In 1989, Daniel Klein carried out a study showing how weak passwords can be broken on Unix systems (https://www.klein.com/dvk/publications/passwd.pdf). It was already clear in the 1990s that passwords are a very problematic solution for authentication. In 2004, Bill Gates announced that passwords are dead (https://www.cnet.com/news/gates-predicts-death-of-the-password/), and many have followed since. However, look around! Your passwords are far from dead, and are still the most common form of authentication today, for both low and high security applications. In fact, you probably have many more passwords today than you did in 2004 when Gates announced their pending death.
The reality is that passwords are not going away any time soon. They have the advantage that they can be used from any machine and without the aid of any device. Are they a great solution security wise? Certainly not. Are they a great solution as far as usability goes? Again, certainly not (how much do you like remembering 30 passwords?). However, they work everywhere, are easy to deploy, do not require additional devices, and there is a massive infrastructure out there which is based on passwords. They are not going away any time soon.
It’s important for me to clarify what I am saying. Should passwords be dead? A most resounding yes! The fact is that not only are passwords vulnerable on the user side, they are even more vulnerable on the server side. The past few years have seen countless server breaches that leaked millions of passwords. This means that there is great motivation to remove passwords. However, I have heard about the death of passwords so many times that I just don’t believe it’s going to happen. Some of the alternatives to passwords, like OTP devices and smartcards, are very secure but are not suitable for the vast majority of business cases; out-of-band authentication using an OTP sent by SMS is vulnerable to hijacking; phone-as-a-token approaches are weak since mobile phones are inherently insecure devices; and password managers and single sign-on solutions introduce a very dangerous single point of failure (as all passwords are centralized in a single place). There is room for all of the above alternative solutions, and they are used. But this does not mean that passwords are dead or even dying.
Having accepted that passwords are here to stay, I believe that the biggest challenge is learning how to live with them. The biggest threat to passwords in 2016 is their theft from the authentication servers inside networks. This is a problem that can be solved, and more effort must be made to do so. The standard solutions of salting and iterated hashing are not good enough: once the hashed database is stolen, the attacker's guessing is offline and limited only by the compute they can bring, and a large fraction of user-chosen passwords fall to dictionary and rule-based guessing well within that budget. Salting only prevents precomputed tables and batch cracking; iteration only raises the cost per guess by a constant factor. Brute force attacks on hashed passwords are therefore terrifyingly effective, and industry needs better solutions. Note that accepting that passwords are not going anywhere is important since it enables us to accept that we need to invest in protecting them. Of course, industry must also search for solutions that provide better password security on mobiles, laptops and so on. Such solutions can be found, and Unbound has developed a solution for protecting passwords both on authentication servers and on end-user devices.
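To make the point above concrete, here is an added example (written for this page, not Unbound's code or any product described here) of an offline dictionary attack against a leaked, salted, iterated password database. It assumes the server stores PBKDF2-HMAC-SHA256 with a per-user random salt and 20,000 iterations (a lower count than a real deployment would use, chosen so the demo runs quickly), and uses a constructed six-word wordlist with a few mangling rules. The user records and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Assumption: server stores PBKDF2-HMAC-SHA256 records; iteration count kept low so the demo runs in seconds.
ITERATIONS = 20_000


def hash_password(password, salt, iterations=ITERATIONS):
    """Server-side hash: salted, iterated PBKDF2 over the UTF-8 password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password):
    """What the server writes to its user table: (random 16-byte salt, hash)."""
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


def verify(password, salt, digest):
    """Server-side login check, constant-time compare on the digest."""
    return hmac.compare_digest(hash_password(password, salt), digest)


# Attacker side. Constructed wordlist; a real attack would use millions of leaked passwords.
WORDLIST = ["password", "letmein", "qwerty", "summer", "welcome", "dragon"]
SUFFIXES = ("1", "123", "!", "2016")


def candidates(wordlist=WORDLIST):
    """Simple mangling rules: base word, capitalised, and each with a common suffix."""
    for w in wordlist:
        yield w
        yield w.capitalize()
        for suffix in SUFFIXES:
            yield w + suffix
            yield w.capitalize() + suffix


def crack(salt, digest, wordlist=WORDLIST, iterations=ITERATIONS):
    """Offline guessing against one leaked record.

    The salt is in the stolen record, so it does not hide anything; it only forces
    the attacker to recompute each guess per user instead of reusing a lookup table.
    Returns (recovered password or None, number of guesses hashed).
    """
    tried = 0
    for cand in candidates(wordlist):
        tried += 1
        if hmac.compare_digest(hash_password(cand, salt, iterations), digest):
            return cand, tried
    return None, tried


def demo():
    """Simulate a breach: two constructed user records, then run the attack on each."""
    leaked = {
        "alice": make_record("Summer2016"),      # constructed weak password: word + year
        "bob": make_record("xk7#Qp!vR2zL9e"),    # constructed strong password, not in any wordlist
    }
    # Sanity check that the server-side verification works before "stealing" the table.
    assert verify("Summer2016", *leaked["alice"])
    return {user: crack(salt, digest) for user, (salt, digest) in leaked.items()}


if __name__ == "__main__":
    for user, (pw, guesses) in demo().items():
        status = f"cracked as {pw!r}" if pw else "not cracked"
        print(f"{user}: {status} after {guesses} guesses")
```

Alice's password falls on the 40th guess even though it is salted and iterated; Bob's survives only because it is outside the wordlist, not because of anything the server did. Raising the iteration count to a realistic value multiplies the attacker's cost by the same constant factor it multiplies the server's, which is exactly why hashing alone does not close the gap.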
In addition to the above goal, we need to continue pursuing the goal of finding alternative authentication mechanisms that can replace passwords. At Unbound, we are also involved in this effort, and our focus is on solutions that do not require additional hardware but can provide a comparable level of security.
Unbound believes in pursuing a combined strategy: (1) providing better protection of passwords on both the user and server ends, with the understanding that in many cases they will remain, and (2) designing new solutions with both high usability and high security that can replace passwords where possible.
Passwords are not dead and will not die any time soon. Let’s do what we can to make the world tolerable with them.