Experts: We're stuck with passwords – and maybe they're best

Late last year IBM reckoned biometrics would finally replace the password within the next five years. The prediction was part of a series that also speculated that the digital divide would cease to exist and that mind-reading technology would become a possibility. But, at least on the subject of passwords, new research from Microsoft's Cormac Herley and computer science professor Paul van Oorschot explains why, despite the tech industry's best attempts, this is not the case.

Herley and Van Oorschot say that because a succession of rival technologies going back over 20 years have failed to fulfil their potential – even password tech has not really improved during this time – memorising secret strings of characters is here to stay.

IBM Fellow and Speech CTO David Nahamoo said last year that: "Over the next five years, your unique biological identity and biometric data – facial definitions, iris scans, voice files, even your DNA – will become the key to safeguarding your personal identity and information and replace the current user ID and password system."

He predicted that biometric data will be used even to withdraw money as the technology becomes sophisticated enough to detect if a user is acting under duress. "Yes, we’ve all seen the thriller sci-fi movies where a person is forced by the villain to scan their eye or finger to unlock a door. But that’s fiction. In reality, ATM cameras using facial and iris recognition may be able to detect stress, pupil dilation, and changes in heart rate and breathing patterns to establish a confidence level that the user is not in danger."

However, in a joint paper, Microsoft's Herley and Van Oorschot, a computer science professor at Ottawa’s Carleton University, argue that passwords are here to stay because alternatives such as PKI and biometrics have come up short. They added that lessons had not been learned from these failures, and said that as a result, the industry has become stuck in a rut.

"Despite countless attempts and near-universal desire to replace them, passwords are more widely used and firmly entrenched than ever," they argue. "Our exploration of this leads us to argue that no silver bullet will meet all requirements, and not only will passwords be with us for some time, but in many instances they are the solution which best fits the scenario of use."

At least attempt to make passwords more efficient

They argue researchers need to revisit the subject of how to get passwords to work efficiently rather than assuming the approach is about to be written off as hopelessly flawed and unfixable. Passwords are here to stay, even though they certainly not appropriate in all cases, because "no other single technology matches their combination of cost, immediacy and convenience that many scenarios require". The researchers are, however, careful to note that there are many cases where passwords are not the best-fit.

"Passwords have proved themselves a worthy opponent: all who have attempted to replace them have failed," the two boffins conclude. "It is fair to say that little progress has been made in the last 20 years: usability has degraded significantly, while security has not improved. The reasons, we suggest, are widespread confusion about why we are trying to replace them, what is required of a replacement, and what improvement is expected once they are replaced."

Herley and van Oorschot's controversial paper, A Research Agenda Acknowledging the Persistence of Passwords, was published in the IEEE Security & Privacy Magazine and can be found here (PDF). ®