back to article The zero-password future can't come soon enough

Passwords, long a weakness in the tapestry of defenses designed to keep enterprises and individuals more secure, continue to be a problem due in large part to the same issue that has haunted them for years: the users themselves. In a report released today, SpyCloud researchers found that despite the growing sophistication of …

  1. Hubert Cumberdale Silver badge

    Until we reach this magical passwordless future, everyone should use KeePassXC.

    1. Paul Crawford Silver badge

      For most accounts simply using the web browser's option is enough. But of course you have the "computer replaced/wiped and I can't login any more!" problem for most folks who lack a proper backup of that.

      1. Anonymous Coward
        Anonymous Coward

        hitch there is that only covers your browser, and only one browser

        It would be much better if everybody could try to get on the same page this stuff, but that is going to be a big rock to roll up hill. Everything that is currently using a password needs to start supporting some kind of common interface for a password manager. The same interface that will also be used for non web based logins at the OS level, etc. We did it for scanner drivers 30 years ago, we can do it again now.

        TOTP and security keys should be front and center. SMS and email 2fA is cancer and should be deprecated. (why go to the effort to implement the least secure and least reliable methods on the list?)

        And the retarded "security questions" need to just die. One regular password that can be bypassed by any of three or more easily guessable, social engineer-able, or straight up public info is not an improvement. Even after the high profile train wreck that resulted from the high profile break-ins on celebrity accounts by tabloids and porn leaking selfie hunters.

        Part of this should include a basic checklist covering the implementation and data handling, so the whole effort isn't ruined by the same idiots and malicious compliance that have ruined most of the web.

        1. Doctor Syntax Silver badge

          Re: hitch there is that only covers your browser, and only one browser

          "Everything that is currently using a password needs to start supporting some kind of common interface for a password manager."

          It's called copy and paste. I have encountered a few instances of web sites that block pasting passwords but they're rare.

          1. stiine Silver badge

            Re: hitch there is that only covers your browser, and only one browser

            Pulse Secure used to be one of the sites that wouldn't let you paste your password. After I, and probably more important people, complained that typing a machine-generated password manager stored password was a pain in the ass, they changed their web UI to allow cut/paste.

        2. Pirate Dave Silver badge

          Re: hitch there is that only covers your browser, and only one browser

          "And the retarded "security questions" need to just die."

          YES! I hate that crap.

          "What was the favorite meal of the Fifth-grade teacher you disliked the most?"

          "What color was the hair of your best friend's first wife when she was 10 years old?"

          "What did you have for lunch on July 11th, the year you graduated from high school?"

          "What was the odometer reading on your first car when you sold/wrecked it?"

          "Who was your favorite uncle?"

          Like I can remember any of that stuff. And it always seems like the questions were written by someone who is no older than 20 and had nothing bettter to do in life than keep lists of their Favorite Things.

      2. Potemkine! Silver badge

        For most accounts simply using the web browser's option is enough

        I don't trust browsers enough for that. I don't think we can be sure there's no vulnerability exploitable by a crafted website that can access the browser's password database. It's safer to have them in a separate application (Keypass rulz!)

    2. Pascal Monett Silver badge

      If everyone is using the same tool, then everyone is at risk as soon as some miscreant finds a way into it.

      Just sayin'.

      1. Snake Silver badge

        RE: risks

        My concern is if you depend upon this single technology, the password manager, to either generate or remember your unique passwords. Even if you allowed your browser to auto-generate a random password, what happens if the manager crashes? Corrupt database? Failed SSD with poor backup regimen (all too common on home users)? Etc, etc, etc.

        1. Tony W

          Re: RE: risks

          Lose your password: in most cases an inconvenience rather than a disaster. Any system has some risk of locking you out. My fingerprint changes over time, apparently.

          1. Snake Silver badge

            Re: fingerprint

            You'll get me to use biometrics for my logins over my dead, and decayed, body, thank you very much.

            To top it all off, as I've mentioned before, biometrics is not beyond the plod demanding it to get into your data, as an arrest allows and permits them access to use your metrics as they see fit. A password is information held in your brain and, if they don't have it accessible via other means (like said manager...) it is yours to deny them access to, no court [in any civilized country] can demand that you relinquish your passwords simply by demand (as that can invalidate your right to self-incrimination).

            1. doublelayer Silver badge

              Re: fingerprint

              Well, at the risk of causing a debate over which countries are civilized or not, you are not correct. Some countries do protect passwords in the way you state, for example the United States, but in others, such as the UK, failing to disclose passwords, encryption keys, etc is a crime in itself for which you can be imprisoned. This is the case even if you are exonerated from the original investigation.

              1. MachDiamond Silver badge

                Re: fingerprint

                "but in others, such as the UK, failing to disclose passwords, encryption keys, etc is a crime in itself for which you can be imprisoned"

                Given a sentence for not disclosing a password or encryption key might be less of an offense than what they'd have if they could have a nice rummage through your files.

                The fact still remains that your finger print, retinal scan or whatever can be forcibly taken from you as opposed to a password you have memorized (or not, I'd claim not).

                What I'd like to set up at some point is a burn routine that triggers via the wrong finger or retina scan. Something like my right index finger triggers a burn routine while showing an error box that the fingerprint is not valid or something until a particular folder is well and truly wiped. The working print might be the left hand ring finger which isn't the norm. My phone has no password or key since I keep nothing much on it, don't use it for nav and don't install apps willy nilly. I certainly don't use it for financial stuff. On the way out today I stopped for petrol and the terminals were down for plastic payments. Good thing I keep boring, old fashioned cash on hand (and my feathers numbered) for just such an emergency.

                1. Charles 9 Silver badge

                  Re: fingerprint

                  "Given a sentence for not disclosing a password or encryption key might be less of an offense than what they'd have if they could have a nice rummage through your files."

                  But the the problem is, last I read, the offence can be REPEATED.

                  1. Phones Sheridan Bronze badge

                    Re: fingerprint

                    That’s a myth. It’s never happened.

