The Password is Dead?

The password is dead, or at least that was what Bill Gates proclaimed in 2004. Since then, the password has been declared defunct many times by industry leaders and pundits. Death knells for the much-maligned but much-used password have now reached a frantic level. Despite the strident proclamations of their demise, passwords are nowhere near dead. In fact, they’re just getting warmed up.

From Whence They Came

Access control is as old as civilization itself. As soon as value was created, ways to protect that value were invented. Physical keys to unlock chests and doors were developed. Ciphers that used secret, knowledge-based keys to protect valuables evolved. As civilization grew, we began to use challenge-response passphrases to identify friend or foe for defensive purposes. Roman watch commanders, Tesserarius (from tesserae, small fragments of ceramic on which watchwords were written), used them to securely disseminate military orders.

With the advent of computers, it was very natural to use the concept of something a user knows to grant access to confidential data. And after thousands of years of use and evolution, the venerable password persists and constitutes the primary means of authentication for 99% of all computerized access.

Passwords are Alive and Well

The truth is, passwords are deeply ingrained in the habits of users and have many attractive qualities as an authentication technology. They do not require training, are easy to use and are virtually free to deploy. Passwords are the de facto security plumbing in nearly every computer system in use today, in legacy applications as well as new applications being written. It would take years to rip password security out of our computer infrastructure, and doing so would require that a significantly superior, viable alternative to passwords be available. The alternative would have to be more secure, usable, scalable and cost-effective than passwords.

Yes, passwords pose security challenges, but to say they are dead and should be summarily retired from use is impractical at best and downright destructive at worst.

Chris Trytten has over two decades of technical and managerial experience in systems and security at leading companies in Silicon Valley, including positions with Crossmatch, DigitalPersona, Interlink Networks, Apple, Siemens and Amdahl. In his current position as Market Solutions Manager at Crossmatch, he is using his experience serving the Financial and Retail markets by guiding the product and market teams to address the security needs of these industries. Chris is the author of multiple security white papers and articles.