科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion.

© 2025 科技回声. All rights reserved.

Why [Insert Thing Here] Is Not a Password Killer

213 points, by nikbackm, over 6 years ago

36 comments

cyborgx7, over 6 years ago

It is not just that everyone knows how passwords work. It is also that you can always enter a password.

What if I don't have my phone to scan a QR code? What if I want to use a minimalistic browser that doesn't implement a key pair store and I don't want to or can't set up an external one? What if my minimal browser is text only? What if I'm on another device and don't have my stuff on there?

I will pretty much always be able to enter a string of characters. To quote the Unix philosophy:

Text is the universal interface.
jrockway, over 6 years ago

> Despite it's [sic] many flaws, the one thing that the humble password has going for it over technically superior alternatives is that everyone understands how to use it. Everyone.

I think the problem is that people don't understand how to use passwords. They will reuse them among sites. They pick easily-guessable and low entropy ones. They will type them into any website that asks. The end result is that not much security is provided.

(Things are just as bad on the server side, of course. Developers store them in plain text. They will email them to you. They delete entropy so that you can use your password to log in over the phone or from a computer terminal that apparently only has capital letters. I've even seen a website where the password is sent to the browser and the password checking happens in JavaScript. Not great guys, not great.)
rocqua, over 6 years ago

From the article:

> I'm referring to passwordless solutions that involves things like QR codes, pictorial representations, 3rd party mobile apps, dedicated hardware devices or "magic" links sent via email.

I'm not entirely sure the argument holds for the magic links sent via email. To me, those feel like lower friction than entering a password. Because all of a sudden, users don't have to remember their password.

For any company considering this, I'd suggest looking at how often the 'forgot my password, please send me an email' feature is used. I know that, before I had a password manager, there were accounts where I simply never remembered my password. I had to use them like once every month, and it was easier to just get the password reset link.

Now consider how much easier a 'click here and be logged in' link is than a password reset system. This only really gives friction for those few people who aren't always connected to their e-mail system. On account creation, this system is even better. All a user needs to enter is their e-mail address. No more needing to enter a password (twice!). No more dealing with password requirements.

"Magic" e-mail links feel like they really could be a password killer in terms of lower friction.

However, it isn't clear at all that "magic" e-mail links are more secure than passwords. I'd guess that, given enough adoption, they'd develop some issues.
codedokode, over 6 years ago

I don't agree with the author. Passwords are difficult to remember and easy to steal. Example I saw: old people write their card's PIN code on it because they cannot remember it. Everyone knows how to use it, you say?

I think that for an average, not computer-loving type of person, a hardware key is the best solution. You don't need to remember anything: just insert the key and press the button.

Why aren't they popular? I think because they are not a standard and are not built in. You don't get a free key when buying a laptop or a smartphone and that's the main reason why nobody is using them.

But there already are applications that don't use passwords. For example, Telegram (IM application): when you install it you only have to enter your phone number, it sends the code in SMS, the app reads the code without user interaction, and authenticates the device. No passwords, no need to remember anything. I don't like this (it is not convenient for those who use a burner phone number for registration), but for a more typical user it is convenient and doesn't require them to remember anything.

I think we will see more passwordless authentication in the future.
Svoka, over 6 years ago

In my humble opinion, very few know how to use a password. Most of the people still believe that their cat's name starting with a capital letter and with a 1 at the end is a good password. Or that once you have a good password it is enough to use it everywhere. The same password everywhere is not security, it's a vision of security. It may surprise the author that the main reason to provide authentication is to give some security, and in the case of every single non-IT person I know their passwords are just an illusion.

So, I would argue, while anyone can type in some stuff, how to make it secure is rare knowledge almost no one has. So, is it, really, "everyone knows how it works"? Or is it just everyone repeating their not quite secure passwords to make the machine happy without any understanding of the consequences?
turc1656, over 6 years ago

All valid points. But there are two other main reasons I see as why (strong) passwords are essentially a superior choice to everything:

1) Using passwords properly is an exceptionally powerful way of protecting your account/data/etc. If you use strong, unique passwords and store them in a password manager (with the PW database encrypted, of course), it's virtually impossible to break into anything on the user side of things. You might be able to gain access via the server/business side depending on the hack you are pulling off, but that's on the company rather than the user. For instance, I do personally have my passwords stored in a password manager with an encrypted database. They're all unique and strong, as is the password used to access the password database. That password exists only in my mind. It's not written down anywhere or stored in some file on any computer. It's not physically printed out on paper or anything like that. It literally only exists in my head. And given its complexity and length, there is effectively nothing that will be able to break it in any reasonable amount of time. The government also can't force it from me as they could with other methods like 2FA, QR codes, fingerprints, etc. due to 1st amendment issues. Basically, short of getting me to log in from a compromised (i.e. keylogged) device (highly unlikely) or torturing me for the info, there's no way of getting it. And if you're willing to torture me for it - ok, you win then.

2) From a technical point - basically every device we would use to log into anything has either a keyboard (whether physical or on-screen) or some sort of keypad (again, physical or on-screen). This makes for universal compatibility. If people need to have special QR-code scanning/creation software installed on a device, or fingerprint-reading hardware - that creates a non-trivial barrier to the device being compatible with the login process.
chme, over 6 years ago

I haven't heard of any system that replaces passwords all the way. Apart from usability, most systems either rely on things that are hard to change (biometrics), things that can be copied (keyfiles, cookies, software) or things that can be stolen (hardware token). So they don't replace something that you have to remember (password).

Passwords are easy to change and while they can be copied, that would be the result of the user or the login software doing something stupid. Not something wrong with the concept of the password login itself.

IMO those systems can be used to make the login more secure, but replacing passwords altogether not so much.
xte, over 6 years ago

Why do I like passwords (and various keys locked/unlocked with passwords)? Simply because I can change them, I control them.

Biometrics is unsafe by design because our body can change outside our control and our body is public enough and unchangeable enough to be a REALLY unsafe authentication system for anything but human beings interacting together.

External other-factor auths like OTP, side verification, port-knocking, ... are good, but they still need a password somewhere in the chain.

So no, it's not only a matter of reactionary users not willing to change but also a matter of rational safety reasoning.
scraft, over 6 years ago

I signed up for something recently and on the password screen it popped up with something along the lines of "Hey, can we generate a secure password for you? Don't worry, your browser will remember it for you." I said yes, sure enough a strong password appeared and Chrome offered to remember it. Seemed like a nice introduction to using secure passwords. The next thing I signed up for I manually generated a secure password and pasted it in and that is now stored in my browser too.
myWindoonn, over 6 years ago

A little boring and reactionary, I think. Unguessable capabilities (long unchoosable URLs mostly) have been used to replace passwords. Plenty of systems refuse to let users choose passwords, and many common password problems are totally mitigated by this design.
new299, over 6 years ago

I always liked the idea of having a password entry system where a single observation doesn't provide enough information to reveal the password [0].

However, in addition to creating issues with the secure storage of the password... I don't think people would be able to use it reliably.

Still, some banks still seem to use the "enter the Nth letter of your password" scheme, which seems almost equally unworkable...

[0] https://41j.com/blog/2011/10/unobservable-pin-and-password-entry/
dustinmoris, over 6 years ago

> Despite their respective merits, every one of these solutions has a massive shortcoming that severely limits their viability and it's something they simply can't compete with:

> Despite it's many flaws, the one thing that the humble password has going for it over technically superior alternatives is that everyone understands how to use it. Everyone.

This is (mostly) true, however, there is already evidence that new technology could kill the password indeed. What I am talking about is modern phones which all come with a fingerprint scan or facial recognition which, from my own limited experience and my own observations, has mostly killed off the "passcode" on the phone. Yes our phones still make us pick a passcode, but unless forced to use it nobody does anymore. Even my technology-incompetent mother uses the fingerprint scan to log into her phone and I don't see why something similar couldn't replace the current experience of her having to type an insecure password into her Hotmail all the time.
Ajedi32, over 6 years ago

WebAuthn is coming. In fact, it's actually already here. There are only two things it needs before it can start to take over the world: a cross-browser, cross-platform implementation with synced credentials, and server-side implementations from a few large companies like Google and Facebook.

A cross-browser, cross-platform implementation with synced credentials will solve the one remaining usability issue WebAuthn has: the need for users to register every device with the site they want to sign up on. It's not acceptable for users to sign up on their PCs and then have to jump through a bunch of hoops to sign in on their phones; and bootstrapping with passwords eliminates many of the benefits of WebAuthn.

Implementations from major companies will solve the chicken-and-egg problem that Troy mentions. Once the system is commonplace, smaller sites will be less hesitant to jump on board with an authentication solution that's different from the password-based one that users are used to.
guidodassori, over 6 years ago

The only password killer is a password manager. And guess what, it is password protected.
czei002, over 6 years ago

If done right, passwords are a very powerful and universal auth method, i.e. all credentials can be remembered and no third party or auth device is needed (e.g. you are still able to log in even when you lost all your belongings while traveling). However, there are problems when reusing passwords, and passwords are usually leaked to the remote party when authenticating, e.g. it's trivial for a web service to learn what password or password pattern you are using. I am working on an open source project called FejoaAuth where we are working on a secure authentication solution that does not leak the password during login. This allows reusing a password, e.g. to use a password for authentication and for data encryption. This makes true one-password solutions possible. It's an open source project so please get in contact :) https://fejoa.org/fejoapage/auth.html
tzs, over 6 years ago

> Netflix requiring... 4. But I'm hesitant to berate Netflix for what seems like an extremely low number because they're also dealing with the usability challenge that is people logging on to TVs with remote controls

Amazon handled this great when I set up Prime Video streaming on my Sony Blu-Ray player. I don't remember the exact sequence because it was 8 years ago, but it was something like this:

1. Go to Amazon on my computer, log in, and tell them I'm trying to set up a new device for Prime Video streaming. They ask me for the make and model and serial number, which was available on the device in the Prime Video app.

2. Amazon gives me an integer. I don't remember the length, but I'm pretty sure it was in the 4-6 digit range.

3. On the Blu-Ray player, give that integer to the Amazon Prime Video app, and it completes the setup.
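The pairing flow tzs describes is easy to get wrong with a 4-6 digit code unless the code is bound to the device and guesses are capped. The following is an added example written for this page (it is not Amazon's code or tzs's, and the serial numbers, code length, lifetime and attempt cap are constructed values): the logged-in browser session asks for a code for a specific serial, the device submits serial plus code, and the server hands back a long random device token only if the code matches within its lifetime and attempt budget.

```python
import hmac
import secrets
import time

# Constructed parameters for the example; a real deployment tunes these.
CODE_TTL_SECONDS = 10 * 60   # short code lives ten minutes
MAX_ATTEMPTS = 5             # a 6-digit code is only safe with a guess cap


class DevicePairingServer:
    """Server side of 'get a code in the browser, type it on the device'."""

    def __init__(self):
        # serial -> {account, code, expires_at, attempts}; pending pairings only
        self._pending = {}
        # (account, serial) -> long-lived device token issued after pairing
        self._device_tokens = {}

    def request_code(self, account, serial, now=None):
        """Steps 1-2: called from the already-authenticated browser session.
        Binds a fresh short code to this account and this serial number."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded
        self._pending[serial] = {
            "account": account,
            "code": code,
            "expires_at": now + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        return code   # shown on screen for the user to type into the device

    def redeem_code(self, serial, code, now=None):
        """Step 3: called from the device. Returns a device token or None.
        The serial scopes the lookup, so a guesser needs the serial as well."""
        now = time.time() if now is None else now
        entry = self._pending.get(serial)
        if entry is None or now > entry["expires_at"]:
            self._pending.pop(serial, None)    # expired codes are discarded
            return None
        entry["attempts"] += 1
        # constant-time comparison on bytes (compare_digest rejects non-ASCII str)
        if not hmac.compare_digest(entry["code"].encode(), str(code).encode()):
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self._pending[serial]      # too many guesses: start over
            return None
        del self._pending[serial]              # single use
        token = secrets.token_urlsafe(32)      # 256-bit credential for the device
        self._device_tokens[(entry["account"], serial)] = token
        return token

    def account_for_token(self, serial, token):
        """Resolve a device token on later requests; None if unknown."""
        for (account, known_serial), known_token in self._device_tokens.items():
            if known_serial == serial and hmac.compare_digest(known_token, token):
                return account
        return None
```

The short code never becomes the device's credential; it is traded once for a long random token, which is what makes a few digits acceptable here. Revocation is then a matter of deleting the `(account, serial)` entry.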
PopeDotNinja, over 6 years ago

One thing I like about passwords is they live in my head. No one can force me to give it up easily. But with a fingerprint or retina scan, anyone can push me up to a sensor and force me to supply the body part(s) needed to authenticate.
orblivion, over 6 years ago

If nobody understands anything other than passwords, how has 2FA taken off at all? How have password managers taken off at all?

What if the password manager were in charge of logging you in _directly_, through some new protocol between browsers and PW managers? How could that _possibly_ be more friction? It would be strictly less. Hell, it could be done without even informing the user that this new feature was being rolled out, and they sure as hell wouldn't complain about inconvenience because of a step removed from the login process.

Asking people to deal with more and more and longer and longer passwords is a usability nightmare. It's an absurdity.
creeble, over 6 years ago

I just wish there were a more universal acceptance of entropy. I.e.:

Use at least one upper case letter and symbol

OR

Use a password that is at least 20 characters long

Passwords are fine, it's the differing standards that are nutty. Especially when you don't know them until after trying.
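creeble's either/or rule is simple enough to write down, and doing so makes the trade-off visible. This is an added example, not code from the thread; the minimum lengths are constructed values, and the entropy figure it reports is deliberately an upper bound (it assumes every character was drawn at random from the alphabet the password uses), which is exactly why the policy below accepts on the two stated rules and only reports the bits rather than trusting them.

```python
import math
import string

# Constructed thresholds for the example.
MIN_LENGTH_WITH_COMPOSITION = 8      # upper case + symbol, at least this long
MIN_LENGTH_WITHOUT_COMPOSITION = 20  # long enough that composition is waived


def _charset_size(password):
    """Size of the smallest obvious alphabet the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    if any(c not in string.printable for c in password):
        size += 100                        # crude allowance for non-ASCII
    return size


def estimated_entropy_bits(password):
    """Upper-bound entropy in bits: len * log2(alphabet size).
    Only meaningful for randomly generated passwords; a human-chosen
    'Summer2018!' scores well here and is still a dictionary hit."""
    if not password:
        return 0.0
    return len(password) * math.log2(_charset_size(password))


def check_policy(password):
    """Apply creeble's rule: composition OR length.
    Returns (accepted, reason, estimated_bits)."""
    bits = estimated_entropy_bits(password)
    has_upper = any(c in string.ascii_uppercase for c in password)
    has_symbol = any(c in string.punctuation for c in password)
    if len(password) >= MIN_LENGTH_WITHOUT_COMPOSITION:
        return True, "long enough; composition rule waived", bits
    if has_upper and has_symbol and len(password) >= MIN_LENGTH_WITH_COMPOSITION:
        return True, "meets the composition rule", bits
    return False, "neither the length nor the composition rule is met", bits
```

Publishing exactly these two rules on the sign-up form addresses creeble's last complaint (discovering the rule only after a rejection); a breached-password check is a separate control and is not modelled here.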
comma-ampersand, over 6 years ago

What is wrong with magic links exactly?

Email already is the single point of failure: password resets. People are already used to looking at their email, account verification etc. People are already used to looking at their email after signing in; a 2nd factor with email exists on some sites.

Downsides are that they might be scanned by security software and visited, but surely that's also a problem for verification links? I can't imagine that people would appreciate accounts being automatically verified...

All other reasons I can think of indicate a problem with password resets as well, which also gives access to the account anyway.
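Both rocqua's and comma-ampersand's comments turn on how a magic link is issued and redeemed. The following is an added example for this page, not code from the thread or from any site it mentions: an in-memory dict stands in for the database, email delivery is not modelled, and the token lifetime and the example host name are constructed. It stores only a hash of the token (so a leaked table of pending logins is useless), makes each token single-use and expiring, and separates the link from the redeem step so that the mail-scanner problem comma-ampersand raises does not complete a login by itself.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60   # constructed lifetime for the example


class MagicLinkStore:
    """Issues single-use, expiring login tokens and stores only their hashes."""

    def __init__(self):
        # key: SHA-256 of the token; value: (normalised email, expiry timestamp)
        self._pending = {}

    @staticmethod
    def _digest(token):
        # The raw token is 256 random bits, so a plain hash is enough to make
        # the stored value useless to anyone who reads the table.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email, now=None):
        """Create a token for `email` and return it for the emailed link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # OS CSPRNG, 256 bits
        self._pending[self._digest(token)] = (
            email.strip().lower(),
            now + TOKEN_TTL_SECONDS,
        )
        return token

    def redeem(self, token, now=None):
        """Return the email the token was issued to, or None. Consumes the token."""
        now = time.time() if now is None else now
        # pop() makes the token single-use whether or not the later checks pass
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None
        email, expires_at = record
        if now > expires_at:
            return None
        return email


def build_login_url(token, base="https://example.test/login"):
    """The link should land on a page with a 'confirm sign-in' button that
    POSTs the token; redeeming on the GET would let a mail scanner that
    prefetches links consume the token or complete the login."""
    return f"{base}?token={token}"
```

Because `redeem` is the only place the token is accepted, tying it to the POST from the confirmation page (and not to the GET that a link scanner performs) is a routing decision, not a change to this class.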
zyx321, over 6 years ago

Passwords, if used correctly, are extremely secure. However, 99% of my accounts are just not important enough to warrant that level of security. I don't worry about someone cutting off my finger in order to steal my Reddit account. My GitHub account doesn't have any projects that aren't forked elsewhere. Temporarily losing access to Steam for a day or two would not be the end of the world.

I have two-factor authentication for email, cloud storage, and banking. For everything else just give me convenience over security, please.
auslander, over 6 years ago

Related, looks interesting: generated QR on login pages.

A big thread:

https://news.ycombinator.com/item?id=14459537
BitterSweets, over 6 years ago

Closest to a password killer I've used so far is the built-in iCloud Keychain. My iPhone and MacBook both have access to the same passwords and most of them are randomly generated.
PhasmaFelis, over 6 years ago

> The point of all this is that usability is an absolutely essential attribute of the auth discussion. What I often find when I have these discussions is a myopic focus on technical merits.

This problem is ubiquitous to all of tech, pretty much. It's particularly iconic to FOSS grognards like Richard Stallman. Software that respects people's rights is fantastic, and we need more of it, but if you're not making that software usable then you're wasting your time.
ilovetux, over 6 years ago

I think that a lot of the problems that are inherent to passwords might be mitigated by not allowing the user to choose a password. A strong, randomly generated password being given to the user and changed periodically would almost force the user to use some sort of password manager.

If this were adopted industry-wide (a big ask, I know) then users would be able to use the familiar "enter username and password" system while being protected from common mistakes/misjudgments.
sgustard, over 6 years ago

This is an interesting argument, given that my phone over the past few years has moved from passcodes to Touch ID to Face ID. Most apps and sites on my phone that want to prompt me for a password are intercepted by the OS, which generates a one-time code and authenticates me via the same Touch/Face ID. The number of passwords I actually key in has been dropping steadily to near zero.
devit, over 6 years ago

Here's the "password" killer: generating random passwords on the server and never letting users input their own passwords.

All issues with reused passwords, password strength, hashing passwords with slow hashes, etc. instantly solved.

Also improves conversion rate since there's no risk the user gives up signing up because he can't be bothered to think about or generate a password.
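ilovetux and devit both propose the same thing: the server picks the password, the user never does, and the password is rotated. The following is an added example for this page (not code from either commenter): account creation and rotation return a fresh 20-character random password exactly once, and login verifies against a salted PBKDF2 hash. The alphabet, length and iteration count are constructed values. A slow hash is kept as defence in depth even though, as devit notes, a random password of this size is not exposed to offline guessing the way a human-chosen one is.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed parameters for the example.
ALPHABET = string.ascii_letters + string.digits   # 62 symbols
PASSWORD_LENGTH = 20                               # 20 * log2(62) ~ 119 bits
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def generate_password(length=PASSWORD_LENGTH):
    """Server-chosen password from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def hash_password(password):
    """salt || PBKDF2-HMAC-SHA256(password, salt); the salt is per password."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt + digest


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """Accounts whose passwords are only ever generated by the server."""

    def __init__(self):
        self._users = {}   # username -> salt || digest

    def _assign_new_password(self, username):
        password = generate_password()
        self._users[username] = hash_password(password)
        return password   # shown once; the user saves it in a password manager

    def create_account(self, username):
        """No password field on sign-up: the server hands one back."""
        if username in self._users:
            raise ValueError("username already exists")
        return self._assign_new_password(username)

    def rotate_password(self, username):
        """Periodic rotation as ilovetux describes; the old password stops working."""
        if username not in self._users:
            raise KeyError(username)
        return self._assign_new_password(username)

    def login(self, username, password):
        stored = self._users.get(username)
        if stored is None:
            # Spend the same work for unknown users so response time does not
            # reveal which usernames exist.
            hash_password(password)
            return False
        return verify_password(password, stored)
```

Reuse across sites is impossible by construction here, and the strength-meter and "minimum length" arguments disappear with it; what remains for the operator is the rotation cadence and a recovery path for users who lose the generated value.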
elwell, over 6 years ago

At ClearCoin, we use a stored private key in the user's browser extension to sign every authenticated request. The signature is verified on the server, checking that it matches the Ethereum wallet address listed in the payload.
lifeisstillgood, over 6 years ago

Ancient Egyptians probably made the same argument: "Keys just won't work - everyone knows how to use a door knob, but these newfangled keys, no one carries them, we have not invented key rings yet so people will fumble. Best not to."

No, people dealt with keys and locks because they did not want their stuff stolen.

As more and more valuable stuff is kept behind our passwords we will accept more and more cost to protect them.
_pdp_, over 6 years ago

Sign up for Monzo and some of the new banking apps and try really hard to find a password field anywhere.
Anonymous4C54D6, over 6 years ago

Has anybody made a list of [Insert Thing Here]s? I'm curious what kind of trade-offs they offer.
PunchTornado, over 6 years ago

Still blows my mind how companies like Medium think they use a superior system by making you log in to email in order to log in to medium.com.

Makes my 1Password app useless and I just don't bother to log in to Medium => irrelevant articles => less time spent there.
MrStonedOne, over 6 years ago

Passwords can always be used.

You can forget a password, but you can't drop it down a storm drain, or have it all of a sudden fail to boot, or forget to bring it when you're at a friend's house and now you can't answer your users' calls to fix the site that went down for some reason.
beatgammit, over 6 years ago

What about forcing some set of users to change their password if it shows up in a breach?
M_Bakhtiari, over 6 years ago

I can't help but think that browser vendors could have at least made an effort to make client certs and Kerberos authentication more user-friendly on the web. Perhaps not so useful for private consumers, but it would sure come in handy in enterprise.
iamgopal, over 6 years ago

Passwords are like email: even Slack would not be able to kill them.