In the last two weeks, the Petition Against Passwords movement, launched by a group of US-based companies that sell password-less technology, has been gaining widespread media attention across the world. Their mission is to collect every frustrated yell at forgotten passwords and make sure the organizations responsible hear them.
At the RSA Conference in San Francisco early this year, James DeLuccia’s “Passwords are dead” created quite a buzz. At the conference, Zoho’s sister division ManageEngine demonstrated its enterprise password management solution, Password Manager Pro, and almost all the visitors to our stand quipped: “They are talking about the death of passwords and you are demonstrating password management!”
So, we hear the vox populi loud and clear: people are fed up with passwords. With the proliferation of online applications, passwords now guard every aspect of our lives. Remembering dozens of passwords is impossible, storing them only invites trouble, and managing them manually is a pain. With high-profile security breaches involving stolen online identities, all of us want to be rid of passwords. So, when someone talks about replacing passwords, it’s only natural for people to get interested.
But the million-dollar question is: do we have viable alternatives if passwords finally die?
Before going any further, here is some history on ‘death of passwords’:
For over a decade now, people have been discussing the death of passwords. At the same RSA Conference in 2004, Bill Gates, the Chairman of Microsoft, predicted the death of passwords. In 2006, he said that the end of passwords was in sight. Not just Bill Gates, but many other luminaries and industry analysts have been predicting the death of passwords.
However, in reality, the predictions haven’t yet materialized. Passwords are still the most prominent method of authentication to date. Alternatives to passwords, such as biometric authentication, iris authentication, facial authentication, various forms of multi-factor authentication, and even authentication through items like watches, jewellery, and electronic tattoos, are all being discussed. Research into better alternatives is also under way.
However, none of the alternative approaches has proved viable, for various reasons. First, passwords are very easy to create and are absolutely free. The alternative models, by contrast, are mostly expensive, require additional hardware components, are difficult to integrate with the existing environment, and are not easy to use.
Interestingly, some of these alternative authentication methods have been cracked even before they could be adopted widely. A few years ago, a group of researchers defeated biometric facial authentication systems by using phony photos of legitimate users.
As of today, a viable replacement for traditional passwords is not in sight! We may get one in the future, though. But it will take considerable time for any new mechanism to be accepted and adopted. That means traditional passwords are not going to die anytime soon; they are going to be around for a while.
Passwords are not the problem; their management is
While raising our voices against passwords, we overlook the actual problem, which is poor password management. Because they cannot remember passwords, users tend to use and reuse simple passwords everywhere. Users store passwords in text files and on post-it notes; share credentials among team members; and pass them over email or by word of mouth. Real access controls do not exist, and passwords of sensitive resources and applications remain unchanged for ages. Such bad password management practices invite security issues and other problems.
Use a password manager
While the research to find an alternative to passwords continues, it would be prudent to deploy a password manager to safeguard your data. With a password manager, you can secure all your passwords in a centralized repository; use strong, unique passwords without worrying about remembering them; automate and enforce password management best practices; control access to resources and applications; keep track of activities; and do much more.
If you are wondering which password manager to use, take a look at Zoho Vault.
Will give this a try with Android. I'm a generational user of a very similar password manager that does not integrate with Android, but is just a vault. Integrating with Android browsers is a key component for a truly viable password manager. I completely agree with ZOHO's premise that easily used and STRONG passwords are a viable solution to the secure access problems of today. The idea that voice prints, finger prints, facial recognition, keys, fobs, and other 'No brains required' methods of identity protection/confirmation is a long way off. These toy-like methods can and are broken much more easily than several hundred extremely strong long complex multi character passwords that are easily created and autofilled within the webpage as they are visited. The most important feature of these high performance password managers is a way to back up and restore the vault contents!
Just fyi, 'here to stay for long' sounds like a construction by a non-native speaker. In the US, we would say more readily 'here to stay for a long time' or simply 'here to stay'. We could also say 'here for the duration', 'here for the foreseeable future' is ok as well. 'Here to stay, for now...' could also work. Just some musings - ignore them if they bring nothing fruitful to you. Sincerely, Daniel
Many of these new password alternatives DO use asymmetric key cryptography. CryoKey, for instance, makes use of freely available digital certificates. The problem is lack of recognition - sites have to accept the identities from these alternatives, and most of them are still bogged down by password inertia.
Hi Devin, My point is that bad password management is the actual problem. Passwords themselves are not problematic. The most common grievance is the problem related to remembering passwords. Password Managers help enforce password management best practices while solving the problem of remembering credentials too. Yes, password less world would be good to have. When talking about replacement, many alternative technologies, including yours, are getting attention. I respect all your efforts and I don't belittle any such innovation/invention. But, these technologies will take years to gain wide acceptance and adoption before eventually "killing" passwords. The alternative technologies are generally not easy-to-use, expensive and require additional devices while passwords are usable, free (or low cost) and very easy to create. The alternative technologies are not hassle-free. They also pose problems on portability, accessibility, usability, compatibility, scalability and so on. As on date, passwords are all pervasive and are not likely to be 'killed' anytime soon. Good luck with your efforts! Thanks, Bala
"Passwords are not the problem" yet you go on... "Due to the inability to remember passwords, users tend to use and reuse simple passwords everywhere." How are passwords not the problem? Imagine if we didn't have to remember ANY passwords. Zoho Vault should look at one of the password-less solutions and at the very least let users protect their passwords with a non-password factor. I recommend LaunchKey. Passwords and Password Managers are here for as long as we need to rely on them, but with the advent of alternative solutions we may see this space disappear. I am a co-founder of LaunchKey and can help with any integration Zoho would be interested in, just contact us!
Why don't people just use RSA public/private key crypto? In ssh, passwords are no more.