In the last two weeks, the Petition Against Passwords movement launched by a group of US-based companies that sell password-less technology has been gaining widespread media attention across the world. Their mission is to collect every frustrated yell at forgotten passwords and make sure the organizations responsible hear them.

At the RSA conference in San Francisco early this year, James DeLuccia’s Passwords are dead created quite a buzz. At the conference, Zoho’s sister division ManageEngine demonstrated its Enterprise Password Management Solution, Password Manager Pro, and almost all the visitors to our stand quipped: “They are talking about the death of passwords and you are demonstrating password management!”

So, we hear the vox populi loud and clear: Clearly, people are fed up with passwords. With the proliferation of online applications, a variety of passwords occupy each aspect of our life. Remembering dozens of passwords is impossible; storing them only invites trouble and managing them manually is a pain. With high-profile security breaches involving stolen online identities, all of us want to be rid of passwords. So, when someone talks about replacing passwords, it’s only natural for people to get interested.

But the million-dollar question is: Do we have viable alternatives if passwords finally die?

Before going any further, here is some history on ‘death of passwords’:

For over a decade now, people have been discussing the death of passwords. At the same RSA conference in 2004, Bill Gates, the Chairman of Microsoft, predicted the death of passwords. In 2006, he said that the end of passwords was in sight. Not just Bill Gates, but many other luminaries and industry analysts have been predicting the death of passwords.

However, in reality, the predictions haven’t yet materialized. Passwords remain the most prominent method of authentication to date. Alternatives to passwords, such as biometric authentication, iris authentication, facial authentication, various forms of multi-factor authentication, and even authentication through items like watches, jewellery, and electronic tattoos, are all being discussed. Active research to formulate better alternatives is also under way.

However, none of the alternative approaches have been viable for various reasons. Firstly, passwords are very easy to create and are absolutely free, whereas the alternative models are mostly expensive, require additional hardware components, are difficult to integrate with the existing environment, and are not easy to use.

Interestingly, some of these alternative authentication methods have been cracked even before they could be adopted widely. A few years ago, a group of researchers defeated biometric facial authentication systems by using phony photos of legitimate users.

As of today, a viable replacement for traditional passwords is not in sight! We may get one in the future, though. But it will require considerable time for the new mechanism to be accepted and adopted. That means traditional passwords are not going to die anytime soon; they are going to be around for a while.

Passwords are not the problem; their management is

While raising our voices against passwords, we overlook the actual problem, which is poor password management. Because they cannot remember passwords, users tend to use and reuse simple passwords everywhere. Users store passwords in text files and on post-it notes, share credentials among team members, and pass them on over email or by word of mouth. Real access controls do not exist, and passwords of sensitive resources and applications remain unchanged for ages. Such bad password management practices invite security issues and other problems.

Use a password manager

While the research to find an alternative to passwords continues, it would be prudent to deploy a password manager to safeguard your data. With a password manager, you can secure all your passwords in a centralized repository; use strong, unique passwords without worrying about remembering them; automate and enforce password management best practices; control access to resources and applications; keep track of activities; and do much more.

If you are wondering which password manager to use, take a look at Zoho Vault.

  1. Daniel Potter

    Just fyi, ‘here to stay for long’ sounds like a construction by a non-native speaker. In the US, we would say more readily ‘here to stay for a long time’ or simply ‘here to stay’. We could also say ‘here for the duration’, ‘here for the foreseeable future’ is ok as well. ‘Here to stay, for now…’ could also work.
    Just some musings – ignore them if they bring nothing fruitful to you.
    Sincerely,
    Daniel

  2. Elodean

    Many of these new password alternatives DO use asymmetric key cryptography. CryoKey, for instance, makes use of freely available digital certificates. The problem is lack of recognition – sites have to accept the identities from these alternatives, and most of them are still bogged down by password inertia.

  3. Zoho

    Hi Devin,

    My point is that bad password management is the actual problem. Passwords themselves are not problematic. The most common grievance is the problem related to remembering passwords. Password Managers help enforce password management best practices while solving the problem of remembering credentials too.

    Yes, a password-less world would be good to have. When talking about replacement, many alternative technologies, including yours, are getting attention. I respect all your efforts and I don’t belittle any such innovation/invention. But these technologies will take years to gain wide acceptance and adoption before eventually “killing” passwords.

    The alternative technologies are generally not easy to use, expensive and require additional devices, while passwords are usable, free (or low cost) and very easy to create. The alternative technologies are not hassle-free. They also pose problems of portability, accessibility, usability, compatibility, scalability and so on. As of today, passwords are all-pervasive and are not likely to be ‘killed’ anytime soon. Good luck with your efforts!

    Thanks,
    Bala

  4. devin

    “Passwords are not the problem” yet you go on… “Due to the inability to remember passwords, users tend to use and reuse simple passwords everywhere.” How are passwords not the problem? Imagine if we didn’t have to remember ANY passwords. Zoho Vault should look at one of the password-less solutions and at the very least let users protect their passwords with a non-password factor. I recommend LaunchKey.
    Passwords and Password Managers are here for as long as we need to rely on them, but with the advent of alternative solutions we may see this space disappear. I am a co-founder of LaunchKey and can help with any integration Zoho would be interested in, just contact us!

  5. Osik

    Why don’t people just use RSA public/private key crypto? In ssh, passwords are no more.