                    1. Yet Another Anonymous coward Silver badge

                      Re: fingerprint

                      >That’s a myth. It’s never happened.

                      Yet....

                      Remember this law wasn't going to be used to intimidate partners of people foreign governments were currently mad at.

                      We weren't going to have the secret police smashing computers at newspaper offices either

                      1. Phones Sheridan Bronze badge

                        Re: fingerprint

                        It can't happen, it's been discussed to death.

                        In order to get the first imprisonment, the prosecutor (in the UK) has to demonstrate beyond a reasonable doubt that the person withholding the password, is indeed in possession of it. They have to prove that the person accessed a device within a recent period, so recently in fact that it's highly unlikely that the person could have forgotten the password. In cases where people have been imprisoned, the prosecution demonstrated using forensic data that the devices were accessed several times over several days all within the time frame leading up to the arrest and they have actual physical evidence proving that. "It's his device, he must know the password" is not and never has been sufficient evidence that has lead to a successful prosecution.

                        The idea that someone can be prosecuted a second time for the same offence say 2 years after the original prosecution is laughable. Courts have an understanding of the reliability of testimony from memory, and how it becomes more unreliable over days, weeks, months and years. Courtrooms (in the UK) are not like they appear in American TV dramas, where each interaction is tense and full of suspense with sharp back and forth dialogue, each word being met with surprise and an intake of breath from the jury. The prosecution never dramatically pulls out the final piece of damning evidence at the end of the trial that results in an instant "Guilty" from the Judge. No instead courtrooms are dull, methodical tedious places where previous policies, judgements and precedents are all brought up sequentially and legally argued over. Everyone and their dog in the courtroom understands the concept of degraded memory, and none of them would bother to try to argue that someone claiming that they have forgotten a password they last used over 2 years ago is lying. In fact for a prosecution to even begin under section 49 of RIPA 2000 specifically for withholding a password, a judge needs to first give permission to prosecutors to issue the notice of disclosure. Unreliability of memory is already an established and understood precedent so a second prosecution would probably fail at the first hurdle of trying to convince the judge to allow it to happen after such a long time.

                        So yes, it's a myth, In the 15 years since the law came into force it has never happened or been attempted. Where prosecutions have occurred, it has only been after physical evidence has been presented that has proven beyond a reasonable doubt that the person must reliably know the password being withheld.

                        1. jospanner

                          Re: fingerprint

                          I don't understand why you have so much confidence in the British government and legal system.

                          1. This post has been deleted by its author

                2. doublelayer Silver badge

                  Re: fingerprint

                  "Given a sentence for not disclosing a password or encryption key might be less of an offense than what they'd have if they could have a nice rummage through your files."

                  What crimes are you expecting they'd decide you committed by looking at your files? I agree that I don't want them to look at them, but serving up to five years is a strong penalty, exceeding many normal crimes. Having a secret delete password is destroying evidence, another crime they can charge you with. I probably have the same view as you, that such laws are illegitimate and would be better repealed. While they're there, however, it's important to know what the law says so you can act accordingly.

            2. Not Irrelevant

              Re: fingerprint

              Get a hardware key then, it's more secure than biometrics because biometrics has a margin for error and there is nothing guaranteeing fingerprints are unique (they're not, just many, many variations).

              1. Snake Silver badge

                Re: hardware key

                Hardware key is even WORSE, once arrested a simple search warrant, most assuredly granted by the court since the plod had 'reason' to arrest you in the first place, means that the hardware key is both confiscated and usable by anyone else.

                The only authentication system that, in court, cannot be forced from you (in my jurisdiction) is the password / passcode.

      2. hoola Silver badge

        As with all these things, the more widespread a technology the fatter the target becomes.

        In this case a very fat target. It does not matter if it is compromised locally if the credentials are only held on the device or a central repository.

        It is always going to be when, not if that it goes pear shaped. The haul and damage is incalculable. After a compromise of something like this the pretty much the only is a mandatory reset of everything. Oh, but how do you verify the person resetting the password as you now have the email address and credentials for that.

        Even sending a code to a mobile device or app is not fool proof.

    3. fidodogbreath Silver badge

      BitWarden is another solid open-source option.

      1. Graham Cobb Silver badge

        As is pwsafe.

        Or, rather, one of the many, many modern implementations (some open source, some not) which all share the same database format. There are several great implementations for all the main devices, as well as some which will run on almost anything that moves electrons around!

        The downside is that most of them do not include the necessary file sync for the database. But many cloud or file management apps can provide that.

        1. Anonymous Coward
          Anonymous Coward

          I use KeePass which stores my encrypted database on Dropbox so it's available on all my kit.

    4. TeeCee Gold badge
      Meh

      The problem with password managers is:

      1) Guarantee it will always be reasonably priced / free / included.

      2) Guarantee it will sync across devices.

      3) Guarantee that it will work on all my devices and always will.

      Any missing and I'm not going anywhere near it. Needless to say, when I say "guarantee", I mean that the maintainers do not get to just walk away, dropping their users in the shit, without incurring life-changing penalties.

      3 is usually the showstopper. Still waiting for one that works with Roku systems, not to mention one that works with all mobile apps rather than just a select few of them.

      Oh and when it comes to 1, if you're looking at a subscription model you can shove it up your arse. Sideways. Rolled in 40 grit sandpaper.

      1. Hubert Cumberdale Silver badge

        Regarding your points, for KeePassXC:

        1. It is free and open source. It is distributed under the GPL, so it's not going away or going to cost money. There are other implementations. In any case, nothing is forever, and you can just migrate when you need to (just like you do with operating systems).

        2. The sync is entirely up to you. You can store the database file (which is very small) with any cloud provider or roll your own. And before you say this is insecure, the database is of course strongly encrypted before being saved. If you use a strong master password, the risks of storing it in the cloud are very small.

        3. Nothing can be ever guaranteed to always work on all your devices forever. Get pragmatic: you're already compromising because you have to remember your passwords. Reconsider what your compromises should be. There are Android and iThing apps for KeePassXC. They use copy and paste for credentials so are compatible with pretty much any app/browser. In any case, if you're using a smartphone these days (or a Roku thing or smart TV), you've already compromised with your security.

