June 6, 2016

It's Time To Rethink The Password. Yes, Again

Every few months, another prominent person in software security suggests that the password needs to be done away with—and they invariably say it as though it's a new idea. In reality, the security community has effectively agreed for more than a decade that passwords are no longer sufficiently secure to protect the sensitive data they are tasked with protecting.

And yet, just like the proverbial bad penny, passwords keep coming back. And even when a password-replacement security mechanism does gain some traction—consider the biometric authentication systems (fingerprint scanners) in almost all current smartphones—it invariably defaults back to passwords. Passwords: can't live with 'em and can't live without 'em.

Quick reminder: the password weakness can be summarized simply. Strong passwords (very long, with upper- and lower-case characters, no dictionary words, lots of %&* and even a few |{[)+$~`;) are rarely used and tend to be written down by consumers, which is both understandable and absurd at the same time.

Google is the latest to make a serious-sounding attempt to do away with passwords. At its Google I/O event last week, Google talked about its ongoing Project Abacus venture, which is essentially Google's attempt to go completely biometric—albeit creatively—to replace passwords.

"With Project Abacus, users would instead unlock devices or sign into applications based on a cumulative 'Trust Score.' This score would be calculated using a variety of factors, including your typing patterns, current location, speed and voice patterns, facial recognition, and other things. It runs in the background on your device to continually collect data about you to form its Trust Score," wrote TechCrunch. "This score is basically about how confident it is that you are who you say you are. If your score isn’t high enough, apps could revert back to asking for passwords. ATAP had also said previously that apps could require different Trust Scores. For example, your bank might require a higher score than a mobile game."

Even Google's best effort still defaults back to passwords—just as the authentication efforts of Android and iOS smartphones do. From a practical perspective, that makes perfect sense. From a secure authentication perspective, it makes no sense.

Let's say that you are a cyberthief and you want to steal banking information from Victim 9204. You have tracked the suspect to the Starbucks they typically frequent, have gotten yourself a nearby table (fully-disguised, of course, as there are security cameras everywhere) and are prepared to make your move, the instant opportunity presents itself. Your victim leaves her phone at the table as she goes to the counter to get more napkins. You swoop in, grab her phone and are out the door before she even notices.

Worst-case scenario: Even if the victim notices the phone missing right away and immediately assumes it's been stolen, it will take her a few minutes to get someone else to let her use their phone to call the police. Assuming she has the presence of mind to contact Apple—we did say that this was a worst-case scenario—the thief knows it will be several minutes before the victim can get through, authenticate herself and get Apple to attempt a remote wipe. That is how long you have to do your thief-ish magic. Realistically, you probably have more time than that, but try to get your work done in seven minutes.

The biometrics could thwart you effectively during that time, but there's no need for you to worry. Simply fail authentication a few times and the device will fall back on a simple passcode—which you already shoulder-surfed from your victim days ago. (Thank goodness, from the thief's perspective, that 4-digit PINs are still permitted. Consumers—and thieves worldwide—can't get enough of 4-digit PINs.)

Then there's that pragmatism part. Biometrics are far from perfect and they need to have a viable backup. But given the complexity of Google's approach, why not allow other biometrics to be used? Why not have well-staffed call centers be able to ask questions? (Too expensive.) Why not a video conversation?

The point is that authentication will be only as strong as its default backup method. The response to this is to keep using passwords—which have one (and only one) saving grace: they do tend to work, albeit in a stunningly insecure manner—until the industry is sufficiently confident in biometric replacement methods.
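As an added illustration (not code from the column, and not Google's or Apple's actual policy), the following Python models the point above as a weakest-link check over an authentication fallback chain. Every figure in it is an assumed, constructed number: the guess spaces, the attempts allowed before lockout, and the 1-in-50,000 per-attempt false-accept rate used to stand in for a fingerprint reader.

```python
# Added example: weakest-link model of an authentication chain whose strong
# primary factor (biometric / trust score) falls back to a weaker secret once
# the primary fails. All numbers below are assumed, constructed figures.
from __future__ import annotations
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Method:
    name: str
    guess_space: float            # secrets an attacker must try on average (assumed)
    attempts_before_lockout: int  # online attempts allowed before lockout/wipe
    fallback: Method | None = None
    compromised: bool = False     # True if the secret is already known (shoulder-surfed)


def guess_probability(m: Method) -> float:
    """Chance an attacker beats this method alone within its lockout budget."""
    if m.compromised:
        return 1.0
    return min(1.0, m.attempts_before_lockout / m.guess_space)


def chain(m: Method) -> list[Method]:
    """Primary method followed by every fallback it can be forced into."""
    out, cur = [], m
    while cur is not None:
        out.append(cur)
        cur = cur.fallback
    return out


def weakest_link(m: Method) -> tuple[str, float]:
    """An attacker can reach the fallback simply by failing the primary on purpose,
    so the whole chain is only as strong as its most guessable member."""
    return max(((x.name, guess_probability(x)) for x in chain(m)), key=lambda t: t[1])


def strength_bits(p: float) -> float:
    """Effective strength expressed as bits (log2 of the attacker's odds)."""
    return math.inf if p == 0 else -math.log2(p)


def audit(m: Method, max_probability: float) -> list[str]:
    """Defender-side policy check: names every method in the chain whose odds of
    being guessed exceed the ceiling the app wants to enforce."""
    return [x.name for x in chain(m) if guess_probability(x) > max_probability]


# Constructed sample policies. Biometric false-accept rate assumed 1 in 50,000 per try.
PIN4 = Method("4-digit PIN", guess_space=10_000, attempts_before_lockout=10)
CONSUMER_DEFAULT = Method("fingerprint", guess_space=50_000,
                          attempts_before_lockout=5, fallback=PIN4)

PIN6 = Method("6-digit PIN", guess_space=1_000_000, attempts_before_lockout=10)
LONGER_PIN = Method("fingerprint", guess_space=50_000,
                    attempts_before_lockout=5, fallback=PIN6)

SURFED_PIN = Method("fingerprint", guess_space=50_000, attempts_before_lockout=5,
                    fallback=Method("4-digit PIN", 10_000, 10, compromised=True))

if __name__ == "__main__":
    for label, policy in [("consumer default", CONSUMER_DEFAULT),
                          ("longer PIN", LONGER_PIN),
                          ("shoulder-surfed PIN", SURFED_PIN)]:
        name, p = weakest_link(policy)
        print(f"{label:20s} weakest={name:12s} p={p:.1e} (~{strength_bits(p):.1f} bits)"
              f" flagged={audit(policy, 1e-4)}")
```

Run as a script, it shows the column's argument in numbers: with the assumed figures, the fingerprint reader holds an attacker to roughly 1-in-10,000 odds, but the 4-digit fallback raises the chain's odds to 1-in-1,000, and a PIN the thief already watched being typed makes the biometric irrelevant. The `audit` helper is the check a policy reviewer would want: it flags any backup method weaker than the ceiling, since that backup, not the primary, sets the real strength.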

Consider this: This is precisely the approach every thief wants the industry to take. That should tell us everything we need to know.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for RetailWeek, Computerworld and eWeek, and his byline has appeared in titles ranging from BusinessWeek, VentureBeat and Fortune to The New York Times, USA Today, Reuters, The Philadelphia Inquirer, The Baltimore Sun, The Detroit News and The Atlanta Journal-Constitution.
