The long and lingering death of passwords

By Steven Furnell, Professor of Cyber Security, University of Nottingham

Almost two decades ago, Bill Gates predicted the death of passwords during a talk at the RSA Security conference[i].  However, despite this, and despite having been proclaimed dead many times since then, passwords are still very much a part of our daily cybersecurity experience.  Indeed, the average user now estimated to have 100 passwords linked to the various accounts and services that they use – which is actually a 25% increase on the estimate back in 2019[ii].  So, far from dying, they have grown unabated and a technology that we don’t use effectively is still very firmly embedded in our IT culture.  Meanwhile, although some aspects of our password use may have changed (e.g. they may increasingly be supplemented by 2-Step Verification, or masked by biometrics), they are still there and they remain troublesome.  Compromised passwords are a route into systems, accounts and organisations, and they are often what our most prevalent cyber threat – phishing – is seeking to target.

Choosing and using passwords is a fundamental element of cyber hygiene.  If we look at The UK National Cyber Security Centre’s ‘Cyber Aware’ guidance[iii], it quickly becomes apparent that the key guidance is very password-focused, with advice to protect email accounts with strong passwords (based on three random words), to harden accounts using 2-Step Verification, and to save passwords in browsers or password managers to make them manageable.  However, the reality of password usage suggests that many still have difficulties in practice.  For example, only 70% of businesses and 55% of charities responding the UK’s Cyber Security Breaches Survey 2023 reported having a password policy that ensures users set strong passwords[iv].  Even though this is a majority in both cases, passwords are such a fundamental and long-standing area of vulnerability that one would hope to see the enforcement of strong passwords being a baseline that all organisations would meet.  In practice, the fact that 11% of organisations found themselves updating passwords as a response to their most disruptive breach suggests that they are still very much contributing to incidents.

The problems with passwords are long-established and do not appear to change over time.  Once of the most fundamental, that we make bad choices, is highlighted on an annual basis by NordPass’s publication of the 200 most common passwords[v].  The fact that the most recent list, from late 2022, is topped by the word ‘password’ paints a sorry picture – not just in the terms of users electing to choose it, but also of those permitting the choice to be made.  Indeed, although it is commonplace to find sites and services insisting that passwords be used, it is rather less typical to find their usage being supported by clear guidance and comprehensive enforcement of good practice[vi].  Indeed, despite weak passwords being a clear route to compromise, many leading websites continue to permit weak choices to be used.

Additionally, we even see variations in what ‘good practice’ is considered to be.  Back in mid-2017, NIST revised its Digital Identity Guidelines[vii] with two important changes to past practice:

  • Not to force automatic password expiry, and recognise that passwords should only be changed when there is a reason
  • Not to impose rules for complex passwords (i.e. requiring a mix of characters involving alphabetic, numeric and symbols), the basis being that length matters more in terms of delivering password strength and allows users to adopt passphrases.

Both changes were motivated on the grounds of usability.  Forcing users to change passwords for no reason increases the burden of creating and managing them.  Forcing complexity results in passwords that may be less easily memorable.  Both aspects increase the chances of passwords being written down.  However, over five years on from the release of the guidance, it is easy to find password systems that still firmly insist upon complexity and many organisations persist in requiring regular password change.

Returning to the Cyber Security Breaches Survey, only 37% of businesses (and 27% of charities) had introduced any form of Two-Factor Authentication (2FA) for networks/applications (i.e. leaving the vast majority to rely on passwords alone, and in many cases not ensuring they were strong passwords).  Although 2FA is something of an Elastoplast onto a bad approach (and also complicates the usability to a degree that some users find frustrating), it at least helps to ensure a more credible degree of security – which is after all what the password is meant to be providing.

The upshot of all this is that, while we have additional technologies that can strengthen or supplement passwords, and recent approaches such as Passkeys[viii] that may genuinely replace them in some contexts, the continued prevalence of passwords leaves quite a hill to climb.  We have had little success in getting people to understand and follow good practice by default, and there is little prospect of getting everyone onto 2-step verification unless they are forced to adopt it.  This means we still need to take ownership of the issue at individual and organisational levels.  If we want to ensure we are using passwords correctly, we have to know and follow the good practice.  If we want our users to do so, we need to ensure that we actively provide the support for them to do so, and not just assume that good practice has somehow been acquired elsewhere.  By introducing 2FA in the workplace, organisations can help users to accept it as normal (and expected) to adopt elsewhere.  At the same time, we need to be mindful that it represents a potentially unwelcome change, and so need to consider the usability of the implementation and help users through the transition as smoothly as possible.

There is little doubt that passwords will eventually die out. The availability of biometrics on many of our devices already means that we directly deal with them less often.  But the technology has a long tail, and so it will be some years yet before we can confidently carve the date of their passing onto a gravestone!

[i]     Kotadia,M. 2004. “Gates predicts death of the password”,  CNET, 25 February 2004. https://www.cnet.com/news/privacy/gates-predicts-death-of-the-password/

[ii]     Rowe, A. 2023. “Study Reveals Average Person Has 100 Passwords”,  tech.co, 21 March 2023. https://tech.co/password-managers/how-many-passwords-average-person

[iii]    NCSC. 2023. Cyber Aware. National Cyber Security Centre. https://www.ncsc.gov.uk/cyberaware/home

[iv]    DSIT. 2023. Cyber security breaches survey 2023. Official Statistics, Department for Science, Innovation & Technology, 19 April 2023. https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2023/cyber-security-breaches-survey-2023

[v]     NordPass. 2022. “Top 200 most common passwords”. November 2022. https://nordpass.com/most-common-passwords-list/

[vi]    Furnell, S. 2022. “Assessing website password practices – Unchanged after fifteen years?”, Computers & Security, https://doi.org/10.1016/j.cose.2022.102790.

[vii] NIST. 2017. Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management. https://doi.org/10.6028/NIST.SP.800-63b

[viii]   FIDO Alliance. 2023. Passkeys – Accelerating the Availability of Simpler, Stronger Passwordless Sign-Ins. https://fidoalliance.org/passkeys/

Hot Topics

Related Articles