It’s been said in the Halls of HYPR that, since 2004, when Microsoft’s Bill Gates declared the traditional password dead because it fails to “meet the challenge” of securing data, we haven’t come nearly far enough in our passwordless journey. There has also been some ironic sidestepping along the way, illustrated by the fact that our passwords now have passwords.
How so? Legacy two-factor and multi-factor authentication (2FA/MFA) are akin to passwords because they, too, rely on shared secrets, but a clearer example is the password manager, which is generally unlocked with… yet another password.
Let’s be clear, I think password managers are pretty clever. They are a step ahead of the more common password security improvements because they automatically generate more complex character strings and rotate them. There are a number of reasons these products are useful and cool. Here are a few of them, along with some gentle misgivings we and others may have.
Password managers make all of our passwords available with just one password or passphrase.
This is a great feature. Want to access four dozen 36-character passwords that mainly consist of open braces, carets, and ampersands? Let me type in my favorite Depeche Mode lyric. Wrong password. Or maybe it was The Cure. Wrong, again. Now I’m locked out. Are you for real? I think I saved the rescue kit but did I keep the email or hide the PDF somewhere on my drive?
The Holy Grail of addressing password hassles: Password managers work on mobile!
Look at that, my vault is now also on my handy mobile. Although it competes with my mobile OS and browsers over who gets to create and manage my passwords, it’s still convenient. It’s helpful that I can use face recognition instead of typing that Radiohead lyric to open the vault. Or were they lyrics by Muse? I am now reliving the pain of fat-finger typing a long passphrase on mobile, complete with pop-up emoji and GIF keyboards. This can’t possibly be progress.
Password managers help us carry the solemn burden of passwords, storing them and making them available on all our devices.
These are the heroes we said we deserved or needed, but didn’t ask for. (Or, they’re Mando saving Baby Yoda from turning into a science project.) If they truly are The Dark Knight, they are always there when we send our signal up into the… cloud? Yes, these digital vaults are convenient, and the security they do provide is well-intentioned. Merely organizing what was a messy collection of closely similar passwords is helpful. But, since all of our credentials, bankcard data, loyalty numbers and, in some cases, 2FA details or rescue codes are stored at the service provider, they are exposed to attacks on that provider and on the one secret that unlocks them.
Password managers are a leap forward from sticky notes. They relieve people from remembering passwords as services demand more complex ones. However, they remain vulnerable to the same attacks that make passwords and other shared secrets unsafe for authentication. Password managers are a security Band-Aid, just as legacy 2FA, MFA and other technologies layered on top of passwords are. We love the features that try to address passwords’ poor usability, but even these hark back to the problem at hand: passwords, passphrases, typing them in on devices, and the like. This approach is not scalable from a security standpoint, and it’s certainly not user-friendly.
Ask us about having just one password to rule them all and we’ll say, let’s not. A little overzealous? Maybe. That being said, all of the things we love and dislike about passwords, incremental improvements to their security and their usability, do not make us want to see a manager. We want to see the whole landscape evolved to a truly passwordless