We cannot let passwords die (yet)

Author: Colin Robbins


I’m getting fed up with marketing that says “Passwords must die” only to present yet another solution that won’t replace them.


The challenge to solve is ubiquity – this is why passwords have stood the test of time, even with their obvious and proven shortcomings.

Don’t get me wrong, there are lots of great technologies vying to replace them: two-step verification, two-factor authentication (2FA), passcode generators, grids, biometrics, phone apps, reputation validation etc. (sorry if I missed your favourite).

But they are largely point technologies that need to plug into a wider solution.

I use a password manager with over 100 systems that I sometimes use registered in it, each with a unique password, and most with a randomly generated one.

To replace these passwords with any of these “great technologies” requires ubiquity; otherwise I end up with 5 systems using one approach, 10 using another, 2 yet another and the rest stuck on passwords. (I am sort of already in that mess, with the accounts I really care about using some form of 2FA – some SMS, some Google Authenticator, and some bespoke apps).

My belief is that until we get authentication-as-a-service, where I can log on once (without a password) and this then brokers authentication to all 100+ systems, we’ll be stuck with passwords on the systems I care about least: having different / disjointed “better” solutions will just make life harder. The security / ease of use balance will fail.

There are developments in this area – I can log on to some sites with my Google / Facebook / Twitter credentials, but at the cost of conceding privacy, and even these are not universal, nor is the trust. There have been projects such as OpenID, but progress towards widespread adoption seems slow. Whatever happened to CardSpace!?!

So please, when promoting your latest and greatest password killer, tell me how you will deploy it in the mass market. I don’t care about homogeneous point solutions; they will not kill the password.


About the author

Colin Robbins is a Principal Security Consultant, leading customer-funded research activities in secure interoperability and information exchange. He has specific technical interests in the Single Information Environment and Data Centric Security, as well as the processes of security, such as Secure by Design and Information Security Management Systems (ISMS). He is a Fellow of CIISec, and a former NCSC certified Security and Information Risk Adviser (Lead CCP).
