The Time for Passwords Came … and Went

After struggling with every combination of your name and your birth year for the perfect username, you’re probably used to this welcoming you on every website you join:

Password must contain:

  • One aquatic animal
  • Your favorite color
  • Three uppercase letters minus the number of lowercase letters, unless it’s Tuesday
  • Your mother’s maiden name
  • Take the number of siblings in your family divided by two and add special characters to it
  • The name of the restaurant you ate at after winning the science fair

Let’s face it, like the AMC Gremlin and not putting seat belts in cars, passwords are outdated. The first computers did not have passwords. Tomorrow’s computers won’t have them, either. And good riddance.

We have come a long way in the development of computer systems and hardware. The first computers were in controlled locations and were only available to an elite handful of people. While the combination of physical and implicit social control was enough at first, as the number of users grew, those connections weakened and the incentive to abuse the system grew. And so the password was born. But just like with baby names, the chances of two people picking the same password were relatively high, and simply identifying people by them wasn’t enough. This is where those (sometimes embarrassing, always telling) usernames came into play, offering a unique “combination lock” on any computer or internet user’s personal information.

Enter Your Password

Computer passwords were introduced in 1960, when no one was trusting a machine to authenticate anything, not even MIT. However, computers and systems continue to advance and, while there was a time when password systems had a hard physical limit on how often a person could try to guess, now we have computers that can try to enter passwords on other computers, automated form-filling apps, and more.

Reset Your Password

Computers and services have become ubiquitous. We’ve tried to take back control by setting different passwords for different platforms. This has left us with an average of 191 passwords per person. Even if you are geeky enough to know about passphrases and the XKCD comic, remembering 191 passwords is an unreasonable task. Most people have found themselves repeating the same bad habit of reusing them. As a consequence, if those passwords are lost or stolen, every service they are being used for is now at risk. But, every problem presents a business opportunity—in this case, for the rise of password managers to cache all usernames and passwords and lock them behind a single, all-encompassing password. The obvious downside? If your manager gets compromised, so do all your accounts. This master passphrase is very valuable. But, at least you only have one. And from a security perspective, it is far better than reusing passwords. Besides, how many times can you reconfigure your mom’s birthday and the street you grew up on?

We can either change people:

Or, we can all brace ourselves for the inevitable and accept that the current model is broken and beyond repair.

Information technology has undergone truly radical changes since usernames and passwords were invented. Are they really the best solution? Is “Well, that’s the way we’ve always done it” a compelling reason not to do better? After all, that was the same logic applied to VHS tapes and shag carpeting, and look where those ended up.

Forget Your Password

Today, most people have more than one computer, far more powerful than any earlier machine—computers so powerful that they are capable of inventing passwords better than any human can come up with, making the chance of two computers creating the same one virtually impossible.

We carry these devices on us at all times, whether we’re using our smartwatches, smartphones or tablets. The problem with so-called 2FA is that it makes our passwords and usernames less user-friendly. So what about this: What if we do away with the old song and dance that is our existing model as we know it and let our devices do the authentication? Well, this is the very premise of key-based authentication.

Essentially, key-based authentication is what it sounds like. Think of your server as a locked door. If a password is a traditional metal key, then key-based authentication is a passcode on the door. Key-based authentication uses asymmetric cryptography to confirm your identity: your device proves that it holds a private key, rather than sending a shared secret that the server also has to store.

Key-based authentication = NO. MORE. PASSWORDS. 🤯

“What about theft?” I’m glad you asked. A simple PIN in this scenario will suffice, since with most devices there is physical control over the actual number of attempts someone can make. Furthermore, every device will generate its own unique key, like a thumbprint! No two devices are the same. Every key will be less valuable in the best of all ways: They can be revoked when necessary and regenerated upon demand.
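To make the two preceding ideas concrete (asymmetric keys standing in for passwords, and per-device keys that can be revoked and regenerated), here is an added example that is not part of the original post and not Vereign’s code. It assumes a minimal in-memory server with a `Register` / `Challenge` / `Verify` / `Revoke` API (names chosen for this illustration) and uses Go’s standard-library Ed25519. The private key never leaves the `Device` value; the server stores only public keys, so a breach of the server’s registry reveals nothing a thief could log in with.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Server is a constructed, in-memory stand-in for an account database.
// It maps user -> deviceID -> registered public key. No secrets are stored here.
type Server struct {
	devices map[string]map[string]ed25519.PublicKey
}

func NewServer() *Server {
	return &Server{devices: map[string]map[string]ed25519.PublicKey{}}
}

// Register stores a device's public key under the user. This is the
// "enrolment" step; the matching private key stays on the device.
func (s *Server) Register(user, deviceID string, pub ed25519.PublicKey) {
	if s.devices[user] == nil {
		s.devices[user] = map[string]ed25519.PublicKey{}
	}
	s.devices[user][deviceID] = pub
}

// Revoke forgets one device's key, e.g. after the device is lost or stolen.
// Other devices belonging to the same user are unaffected.
func (s *Server) Revoke(user, deviceID string) {
	delete(s.devices[user], deviceID)
}

// Challenge issues a fresh random nonce. Because each login signs a new
// nonce, a captured signature cannot be replayed later.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return nonce, nil
}

// Verify accepts the login only if the signature over the challenge
// checks out against the key registered for that exact device.
func (s *Server) Verify(user, deviceID string, challenge, sig []byte) error {
	pub, ok := s.devices[user][deviceID]
	if !ok {
		return errors.New("unknown or revoked device")
	}
	if !ed25519.Verify(pub, challenge, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Device holds the private key. On real hardware this would sit behind the
// PIN / secure element the post mentions; here it is just a struct field.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// NewDevice generates a unique key pair for this device (the "thumbprint").
func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

func (d *Device) Public() ed25519.PublicKey {
	return d.priv.Public().(ed25519.PublicKey)
}

// Sign answers a challenge. The signature proves possession of the private
// key without ever transmitting it.
func (d *Device) Sign(challenge []byte) []byte {
	return ed25519.Sign(d.priv, challenge)
}

// Login runs the full exchange: server challenge -> device signature -> server verify.
func Login(s *Server, user string, d *Device) error {
	c, err := s.Challenge()
	if err != nil {
		return err
	}
	return s.Verify(user, d.ID, c, d.Sign(c))
}

func main() {
	s := NewServer()
	phone, _ := NewDevice("phone")
	s.Register("alice", phone.ID, phone.Public())
	fmt.Println("login before revoke:", Login(s, "alice", phone))
	s.Revoke("alice", phone.ID) // phone reported stolen
	fmt.Println("login after revoke: ", Login(s, "alice", phone))
}
```

Run it with `go run .` to see the first login succeed and the second fail after revocation. The design point is the one the post makes: losing a device costs you one key, which you revoke and replace, instead of one secret that was shared with every service you use.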

The result is security far beyond what is commonplace today, but with dramatically improved usability. All it takes is for the industry to finally take the step and let usernames and passwords rest in peace.

Georg Greve

Georg Greve is the Co-founding Chairman and Head of Product Development at Vereign. Georg is also a software developer, physicist, and entrepreneur, with two decades of experience working closely with Red Hat, IBM, and Google as well as the United Nations, European Commission and various countries. His interest in information security dates back even further. He previously worked on the secure messaging platform Kolab, and as Founding President of the Free Software Foundation Europe (FSFE), where he received the German Federal Cross of Merit on Ribbon for his groundbreaking work on Open Standards and Free Software.