The end of passwords? Even Microsoft is trying to get there
The passwordless future is at our digital doorsteps.
In this edition
👎 Passwords suck, here is how to replace them
🖥️ Apple moves on from Intel chips
💬 Other tech & media news
Why passwords still exist and why that needs to change
If you are reading this newsletter, I am sure you know that the most common passwords in the last decade have been ‘qwerty’ and ‘password’. Now, some think only dumb people use those and the rest of us use password managers. Well, think again: if you use one, you are in a very small minority.
In 2016 Pew Research conducted a study in the US and asked Americans how they keep track of their passwords. The results were underwhelming:
When asked about different ways they might keep track of their online passwords, fully 86% of internet users report that they keep track of them in their heads. Indeed, 65% report that memorization is the method they rely on the most (or is the only method they use) to keep track of their passwords. Around half of online adults (49%) say they keep the passwords to at least some of their online accounts written down on a piece of paper – with 18% saying that this is the method they rely on most heavily. In total, just over eight-in-ten online adults (84%) say that they primarily keep track of their passwords by either memorizing them or writing them down.
Other approaches to password management are far less common. Roughly one-quarter (24%) of online adults keep track of their passwords in a digital note or document on one of their devices (6% say this is the approach they rely on most), while 18% say that they save them using the built-in password saving feature available in most modern browsers (with 2% saying they rely on this technique the most). Most experts agree that saving passwords in browsers is OK if the passwords are unique to each site, however they also agree that password management software outside the browser is preferable. Meanwhile, just 12% of online adults say that they ever use password management software to keep track of their passwords – and only 3% rely on this technique as their primary method for storing passwords.
18% use a built-in password manager in the browser (not great, not terrible), 12% have ever used a password manager, and only 3% use a password manager as a rule. So keep that in mind; we will come back to that.
A short history of passwords
According to The Conversation, passwords are first mentioned in literature in the Bible, and we also find one in the classic tale “Ali Baba and the Forty Thieves,” invented in the 18th century by the French Orientalist Antoine Galland. The password from the tale, the invocation “Open, Sesame!”, serves as a catchphrase today; in the tale, though, it was meant to open an invisible door in a mountain.
Here is the short history lesson:
Password security was introduced to computing in the Compatible Time-Sharing System and Unics (Unix) systems developed at the Massachusetts Institute of Technology and Bell Laboratories in the 1960s. Today we use passwords to restrict access to our personal computers and computing devices, and to access remote computing services of all kinds. But a password is not a physical barrier or obstacle, like a lock on a gate. Rather, it is a unit of text: that is to say, written language.
Poorly chosen and repeatedly used passwords are easy to guess, either through computational techniques or so-called social engineering (tricking someone into disclosing a password). Once it has been guessed, there isn’t much to prevent a password from being used for unauthorized purposes, at least until the theft is discovered.
Feels outdated and not really secure, right? Well, it’s the best thing we have and security experts have spent years telling people to use better passwords or ‘passphrases’ (A passphrase is a sequence of words or other text used to control access to a computer system, program or data. A passphrase is similar to a password in usage, but is generally longer for added security.).
Then came the password managers, which generate and remember your passwords and store them securely. Unfortunately, not many people use them, as the Pew Research study above showed.
Most people use what you would call poor or even bad passwords and use them everywhere.
In general, technology that makes our lives easier tends to win, and I do not mean only in digital. Passwords are ripe for disruption.
I mean, you hear that every time a security expert speaks - passwords are one of the weakest links in security if not the weakest for most.
Who is charting the path to a passwordless future?
Microsoft is probably the most serious among the big tech companies about eliminating passwords and replacing them with something more secure that is at the same time easy for users.
Microsoft actually published a long blog post explaining it:
At its core, our fundamental philosophy is simple: devalue the password, and replace it with something that eradicates its use for the end user and drains its value for an attacker.
Passwords have been a big part of our digital lives. To fully get rid of them, not only do we need to address all that is bad with them, we also need to acknowledge all that is good; they are familiar, portable, and can be used almost everywhere.
In an interview with Protocol, Microsoft’s chief internet security officer Bret Arsenault put it like this:
Arsenault thinks two-factor authentication was rolled out without as much thought about the user experience as he'd like. "We took our classic approach to solving it: We jam to fit down everyone's throat with those smart cards and smart card readers and everything else," Arsenault said. Two-factor authentication systems have also been shown to have their own security weaknesses, too. Ideally, authentication methods, such as biometrics, would become the norm for accessing corporate networks with personal devices, hopes Arsenault, because they create less friction for users, and they're far harder for criminals to surmount.
The key part is this: ‘ideally, authentication methods, such as biometrics, would become the norm’. This makes so much sense to me as well. Biometrics is something you always have on you: fingerprint, facial scan, retina scan…
[For those super eager to explore the underlying protocols of this - FIDO2 - here you will find it.]
Microsoft is not the only one concerned with flawed passwords. Google has also been working on making it easier for you to log in only once from your personal device and on decreasing the number of times it makes you log in again. The same goes for Facebook.
Security is a good business so it’s no surprise there are independent players trying to emerge and corner the market before one of the big tech companies does.
One such example is Beyond Identity. Co-founders behind the startup are Tom Jermoluk, the longtime Silicon Valley inventor and investor, and Jim Clark, Netscape co-founder. Their solution is based on tech they were working on at Netscape in the ‘90s.
Beyond Identity's big idea is to turn every person into their own Certificate Authority. (Here's a detailed explanation of what that means.) Basically, rather than send your password to some server that says "yep, that's David," your computer or phone can validate you to the whole internet.
It's the same cryptographic idea that lets websites securely communicate with each other, only instead of running on a server your certificate and private key live on your device. Back in the Netscape days, Jermoluk said, "we didn't really have the technology to figure out how to do certificates for individual users and extend that technology down. And so we punted and just had passwords."
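The idea in the passage quoted above (the private key stays on the device and the server only checks a signature), sketched as an added example that is not from this newsletter, Microsoft, FIDO2 or Beyond Identity: a minimal challenge-response login in Node.js. The names `enrollDevice`, `deviceSign`, `Server` and any origin strings are hypothetical, and Ed25519 is an assumed choice of signature scheme.

```javascript
// Added example (not from the newsletter): login with a device-held key.
// All names and origins here are hypothetical; Ed25519 is an assumed choice.
const nodeCrypto = require('crypto');

// Device: the key pair is created on the device; only publicKey is shared.
function enrollDevice() {
  return nodeCrypto.generateKeyPairSync('ed25519');
}

// What gets signed: the site origin plus the server's random nonce, so a
// response made for one site cannot be used at another (phishing resistance).
function signedData(origin, nonce) {
  return Buffer.concat([Buffer.from(origin + '\n', 'utf8'), nonce]);
}

// Device: runs after a local unlock (fingerprint, face, PIN; not modelled).
function deviceSign(privateKey, origin, nonce) {
  return nodeCrypto.sign(null, signedData(origin, nonce), privateKey);
}

// Server: stores public keys only, so a database leak exposes no login secret.
class Server {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key
    this.pending = new Map();    // user -> outstanding nonce
  }
  register(user, publicKey) {
    this.publicKeys.set(user, publicKey);
  }
  challenge(user) {
    const nonce = nodeCrypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, signature) {
    const nonce = this.pending.get(user);
    const key = this.publicKeys.get(user);
    this.pending.delete(user); // single use: a captured response cannot be replayed
    if (!nonce || !key) return false;
    return nodeCrypto.verify(null, signedData(this.origin, nonce), key, signature);
  }
}
```

Unlike a password, nothing the device sends is reusable: each signature is bound to one nonce and one origin, and the server never holds anything that would let someone else log in.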
🤔 Final thought: In the end, it will all depend on how successful the transformation will be. For example, on my iPhone I rarely type in the password, I just use FaceID, and I am sure it is somewhat similar for Android phones. Computers are a real pain.
And what about smart TVs? Do you remember the last time you set up a smart TV? I did recently, and it was such a pain typing all the passwords for the apps with that remote that I could not believe it. Yes, there should be a better, more user-friendly way.
At the moment we can choose: either you decide passwords suck and replace them as soon as possible (I mean, the CISO of Microsoft thinks so…), or you stick with the password and spend endless time explaining to users that they should be using passphrases instead, have a password manager and use different passwords for different accounts.
Well, good luck with that second one, I want my passwordless future asap.
In other news
FIRST, WATCH THESE TWO VIDEOS
✊🏿 ✊🏽 ✊🏾 The latest episode of the Last Week Tonight show by John Oliver on Police.
✊🏿 ✊🏽 ✊🏾 Chris Rock on “bad apples” among cops.
🖥️ Apple moves on from Intel chips. Apple plans to announce the move to its own Mac chips at WWDC (week of June 22nd). It will be using ARM-based chip technology (Arm Ltd. is part of Japanese tech conglomerate SoftBank). This marks a significant move by Apple, which announced using Intel chips in 2005 (famously introduced by Steve Jobs, btw podcasting in iTunes was announced at the same presentation). Inside Apple, tests of new Macs with the ARM-based chips have shown sizable improvements over Intel-powered versions, specifically in graphics performance and apps using artificial intelligence, sources told Bloomberg. Basically the whole deal means that developers will need to revamp their apps to work with the new ARM architecture. [Bloomberg]
Go deeper: Steven Sinofsky, the former president of the Windows Division, has some thoughts on the transition. [Here you can read the Twitter thread as a blog]
📱 Google released Android 11 Beta 1 for Pixel phones. There are a lot of updates: messaging notifications, the ability for message threads to pop out in bubbles, media controls, new screenshot features, permission changes, and more. Actually, being an iPhone user I quite envy the upcoming notification changes in Android; it makes so much sense to prioritize messaging. [The Verge]
🎧 Podcasters, go on YouTube. Tom Webster, SVP of Edison Research, says the popularity of Joe Rogan’s show is unmatched by far. He also points out that Spotify and YouTube are the biggest drivers in podcast listening. [I hear things]
In fact, two of the most important services for podcast consumption, and two of the fastest-growing services period, are YouTube and Spotify, which by definition do not actually count as podcast clients, but streaming services. And sure, it’s easy to get hung up on definitions about what is and isn’t a podcast, but my interest here is on your show, and I’m here to tell you that the most straightforward way to grow your show is to get it on YouTube.
😕 Top New York Times editor leaves after turmoil. James Bennet, the editorial page editor, resigned after an op-ed by Republican Senator Tom Cotton, "Send in the Troops," caused a revolt in the newsroom. After the op-ed was published, more than 800 NYT employees signed a letter denouncing the article's publication, saying it contained misinformation. The opinion section within the Times is actually separate from the newsroom run by editor-in-chief Dean Baquet, but maybe after this incident this will change a little bit. Bennet was considered a top candidate to replace Baquet in 2022. [BBC]
⚽ The future of sportswriting may depend on one publication. The Athletic was praised for bringing the pay-for-content attitude to local and national sports. It quickly gained almost one million subscribers, and then the pandemic happened. The startup seems to be in talks with future buyers. [Washington Post]
✈️ People are starting to travel. Airbnb is seeing an uptick in domestic travel, with more nights booked in the U.S. between May 17 and June 3 than it had in the same period last year. The company is seeing similar demand in Germany, Portugal, New Zealand, and South Korea. Airbnb had to cut 25% of its workforce due to the pandemic and global lockdowns. [Bloomberg]
🤗 This is genius. The Anyline Keyboard lets you scan text instead of typing. It functions like any normal keyboard, but with an extra scanning function, and it's particularly helpful when you need to grab voucher codes, serial numbers, or wifi passwords. And it’s free in both the App Store and Google Play. [Inside Business]
Here’s a thought which led me to set up davidtvrdon.com.