      2. Graham Cobb Silver badge

        You can't get item 3 with anything proprietary. If the property owner goes out of business (or just changes their mind) then it will stop working.

        By far the best chance of achieving item 3 is to choose something which has tens or hundreds of different but interoperable implementations, for different platforms, by different people - some commercial, some not.

        That is why I use a Pwsafe-based system. I use different software on my own systems (Linux), my work Windows system (when I had one), my various handheld devices (some Android, some Apple, Maemo, Meego, Sailfish, some old proprietary stuff). It even runs on my toy VAX/VMS system when I can be bothered to boot the emulator! All of them are interoperable so I just need to make sure the database is automatically or easily replicated to whatever device I am using.

      3. Graham 32

        1 and 3 are both asking about the future. Replace those with "has an export option" and you can migrate when something else becomes a better solution.

      4. fidodogbreath Silver badge

        Guarantee it will always be reasonably priced / free / included. etc.

        Obviously you can't guarantee things that are beyond your control. Any company can go out of business, or be acquired, or discontinue a product.

        However, you can verify that (1) the solution stores a local copy of its database, (2) the local copy can be decrypted and opened offline, and (3) its contents can be exported to one or more interchange formats.

        I have hundreds of logins, and I've changed password managers several times with no loss of data.

    5. ITMA Bronze badge

      The fundamental problem is this:

      TOO MANY EFFING PASSWORDS.

      Loads of sites which need or nag you to create a login. Why??? I only want to buy one bloody thing from you.

      1. batfink Silver badge

        Correct! Mandate an option of Guest accounts IMO.

        For every f'n website which unnecessarily wants me to create an account (which I'm unlikely to use again), I use my "burner" email account and some random password like fuckoffanddie which I never bother to record. In the unlikely event I ever need that website again I'll just reset it.

        For everything else there is Keepass. And even in that the important passwords are obfuscated, against the day when that's cracked as well.

        1. Yet Another Anonymous coward Silver badge

          That's why people share passwords

          My password for the account I have to create to download a BIOS update is going to be "password".

      2. CommonBloke

        It's one of the reasons facebook became so widely used, so many sites let you simply login with your FB account instead of going through the whole "create an account". Nowadays, you can also use Google or a bunch of different accounts across many sites.

        For users, it's good because it means you only have to worry about one account. The downside is that you create a very juicy single point of failure: if that account gets compromised, so will anything linked to it.

        1. ITMA Bronze badge

          "The downside is that you create a very juicy single point of failure..."

          The "single point of failure" is giving your personal details (even if fake) to FaceSlap and/or Gaggle who then whore you (in the form of your data) out to anyone and eveyone - in exchange for pieces of silver.

          Judas Iscariot would have been proud.

          The "golden rule" of "free online products/services" is that if what is offered is free, it is because YOU are the product, to be harvested and sold.

  2. Paul Herber Silver badge

    2FA problem

    One problem I've found with 2FA not relying on a password is having the wrong phone number attached to the account. I have a Paypal account like this, all I'm asked for is to respond to the 4-digit code sent to a phone number, which I no longer have access to, it's now a dead number. I can't even get as far as using the password, or any of the secret answers. I've spent an hour on the phone with Paypal support, the one thing they can't change is the phone number. Blah. There's only a few tens of pounds in the account, but it could be so much worse.

    1. Anonymous Coward
      Anonymous Coward

      Re: 2FA problem

      But that's bad 2FA. Or lazy at least.

      Even MS, Google and Facebook allow you to generate a set of codes for that moment you've lost your device.

      A much bigger- and much less addressed issue - are the man+dog outfits that insist on one login per account which forces you to share it among key staff. Which renders a lot of data security directives null and void before you've started. (If you read them that is).

      1. Gene Cash Silver badge

        Re: 2FA problem

        But that's bad 2FA. Or lazy at least.

        In the same realm of bad "authentication" is the captcha shit, and recapcha and all it's relatives.

        It insists that I must upgrade to the latest browser version. Which is 97.0.1... which is what I'm running.

        Of course it boils down to the fact that it's not happy about the user agent and apparently that I'm using Linux. If I paste the UA from Windows, it's happy.

        However, a lot of sites refuse to provide any communications if the captcha shit barfs up a lung. No phone number, no email address, nothing.

        I've already cut ties with 5 vendors because of this.

      2. Roland6 Silver badge

        Re: 2FA problem

        >are the man+dog outfits that insist on one login per account

        Its not just man+dog outfits, there are some major cloud-based security vendors who only provide a single account with no means of creating further 'user' accounts...

      3. ITMA Bronze badge

        Re: 2FA problem

        Ever tried setting up multiple logins on PayPal so staff can be assigned their own logins with their own spending limits?

        It is total and utter shite....

    2. cornetman Silver badge

      Re: 2FA problem

      I had this problem with an account that insisted on sending a 2FA text message to my land phone.

      1. Jamie Jones Silver badge

        Re: 2FA problem

        Doesn't SMS to landlines work anymore? That seems a strange thing to discontinue.

        The issue I had when trying to set up my mobile-phoneless mum with various sites is they would only accept mobile phone numbers.

        EDIT: I just googled, and SMS to landlines still work in both the UK and the US..

    3. Not Irrelevant

      Re: 2FA problem

      That's actually 1FA, only SMS is only one factor.

      1. Paul Herber Silver badge

        Re: 2FA problem

        I'm sure the password would be asked for next ...

    4. Roland6 Silver badge

      Re: 2FA problem

      >One problem I've found with 2FA not relying on a password is having the wrong phone number attached to the account.

      Another is the email account.

      I suspect many have used their ISP supplied email address and discovered on changing ISP just how much stuff they had linked to their previous ISP's email address, which they can't change as they need the old address to verify the change of email address etc..

      It is going to be interesting if MS, Google, Apple et al decide to pull the plug on free mailboxes.

