Are We Witnessing the Death of the Password?
Once considered a near iron-clad weapon of defense against cyber criminals, the password has begun to fall from grace.
Effective passwords often require human efforts that many users can't or simply won't take the time to make. Many organizations have adapted new security tools that make accounts and sensitive information harder to penetrate using emerging tech with a combination of factors.
Are passwords outdated? Government Technology surveyed a range of cybersecurity experts, including John Evans, chief technology adviser for World Wide Technology and former CISO of Maryland, to find out if the password has outlived its relevance.
Do you think the password is dead?
Mark Weatherford: "If you would have asked me this question 15 years ago, I would have said, 'Yeah, passwords are on the way out.' If you would have asked me this question 10 years ago, I would have said. 'Yes, it's definitely on its last legs.' If you would have asked me this question five years ago, I would have said, 'Any day now.'
"But now I feel like no, passwords aren't dead. We're always going to have passwords. I think we're going to have complementary authentication systems, but in many cases the passwords are going to be there."
Omar Sandoval: "I don't think it's dead, I think it's here to stay. I think it's the most simplistic way to give end users access to the resources that they need. In that same vein, because it is simplistic, that's why it's such a danger. More and more, you're going to be asked to make more complex passwords that have different characters and all these things. I also think their time to stay alive is going to shorten.
"One of the reasons why it's dangerous but still here to stay is that it creates a simplistic way for everyone to access what they need to, but we make the mistake of using the same password for everything."
Kelly Moan: "The password is on its last legs. It's inherently insecure because it's often too weak, too short or not rotated enough."
John Evans: "It probably should be, but it's not dead yet. We still have a lot of legacy systems, systems that probably can't handle the integrations that would be needed to move toward something passwordless. ... Some of them will probably be a while until we can fully get some of those types of systems to go passwordless. Any new system that's being developed, they should probably be looking at things like passkeys or risk-based authentication and not using passwords."
Dan Lohrmann: "I think the password is dying a slow death, but it is not dead yet. There are still far too many applications out there where passwords are used. But slowly but surely, for bank accounts, financial institutions and more sensitive data, the password is going away."
Valecia Stocchetti: "Is something ever really gone? I still use my old iPhone and iPad. But I think for passwords, they provide strong user authentication, they help keep attackers out of the system. They're still used in a lot of different frameworks and standards so I think that speaks a little bit to the idea that the cybersecurity community is not ready to shift as a whole. But even the strongest password does require other protections to be in place to be the most effective."
Are there any instances where passwords will always be the most secure option?