
Should We Break Up With Our Passwords?

A treatise on passwordless systems of authentication
July 31, 2015

For security-conscious people, a password is like an illicit affair. You keep it as secret and hidden as you can, making sure nobody is looking when you give it the proverbial kiss by typing it in. Your password is woven in complication and secrecy, in desperate hopes that nobody unearths it.

The security unconscious

Or, those who don't care about their passwords

Others, though, are much more open about their passwords. For these people, a password is a flippant thing, almost like a casual acquaintance, and they don’t have a care in the world who knows about it. These folks, I might add, are often at the most risk of identity theft, since their passwords are usually easy to see or even just guess.

I’m talking about you folks who think a password like “123,” “3k3k3l,” or “3lk3lk3j” is secure. Those aren’t secure passwords, and Time’s John Patrick Pullen has pointed out how easy passwords are to hack. Pullen stresses, “If you can remember it, someone else can figure it out.” I’m not sure I completely agree with him, but something needs to change because our security is getting worse instead of better.

The problem with passwords

Like the trouble with Tribbles, only different

Identity theft is a huge threat nowadays, and it’s only growing in prevalence. To help fight the problem of the hacked password, many companies are suggesting the security measure be thrown completely out the window. A recent article from ReadWrite notes that streamlined blogging platform Medium has begun using a new login process that ditches the password in favor of a temporary login link emailed or texted to you. Aldrin Calimlim also discussed the move in a recent AppAdvice article.

They’re hard to remember or easy to guess, everyone reuses them (even though they know they shouldn’t), and they’re a pain to type on mobile. They don’t even keep you that safe.

- How To Kill The Password: Don't Ask For One

Medium’s Jamie Talbot points out the inherent problem with passwords that are either too simple or too complex.

Talbot is absolutely right. Passwords can be hacked, either through brute force, random guessing, or social engineering.

Companies like 1Password, Passible and LastPass have made a mint on hiding and managing passwords behind a master passphrase, but is it time to just break up with that old-fashioned security measure altogether?

Security for the future

Passwordless authentication

We have more ways to secure our logins now. For instance, the rise of Touch ID and similar technology on other mobile platforms makes for an excellent alternative to the password. Nobody can guess your fingerprint, but there is one chink in the armor, at least when it comes to iOS. After a reboot, the iPhone or iPad doesn’t use Touch ID for the first unlock. Instead, it defaults to a four-digit passcode, which is pretty easy to hack. That’s the reason behind iOS 9 making the wise suggestion to use a six-digit code instead.

The Touch ID technology Apple uses in its iPhones and iPads is an example of passwordless authentication.


Would our online lives be more secure if everything moved to a security system like the one Medium has rolled out? Medium’s system sends a temporary login link to your email or mobile number. This token is virtually impossible to hack, and lends much more security than a password alone. On the other hand, there is a level of inconvenience in needing to switch to your email or phone in order to get logged into your Web page.

What should we do?

The future of authentication

Inconvenience aside, something needs to change to prevent the rash of problems ranging from hijacked Facebook accounts to stolen credit card numbers. If you trust Google or Facebook to secure you, those services can all be used to log into other Web pages, and those “master authentication” services should adopt the passwordless system of sending login tokens instead.