      1. Anonymous Coward
        Anonymous Coward

        Re: 2FA problem

        Yeah, a rug-pull by any of the major "free" email providers always has an outsized impact. People signing up with an ISP email account should be warned and allowed to enter a backup email.

        Also, what the hell is it with the way some of these idiots handle backup email addresses? I have had several cases where if you enter a backup email address, and the backup address has a problem, you can't fix it using the primary address, as to change the backup address, you need to be able to receive an email to the backup address. How is it that people that can't see that will be a problem keep getting the job of implementing account security.

        1. Doctor Syntax Silver badge

          Re: 2FA problem

          "How is it that people that can't see that will be a problem keep getting the job of implementing account security."

          It's not their problem so it's invisible to them.

          It's an instance of a wider problem with fragile development. The happy path's coded so there's nothing else to do, or at least nothing that can't wait for a few sprints. And a few more...

    5. MachDiamond Silver badge

      Re: 2FA problem

      "I've spent an hour on the phone with Paypal support, the one thing they can't change is the phone number."

      Will they send a check to the address listed for your account or deposit the remaining balance to a linked bank account? I stopped using PayPal when they decided to pass judgement on who sends me money and where I spend it. Since I can't use it to accept payments on eBay anymore, they are dead to me.

    6. Jamie Jones Silver badge

      Re: 2FA problem

      I've had that, it's a pain in the arse, but PayPal reset it after a quick phone call. To be honest, it was too stupidly easily reset.

      Also, am I the only one who dares leave their phone at home? I wanted to do something when visiting my mum, but as my phone isn't surgically attached to me Amazon missed out on that order.

      Don't get me started on trying to do grocery home deliveries online for my mum, who dares to have a bank account and credit card, but no mobile phone...

      1. MachDiamond Silver badge

        Re: 2FA problem

        "Also, am I the only one who dares leave their phone at home?"

        Being self-employed, I try to keep my phone with me to keep from losing work but I'll sometimes run errands with it still on my desk. I don't turn around and drive home to get it if I notice it missing unless I'll be out for most of the day or will need it to communicate with a customer I'm going out to service.

  3. DarkRookie

    Biometrics are immutable,

    Security keys are expensive,

    Authentication apps are usually made by people I wouldn't trust with codes. Or keeping the app updated.

    Verification codes take too long.

    If you want to replace the password, replace it with something that can do the same things.

    1. Arthur the cat Silver badge

      Biometrics are immutable

      One hopes they're immutable because changing them often tends to involve a hospital visit.

    2. Charlie Clark Silver badge

      Everyone knows that good passwords should only be used once…

      As you say, we've yet to come up with anything better that is as universal.

    3. DS999 Silver badge

      Security keys aren't expensive

      There are free apps for iPhone and Android to implement that.

      What's missing is wide uptake of such options. I wish Apple and Google built that functionality in (and endured the whining from companies that have those apps now) as there would be a single (or at most two) standards for that that would be easy for everyone to get on. Have it communicate by bluetooth so you don't even have to enter the code, the biometric verification on your phone would cause it to be transmitted to your PC or whatever.

      I suppose that's a less than ideal solution for logging into something running ON your phone like a banking app, but it serves the purpose of a security key for logging into everything else.

      1. Charlie Clark Silver badge

        Re: Security keys aren't expensive

        There are free apps for iPhone and Android to implement that.

        That implement what exactly? One of the points about confirming identity is that it isn't a purely technical problem. The risks are well understood and none of the proposed technical solutions is without its problems as the post attempted to spell out.

        And are you seriously suggesting that Apple and Google be given even greater power over devices?

  4. Paul Crawford Silver badge

    Is your no-longer-patched phone authenticator more secure than a paper record of good passwords kept at home (especially if 'modified' in written form)?

    If your phone or key fob is lost/stolen how easy is it to replace it and keep all logins still working? Could the bad guys do the same?

    Yes, 2FA helps a lot, but not so much if accessing a site from the same device (e.g. phone web and text/app), also some sites like Feacesbook can go jump if they think I'm handing phone numbers over to them!

    1. Adrian 4 Silver badge

      Relying on a phone that may be compromised, discharged or out of signal is asinine. I have no confidence in vendors that use it for 2FA. I have the same expectation of security and usabilty in phone-based systems as reused passwords.

      1. Anonymous Coward
        Anonymous Coward

        I think your worry is valid, but not for most sites.

        Your level of caution makes sense for accounts with high risk/impact but is overkill for most of the accounts people access. Protect the hell out of your key accounts, but a phone based authenticator with easy backup/recovery is ideal for the majority of peoples accounts. The risk of a hijacked account for your subscription to Green Valley Lake bridge club newsletter isn't in the same risk category and your tax returns or your online banking accounts.

        And a paper backup in a secure location isn't bad, but provides terrible usability unless you are stuck where its stored, and you still need secure account recovery methods in case your lair, and the little black book, burn up in a fire.

        Also, an oft missing fact of life is that as we age out, many of us will lose the ability to manage, remember, or recover our accounts reliably. So designating trusted contacts should be a painless and non-humiliating process that people can opt to use when and if needed.

        There are so many sneaky edge cases to this, we really need a public checklist of best practices to beat people over the head with in meetings to shut up the idiot who says "this will be easy, have it to you next week" and decides to use ROT-13 to handle password security.

    2. Doctor Syntax Silver badge

      Unfortunately if you do want to practice "good password hygiene" it seems that businesses are seeking to make things more difficult. I've just signed up with a different building society which I've wasted half the morning over trying to set up a log-in & now discovered it seems to assume I'll use a mobile app to confirm on-line use. Of all the electronic devices in the house the mobile phone is the one I trust least. For those who don't have their phone surgically attached to their face it's also about the least convenient means to use any service as it's apt to be off/flat/left in the car/somewhere else in the house when it's needed.

      I doubt this growing reliance by businesses on assuming their customer have (that cuts out SWMBO anyway) and prefer to use a smartphone is nothing to do with security or customer convenience. It's for their convenience and, I suspect, especially the convenience of their marketing departments.

