The Life and Death of Passwords: The Problem with Passwords
Our documentary, “The Life and Death of Passwords,” explores with industry experts the history of passwords, why passwords have become less effective over time, and how trust is established in a passwordless future. With its release, we’re taking a trip through time, from digging into the early days of passwords to imagining the passwordless potential that lies ahead.
Today: Our panel of experts share their password-related pain points, from the challenges of remembering and rotating them to unequal access to technology slowing passwordless adoption.
Problem 1: From Physical to Digital Space
Christi Volny, a senior software engineer on the Duo Single Sign-On platform at Cisco Secure: “The primary difference between password and passwordless authentication is that password authentication is based on the user remembering some secret. And then that’s something that they know, and that’s what grants them access to the system. As we’ve taken that system, we’ve brought it online and made it computerized, that doesn’t really keep up with the ability of computers to try to break into those systems.
Passwords rely on something that the user knows, and that worked really well in a physical space. So to be able to enter a room, knowing the passphrase to enter that. As soon as we digitize that, how users interact with these systems is through a computer. And so these are all machine-to-machine communications, ultimately. By enabling that, what we’ve done is allowed machines to be able to impersonate humans and try to crack passwords.
And they can do that much faster than ever previously done in history, which means that we’ve had to increase our password complexity, which pushes past the limits of what humans can actually remember, a meaningful passphrase.”
Problem 2: The Human Element
Passwords Are a Pain
Ted Kietzman, a product marketing manager with expertise in bringing passwordless to market, puts us in the average user’s shoes: “Passwords have a bunch of problems from a user perspective. They’re really annoying to remember; you have to keep them in your brain, which ends up being a pain. And over time, it’s been a requirement that they have to get more and more complex, or you have to rotate them more often, because as they've been seen as the security vulnerability, you have to lengthen them and rotate them. In both of those cases, they become harder to remember. And so from a user perspective, I have to remember a bunch, I have to rotate them, I have to keep making them longer, more complicated. All those things make it harder for me. And then I also just don’t like to type them. It's annoying for my fingers.”
People Create Predictable Passwords
Nick Steele, Research Lead at Superlunar and co-chair of the WebAuthn Adoption Community Group: “Humans are really bad at creating randomness. So when it comes to creating passwords and remembering passwords, they’re generally, if they’re made by humans, not very strong. And humans also tend to use heuristics and elements that they can reuse over and over. So even passwords that are created by humans that are slightly different, still tend to be pretty easy to crack.”
Wolfgang Goerlich, advisory CISO at Cisco Secure, adds: “We tell stories with our passwords. That means it's a loved one. That means it’s a pet. That means it’s a favorite hobby. You look at Ken Thompson’s early password, which was a chess move. We look at Eric Schmidt’s early password, which was his wife’s name. We create things that are easy for us to remember — and in doing so, those are things that are easy for adversaries to guess, and once they're out there, easy for criminals to use again and again, to log into other systems.”
Users Need Security Education
Jayson E. Street, a self-described “hacker-helper-human,” emphasizes the importance of making sure that people are informed about security hygiene and the potential risks of not following best practices: “We keep relying on technology to protect the users instead of teaching properly the users to protect the technology and then having the technology there as a failsafe and a safety net for when mistakes inevitably happen. [When you make] technology the bulwark of your protection from the user, it’s always going to fail because the user is never going to understand what they are in control of or what they’re in charge of.
A person who has a delivery van, they know exactly what the responsibilities are and what damages they can incur and job penalties they can incur if they are in an accident, if they operate the vehicle unsafely. But if you’re a person on a computer, you can operate the laptop or the device as unsafely as you want and there’s really not that many repercussions, and you’re not really told exactly what the security controls are or your responsibilities on operating that equipment.”
Problem 3: Challenges Around Passwordless Methods
Remember, Passwordless Is More Than Removing the Password
Ted Kietzman: “One [myth about passwordless] would be that it just removes the password and doesn’t add anything else to it. That’s a problem with the name [...] passwordless is much more than just removing a password from the flow. It’s actually adding in that cryptographic key and the secondary factor of the biometric or PIN.”
Wolfgang Goerlich offers this analogy: “We are defining authentication by what it’s not. I like to compare this to the horseless carriage. A hundred years ago in my hometown of Detroit, what was high tech was a horseless carriage. It’s a carriage without a horse. That belies all the improvements in speed safety and the culture change that came with the automobile. In a similar way, if we only think of authentication as removing the password, we are going to miss out on a lot of the improvements that we can make in authentication. When we do adopt passwordless authentication, it cannot only be to remove the password, but it also has to be to add additional risk-based authentication mechanisms to increase overall security at the same time.”
Access to Equipment Is Not Created Equal
Jayson E. Street: “The biggest hurdle slowing the adoption of passwordless and adaptive authentication is predominantly access to the equipment. We still have a significant part of the world that doesn’t have access to smartphones. The idea of asking users to carry around a key fob that contains security tokens is still something that’s difficult and really only prevalent in the enterprise space.”
Rest Assured Your Biometrics and Credentials Are Secure
Wolfgang Goerlich: “Bruce Schneier once famously said that security has two parts. There’s the feeling of security and the reality of security. For passwordless to be successful, we have to address both. And there are some very real concerns about biometrics. There’s some very real concerns about people’s data. What I like about most passwordless technologies is that they keep that data in people’s pockets. They keep that data in people’s hands. They don’t create conditions where the data can be shared out.”
Ted Kietzman agrees: “The authentication provider never needs to see your biometric. We don’t store any of them. And the reason for that is it’s performed locally at the device you're using as an authenticator.”
Nick Steele elaborates: “People always really assume that the biometrics that are being used to unlock their device or being used to log into their website via WebAuthn, or other passwordless services, they tend to think the biometrics are being sent elsewhere. And in the vast majority of cases, your biometrics are never sent anywhere. They’re only being used by the local authenticator to release a credential. The other big misconception with passwordless is that credentials can still be stolen, which is totally outside of biometrics. I feel like it’s two separate things, right? Because if people think their biometrics can be stolen, then their biometrics can be used on multiple websites. This is really not how that kind of cryptography can work. And in a similar way, the credentials that you produce for passwordless services also can’t be reproduced and reused across multiple sites.”
Next in our series on passwordless history: Our panel of experts share what excites them about a passwordless future, the technical milestones to get us there, and whether we’ll truly say goodbye to passwords.