Passwords work on the simple premise that one way of proving your identity is by knowing a secret. There is a lot of talk about getting rid of passwords, moving to something like picture passwords, facial recognition, biometrics, or even getting a new Kinect sensor to verify that the person in front of the screen has the physical characteristics of the person that has access to the machine.
People don’t like passwords for a multitude of reasons including:
- Good passwords need to be complex, making them hard to remember. If they are hard to remember, people forget them and need to call the service desk to get them changed.
- Passwords need to be changed frequently to minimize the chance of someone other than the owner learning them. Changing them frequently makes them hard to remember. If they are hard to remember, people forget them and need to call the service desk to get them changed.
- That like any secret, a password can be learned by more than one person, making them less secure than other methods of proving identity, such as biometrics, which are much harder to fake.
While passwords are imperfect, the reason that they have stuck around so long, much like the QWERTY keyboard, is that for the most part they get the job done for a lower cost than other solutions. A “more perfect” solution, such as smart cards and biometrics does increase security, but for most organizations the cost benefit of increased security isn’t matched by the cost of increasing the security. Put another way, while it’s worth spending $500 dollars on a safe that protects $2000, it’s harder to justify spending $2000 on a safe that protects $500. In a high security organization smart cards and biometrics may make sense because the cost of someone gaining access that they shouldn’t get is so high. In most organizations the cost of someone gaining illegitimate access isn’t that high so the money spent on improving security could be better spent elsewhere.
The only thing that will replace passwords is a solution that costs the same and provides noticeably better security. Until that happens, things like fingerprint readers and smartcards will only be used by a minority of organizations