    3. fidodogbreath Silver badge

      @Paul Crawford: If anyone who has your phone number has ever installed any Faecesbook app, then Faecesbook already has your number -- and all of your other contact info associated with it.

      1. Paul Crawford Silver badge

        What, you think I use my real name of FB?

        1. scrubber

          GDPR?

          It's not about you. If someone else has your real name and phone number and installs a meta app then you are toast.

          1. Paul Crawford Silver badge

            Re: GDPR?

            That is still not linking any FB account I may (or may not) have to a phone. After all if such a FB account is not in a name my friends know then there is no link from their contacts to my account.

            Should I give FB my number for that account it does!

            1. fidodogbreath Silver badge
              1. Paul Crawford Silver badge

                Re: GDPR?

                Of course. Why do you think I use Chrome for FB or Gmail, and Firefox for all other browsing? Add to the ad-blocking and the use of a VPN (so shared IP source address with many users) and it seems to keep the crap down.

    4. batfink Silver badge

      Easy. Just get one of these...

      https://www.whsmith.co.uk/products/whsmith-black-soft-touch-a6-internet-password-book/5013872006228.html

  5. Anonymous Coward
    Anonymous Coward

    Keeping customers happy....NOT!

    Quote: "...text messages sent to a cell phone are techniques that have been around for years..."

    Yup....but just to quote NatWest as an example:

    (1) Request a text message for authentication on the Nat West web site

    (2) The NatWest web site TIMES OUT before the text message arrives!!!

    Yup...."around for years"....and the CORPORATE END of the solution DOES NOT WORK!!

    Keeping customers happy?? Guess!!!

  6. Pascal Monett Silver badge
    Stop

    "the charge into a passwordless future"

    This charge had better have a solution that is as easy to manage as passwords are.

    It's not my fault that the Joe User can't be arsed to manage his passwords properly.

    I do, and I do not want my fingerprints, eye scans or tongue surface spread all across corporate databases managed by the summer intern.

    If one of my passwords gets compromised, I can change it. I can't change my fingerprints.

    So, what's the passwordless solution ? I haven't heard of one yet and, if somebody had an actual solution, I'm sure we'd be hearing about it and seeing it implemented already.

    1. alain williams Silver badge

      Re: "the charge into a passwordless future"

      If one of my passwords gets compromised, I can change it. I can't change my fingerprints.

      +1

    2. thejoelr

      Re: "the charge into a passwordless future"

      I went to their website expecting some product and didn't find one surprisingly.

    3. Martin Gregorie

      Re: "the charge into a passwordless future"

      So, what's the passwordless solution ? I haven't heard of one yet and, if somebody had an actual solution, I'm sure we'd be hearing about it and seeing it implemented already.

      Devices like the Yubico dongles seem to work painlessly enough, at least when used for passwordless access to sites like GitLab.

      However they they do have drawbacks, such as their price and availability, being small enough to lose easily unless you've attached them to a fob of some sort, and requiring the device you use them with to have a USB socket .

      1. Gene Cash Silver badge

        Re: "the charge into a passwordless future"

        requiring the device you use them with to have a USB socket

        Mine doesn't... but then it will require me to type in the number on the key's display.

      2. Roland6 Silver badge

        Re: "the charge into a passwordless future"

        >However they they do have drawbacks, such as their price and availability, being small enough to lose easily unless you've attached them to a fob of some sort, and requiring the device you use them with to have a USB socket .

        It is these drawbacks that effectively mean there will never be a total replacement for memorable passwords.

        Yes, I use password safes etc. but really critical stuff (like the key to the password safe) is in human readable and memorable form.

    4. Anonymous Coward
      Anonymous Coward

      Re: "the charge into a passwordless future"

      The problem isn't a lack of solutions, it is intertia, incomptetnce, and greed. The reason the garbage systems that are common place now became entrenched was that as cell phones became common place, companies REALLY, REALLY wanted to be able to link your cell data with your account.

      Many of those companies then sold, traded, or shared that data with third parties, social networks et al along with troves of other data.

      The real fight is to force the big compliance frameworks to mandate fixing this mess. Once it makes it in a couple of big ones like PCI or the GDPR, industry momentum will shift pretty fast. And unless they botch the deployment, TOTP, oauth, hardware tokens, and al that should be easier to use than the current hot mess of deranged password complexity and expiration, security questions, email resets, and SMS/Push/email codes that break usabily and/or never arrive at all.

      1. Pascal Monett Silver badge

        Re: The problem isn't a lack of solutions

        Oh, so what brilliant idea do you have to replace passwords ?

        Please share, the world needs to know.

  7. karlkarl Silver badge

    I am going to assume by passwordless they mean that terrible "SMS the user a one time password" crap rather than proper asymmetrical encryption keys like SSH.

    1. vtcodger Silver badge

      Passwordless

      I am going to assume by passwordless they mean that terrible "SMS the user a one time password"

      Probably. Most likely what they really mean is that they haven't any more idea than anyone else how to balance security versus usability, so they'll go with whatever is popular. And what's popular today is 2FA using SMS with one time codes that are a monumental PITA for many (very likely most) users. But they can pretend that's a user problem, so it's someone else's problem and therefore OK.

      Personally, I was paying bills on line 30 years ago. But about 25 years ago, I came to feel that computer security is so difficult that paper was not only safer, but overall probably less effort. It's REALLY hard to straighten things out on-line on the rare occasions when things go wrong. I do keep a couple of minor conventional accounts with passwords and 2FA. If they ever become both secure and easy/convenient to use, I'll consider going fully digital. I do not expect that to happen any time soon.

      1. MachDiamond Silver badge

        Re: Passwordless

        "I came to feel that computer security is so difficult that paper was not only safer, but overall probably less effort."

        I still do most things with paper. Even payments I make online get printed with confirmation codes and a handwritten note on when I paid and what account was used. If I ever have to prove my payments in a dispute, having a real paper trail might be important. The company I have the dispute with might also decide to find in my favor quickly if they see I'm keeping good physical records.

