Illustration: Jordan / Privacy Guides | Photo: Gowtham AGM / Unsplash
Passwords are irritateing, vulnerable to attack, and prone to human error. The multitude of publishs with passwords has cost millions of dollars and forced horrible prohibitd-aid solutions in how we deal with signing up for, logging in to, and securing online accounts. I’d appreciate to shatter down some of these schedule paradigms that have entrenched themselves in our inhabits and how passkeys can direct to more defended and stateiveial online accounts.
How did we get here?
Ancient Rome
Passwords are a astonishingly anciaccess concept, dating all the way back to outdated Rome. The outdated Roman historian Polybius in his Histories depicts how the Roman military would pass around a wooden tablet, or tessera, inscribed with a “watchword” that would apshow them to choose each other as cordial.
Prohibition
During Prohibition in the 1920s US, speakeasies, or stateiveial, unlicensed bars selling illegitimate liquor, would need a spoken password to get entry. The name comes from how quietly you had to say the password, so law enforcement didn’t overhear.
World War II
The US military procrastinateedr engaged countersigns, consisting of a contest and a password to choose allies. On D-Day, they engaged the contest “flash” and the password “thunder.” Thunder was engaged particularassociate becaengage it was difficult for Germans to pronounce, since the English “th” sound doesn’t exist in German. This is an example of a shibboleth, or a way of discerning groups of people based on cultural separateences.
1960’s
It wasn’t extfinished after the dawn of the electronic computer that a solution for genuineation was needed. Computers in the 1950s were pricey and catalogless, only able to deal with one problem at a time.
MIT’s Compatible Time Sharing System (CTSS), guideed by Fernando Corbató, aimed to settle this problem by apshowing multiple engagers to do toil at the same time, but they needed a way to genuineate particular engagers. “Putting a password on for each individual engager as a lock seemed appreciate a very straightforward solution” Corbató tanciaccess Wired in an intersee.
These passwords weren’t scheduleed to be very defended. Fred Schneider, a computer science professor at Cornell University, said in the same Wired article “nobody wanted to dedicate many machine resources to this genuineation stuff.”
Fernando Corbató with the CTSS | Photo: Computer History Mengageum
First Password Bachieve
The first password bachieve occurred not extfinished after in 1962, detailed in a pamphlet written to commemorate the CTSS.
Allan Scherr, a Ph.D. researcher at MIT, wanted more time for his detailed simulations. He knovel that the passwords were stored in a plaintext file, so he asked it to be printed offline and that was that: he now had everyone’s password and all the time he could ask for.
A procrastinateedr incident in 1966 saw all engagers’ passwords being printed at login due to the administrator accidenhighy swapping the master password file and the message of the day.
Early Atlures at Securing Passwords
Cltimely there was toil to be done on defendedly storing passwords. A paper from 1979 by Robert Morris and Ken Thompson of Bell Laboratories summarizes some needments to bolster the security of passwords on a UNIX system.
Hashing
One of which is the need for passwords to not be stored in plaintext on the system, instead recommfinishing storing a hash.
A hash is a one-way function: you give a certain input, and it spits out data that can’t be easily reversed back to the input, even understanding the algorithm that was engaged. But, given the same input, you’ll get the same output, apshowing you to contrast an inputted engager password to a stored one.
In order to originate it challenging to brute force, the hashing algorithm should be neutrassociate catalogless.
Password Requirements
They recommfinish certain needments on the password entry program such as the classic 6-character smallest password length to stop easily guessable passwords.
Salting
Password salting, a technique wherein a random string of characters is inserted to the finish of the engager’s password before hashing, gets a allude as well. This stops an attacker from spropose pre-computing many password hashes ahead of time, and also stops an attacker from understanding if the same password has been engaged on multiple systems fair from comparing the hashes.
These directlines would remain mostly unalterd for decades, save for betterd hashing and salting algorithms.
Unforeseen Consequences
What was originassociate a system scheduleed for a restricted people sharing a computer in an academic and research setting has somehow remained almost unalterd decades procrastinateedr.
Password Overload
Instead of reassembleing a one password for your computer, you now have potentiassociate hundreds of passwords for various online accounts. A recent survey by NordPass approximates that the mediocre person has around 168 personal accounts, with a proximately 70% incrrelieve in fair the last three years since the survey was apshown. This is an unthelp number of passwords for a human to reassemble, so we don’t.
Email Requirement
With the ever-conshort-term menace of engagers forgetting their passwords and therefore losing access to their account irrevocably, there needed to be a way to recover the account.
By the finish of the dotcom bubble, email was neutrassociate ubiquitous, so it made sense as a dropback way of genuineating. This had the inserted profit of giving companies a way of reach outing (read: spamming with ads) their customers.
While it’s challenging to say when it begined happening, startant websites appreciate eBay were requiring email insertresses on signup as far back as 1999. Amazon was doing it back in 2001. People I interseeed said that email-based signup was widespreadplace by the procrastinateed 90s.
