Microsoft is trying to kill the password, and it’s about time. This week, the company said the next test version of its stripped-down Windows 10 S operating system will strip out passwords as well, by default. If you go through setup as recommended, you’ll never get a password option.
But killing the password altogether will take more work and time, and the problem may get worse before it gets better.
Which is a shame. Passwords, we can surely agree, are the bane of modern digital existence. On a big-picture level, insecure passwords cause an estimated 80 percent of breaches, according to a 2017 report from Verizon. On a human level, they’re paralyzing; right when you need to access your utility bill, you can’t remember if you replaced the “a” with a 4 or an @ symbol. Or when, say, a missile alert has gone out to your entire state and you can’t find your password to give an all-clear.
Passwords have amassed their share of enemies. Microsoft’s latest move follows pushes from Apple, Google and others to shake up the old passcode and password system with fingerprint scans, face scans or temporary codes.
There’s no question, passwords aren’t adapting to a modern age. “It’s quite clear to us, that the era of the password is passing. Based on the significant amount of accounts that now exist, it doesn’t scale as a system,” William Beer, a principal at business management consultancy EY, said.
Microsoft has been waging a war on passwords for a while. Like others, it has poured effort into other types of authentication, namely biometric scans of your face or fingerprints; it introduced facial recognition unlocking for Windows PCs in 2015. It’s also built an app that you download onto your phone to provide an ever-changing code to act as your password.
“This relic from the early days of computing has long outlived its usefulness, and certainly, its ability to keep criminals at bay,” an official blog post from Microsoft said in December.
Now Microsoft’s edging even closer to pushing passwords off a cliff, at least in its lighter version of Windows, though it’s worth remembering that not every feature that gets tested in early versions of operating systems makes it to consumers.
But we don’t have a lot of time to work on a slow revolution. The way we handle security is about to hit an even bigger test.
One reason passwords are awful is that there are so many of them. Dashlane, a password manager company, found in a survey of its own customers that they have an average of 130 accounts with passwords.
And password overload is poised to get worse before it gets better. Technology companies are doggedly pushing into more areas of our lives by giving “smarts” to any item that can accommodate a chip, from your toilet, to your car, to your bed. Securing all of those gets messy, and it’s not remotely feasible to think that you could create a secure, unique password for every home appliance. It’s equally chilling to think that they are collecting very personal data, and how important it is to have that information secured.
Another big issue? Finding the perfect password is difficult, as it requires a unique balance of “easy to remember” and “hard to hack.” And then, you have to find that sweet spot over and over again. In the pursuit of safety, companies often require passwords to have a complex combination of capital letters, symbols and other requirements. But those requirements can actually cause people to reuse their complex passwords or refuse to change them once they’ve committed them to memory. Britain’s National Cyber Security Centre in 2016 actually recommended simplifying password requirements to encourage people to change them.
All of these issues point to a system that doesn’t work, and it makes sense for companies and people to get on the bandwagon to replace it.
Yet while there is widespread agreement that passwords are awful, they linger like roaches in the corners of our digital lives. Alternatives such as fingerprint scans, retinal scans, voice recognition and other technologies can be hard for companies, particularly non-tech companies, to implement well. Those solutions are also imperfect, as some pairs of twins can tell you. If something requires new costs to implement and is still flawed, many companies may stick with the devil they know. (Even Microsoft is simply proposing getting rid of passwords, and only on a light version of Windows, instead of replacing it with another security alternative.)
Plus, even when companies offer something more, it’s often difficult for people to get used to a new routine, Beer said.
Changing habits will require more effort such as those from Microsoft, and a slow introduction to different methods to change people’s habits. Beer said that many of the businesses he looks at are now at least combining the old username and password combination with something else: a fingerprint scan, voice print or temporary code for those cagey about sharing biometric info (or for companies unwilling or unable to secure them).
Ultimately, Beer said, the real path to killing the password is not technology, but education.
“We’re putting all the focus on technology and not thinking about explaining to people,” he said. “I would suggest that while technology is great, it needs to be accompanied by a significant awareness campaign to explain and support users as they go through these changes.”