    2. Anonymous Coward
      Anonymous Coward

      Yubi keys?

      https://www.yubico.com/

    3. Anonymous Coward
      Anonymous Coward

      I know it's not exactly a web browser or anywhere mainstream, but the Gemini protocol uses a client certificate to define who they are. You can either create a new (self signed) certificate to act as a 'session cookie', or keep hold of it and be identifiable again. The user is in control of its lifetime and could even store it somewhere portable/cloudy.

  8. scrubber

    Business Opportunity

    Hi, is that Lasik? Yes, my computer got hacked. Again.

  9. fidodogbreath Silver badge

    Four Yorkshire IT men

    Consumers now can have more than 100 accounts in work and personal lives that need passwords.

    "You only 'ad a hundred? We used to dreeeam about only having a hundred!"

    1. Anonymous Coward
      Anonymous Coward

      Re: Four Yorkshire IT men

      I just scrolled through my password manager. I personally have 240+ passwords, not counting the client system psaswords (in separate managers). My total is probably around 700..I can only remember 3 of them, and 2 of those are very, very hard to type correctly...

    2. batfink Silver badge

      Re: Four Yorkshire IT men

      There's an error here: the bit that says "NEED passwords".

  10. Anonymous Coward
    Anonymous Coward

    Dementia

    I am at the onset of dementia. I cannot remember names and faces, nor passwords and telephone numbers. Bitwarden helps me, but not every time. Now I am expected when creating a new password to use figures, letters, symbols, caps and the sex of my dog - by the time I have entered all this rubbish I have forgotten why I wanted to log into the site in the first place.

    Now if someone invented a USB key that could send the password and my shoe size from whatever device I am trying to use I would welcome it. My car has responded to something similar for years.

    Remember the aged and the disabled.

    1. Charles 9 Silver badge

      Re: Dementia

      Or just people with really bad memories. Now was that "correcthorsebatterystaple" or "donkeyenginepaperclipwrong"?

    2. Roland6 Silver badge

      Re: Dementia

      >I am at the onset of dementia.

      Life is going to get very tough!

      Much will depend on the particular form of your dementia and the speed of its progression. My commiserations.

      My only advice is to ensure those close to you know and do some reading on the subject, as their response to your process failures - which you will largely be unaware of - can make a huge difference to how you and those around you feel. It has taken some effort to get others in my family to grasp that our mothers' 'madness' is the dementia not her, so there is no point in getting worked up when she gets things wrong, or tells you the same thing multiple times because she has forgotten she has already told you. And then we have days of total clarity.

      .

  11. Mike 137 Silver badge

    "passwords should be dropped in favor of [...] biometric technology"

    Once again (and for the gazillionth time for years and years) a biometric is not an authenticator - it's an identifier.

    An authenticator must be private, rescindable and changeable. Biometrics by definition have none of these characteristics. Therefore a biometric can legitimately replace an identifier (e.g. a user name), but not a password. However I've given up waiting for this fundamental truth to sink in.

    Furthermore, using the same biometric to access "hundreds" of accounts is just as bad a principle as using a single password for the same. As soon as someone finds a way to replicate the biometric or its digest (and they will) all the accounts will be vulnerable just as for the password - with the exception that the biometric can't be changed. The only effective solution here is robust private credential repositories containing multiple independent credentials for different accounts.

    What's really been needed all along is education - of users so they understand the real purpose of passwords (to keep others out not to let legitimate users in) and of those setting password policies so they actually understand what they're doing. Practically all current "password rules" result from wild guesswork based on complete ignorance of the principles underlying code spaces, the statistics of cracking trials and the realities of modern attack types. This is typified by the "password strength meters" of two hosting services we tested. What qualified as strong on one was branded excessively weak for acceptance on the other.

    It's long overdue to abandon the mantras and learn the facts.

    1. Anonymous Coward
      Anonymous Coward

      @Mike 137 - Re: "passwords should be dropped in favor of [...] biometric technology"

      It seems to me this is more about surveillance than it is about password security. If you're getting used to your phone scanning your face for access, then you'll have no objection to surveillance cameras doing the same.

      It's not that companies care about people losing their password or having them compromised. Google decided to block me from accessing my email because they suddenly are no longer sure that it is me who's using it. They keep pestering me with "someone's trying to access your email" each time I'm trying to access it because they have no problem at all with the email account I gave for password recovery. Worst thing is that there's no support phone number or email which proves they don't quite care about your password.

      1. Anonymous Coward
        Anonymous Coward

        Re: @Mike 137 - "passwords should be dropped in favor of [...] biometric technology"

        "Worst thing is that there's no support phone number or email which proves they don't quite care about your password."

        FTFY.

    2. Charles 9 Silver badge

      Re: "passwords should be dropped in favor of [...] biometric technology"

      "An authenticator must be private, rescindable and changeable."

      The problem being that ALSO (by default) makes it easy to lose, easy to mess up, and easier to get stolen. And human minds are fickle things. Try a solution for people, for example, with really bad memories (now was that "correcthorsebatterystaple" or "donkeyenginepaperclipwrong"?), and yes they exist all over the place; I deal with them regularly.

  12. Barry Rueger

    Way, way, way too much hassle

    Enough with finger-wagging at end-users. We're just struggling to get through an average day without wasting hours battling arcane log-in sequences.

    First of all, 80% of the places that I visit don't merit a big, complex, unique password. And honestly I'd include El Reg on that list. An awful lot of sites pose no risk to me even if my log-in is somehow snatched.

    Second, Two factor authentication is ALWAYS a pain in the ass, and often as not doesn't work the first time you try to log in. Then there are the idiot cases. We just moved to France and discovered that at least two companies demand a North American phone number for 2FA.

    Third - HSBC. Dear god. Getting online involved three different numbers and secret codes, one of which was delivered by mail. And logging in on my PC still involves a cel phone. The real problem though is that none of the multiple numbers have really distinct or consistent names, some are only used infrequently, and the French and Canada HSBC sites operate entirely differently. I swear to god I keep a page of written instructions beside the computer just for them.

