Signs of Triviality

Opinions, mostly my own, on the importance of being and other things.
[homepage] [index] [jschauma@netmeister.org] [@jschauma] [RSS]

Passwords Are Here To Stay

June 15th, 2015

I'm sorry. I have bad news for you. It's about your password. No, it's not about LastPass having been compromised, at least not directly. It's this:

Passwords are here to stay.

Passwords are not going anywhere. There is not going to be an app for that. Biometrics are not going to obsolete passwords. Here's why:

Passwords are convenient.

Convenience will trump security every single time. There's nothing you can do.

Passwords are convenient because they conflate authentication and authorization. When we enter a password into a website or service, we pretend that we are authenticating ourselves, but in reality we are requesting authorization to access the resources mapped to a given account.

Authenticating with a password implies that I have the ability to grant other people authorization to perform tasks on my behalf merely by sharing my password.

Seriously, that is the killer aspect of passwords, and it always has been. In the 1920s, during Prohibition, access to a speakeasy was frequently gated on knowing a certain password. This had nothing to do with authentication -- it was merely a word -- "Swordfish", for example -- that allowed you to pass or enter into the speakeasy so as to responsibly enjoy a frosty beverage or two. Shame on anyone who thinks ill of it.

Even more convenient: since the password is a "something I know", my giving it to somebody else does not remove my own ability to use it. This is fundamentally different with any system that involves a "something I have". For example, I can't easily give my house key to somebody else without losing the ability to get in myself. This also applies to any multi-factor authentication system, including a bank card and PIN.

Password managers are great, and so is multi-factor authentication. The use of hardware tokens or time-restricted software tokens in strictly controlled environments is very nice, too. And I have some hopes for certain types of one-time passwords for average users. But if you believe that passwords are obsolete and will go away any time soon, then you're fooling yourself.

People will opt for convenience, every single time. We have a long way to go before any alternative method matches simple, dumb, repeatedly used, easy-to-share passwords. The sooner we understand and accept the social and human factors surrounding password usage, the better.