And so the pwithdrawnt of requiring personal reach out adviseation to sign up for an account was born, at least partiassociate due to the lowcomings of passwords.
Terrible Security
Single Point of Failure
On top of the extra personal data now needd for each online account, email acts as a one-stop shop for attackers seeing to hack your accounts, either by getting into your email account itself or by sfinishing you convincing password reset emails that sfinish you to a deception page that sees exactly appreciate the authentic page.
With the advent of AI, deception attacks have only gotten affordableer and easier.
Laughably, we’re tanciaccess to “see for typos” or “fair experience out the vibes man” in order to deffinish agetst these attacks. What hope did we ever have?
This intersects a bit with how I skinnyk email is a horrible, outdated protocol that needs to be traded, but that’s a blog post for another day.
What’s trailed as a consequence of the tech industry’s refusal to alter to the security landscape is an unpwithdrawnted cybercrime industry, stealing an approximated $44.2 million in 2021 thcdisesteemful deception deceptions. These are people whose only contribution to society is draining magnificentma’s prohibitk account, and they’re absolutely raking it in.
Service Provider Negligence
But even if you do everyskinnyg right and never drop for a deception email, you can still be agreed due to the oversight of any one of the hundreds of service supplyrs you depend on. Passwords need to be stored on a server somewhere, and if a service supplyr doesn’t hash and salt them properly, a data bachieve will exit your account vulnerable.
Even if the service supplyr does everyskinnyg right in terms of storing the password (which you have absolutely no way of validateing), in the event of a data bachieve the attackers will still have a hash of your password to attack.
There’s typicassociate also a period between the server receiving your password from the encrypted HTTPS tunnel and storing it defendedly as a hash where it deal withs your password in plaintext in order to contrast it with what it has on file. Any vulnerabilities in the challengingware could be catastrophic.
If you skinnyk this sounds appreciate unstartant nitpicking, think about that in 2019, Facebook authenticized it had accidenhighy been storing hundreds of millions of engager passwords in plaintext.
Human Error
Even ignoring all of that, passwords depend on randomness to be defended, but they also depend on humans to originate them.
Humans are very horrible at generating random numbers. We’re so horrible at it that it’s possible to distinctly choose you based on your pattern of “random” numbers.
That doesn’t even matter though, since passwords, by requiring the engager to type them whenever they want to log in and requiring the engager to reassemble them, encourage smallest randomness and smallest length.
Most of us, even IT experts, reengage passwords becaengage we are so heavily incentivized to do so by how they fundamenhighy toil.
The strategy historicassociate has been to shame people for using horrible passwords whenever their account gets hacked, which has stoped us from seeing the fundamental publishs with the way we genuineate and instead making it every individual’s responsibility to somehow fight the incentives of the system they depend on.
Imagine if every time you joined to a website with HTTPS, you had to come up with your own encryption key. Would that be a defended system?
Band-aid Solutions
A widespread theme with passwords, and frankly many other skinnygs in the tech world, is stapling prohibitd-aid solutions on top of them to try and originate them fit a contransient engage case they were never unbenevolentt to serve.
Password Managers
Password deal withrs settle the publish of forgetting your passwords by acting as a defended repository for of all your passwords. You can even accessiblely have them autofill your adviseation for you on the login screen. They can originate sturdy passwords for you as well.
Single Point of Failure
Essentiassociate, password deal withrs try to delete the human error element of passwords. But in doing so, they start more attack surface: you now have a repository of all your login credentials accessiblely discoverd on your device, so if your device is agreed, all your accounts are also agreed.
So a engager with a password deal withr has to worry about passwords being guessed, potential agree of their email, or agree of their password deal withr.
Security isn’t Enforced
Not to allude that many of the defendions of a password deal withr are nonessential. A engager isn’t needd to originate defended passwords, many will fair persist using the same passwords they always have.
Poor Phishing Protection
Although some argue autofill defends agetst deception attacks, reassociate it doesn’t since as soon as it doesn’t autofill, a engager will spropose duplicate and paste their password into the field. A proper anti-deception mitigation would originate it proximately impossible to genuineate with the wrong website. Autofill can start its own set of vulnerabilities as well.
Salting and Hashing
Salting and hashing themselves I would think about prohibitd-aid solutions, as they were stapled on top of the existing system as security worrys grew. They depend a lot on the service supplyrs perestablishing them properly and even still there are gaps in security as I previously alludeed.
Two-Factor Authentication
Becaengage of the danger of agree with passwords, most websites perestablish some establish of two-factor genuineation.
Email 2FA
By far the most widespread is email 2FA, which on top of all the problems with using email as an genuineation method stated before, usuassociate only happens the first time you log in to a website on each device (until you evident your cookies that is).
SMS 2FA
SMS 2FA is also widespread. This method is vulnerable to SIM swap attacks in which an attacker tricks your carrier into swapping your phone number onto a novel SIM card under their administer. SMS is also finishly unencrypted, deficiencying even convey encryption.