    Fourth - a lot of 2FA systems pretty much demand that you have a recent model cel phone, preferably with fingerprint identification. I don't know how people without mobiles function these days. Much less anyone without email.

    I'm sure that some kind of new log-in system is possible, but I have no faith in the ability of any of the established players to figure out how to do it. Instead I'm sure they'll just add more layers of irritations and redundancy to an already broken system.

    And if you think that none of this is damaging your business you're wrong. I've been on-line for 30+years so I'm no beginner. I'll happily drop a web site or service if it feels like the hassle is more than I want to bother with.

    And finally - pictures of bicycles or busses? Indistinguishable squished letters and numbers? Sorry, I just walk away.

    1. Yet Another Hierachial Anonynmous Coward

      Re: Way, way, way too much hassle

      And finally - pictures of bicycles or busses? Indistinguishable squished letters and numbers? Sorry, I just walk away.

      If I am trying to make a one off purchase from a website, and they do not let me "checkout as guest" but insist I create an account, I just walk away and spend my money elsewhere.

      1. Charles 9 Silver badge

        Re: Way, way, way too much hassle

        But eventually you run into the ONE place that has that thing you need. It WILL happen eventually, at which point you either bend over or lose business...

    2. MachDiamond Silver badge

      Re: Way, way, way too much hassle

      I went with my mum to set up a couple of new bank accounts at a branch next to the senior community where she lives. You know what? They have programs that aren't massively complicated and don't demand that every account backs up every other account. Her accounts don't have an online banking option. She has to physically go to the bank to move money between accounts which she loves to do that way. They have nice tellers that are very patient. There are Power of Attorney declarations in place so I or her executor can access the accounts if something happens to her. The big upside is that scammers would have a hard time getting her to go online to transfer money since it can't be done. If they claim they're me, my mum knows it's a lie. If I did need to borrow some money, she could go to the bank and make a transfer to my account. The same goes for my sisters.

      If there are programs for older bank customers, all of the faff they put younger people through is there to collect data or fees.

      1. Anonymous Coward
        Anonymous Coward

        Re: Way, way, way too much hassle

        Then the bank gets bought out and they close the local branch...

      2. Roland6 Silver badge

        Re: Way, way, way too much hassle

        Sounds like traditional, before telephone and Internet, banking...

      3. batfink Silver badge

        Re: Way, way, way too much hassle

        That's excellent MachDiamond. What country is that in?

    3. stiine Silver badge

      Re: Way, way, way too much hassle

      re: bicycles, buses, fire hydrants, traffic lights, boats, and bridges.

      It always takes me 8-16 tries to pass (fail...) captcha because I NEVER EVER click all of the correct images and ALWAYS click at least 2 incorrect images.

      When it was just words (and i was younger) i used to stay up all night on friday and saturday just solving captchas because if was fun and challenging, and in my mind advanced the preservation of ancient books.

      1. Anonymous Coward
        Anonymous Coward

        Re: Way, way, way too much hassle

        Captcha uses images from foreign countries and expects me to recognise objects that I have never seen before, like traffic lights in North Korea or America. It has a tool called Tic Tac Toe - why can't they name the game in English? And that original trick of theirs to display squiffy letters which I am meant to read - first find my spectacles, click to see the next sample, try again, Oh hell! off to another on-line supplier who doesn't want to put me through the hoop.

        1. doublelayer Silver badge

          Re: Way, way, way too much hassle

          The other problem with captchas is the set of users who don't appear to have a clue what they're for. They put them in weird places. I had one that required me to fill out a captcha on every login. Not even just logins from new places (that is also not a good use), but every single one. I think they viewed the captcha as a 2FA solution. That business lost me as soon as I could migrate my stuff off them.

    4. Ian Johnston Silver badge

      Re: Way, way, way too much hassle

      Second, Two factor authentication is ALWAYS a pain in the ass, and often as not doesn't work the first time you try to log in. Then there are the idiot cases. We just moved to France and discovered that at least two companies demand a North American phone number for 2FA.

      The Royal Bank of Scotland insists on using a text sent to my phone to validate transactions. The number in that text is valid for ten minutes. It takes me almost exactly ten minutes to drive to somewhere I have phone reception and back. My record is five trips to validate a single transaction.

  13. Big_Boomer

    Here we go again

    Every few months some idiot states the obvious, but still does not have a solution that works for most people. Yes, for us techies we can use password managers for the hundreds of passwords we need to manage the systems we work with, but John/Jane Doe does not want a password manager, or to have to remember 30 different passwords, or to have to enter a code sent to him/her after logging in. What they want is to login and do their work or order their pizza, or read Farcebook. Until a new authentication system is devised that is as easy as passwords, more secure than passwords, and practical, we will continue to use passwords and John/Jane Doe will continue to use the same passwords for just about everything they have to login to. Oh and can we please not see another one of these pointless articles for at least a year, unless they actually HAVE a workable solution to the problem?

  14. tiggity Silver badge

    Passwords are fine for me

    I'm not welded to a mobile phone (wrong generation & my phone is an old model) & live out in the sticks in an area with awful mobile reception so codes sent to a mobile are a pain.

    Fingerprints for security? Where's my gummy bears.

    ... A shout out to people with genetic quirk of no fingerprints...yes it is a thing.

    .. Plus biometrics may change over time - couple of one fingers missing a lot of print due to a bit of careless handling of a soldering iron that I thought was unplugged but turned out not to be! Burn scar was such that prints did not "regrow" - area remained smooth) .

    Age causes issues too, skin gets noticeably less elastic with age and so fingerprints, although "the same" can be more difficult to read due to those changes.

  15. Anonymous Coward
    Anonymous Coward

    Passwordless solutions are great, until the passwordless system is also compromised!

    Authentication remains a thorny problem with no particularly good solutions. Which is also why password managers aren't generally on corporate IT stacks.

  16. Ian Johnston Silver badge

    "However, in practice, especially looking at some of the data in our report, it's clear that bad password habits are still very much prevalent. Part of it is laziness. Another part of it is a sense of the average consumer of, 'Why would someone go to the trouble to target little or me? What's interesting about me?'"

