Passwords? Do They Still Matter?

Putting some thought into password security

As technology marches onwards, passwords are becoming less and less secure. The cybersecurity arms race favors clever attackers who come up with unexpected mechanisms of attack. Password security advice is a tangled mess of restrictions, most of which are not worth their cost. Passwords are a weak method of security, made viable only by compensating controls on the back end. Microsoft has famously made its stance on passwords clear. Meanwhile, Google advances quantum computing technology that will make cracking current password security effortless when it falls into the hands of attackers. Many wonder if the era of passwords is coming to an end.

Are passwords on their way out? 

Not anytime soon. 

Progress is fast, but it is fast in unexpected ways. Thirty years ago, movies like Blade Runner depicted flying cars as widely available by 2019, but most of us remain tragically ground-bound. The threat of quantum supremacy will likely not be a risk before countermeasures are in place. Looking forward, there are three practical reasons you’ll be entering passwords for a while yet: availability, privacy, and practicality.

Availability

The foremost reason passwords persist despite their low security is their accessibility. Any enterprise must weigh the value of greater security against the loss of user adoption that the restrictions cause. If a user approaches an unfamiliar service but finds that the account setup process is difficult, unfamiliar, and time-consuming, they may approach a competitor.

If a person builds their house very far from civilization, they are safer from burglary, but they must spend significant time traveling to and from their house.

Passwords are like a house on the street: anyone could break in through a window or look for a key under the doormat, but most homeowners weigh the risks and choose the less secure option. If a real estate agency specialized in remote houses, they would not receive the same profits as an ordinary agency. Similarly, an enterprise that offers a more secure service may not attract the same business as an enterprise that offers a more convenient service. Enterprises must decide how to balance these two factors when designing their service. Passwords have occupied that middle ground for decades despite frequent predictions that their time is up. 

Users often have little patience for security practices when they aren’t even certain if they want to continue using the new service. Many enterprises make a risk-based choice to use passwords despite their inherent security flaws. 

Privacy

In keeping with the idea of user approachability, many first-time users are unwilling to disclose private details that might be required for alternative means of authentication. Though most of us are willing to enter location data and fingerprints into smartphones, we do so in the name of convenience: we want access to quick directions to unfamiliar places. If an unfamiliar service asks for personal information, the user might choose a less intrusive service. 

By putting personal information on the internet, the risk of an unintended person learning that information increases even if the account itself is more secure.

Furthermore, if an attacker finds a way around the authentication process or intercepts the alternative credentials being used, the attacker now has access to that private information. Even if the enterprise is responsible and ethical in its use of user data, it is reasonable to be concerned about unintended recipients accessing the same information. 

Though it is much more difficult to steal than a password, fingerprint data can be stolen. If your fingerprint is stolen, you can’t change it. A stolen fingerprint represents a lifelong security vulnerability. A fingerprint from immigration forms, police records, and even flat surfaces can be used to print a 3D model of a finger, allowing easy access to most conventional fingerprint scanners (though some higher-end systems check for a pulse and other life signs). While almost all attackers prefer to target passwords because they are easier to acquire, the risks involved with a stolen fingerprint are more significant than a stolen password because a password is easy to change. 

The government and tech giants have already fought over privacy issues in a security context. When the FBI asked Apple to help break into a shooter’s phone, Apple refused despite litigation. However, if the shooter had possessed a more recent phone with a fingerprint scanner, the FBI would have had no need to contact Apple: it’s grim, but they had his body and could have held his finger to the phone. Law enforcement and tech companies across the world struggle with similar questions of privacy in the wake of modern security advancements. 

While these are fringe cases, total dismissal of privacy concerns as we move towards a password-less future is shortsighted. Users may not be comfortable putting their private information at risk due to the possible consequences. This fear shapes user behavior and encourages some enterprises to continue using passwords despite their inferior security. Nevertheless, alternative authentication data is more difficult to steal, which makes it the obvious choice for security-focused enterprises.

Practicality

Passwords offer flexibility in use not available to alternative authentication methods. Though sharing passwords is never recommended by security experts, including those of us at Voleer, many users do choose to share passwords when they are unable to perform a necessary task in a desperate situation. Biometric scanners, geolocation checking, and other alternatives can prevent this from occurring despite the user’s intent. 

A person going on vacation often gives trusted neighbors or family members a key to their house for the duration of the trip.

Furthermore, because almost all users are familiar enough with computers to understand passwords, there is no learning period. An enterprise doesn’t need to educate employees or users on the function of passwords, because their users already understand how they work. By contrast, alternative authentication often requires a tutorial period before a user knows how the new biometric scanner or keycard mechanism works. Though this learning period is often insignificant, many enterprises choose to value that efficiency over further security. 

Finally, passwords have low startup costs. Though biometric authentication is becoming more accessible every day, passwords are cheap, easily implemented, and well-understood even outside the tech industry. The low expense of password implementation makes them appealing to new businesses, which then carry their password systems forward on inertia alone. 

The Future of Passwords

Where does this leave passwords? 

What you hear from Microsoft is true. Passwords are not as secure as the alternatives. Large enterprises, enterprises that handle highly important information, and enterprises with captive audiences all stand to benefit from ditching passwords. These kinds of services are more willing and more able to explore other security methods. They also collect user data regardless of security protocols and stand to benefit from putting it to use for security. Due to their large audiences, they do not need to fear user losses that could come about by implementing stricter security policies. Users are also more likely to appreciate the need for strong security protocols when interacting with a service that already handles highly sensitive information. 

By contrast, small enterprises and enterprises that offer relatively unimportant services, such as social media websites, are likely to continue using passwords. User acquisition and retention is much more important to small services and to services that generate revenue from ads. Passwords are a very inexpensive security mechanism, making them appealing for accounts that don’t need to protect vital information. If nothing else, the low startup costs of passwords guarantee their continued use.

While passwords will vanish from financially important accounts, they are far from dead. In the meantime, a security-conscious enterprise determined to use passwords has options for improving security: multi-factor authentication requires a user to present at least two forms of credentials, one of which might be a password. An automation platform such as Voleer can be used to efficiently check password strength, reset passwords and offer information relevant to password security, such as the password’s age and time until expiration. Hashing each password with a unique salt ensures that an attacker who steals the credential database does not obtain plain-text passwords and cannot reuse one precomputed table of hashes across accounts. While these improvements can’t solve the central problems with password security, they enable enterprises to continue enjoying the convenience of passwords. For the time being, passwords are here to stay.
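As an added illustration of the salting-and-hashing and password-age points above (example code written for this edit, not the post's own code and not Voleer's product): it stores each password as a PBKDF2-HMAC-SHA256 hash under a fresh random salt, verifies a login attempt against that record in constant time, and reports a password's age against an assumed 90-day maximum. The iteration count, salt length, record format and the 90-day limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed parameters for this example (not from the post): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per password, and a fixed iteration count.
HASH_ALG = "sha256"
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000
# Assumed policy for this example: passwords older than 90 days are reported as expired.
MAX_PASSWORD_AGE = timedelta(days=90)


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hash a password with a per-user salt.

    Returns a self-describing record "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
    so the verifier can recover the salt and cost without a side table. A fresh
    random salt is drawn unless one is supplied (tests pass a fixed salt).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_ALG, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{HASH_ALG}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        alg, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False  # malformed record: never treat it as a match
    if alg != f"pbkdf2_{HASH_ALG}":
        return False
    digest = hashlib.pbkdf2_hmac(HASH_ALG, password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking the position of the first mismatching byte.
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def password_age_report(set_at: datetime, now: datetime,
                        max_age: timedelta = MAX_PASSWORD_AGE) -> dict:
    """Report a password's age and the days left before it must be changed."""
    age = now - set_at
    remaining = max_age - age
    return {
        "age_days": age.days,
        "days_until_expiry": remaining.days,
        "expired": remaining <= timedelta(0),
    }


if __name__ == "__main__":
    # Constructed sample: the same password chosen by two different users.
    rec_a = hash_password("correct horse battery staple")
    rec_b = hash_password("correct horse battery staple")
    # Different salts, so identical passwords do not produce identical records;
    # that is what stops one precomputed table of hashes from covering every account.
    print("records differ:", rec_a != rec_b)
    print("login ok:", verify_password("correct horse battery staple", rec_a))
    print("wrong password:", verify_password("Tr0ub4dor&3", rec_a))

    set_at = datetime(2024, 1, 1, tzinfo=timezone.utc)
    print(password_age_report(set_at, datetime(2024, 3, 1, tzinfo=timezone.utc)))
```

The record carries its own iteration count, so the cost can be raised later and old records re-hashed at the user's next successful login without a schema change; the age report is the kind of information an automation platform would surface to administrators.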
