
Are we witnessing the death of the password?

HOSTS Alec Renehan & Sascha Kelly|17 July, 2023

“We look forward to a password-less future.” Those were the words of Apple’s VP of Internet Technologies, Darin Adler, at Apple’s Worldwide Developer Conference in June. Apple isn’t the only company planning for a password-less future. In fact, as far back as 2004, Bill Gates envisioned the death of the password. Yet, almost 20 years later, the password remains undefeated in internet security.

But when Apple sets its mind – and considerable resources – to something, it is often successful. So maybe now, finally, the password’s reign of tyranny may be coming to an end. Today Alec and Sascha discuss what a ‘password-less future’ looks like…  


In the spirit of reconciliation, Equity Mates Media and the hosts of The Dive acknowledge the Traditional Custodians of country throughout Australia and their connections to land, sea and community. We pay our respects to their elders past and present and extend that respect to all Aboriginal and Torres Strait Islander people today. 

*****

This podcast is intended for education and entertainment purposes. Any advice is general advice only, and has not taken into account your personal financial circumstances, needs or objectives. 

Before acting on general advice, you should consider if it is relevant to your needs and read the relevant Product Disclosure Statement. And if you are unsure, please speak to a financial professional. 

Equity Mates Media operates under Australian Financial Services Licence 540697.

The Dive is part of the Acast Creator Network.

Sascha: [00:00:02] Welcome to The Dive, the podcast that asks: whoever said business news has to be all business? I'm your host, Sascha Kelly. "We look forward to a password-less future." Those were the words of Apple's VP of Internet Technologies, Darin Adler, at Apple's Worldwide Developer Conference in June.

Audio Clip: [00:00:21] That's why we've helped create a next generation credential that's more secure, easier to use, and aims to replace passwords for good. 

Sascha: [00:00:29] Apple isn't the only company planning for a passwordless future. In fact, as far back as 2004, Bill Gates predicted the death of the password. Yet almost 20 years later, it remains undefeated in Internet security. But when Apple sets its mind and considerable resources to something, it's often successful. So maybe now, finally, the password's reign of tyranny might be coming to an end. It's Monday, the 17th of July. And today, I want to know what does a passwordless future look like? To talk about this today, I'm joined by my colleague here at Equity Mates, it's Alec Renehan. Alec, welcome to The Dive.

Alec: [00:01:10] Sascha, good to be here. This is an interesting one, not one that we expected to be talking about, passwords, but I promise you, passwords are interesting. And to make it interesting, I've got a few fun facts and a quiz question for you to start off the episode.

Sascha: [00:01:29] Yeah, because I thought usually I'd ask you, you know, something about a possible, but you can't really do that. On making fun of lots of people, can you?

Alec: [00:01:38] Yeah, well, most people have a common word as the root of their password. So what's your common word?

Sascha: [00:01:43] I am not telling you. Oh, no, that's stupid.

Alec: [00:01:45] I know what it is already. It's Taylor Swift. 

Sascha: [00:01:48] Oh, okay. Hit me with these facts. 

Alec: [00:01:50] So, a few fun password facts to begin. The average person has between 70 and 80 passwords, according to password manager NordPass. I didn't count mine, I'll be honest. Microsoft reports nearly 1287 password attacks every second, or about 111 million each day. Cybersecurity Ventures reports that 44 records are stolen from data breaches every second. I said those are fun. These are kind of just grim.

Sascha: [00:02:23] I know. I'm like, I don't have anything to say.

Alec: [00:02:26] All right, let's have fun facts. More interesting. In 2021 alone, over 24 billion login credentials were exposed, an increase of 65% compared to 2020. More than 80% of data breaches are the result of weak passwords. And on the theme of weak passwords, 51% of passwords are reused. 

Sascha: [00:02:52] I think we're all guilty of that. They're right. 

Alec: [00:02:54] 100%. Yeah. So I think those fun facts also frame the story, which is that cyber attacks are very common and are often driven by weak passwords. Passwords are a weak point in cybersecurity. And to illustrate just how weak, Sascha, I have a question for you. Do you know what the most common password is?

Sascha: [00:03:20] I think it must be like password one, two, three or something like that. 

Alec: [00:03:24] So I asked Simon and Alf in the office before jumping in the studio and they both guessed "password" as well. No one has "password" as the number one. Depending on the list you look at, it's as high as two, as low as five. The data set that I'm going to use is from the United Kingdom's National Cyber Security Centre. They compiled a list of the top 20 most common passwords from the 100 million passwords that were leaked in data breaches in 2019. So pretty robust data set. "Password" is number four on their list.

Sascha: [00:04:01] Okay. So what's number one then?

Alec: [00:04:03] I'll give you a hint. It's not even a word. 

Sascha: [00:04:05] Oh, is it one, two, three, four?

Alec: [00:04:07] Close. One, two, three, four, five, six is the most common. So across every list you look at, that's the most common, I guess, character limits. But yeah, one, two, three, four, five, six. Most common password. Some other prominently featured ones on those lists: abc123, 1111111, qwerty, password1. Surprisingly, number 14 on this list, iloveyou.

Sascha: [00:04:38] Who's writing that to that computer? 

Alec: [00:04:40] So I don't know. Another one that I've seen on a couple of lists is letmein.

Sascha: [00:04:46] Oh, okay. I don't know what that says about humanity.

Alec: [00:04:51] Well, it says that no one likes remembering passwords. 

