Why you might never have to remember your password again
We all hate them and can never remember them, quantum computing could make them obsolete – and now AI can guess them by listening to your keyboard. Now technology companies are trying to come up with something to replace them – and might already, quietly, be some of the way there, writes Andrew Griffin
It is 1961 and MIT computer scientist Fernando Corbató has a problem. The university has large computers stored with large files, and anyone can access them.
The solution was a technology that has gone on to proliferate across computers and annoy their users for more than 60 years since: the password. Corbató’s solution was to build a system that would only open files with the right set of letters, and was used both to secure files as well as share out computing resources at a time when they were valuable and limited.
It is a year later, in 1962, and Allan Scherr, another MIT computer scientist, has a problem of his own. The work he is doing is using far too much computing resources, and he is going to have his programs deleted; he had come up with a trick to steal more computer time, but it was not enough to fully run the simulations he wanted to.
He, too, came up with a solution that prefigured an issue that computer users are still facing today: he hacked the passwords. Some 25 years later, he would admit that he had found a way to print out the passwords that were securing the system, and use them to get access to the time he needed.
Corbató and Scherr are perhaps the earliest two examples of a dynamic that has persisted throughout computer history: one side attempting to secure a system, and the other looking to break through. And for almost all of that history, that security has revolved around passwords – a short set of characters that are required for access.
The modern-day Corbató’s have found a host of new ways of making passwords more secure: encrypting them so that they cannot be stolen, storing them in password managers that ensure they are complex and cannot be lost, and much more besides. But Scherr’s much more malicious successors have always found new ways to get around them, by stealing passwords with techniques such as “phishing”, where attackers pose as the legitimate website to trick people into typing their password.
In recent years, however, technology companies might have found a way to get rid of those passwords. With a host of technologies – from biometrics such as the fingerprint and face scanners in phones, to new standards that let devices verify each other – we might finally be doing away with that 60-year-old technology.
Passwords might be as old as language itself. In Ancient Rome, the job was done by a soldier known as a tesserarius – who took their name from the block of wood on which passwords were written – and were responsible for securing what the army called “watchwords”.
Similarly, the word “shibboleth” comes from a Biblical story in which people were asked to pronounce it: the dialect of the tribe of Ephraim meant that they pronounced it as “sibboleth”, according to the Gileadites who were hunting them. Those who pronounced it wrong were taken and killed, which according to the Book of Judges left 42,000 people dead.
Today, passwords are still used in war and peace, to protect lives and to take them. Thousands of years on, the stakes are just as high as they have always been.
This week, it became clear once more that passwords have a whole host of potential downsides. The latest is the threat from artificial intelligence: a new preprint paper demonstrated that it is possible simply to listen to a keyboard and work out what password is being typed using it, allowing a hacker to piece it back together.
Those working on passwords might also be facing a race against time, and the threat from quantum computing.
Currently, the encryption tools that protect the data that hides behind a password do so using intensely complex mathematical problems that are only practically solvable if you have the right keyword. But quantum computers could make those previously very hard calculations into very easy ones, and in doing so make it much more simple for people to breach that encryption.
But passwords are also weak in the most old-fashioned of ways, since they rely on human memory and can be broken by our own fallibility. Users tend to use the same phrases in their passwords – annual reports show the prevalence of passwords such as “password” – and then reuse those passwords across a variety of websites, meaning that a breach on one can give access to people’s whole digital life.
In recent times, computer scientists have looked to address this with two-factor authentication, which relies not just on a password but also a code sent to a separate and already authenticated device, such as a phone. That makes it far more difficult to hack into an account since an attacker in theory also needs access to a users’ other device, and not just a stolen password.
In recent years, companies have been looking to take this and make it the central way of getting into accounts: those authenticated devices will become the key way of logging in. Last year, Apple, Google and Microsoft committed to the “Fido standard”, which aims to accelerate the adoption of that technology.
“Password-only authentication is one of the biggest security problems on the web, and managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services,” Apple said when that collaboration was announced. “This practice can lead to costly account takeovers, data breaches and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.”
The new improvements would allow for “passwordless sign-in standards”, Apple said, such as the use of passkeys that are stored on devices or by allowing people to authenticate using a device that is nearby. The cooperation of the various companies involved should mean that it is possible to use it across different platforms: to unlock a Microsoft PC with an Apple iPhone, for instance.
Much of that work has been done quietly, with the awareness that the best way to shift customer behaviour is to do so in a way so easy that they might not notice. Apple will introduce passkeys with the upcoming iOS 17 update, for instance, but it has been intentionally built to not get in the way, which experts say will help with adoption.
“The complete shift to a passwordless world will begin with consumers making it a natural part of their lives. Any viable solution must be safer, easier and faster than the passwords and legacy multi-factor authentication methods used today,” said Alex Simons, corporate vice president of program management in Microsoft’s identity division, last year. “By working together as a community across platforms, we can, at last, achieve this vision and make significant progress toward eliminating passwords.”
Many of the alternatives to passwords come with their own issues, however. Biometric security can refuse to recognise its actual owner because of error rates, or can be spoofed with fake fingerprints and other information; those parts of our body are used because they do not change, but that also means that once someone has stolen the information, it will be good forever, and cannot be changed like a password.
And experts have been promising the end of the password for years. In 2004, Bill Gates told a security conference in San Francisco that the technology was on the way out.
“There is no doubt that over time, people are going to rely less and less on passwords,” he said then. “People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”
Nearly 20 years on, Gates was more correct in his diagnosis of the problem than his prognosis about how quickly it would be fixed. But new technology might still prove him right.
Join our commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies
Comments