Did you miss World Password Day last Thursday? Me, too. (As it turns out, it was also International Day of the Midwife, World Portuguese Language Day, and African World Heritage Day. Who makes these things up?) It is comforting to know that when password replacement makes World Password Day moot, May 5th will still have other reasons to celebrate.
Not everyone missed World Password Day. I read two articles that were about password replacement.
- This piece by Ars Technica covered the announcement from Google, Apple, and Microsoft about working to develop a password replacement.
- Joseph Steinberg, a cybersecurity person I follow on Twitter, wrote this contrarian view rejecting common password advice.
Microsoft has been advocating for dropping passwords, in favor of other password replacement methods (for instance, Windows Hello).
Goodbye Password. Hello Passkey.
The Google-Apple-Microsoft announcement is interesting. These companies want to develop a standard for a technique that would send a password request to your phone via Bluetooth. Since Bluetooth only works over short distances (and since phones often have Bluetooth radios), the companies argue that the approach would require the user to be close to (within a few feet of) the computer asking for the password. So, you enter your username on the computer, it sends an authentication request to your phone, and you use Touch ID or some other biometric to provide the password replacement.
This sounds great unless (as I did this week) you go to your work office and leave your phone at home. I am also not sure how this password replacement would work for logging into a web service.
Go Ahead and Reuse That Password
Steinberg’s article is interesting. His reasoning is that humans find it hard to remember long and complex passwords. So, why bother? Some suggestions, such as tying use of complex passwords to sites that are most sensitive, are useful. And he correctly points out that any account (like your email account) that is used to send you a password reset request should have a strong password.
Steinberg does not mention using a password manager. This tool solves the problems with password complexity and managing many passwords. He also does not talk about multifactor authentication.
Be Smart About Password Replacement
Approaches to password use will continue to move between security and ease of use. I have some suggestions for how you can balance ease of use, security and password replacement in your approach.
- Encourage the passphrase. What “thequickbrownfoxjumpedoverthelazydog” lacks in complexity it makes up for in length.
- Use a password manager. As I said earlier, these tools were designed to manage lots of unique and complex passwords.
- Use secure methods to share your password. Tools like Privnote make this easy. I was shocked when a loan application asked me to provide—on paper—my credit card information so they could charge for an appraisal report.
- Multifactor authentication is your friend. Use it for any service where you have data you do not want compromised.
- Connect all your organization’s applications to your identity management service via Single Sign-On (SSO). A password the user does not need is a password that cannot be lost or stolen.
- Think twice about using Google, Facebook, etc. to log into a service. Yes, it’s convenient. However, if your social media account gets hacked, someone can log into other services as well. Create a login for each service (password managers are a big help here). Or use Google, but set that account up with a complex password (or a passphrase).
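To make the passphrase point concrete, here is an added example (my own, not code from the articles or companies mentioned above) that estimates an attacker's guessing work for the post's passphrase against a constructed short "complex" password. The character-class sizes and the 7776-word Diceware list size are assumptions of the model, not figures from the articles.

```python
import math

# Character-class sizes for the brute-force estimate (assumption: printable
# ASCII, with 33 punctuation symbols).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}


def charset_size(password: str) -> int:
    """Alphabet size an attacker must search, from the classes actually present."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(not c.isalnum() for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def brute_force_bits(password: str) -> float:
    """Bits of work when the attacker knows only length and character classes."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def wordlist_bits(word_count: int, dictionary_size: int = 7776) -> float:
    """Bits of work when the attacker knows the secret is N words from a list.
    7776 is the Diceware list size (assumed); this is the realistic model for a
    passphrase, because guessing per word is far cheaper than per character."""
    return word_count * math.log2(dictionary_size)


def stronger_under_wordlist_model(passphrase_words: int, complex_pw: str) -> bool:
    """True if the N-word passphrase still beats the complex password when the
    attacker guesses whole words instead of characters."""
    return wordlist_bits(passphrase_words) > brute_force_bits(complex_pw)


if __name__ == "__main__":
    # Constructed samples: the post's passphrase (9 words, 36 lowercase chars)
    # versus a short password that uses all four character classes.
    passphrase = "thequickbrownfoxjumpedoverthelazydog"
    complex_pw = "Tr0ub4d0r&3"
    print(f"{passphrase}: {brute_force_bits(passphrase):.0f} bits (char model), "
          f"{wordlist_bits(9):.0f} bits (word model)")
    print(f"{complex_pw}: {brute_force_bits(complex_pw):.0f} bits (char model)")
    # Caveat: a famous sentence sits on every guessing list, so the word model
    # only holds when the words are chosen at random, not quoted.
    print("passphrase wins under word model:", stronger_under_wordlist_model(9, complex_pw))
```

Even under the less flattering word-guessing model the nine-word passphrase comes out well ahead of the eleven-character mixed-class password, which is the length-over-complexity argument in numbers.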
Passwords are like colds. No one enjoys them. We would all like to get rid of them. But they resist our efforts to completely eliminate them. Use these password replacement tips to chip away at them. Your users will love you for it.