Passwords Are Dead

Joe McCann

Ask yourself this question: Is entering your username and password on your smartphone to log into your Facebook account a pleasant or annoying experience? The latter is typically the response from most people. I would agree.

Passwords Provide a Poor Experience

On a desktop computer, entering your password to log into any number of your accounts is as common an interaction as any; however, on what is effectively a 4.3-inch piece of flat glass, the experience is cumbersome, tedious and annoying.

Okay fine. I launch the Facebook app once, I enter my email address and my password and from then on I never have to enter it again...right?

Wrong. If someone sends you a link to an event that was registered on Facebook, when you tap on that link, your phone's web browser opens up and, guess what, you have to enter your username and password again.

In most cases, Facebook will plant a cookie in your web browser so you don't have to re-enter your username, effectively the "Remember Me" checkbox that we are so familiar with on the web.

However, it doesn't stop there. Have you ever been perusing your Twitter feed only to tap on a link that happens to be a Facebook link?

Guess what? Since the cookie that was planted in your browser isn't accessible inside your Twitter client (in my case, Tweetbot), you get to log in all over again.

This interaction is highly disruptive to the short attention spans of Twitter users and fails to embrace the "content snacking" routine that is common when one is browsing their Twitter feed. Frankly, this experience is broken across the board.

And this is not just on iOS. The same problem exists on Android.

Passwords Are Ineffective

How many times in the past couple of years have major (and minor) websites been hacked and had all or most of their users' passwords or other personal information exposed? Here's a quick list:

But the blame shouldn't solely be placed on these companies. Individuals are their own worst enemy as well.

Splashdata, a password management and online security company, recently released the top 10 worst passwords of 2012. These passwords are embarrassingly bad.

But creating strong passwords themselves isn't necessarily the solution either. It turns out that programmers have developed sophisticated algorithms to crack passwords in record time.

At the Passwords^12 Conference, Jeremi Gosney recently presented his latest custom-built password-cracking machine, which contained 25 GPUs, enabling him to crack MD5-hashed passwords at 180 billion attempts/second and the much more robust bcrypt-hashed passwords at a mere 71,000 attempts/second.
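To put those two rates in perspective, the following added example (not from the original post) computes the worst-case time to try every password of a given length at each rate, and the shortest length that keeps an exhaustive search beyond a target number of years. The alphabet sizes, the 8-character length and the 100-year target are assumptions chosen for illustration; the two rates are the figures quoted above.

```python
# Added example: worst-case exhaustive-search time at the two quoted rates.
MD5_RATE = 180_000_000_000    # attempts/second, figure quoted in the post
BCRYPT_RATE = 71_000          # attempts/second, figure quoted in the post
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed alphabets (illustrative, not from the post).
ALPHABETS = {"lowercase": 26, "alphanumeric": 62, "printable ASCII": 95}


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def exhaust_seconds(alphabet_size, length, rate):
    """Seconds needed to try the whole keyspace at `rate` attempts/second."""
    return keyspace(alphabet_size, length) / rate


def min_length(alphabet_size, rate, target_years):
    """Shortest length whose full search takes at least `target_years`."""
    target = target_years * SECONDS_PER_YEAR
    length = 1
    while exhaust_seconds(alphabet_size, length, rate) < target:
        length += 1
    return length


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", SECONDS_PER_YEAR), ("days", 86400),
             ("hours", 3600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2f} seconds"


def report(length=8, target_years=100):
    """One row per alphabet: search time and minimum safe length per hash."""
    rows = []
    for name, size in ALPHABETS.items():
        rows.append((name,
                     humanize(exhaust_seconds(size, length, MD5_RATE)),
                     humanize(exhaust_seconds(size, length, BCRYPT_RATE)),
                     min_length(size, MD5_RATE, target_years),
                     min_length(size, BCRYPT_RATE, target_years)))
    return rows


if __name__ == "__main__":
    for row in report():
        print("{:16} MD5: {:>16}  bcrypt: {:>20}  min len: {} / {}".format(*row))
```

The same 8-character password that falls in hours under MD5 holds for millennia under bcrypt at these rates, which is why the choice of hash on the server matters as much as the password itself.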

It gets worse (or better depending on your perspective). Every possible Windows password can be attempted in less than 6 hours.

So where do we go from here? Biometrics of course.

Biometrics Are The Future

With such a poor experience and arguably an ineffective solution for securely storing character-based passwords, hardware and software-based biometrics seem to be an obvious alternative.

Imagine if you could simply have Facebook "scan" your thumbprint to log you into your account? The screens of our smartphones, tablets and now PCs are already touch-enabled and are so sensitive that the granularity of a thumbprint wouldn't pose a real problem.

Imagine if the sound of your voice could confirm a purchase on Amazon? With Siri and Google Now, the behaviour of speaking into your phone is already here. Why not extend this to authentication?

Lest we forget televisions! Have you ever tried logging into your Netflix account with the Apple TV remote? An awful experience to say the least. What if the TV simply recognized your face and logged you in to your account instead?

With the growth in sensors, cloud-based computing (Siri doesn't work offline) and the issues surrounding passwords and authentication, it appears that the introduction of biometrics to smartphones, tablets, TVs, and PCs is inevitable.