It’s time to kill the password

It’s 2016. Password authentication should be dead — or at least close to dying. Unfortunately, it has not yet gone the way of the Quagga. Using password authentication is like laundering hotel guest linens with a washboard: it’s passé.
Over the past few years, there has been a never-ending deluge of data dumps. Though I’ve never had a business email address compromised, my favorite Gmail account joined the inner sanctum of “';--have i been pwned?” in late 2013. This hack was courtesy of the huge Adobe data breach that slapped down 153 million pwned accounts, consisting of internal IDs, usernames, email addresses, encrypted passwords (not properly hashed and salted), and plain text password hints.

Four months later, in February 2014, the same Gmail address was compromised again at the Forbes website when hacktivists from the Syrian Electronic Army compromised a Forbes WordPress admin account. The attack garnered usernames, email addresses, passwords, and user website URLs.

Your ISP is not immune from hackers either. In January, Time Warner Cable (TWC) suffered a data breach that may have affected up to 320,000 customers' email addresses and passwords. TalkTalk, a UK Internet service provider, was hacked three times in 2015 alone. The last hack nabbed 1.2 million email addresses.

The Linux Mint hack from last month netted another data dump that included email addresses, encrypted passwords, and personal information; shortly thereafter, the entire database was available on the Darknet for 0.1949 BTC ($85 USD).

I think that most of us can agree that the average Joe has minimal control over database security when registering an account at these sites. When we fill out registration information, create a password, populate our profile, and engage on these websites, security always sits on the chopping block. Aside from a few clues included in site policies, we really don’t know if the website is run by a neophyte or a security pundit.

Kill the password

SplashData’s fifth annual “Worst Passwords of 2015” list reveals that users are still putting their data and themselves at risk by using weak and easily guessed passwords.

Default passwords, never-changed passwords, shared passwords, and weak passwords will continue to haunt the threat landscape. Simple password authentication is not cutting it anymore, and data breaches are all too common now. The hackers get it; why don’t we?

For the most part, we prefer to continue relying on plain passwords for our online accounts. In light of the continuing rise of data-breaches and identity fraud cases, tech firms are addressing this issue in earnest, and are focusing on ways to strengthen and facilitate the password paradigm, or to have it replaced altogether. — Ben Dickson, Techcrunch

The W3C is working on ways to authenticate without a password. Under its “Web Authentication Working Group Charter”, the W3C wants to solve the password authentication problem by creating a client-side (browser) API that lets services use a pair of authentication keys to prove who you are based on the device trying to log in: the service keeps only the public key, and the device proves possession of the private key without ever sending it.

Matthew Warren, Professor of Information Systems at Deakin University, stated in a recent Sydney Morning Herald article: “Within the next decade, either passwords will not exist, or will be used with other forms of identification. Certainly the days of using passwords as the only single form of identification are numbered.”

With data breaches escalating, let’s hope that tech firms replace the washboards soon.

This post originally appeared at the Fortscale Insider Blog.


Expert Comment

Passwords are maddening. I use LastPass. Many of us have hundreds of passwords. And IT guys are going nuts enforcing the change-every-3-months rule. There must be a better way ... soon. Not in a few years. Banks are using authenticators. There are very simple rules to produce unhackable passwords, but there are stupid requirements: using an uppercase, a number, a symbol but not that symbol. Must be at least 6 characters long. It's all maddening and veering out of control. So good luck finding a solution now.

Thumb prints, retina scans, LastPass,

Interestingly, Amazon is the only company that has perfected the simple rule: you want me to buy, make it really easy. I don't think they have been hacked. So this can be done.

Author Comment

I use LastPass also, but even password managers can be vulnerable. I am hoping that an alternative comes along soon. I appreciate your insight bodywise :)

Expert Comment

by: Jaime Lewis
I just saw this article about Amazon implementing a photo/video password system. Pretty interesting stuff! It figures that an eCommerce site would be leading the internet security charge...

Expert Comment

by: Brian Matis
I hear ya! I hate passwords. I hate them so much. I hate them with the burning passion of a thousand suns. I'd use stronger phrasing, but I'm trying not to swear ;-)

I've seriously had panic attacks about passwords. I mean, they certainly made sense long ago, back when it was possible to count the number of systems you'd need them for on one hand, but now, it's absurd how many systems we need to login to on any given day and passwords are just a broken system for that sort of thing.

Just to count a few issues:
- I like Safari's built-in password generator system, but that doesn't help when I'm on my Windows system
- And what about mobile apps that need to login? Do any password systems like LastPass easily work with those?
- Every site seems to have its own special password restrictions, so as soon as you make up a decent method of creating unique passwords for each one, it inevitably won't work somewhere (what do you mean I can't use a dollar symbol!!? arghh!!!)

Expert Comment

by: William Nettmann
The Quagga is on its way back - maybe the password will survive as well!

Author Comment

Thank you all for your comments = passwords must die!
