’ll fade away. They will still be around for certain use cases, but de-emphasized for others.

In essence, I’m calling for the death of the phrase “death of the password.” We’ll see if I’m successful.

(Oh, and a final thanks to Mark Twain. Even if the quote was itself “an exaggeration.”)

