Microsoft Corp. is trying to kill the password, and it’s about time. This month, the company said the next test version of its stripped-down Windows 10 S operating system will strip out passwords too, by default. If you go through setup as recommended, you’ll never get a password option.
But killing the password altogether will take more work and time — and the problem may get worse before it gets better.
That’s a shame. Passwords are the bane of modern digital existence. On a big-picture level, insecure passwords cause an estimated 80% of breaches, according to a 2017 report from Verizon. On a human level, they’re paralyzing; right when you need to access your utility bill, you can’t remember if you replaced the “a” with a 4 or an @ symbol. Or when, say, a missile alert has gone out to your entire state and you can’t find your password to give an all-clear.
Passwords have amassed their share of enemies. Microsoft’s latest move follows pushes from Apple, Google and others to shake up the old passcode and password system with fingerprint scans, face scans or temporary codes.
There’s no question passwords aren’t adapting to a modern age. “It’s quite clear to us that the era of the password is passing. Based on the significant amount of accounts that now exist, it doesn’t scale as a system,” said William Beer, a principal at business management consultancy EY.
Microsoft has been waging a war on passwords for a while. Like others, it has poured effort into other types of authentication, namely biometric scans of your face or fingerprints — it introduced facial recognition unlocking for Windows PCs in 2015. It also has built a smartphone app to provide an ever-changing code to act as your password.
“This relic from the early days of computing has long outlived its usefulness, and certainly, its ability to keep criminals at bay,” an official blog post from Microsoft said in December.
Now Microsoft is edging even closer to pushing passwords off a cliff, at least in its lighter version of Windows — though not every feature that gets tested in early versions of operating systems makes it to consumers.
But we don’t have a lot of time to work on a slow revolution. The way we handle security is about to hit an even bigger test.
One reason passwords are awful is that there are so many of them. Dashlane, a password manager company, found in a survey of its own customers that they have an average of 130 accounts with passwords.
And password overload is poised to get worse before it gets better. Tech companies are pushing into more areas of our lives by giving “smarts” to any item that can accommodate a chip — toilets, cars, beds. Securing all of those gets messy, and it’s not remotely feasible to create a secure, unique password for every home appliance, even though those appliances collect very personal data.
Another big issue: Finding the perfect password is difficult, as it requires a unique balance of “easy to remember” and “hard to hack.” And since you need more than one password, you have to find that sweet spot over and over again. In the pursuit of safety, companies often require passwords to have a complex combination of capital letters, symbols and other requirements. But those requirements can actually cause people to reuse their complex passwords or refuse to change them once they’ve committed them to memory. In 2016, Britain’s National Cyber Security Centre recommended simplifying password requirements to encourage people to change them.
All of these issues point to a system that doesn’t work, and it makes sense for companies and people to get on the bandwagon to replace it.
Yet passwords linger like roaches in the corners of our digital lives. Alternatives such as fingerprint scans, retinal scans, voice recognition and other technologies can be hard for companies — particularly non-tech companies — to implement well. Those solutions are also imperfect, as some pairs of twins can tell you. If something requires new costs to implement and is still flawed, many companies may stick with the devil they know. (Even Microsoft is simply proposing getting rid of passwords, and only on a light version of Windows, instead of replacing them with another security alternative.)
Plus, even when companies offer something more, it’s often difficult for people to get used to a new routine, Beer said.
Changing habits will require more efforts like Microsoft’s, along with a gradual introduction of different methods. Beer said that many of the businesses he looks at are now at least combining the old username and password combination with something else — a fingerprint scan, voice print or temporary code for those cagey about sharing biometric info (or for companies unwilling or unable to secure it).
Ultimately, Beer said, the real path to killing the password is not technology, but education.
“We’re putting all the focus on technology and not thinking about explaining to people,” he said. “I would suggest that while technology is great, it needs to be accompanied by a significant awareness campaign to explain and support users as they go through these changes.”
Tsukayama writes for the Washington Post.