Microsoft is trying to kill the password, and it’s about time. This week, the company said the next test version of its stripped-down Windows 10 S operating system will strip out passwords as well, by default. If you go through setup as suggested, you’ll never get a password option.
But killing the password altogether will take more work and time — and the issue may get worse before it gets better.
Which is a shame. Passwords, we can certainly agree, are the bane of modern digital existence. On a big-picture level, insecure passwords cause an estimated 80% of breaches, according to a 2017 report from Verizon. On a human level, they’re paralyzing; right when you need to access your utility bill, you can’t remember if you replaced the “a” with a 4 or an @ symbol. Or when, say, a missile alert has gone out to your whole state and you can’t find your password to give an all-clear.
Passwords have amassed their share of enemies. Microsoft’s latest move follows pushes from Apple, Google and others to shake up the old passcode and password system with fingerprint scans, face scans or temporary codes.
There’s no question passwords aren’t adapting to a modern age. “It’s quite clear to us that the era of the password is passing. Based on the compelling amount of accounts that now exist, it doesn’t scale as a system,” William Beer, a principal at the business management consultancy EY, said.
Microsoft has been waging a war on passwords for a while. Like others, it has poured effort into other kinds of authentication, namely biometric scans of your face or fingerprints — it introduced facial recognition unlocking for Windows PCs in 2015. It has also built an app that you download onto your phone to provide an ever-changing code to act as your password.
“This relic from the early days of computing has long outlived its usefulness, and certainly, its capability to keep criminals at bay,” an official blog post from Microsoft said in December.
Now Microsoft is edging even closer to pushing passwords off a cliff, at least in its lighter version of Windows — though it’s worth remembering that not every feature that gets tested in early versions of operating systems makes it to customers.
But we don’t have a lot of time to work on a slow revolution. The way we handle security is about to hit an even larger test.
One reason passwords are appalling is that there are so many of them. Dashlane, a password manager company, found in a survey of its own clients that they have an average of 130 accounts with passwords.
And password overload is poised to get worse before it gets better. Technology companies are doggedly pushing into more areas of our lives by giving “smarts” to any item that can accommodate a chip — from your toilet to your car to your bed. Securing all of those gets messy, and it’s not remotely realistic to think that you could make a secure, unique password for every home appliance. It’s equally chilling to think that these devices are collecting very personal data, which makes it essential to have that information secured.
Another big problem? Finding the perfect password is difficult, as it requires a unique balance of “simple to remember” and “hard to hack.” And then you have to find that sweet spot over and over again. In the pursuit of safety, companies often require passwords to have a complex combination of capital letters, symbols and other requirements. But those requirements can actually cause people to reuse their complex passwords or refuse to change them once they’ve committed them to memory. Britain’s National Cyber Security Centre in 2016 actually recommended simplifying password requirements to encourage people to change them.
All of these problems point to a system that doesn’t work, and it makes sense for companies and people to get on the bandwagon to replace it.
Yet while there is widespread agreement that passwords are awful, they linger like roaches in the corners of our digital lives. Alternatives such as fingerprint scans, retinal scans, voice recognition and other technologies can be hard for companies — particularly non-tech companies — to implement well. Those solutions are also immature, as some pairs of twins can tell you. If something requires new costs to implement and is still flawed, many companies may stick with the devil they know. (Even Microsoft is simply proposing getting rid of passwords, and only on a light version of Windows, instead of replacing them with another security alternative.)
Plus, even when companies offer something more, it’s often difficult for people to get used to a new routine, Beer said.
Changing people’s habits will take more efforts such as those from Microsoft, and a slow introduction to different methods. Beer said that many of the businesses he looks at are now at least combining the old username and password combination with something else — a fingerprint scan, a voice print or, for those cagey about sharing biometric info (or for companies unwilling or unable to secure such keys), a temporary code.
Ultimately, Beer said, the real path to killing the password is not technology but education.
“We’re putting all the focus on technology and not thinking about explaining to people,” he said. “I would suggest that while technology is great, it needs to be accompanied by a significant awareness campaign to explain and support users as they go through these changes.”