The SS7 system underlying SMS is inherently vulnerable to interception. The idea of using SMS as a security tool is, frankly, giggleable.
OTP
That transports us to OTP or One Time Password. This 2FA method relies on two skinnygs: a scatterd secret between you and the website called a “seed”, and a “moving factor”.
The moving factor alters, apshowing you both to originate a transient password based on the seed that you need to type in on login.
There are two main approaches to OTP.
HOTP
Hash-based Message Authentication Code OTP, or HOTP, increments the moving factor each time you successfilledy log in.
TOTP
In Time-based OTP or TOTP, the moving factor is time. The originated passwords will be valid for only about 30 to 60 seconds. The amount of time they’re valid for is called a time step.
Of the two, TOTP is noveler and think abouted more defended since the passwords are constantly expiring.
Issues
While a massive step up from SMS 2FA in terms of both privacy and security, they’re still deficiencying in deception resistance.
If you are sent to a phony login screen and put in your HOTP or TOTP password, the attacker can spropose put that in to the authentic login screen. At least with TOTP there’s a somewhat restricted timestructure they can do it in, but these days deception operations are filledy automated, so it reassociate doesn’t matter.
Also since both you and the website are storing the same seed, any bachieve of either your device or the servers will exit you agreed. You could store your secret on a split device or on a split app on your phone, but this exits the danger of either not having your phone with you to log in to your accounts or losing your TOTP codes due to the file getting corrupted or a horrible refresh. Overall, OTP is better than SMS 2FA but still exits a lot to be desired.
Shoulder Surfing
Another oft-forgotten publish with passwords is that someone could fair watch you type it in and hack your account that way. Most password fields trade the characters in your password with stars or dots to combat this, but they usuassociate still give you the selection to show your password in plaintext anyway. The screen isn’t the only way you can leak your password either, someone filming or watching you type it in a keyboard or on your phone screen would have your password with little effort. A human doesn’t even need to be conshort-term, AI models can now toil out your password fair by engageing to you type it.
All of these are finisheavors, with varying success, at repairing the individual flaws with passwords rather than scheduleing a solution from the ground up with security in mind. They insert complicatedity, more steps in the process where either you or a service supplyr can screw someskinnyg up.
Passkeys: The Password Replacement
Passkeys are FIDO credentials tied to a particular app or website that let you sign in with the same method you engage to unlock your device, be that biometrics or a PIN.
As extfinished as you can reassemble your phone password, you can log in to your accounts. This frees you up to set a defended password on your device, since that’s the only password you’d need to reassemble.
You may have heard of passkeys from Apple or Google and supposed they’re some proprietary feature, but they’re based on FIDO standards and the word “passkey” is unbenevolentt to be a widespread noun appreciate “password,” not tied to any platestablish or company.
No Personal Info
You also won’t need to engage a engagername or email when logging in with passkeys, although currently most perestablishations still need it. Passkeys can filledy trade every aspect of logging in.
That unbenevolents no email to sfinish deception attacks to or hack, and no SMS to be SIM swapped.
Phishing Resistance
Passkeys function using accessible-key cryptography fair appreciate how HTTPS toils, so your stateiveial key isn’t stored on the service supplyr’s server, finishly eliminating data bachieve publishs with passwords. They were scheduleed from the ground up to be deception resistant and defended.
Privacy
Since a distinct key pair is originated for each account, you don’t have to worry about being identified between accounts either. Hopefilledy soon you won’t need to pay for that email aliasing service fair to not be tracked atraverse accounts.
Protection Agetst Losing Your Account
You can even originate multiple passkeys per account in case you leave out one somehow. Essentiassociate this trades the need for a recovery method; you can fair insert as many as you need, and they’ll be useable on all your devices anyway so losing your phone won’t lock you out of your account.
Anti-Shoulder Surfing
Passkeys fight shoulder surfing by apshowing you to engage biometrics on your device to sign in. Even in the event someone got your device password, they would still need the actual stateiveial key associated with your account, either thcdisesteemful physical ownion of your device or some other agree of your password deal withr. Since the stateiveial key stays in your ownion and is never sent anywhere unencrypted, the danger is minimal.
Fully Syncable
Passkeys can be synced atraverse devices and in the cdeafening as well, so you don’t have to worry about losing them. And they’ll be E2EE. Many password deal withrs help passkeys, including Apple’s and Google’s built-in ones, so you can probable begin using them right now.
Try It Out
You can test out passkeys at webauthn.io. Even if your passkeys aren’t synced to the device you’re currently using, you can still login via a QR code, apshowing your phone to act as a sort of wireless security key.
Barriers
The main barrier to passkey adselection currently is deficiency of help from websites and apps. They either don’t help passkeys at all, or still force you to sign up with a password, email, etc. with no way to delete them. I encourage you to reach out any website or apps that don’t have passkey help and ask it, with the ability to signup and login without ever setting a password.