    And another part of it is stupid password requirements: all the "at least one upper case, one lower case, one number, one symbol" crap which ensures that compliant passwords are so hard to remember that they will either be re-used or written on a post-it note on the monitor. Remarkably few sites will accept CorrectHorseBatteryStaple, despite its demonstrable security. Well, not CorrectHorseBatteryStaple, obviously, but passwords formed along the same lines.

    1. batfink Silver badge

      Plus you have to guess what the actual requirements are...

      1. Ian Johnston Silver badge

        Only yesterday I signed up to a website which helpfully popped up a list of their four requirements and ticked each one off in green as the password I entered met it. It was genuinely helpful, and I was impressed. Luckily the same password I use for everything else worked fine.

  17. Plest Silver badge

    2FA and one-time passwords

    Hate passwords but 2FA and one-time password tech is everywhere now, it's also free service within a lot of password management tools and apps on phones. seriously no reason new sites and services shouldn't have 2FA/one-time passwords in place as standard now.

    1. Roland6 Silver badge

      Re: 2FA and one-time passwords

      Bet the websites will still store the credentials in plain text on the web server...

  18. Allan George Dyer
    Pint

    There is a place for biometrics...

    but it is not for online authentication.

    The server trusts the client to truthfully report what it "saw", whether that is the finger on the fingerprint reader, or a face in front of the camera etc. An attacker has complete control over their own client, so they can introduce fake biometric data.

    icon - used glasses are a great source for fingerprints.

  19. Pirate Dave Silver badge
    Pirate

    Passport

    Wasn't this some of what Microsoft's "Passport" service was supposed to address 20 years ago? But it never caught on in a big way, although I'd guess it's what they use for Office365 now, so it does have some traction. None of us were fool enough to trust a maker of swiss cheese with our credential management, and laughed heartily at the thought. Plus, MS didn't (and still doesn't) need any more power in the IT world than what they already had, and putting them at the center of the Login universe just seemed like a Bad Idea(tm) all around. So I guess the question is - would we trust ANY single vendor to become the dominant player that the world relies on for authentication? Hell, for the "important" stuff, I don't even trust KeePass over the old bound ledger book I've got with all my passwords scribbled in ink.

  20. R.O.

    Passwords are only part of the problem

    Why do I need 2FA, a biometric ID or a machine generated random password to read an article on the internet?

    So many sites want you to have an account, not for security reasons, but to target and track you for ads and data mining.

    Any reform of the password paradigm needs and must have parallel reform of corporate and government hyper-manic tracking and surveillance of us targets.

    1. Charles 9 Silver badge
      Devil

      Re: Passwords are only part of the problem

      The only thing powerful enough to enforce such a scheme is one of the entities seeking the goods.

      IOW, good luck...

  21. Jim-234

    Perhaps maybe we could ask people to stop leaving the back doors to their systems open so the crooks can come in and harvest all the passwords?

    That's really the root of this, sure blame the users for re-using the same passwords sometimes, but why not crack down on those storing all the passwords a bit more. If they were doing their job most of this wouldn't be a problem.

    It appears the solution to corporate types loosing all the customers passwords is to trust another corporation to keep it all safe and it will be all better like because they are so much smarter than the users. Okay so what happens when the corporations that the other corporations make you use to get access happen to get hacked one day? My guess is they will blame it on the users again.

  22. Chris Evans

    When miscreants get a password file (like in the Bitly, Disqus,Gravatar,Kickstarter & TalkTalk hacks) and they have to use a brute force attack or similar do they get the password for just one customer at a time or every customer in one go?

    1. doublelayer Silver badge

      It depends what data is included. It's usually a database of all the users passwords, but if those passwords are hashed, they need to break each one independently. They get them one at a time, but since they have the cracking computer running all of them, they can get many done in a day if they're starting with the low-hanging fruit. If the company was stupid enough to store them in plaintext, then they get all of them without doing any work.

  23. CommonBloke
    Flame

    Cell phone auth

    I abhor the idea that I'm being forced to authenticate everything via a cell phone.

    That little POS is a lot more likely to suffer fall damage and become unusable or impossible to repair than any other electronic.

    If the cell phone doesn't have a biometric/fingerprint scan, I can't even use it.

    If the system "requires" a facial scan, that POS will fail and won't even say the reason.

    And, if that thing ever gets stolen, the only thing keeping the thief from immediately looking at my stuff and using my GoogleAuth or whatever is a 1FA password on the screen. What's next, gonna force me to 2FA whenever I want to unlock my phone?

    Meanwhile, some apps' "2FA" is a 6 digit pin that I set myself... In other words, a password, since the other part of the authentication is the hardware.

    So, when people complain that passwords aren't secure, the problem is that every stupid site forces me to make an account that is "at least 8 characters long, has 1 upper case, 1 lower case, 1 number and 1 special character". Oh, but not -any- special character, you can't use spaces! Or quotes! Or whatever they deem "non printable", so tough luck if you want to use a polish, swede or spanish specific character. Change your stupid database encoding and let me use them! Or, better yet, make the password "at least 16 characters long" without the upper/lower/number/special mix. Idiots will still use 123456789012345, but that's their problem, not mine.

    Besides, when databases get compromised, it's not MY fault my password gets exposed.

  24. Anonymous Coward
    Anonymous Coward

    Easy - all passwords apart from the reg should be Arse123!

  25. Charles 9 Silver badge

    I suppose the crux of the mattercis...how do you attest something you know...when your memory is so poor you practically know NOTHING?

    Everything else is basically the First Contact Problem...

  26. Neoc

    As someone previously said:

    "If my password is cracked, I can change my password. How do I change my fingerprints?" So far as I know, no-one has yet come up with a satisfying answer to that question.

    And for those young 'uns who think this is a hypothetical question, this has happened. https://www.theguardian.com/technology/2014/dec/30/hacker-fakes-german-ministers-fingerprints-using-photos-of-her-hands

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like