ᕕ( ᐛ )ᕗ Herman's blog

Passwords are fine

I've spent too much of my professional life trying to build a better means of authentication.

For a while I was fixated on Magic Links, then I built a few prototypes of authentication using a combination of token passing and TOTP. And finally, I built a storage-less password manager (another story for another day). When proposals for systems like WebAuthn or Apple Passkeys were published I got excited. To see the world move away from the dated and insecure email/password combo would have really made my day.

But after a while I lost my fervour. There was a lack of implementation of these strong password-less authentication methods across web-services and apps. There was no transition. Also, my opinions around authentication changed...somewhat.

I had an article pop up on my feed recently titled "WebAuthn is great and it sucks" which describes the problem succinctly. While the tech is great, the problem is that nothing supports these new-fangled methods of authentication. I've run into a few other problems as well:

  1. Multi-devicing for authentication is a poor user experience. Even having to go click a link in your mailbox sucks.
  2. People don't have their phone on them all the time (and some don't even have a smartphone).
  3. New users don't understand these methods of authentication.
  4. They're generally much more complicated to implement than a basic email/password combo.

As a side note, I'm not a fan of single sign-on using Twitter/Google/Facebook due to the inability to migrate to a different service if need be. If Twitter locks you out of your account you're locked out of all your connected services as well. This is a broader topic, but I just wanted to touch on it before continuing.

Passwords are simple and affordable. We were using them prior to computers ("Open sesame!") and their understandability transferred easily. "But wait!" you say. "Aren't passwords insecure and easy to compromise?". Well yes...if managed poorly.

Let's explore the common pitfalls of passwords:

  1. People can't remember passwords for their dozens of services.
  2. Due to #1 people tend to re-use passwords, which makes one compromised service a more wide-spread problem.
  3. People can have their passwords stolen (generally also due to #1 since they write them down or store them insecurely).
  4. Services can have their user's passwords stolen if not stored as a hash (this is a solved problem though, services need to do better).

Notice that all of these problems are solved by fairly simple password hygiene.

I personally have one obnoxiously long and complicated password for my password manager, but then all of my other passwords are random lengthly strings which are impossible to guess.

I don't ever see them.

The passwords also aren't re-used, which solves #2 and my login flow is a super convenient fingerprint scan on both my phone and my laptop. And if I have to manually enter my password on a different device (which is very rare) I can easily pull up my password on my password manager and type it in.

Not only does a good password manager make people safer, it makes logins much easier since you don't have to remember "which password I used for this service", then follow the "forgot password" flow.

I guess the point I'm trying to make here is that the problem with passwords is password hygiene, not with the method itself.

When ebola was wreaking havoc in Central Africa the most effective intervention was to implement a culture of hand-washing. The UN send healthcare workers out to cities, towns and villages armed with plastic basins and soap, but most importantly, knowledge. It was an effective intervention and the culture of hand-washing persists to this day.

Password hygiene is imperative for our digital world. Fact is that even if we create the perfect new authentication method, passwords will persist on the vast majority of services. If it ain't broke...

Finally, when sharing passwords, it is important to do so securely. Slack is not a secure channel for these kinds of things. I've written about this before and built out a completely free service to share passwords and API keys securely, but any good password manager should have similar functionality.

Recommendation time:

If you're an Apple user, then the built in Apple password manager is probably the best solution for you. It's close to perfect since it allows biometric authentication, syncs between your devices, and is well integrated into their products.

Alternatively, there are also a bunch of great apps that have similar functionality. 1Password is a good choice. So is Dashlane. There are others.

Good passwords combined with an authentication app for 2FA like Authy or Google Authenticator are great security. You'll probably never have an issue. On this note, SMS 2FA is bad. Not only are SIM-swap scams prevalent and fairly easy to execute, but it is also a fragile system and breaks easily ("Didn't receive the SMS? Click here to retry.").

On top of that, SMS isn't universal. My bank only supports SMS 2FA so while I'm travelling I'm effectively cut off from certain functionality. I hate it and have tried to change it, but banks move slowly.

It's important for us to get this right. If you have parents (or grandparents) who aren't particularly tech-savvy, sit them down for an afternoon and teach them about password hygiene. Let's create a better authentication culture. It will keep everyone safer.

Enjoyed the article? I write about 1-2 a month. Subscribe via email or RSS feed.