Passwords: I think we’re going the wrong way

It was a little over 5 years ago that I penned one of the most popular articles on this blog. In the article, I said that the entire idea of passwords was broken and I didn’t know how to fix it. In the meantime, I think it’s been proven that no one else knows how to fix it either. I’ll say, in fact, that the state of passwords is probably worse than it’s ever been, despite all the advances that have been made in the last half-decade. It seems like every step forward for security has made it worse for the user. Here, I’ll prove it.

Two-factor authentication using text messages

This was a pretty new thing in the mid-’10s, but everyone uses it today. You know what I’m talking about here. You go to log into a web site and it wants to send a code to your phone. Once you get the code, you can continue. There are two problems with this. The first is that it doesn’t always work, and it leaves you pushing “resend” over and over again. The second is that it’s categorically useless if someone steals your phone. They have access to your saved passwords, and they also have a way to get the code. This, my friends, is not an improvement.

Authenticator apps really stink

One thing that most of us who work have started dealing with is “authenticator apps.” Again, this is an app on your phone. Instead of getting a text message (which is insecure), you have to get a code off the app, or tap something to authenticate. I don’t know about you, but this is a lot of hassle for me. Sometimes my authenticator apps need me to log in again, and then I have to get a code from, uh, the authenticator app? It’s a rabbit hole of wasted time. Plus, while there are a few ways to aggregate most of your accounts into one authenticator app, most of us don’t do it. I’ve got four apps on my phone right now just to get my logins covered.

Password managers obviously aren’t the answer

Just a couple of months ago, LastPass revealed that they had been hacked. If you used LastPass, you probably panicked and changed several hundred passwords. I wasn’t affected personally, but I know people who were. I’ve not heard of anyone who actually had a real problem, but it was a sign that password managers have a problem. If someone gets the master password for one, they have access to every password in it. I’m sure this will be addressed by (you guessed it) making you get a code on your phone when you log in to your password manager.

Password change policies are making it worse

Conventional wisdom today is that you should change every password every three months. Some companies enforce this, and here’s what happens: people get lazy. They don’t create innovative, strong passwords. They re-use the same ones over and over again with numbers added to them. Making people change passwords is making things less secure, I’m sure of it.
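As an added illustration (not the author's code), here is the kind of check a defender can run at password-change time to catch exactly the habit described above: the old password with a number bumped or a character tacked on. The sample passwords are constructed, and SHA-256 stands in for the slow password hash a real system would use.

```python
import hashlib
import re
from typing import Iterable, Optional

# Constructed sample data (not real credentials): a user who "rotates" by
# bumping a trailing number, as the post describes.
CURRENT_PASSWORD = "Spring2024!"
OLD_PASSWORDS = ["Winter2023!", "Winter2023!1"]

def normalize(pw: str) -> str:
    """Case-fold and drop every digit, so 'Summer23' and 'SUMMER24' compare equal."""
    return re.sub(r"\d", "", pw).casefold()

def derived_from_current(candidate: str, current: str) -> bool:
    """Plaintext rule: both values are known at change time, because the user
    proves the current password before choosing a new one."""
    if normalize(candidate) == normalize(current):
        return True
    # Same password with at most two characters added or trimmed at the end.
    shorter, longer = sorted((candidate.casefold(), current.casefold()), key=len)
    return longer.startswith(shorter) and len(longer) - len(shorter) <= 2

def hash_pw(pw: str) -> str:
    # Placeholder so the example runs offline; a real password-history store
    # would use a slow, salted hash such as argon2 or bcrypt instead of SHA-256.
    return hashlib.sha256(pw.encode()).hexdigest()

def candidate_variants(candidate: str) -> Iterable[str]:
    """Forms of the candidate worth testing against stored history hashes."""
    forms = [candidate, re.sub(r"\d+$", "", candidate),
             re.sub(r"^\d+", "", candidate), re.sub(r"\d", "", candidate)]
    return [f for i, f in enumerate(forms) if f and f not in forms[:i]]

def in_hashed_history(candidate: str, history_hashes: set) -> bool:
    """Older passwords exist only as hashes, so test the stripped variants against them."""
    return any(hash_pw(v) in history_hashes for v in candidate_variants(candidate))

def check_new_password(candidate: str, current: str, history_hashes: set) -> Optional[str]:
    """Return a rejection reason, or None when the candidate is acceptable."""
    if derived_from_current(candidate, current):
        return "new password is the current one with only numbers or a short suffix changed"
    if in_hashed_history(candidate, history_hashes):
        return "new password is a previous password with numbers added or removed"
    return None

if __name__ == "__main__":
    hashes = {hash_pw(p) for p in OLD_PASSWORDS}
    for cand in ["Spring2025!", "Spring2024!!", "Winter2023!12", "correct horse battery staple"]:
        print(cand, "->", check_new_password(cand, CURRENT_PASSWORD, hashes) or "ok")
```

Only the first three candidates are rejected; the unrelated passphrase passes both rules.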

Strong passwords are great but…

Clearly you would have to be some sort of savant to be able to remember even one “strong” password. You know the kind I’m talking about here. Like “x45WG3ds^!F*lst9934” or something like that. So, naturally, you’re going to use a password manager, and then, of course, that password manager is going to get hacked (see above).

One reasonably good option: biometrics

Of all the security options, biometrics seem the most promising. Apple, specifically, has very good success with fingerprint and face identification. They took a bit of a gut punch a few years ago after eliminating fingerprint ID in favor of face ID, though. See, if people are wearing masks, it’s a little harder to use face ID. Surprisingly they did find a good way around that.

Unfortunately, no one else is doing biometrics quite as well. A lot of biometric systems are easily hacked and Apple is the only one doing passably good biometrics in consumer computers. So while this is a good option, it ties you to one company more or less.

I still don’t know the right answer, but it’s pretty clear we all know the wrong ones.

There has to be some way of identifying you that preserves your privacy, is largely unhackable, and doesn’t introduce a lot of annoyance into the process. The idea of some sort of implant doesn’t seem so far-fetched, but privacy advocates might not like that one bit. It’s also not foolproof, as an enterprising thief could just hold you down and dig it out. That’s pretty unpleasant, right?

It seems to me that the only path forward is to continue to work with companies like Google, Microsoft, and Apple to develop better tools for screening malware and protecting data. If the systems themselves were more secure, the password process wouldn’t have to be. But, this requires putting a lot of trust in these organizations and they themselves could be hacked too.

All I can tell you is that if the last five years are any indication, it’s going to just get harder and more annoying. And frankly, I’m not looking forward to it.

About the Author

Stuart Sweet
Stuart Sweet is the editor-in-chief of The Solid Signal Blog and a "master plumber" at Signal Group, LLC. He is the author of over 10,000 articles and longform tutorials including many posted here.