Passwords are dead, writes Steven Furnell FBCS of the Centre for Security, Communications and Network Research at the University of Plymouth. Numerous people have said so (just search for the phrase to see for yourself).

Okay, so passwords being dead is not actually true, but what can we expect in this era of fake news? Imagine for a moment that passwords were dead. What would they be remembered for? What would be their legacy if their oft predicted passing finally came to pass?

For many users, they would likely be thought of as the things that they were forced to have, but struggled to remember. Ironically, they could not remember the passwords themselves, but they would remember they were difficult to use. Meanwhile, in the cybersecurity community, few would mourn their passing. Passwords have hardly distinguished themselves when it comes to upholding protection and, in some cases, they have become a byword for vulnerability. They will be remembered as the things the users got wrong. And for those who see people as the weakest link in cybersecurity, passwords could be the archetype of why.

But, is it fair to blame passwords for the fact that we do not use them properly? Frankly, no. The technology has the potential to be used well, and it is not acceptable to simply blame the users either. Much of the responsibility rests with those offering passwords - or other forms of security - in the first place. If people are expected to use security, we cannot just assume that they already know how to do so.

The ongoing problem

Staying with passwords as our example, looking at them as a technology shows that very little has changed over the years. We have gone from physical keyboards to virtual on-screen ones, but the principle remains exactly the same. We increasingly see the option to combine passwords into two-step or two-factor authentication approaches, but the majority of people do not use them (they are not forced to, and so they choose the path of no effort).

Another aspect that has not changed is our tendency to use them very badly. For the best part of a decade, SplashData has been publishing a list of the ‘worst passwords’, based on those exposed from leaks and breaches1. And some very poor choices are regularly in the top ten, including ‘123456’, ‘password’ and ‘qwerty’. Each year, the findings are widely reported and there is often a tendency to blame or even ridicule the users. Here are a few examples from the reporting of the 2018 list:

  • ‘People are doing exactly what they’re not supposed to do.’2
  • ‘It seems the only criteria their password had to fill was “can my fingers reach it without my brain getting involved?”’3
  • ‘Some people never learn, painting a big target on their backs that the least competent hackers could hit with their eyes closed.’4

We are basically seeing the same sort of comments year after year. But why should we expect any difference from year to year? What has changed in terms of support? According to my own investigations, very little has in over ten years. Most websites offer no guidance and we have password meters that frequently give very misleading feedback.

I have been auditing guidance and feedback on leading sites every three to four years since 2007 – and a decade on, the picture is still poor. During the last assessment in 2018, only one of the ten sites offered upfront guidance on password selection at sign-up and most readily allowed weak passwords to be used5. Meanwhile, an assessment of password meter services found that weak passwords were readily rated as acceptable in various cases, while some meters also rejected credible passwords that were auto-generated by browsers or created by following the latest guidance6. In both cases, the user ends-up being misled rather than helped, being left with a false sense of security in one case, while being directed away from a suitable solution in the other.

Good practice is not a secret. It is known and even enshrined in standards. NIST’s digital identity guidelines are pretty clear on the need for users of ‘memorised secrets’ to receive guidance and meaningful, actionable feedback7. Nonetheless, many sites are blatantly non-compliant – and yet the main focus of attention has been users doing it wrong.

Would better guidance and support make a difference? In fact, yes. Some of our other research demonstrated that the mere provision of clear upfront guidance was able to reduce weak password choices by a third, with the provision of feedback then knocking it down further still 8. And this was without any enforcement of good practice.

In fact, the sites should not be accepting such poor passwords in the first place, when they could and should block them. But doing this alone still will not help people to learn why; we cannot simply brush this away and say ‘people won’t learn’ if we have not made any credible attempt to teach them.

The difficult lesson

This leads us to a fundamental question: when passwords finally are dead, will they be departing with us still having failed to learn the basic lessons about using them better? If so, it represents a double admission of failure - a failure to protect ourselves properly and a failure to accept the advice that might have improved matters.

Having conducted various studies on the subject and criticised the support that users receive, there is a risk of being mistaken for someone who is advocating passwords as good security. I am not. They are outdated and not fit for purpose in the wider context of how we use IT. We may be able to use passwords well on a couple of systems, but the fact is that we use so many devices and services that good practice just will not scale up.

That said, I suspect they will remain with us for some time to come, because they are easy to deploy, perceived as low cost, and (somewhat ironically) regarded as a technology that users are familiar with and can therefore use without the need for training. In addition, they will remain with us in legacy contexts even as newer systems mask them out or move toward alternatives.

But, to talk about the pros and cons of passwords themselves is to miss the point. Our experience with them is illustrative of our wider relationship with cyber security and how people are often left unsupported in understanding and using it. Unfortunately, the main thing that is often clear with cyber security is that users are not clear about it. It is not their natural perspective and if left to work it out for themselves, there is a high probability of users getting it wrong. However, if we cannot get it right with passwords - something that everyone uses personally and therefore has a stake in - what possible chance do we have with anything else?

And where else do we routinely see users failing with their cyber security? How about installing updates? Making backups? Data protection? Falling for phishing scams? Getting infected with malware? Unlike passwords, we are not going to be proclaiming that any of these are ‘dead’ any time soon; so, we ought to be doing something about them. Of course, some points are easier to support people with than others, but how often are we really doing anything more than dealing them some related technology and hoping that it does the job? If that is all we do, then we are basically left with the same problems that we could not shake with passwords:

  • the technology cannot do it all
  • we need the user on board
  • people will not buy-in if we do not help them to understand the what and why.

If we really want cyber security to be used effectively, it is time to join the dots and learn that one piece of the picture does not solve the puzzle. People need the tools and the support. Without it, we will continue to see entirely preventable failings leading to an ever-growing list of breaches. This is not just a lesson for those using security; it is a lesson for those wanting and needing it to be used. If they do not act, there is little chance of anyone else doing so either.