Sascha: [00:04:54] Well, that's true. Yes. Well, for many people, the sheer number of passwords that need to be remembered is the really overwhelming thing. And they get around that in two ways. Either a password manager, like one pass, or I use LastPass, and "remember password" settings in your browser of choice. And Chrome has that, Safari, lots of different internet browsers. But this story about the death of the password, that's not what we're talking about here, is it?

Alec: [00:05:24] No. Apple and its tech peers want to end the password entirely. Because you know, the irony of your password manager, Sascha, is you still need to remember a password that is just a critical password. 

Sascha: [00:05:38] It's like the stakes are really, really high because I think I counted up once I have 120 different accounts. And yeah, obviously I'm not remembering 120 secure passwords. So yeah, I just know. 

Alec: [00:05:54] Because you use the same one every time. 

Sascha: [00:05:56] No, I have very good cyber hygiene. I'll have you know, I want that on there. That's good. 

Alec: [00:06:01] That's good. But no, these tech giants, Apple, Microsoft and Google are really leading the charge. They want to take human memory out of it entirely. They envisage a future where we have to remember zero passwords. 

Sascha: [00:06:17] Okay, so what has Apple announced then? 

Alec: [00:06:20] So Apple's latest software updates, iOS 17 and then macOS Sonoma, will automatically assign users unique passkeys tied to their Apple IDs. They can replace individual passwords in accounts across the Internet. Basically, every time we're asked to create a new account on a website or a platform or an app, Apple will give us the option to create a passkey instead, and then we'll be able to log in by using our biometric features, Touch ID like our fingerprint or Face ID, and this feature is going to be sent across all Apple devices.

Audio Clip: [00:07:01] Passwords may be a thing of the past with the widespread adoption of passkeys.

Audio Clip: [00:07:05] Passwords have been around for a long time. Strong passwords are difficult to remember. So many people don't bother creating strong passwords or they use the same password for everything. 

Sascha: [00:07:15] Alec, can I ask the stupid question? What's the difference between a password and a passkey? Like, is it just a rebranding with like, Oh, it's so different now.

Alec: [00:07:24] Yes. So this is the critical part of this story. We're moving from a password world to a passkey world. A password is a string of numbers and letters that authenticates a user and gives them access to a platform or a website. We're telling the website, I'm Alec Renehan and I'll prove it by putting in my secret string of numbers and letters. Yeah, a passkey is when the device that you're using authenticates us as a user based on our, generally based on our biometrics. Okay. And then shares that authentication with the platform or website. So the iPhone or our computer says, I know this is Alec Renehan because he's put his fingerprint on my fingerprint reader and I'm confirming that he should have access to Alec Renehan's account on Facebook or whatever platform you want to use.

Sascha: [00:08:17] So the difference between a card for your phone and Face ID.

Alec: [00:08:20] Exactly. Exactly. That's a perfect example of it. And it's a way to make all of our online lives a lot more secure because it's a lot harder to hack someone's face or finger, like it's a lot harder to hack the device's biometric reader than it is to guess or brute force or find out in some other way someone's password.

Sascha: [00:08:46] Hey, I've seen Mission Impossible. I know it's not completely impossible, but yeah, I do recognise it's harder.

Alec: [00:08:54] It's a lot harder for hackers to chop my finger off and put it on a computer than it is to guess my not so secure password, I think is the point. 

Sascha: [00:09:03] So is this just for Apple devices? Is this a way to lock more people into the ecosystem? 

Alec: [00:09:08] Yes. So interoperability is going to be a really important question when it comes to passkeys. Just on the Apple announcement, their passkeys will also be made available on non-Apple computers with the ability to scan a QR code on a website and then remotely unlock the account on internet browsers like Chrome or Edge. So what that means in practice, let's say you have an Apple iPhone and you've authenticated your passkey on the iPhone, and then you've got a laptop that's a Lenovo laptop, you'll be able to use your Apple device, an Apple passkey, to then authenticate yourself even on your Lenovo laptop.

Sascha: [00:09:48] And this isn't a new ambition for Apple. They've tried to do this before, haven't they? 

Alec: [00:09:53] Yeah, it's been part of a years-long quest for Apple and for other tech companies to reduce consumer reliance on passwords. And you mentioned Face IDs. The laptops now have fingerprint readers. They recognise that passwords are inherently insecure and a pretty clunky solution. Customers don't remember their passwords. It creates friction when you have to go forgot passwords and then you have to reset it into something else. It's a problem to be solved for Apple and these tech companies.

Sascha: [00:10:26] Yeah, and crucially, just then you said these tech companies, because zooming out, this isn't just Apple working on the death of the password.

Alec: [00:10:34] Yeah, that's right. Let me introduce you to the FIDO Alliance. Started in 2013, it is a coalition that includes some of the most influential tech companies, Apple, Amazon, Microsoft and Google.

Sascha: [00:10:47] What does FIDO stand for then, Alec? Because that's not an acronym.

Alec: [00:10:51] It is. It is for.

Sascha: [00:10:53] Identity. 

Alec: [00:10:54] Online. It's Fast Identity Online, FIDO, which is an acronym.

Sascha: [00:11:00] They could have gone with GAM, though. Google, Apple, Amazon and Microsoft, which could have been more fun.

Alec: [00:11:05] No, I think the alliance is more about what it's trying to do. That who is in a fair fight. So FIDO, the FIDO Alliance's stated mission is to develop and promote authentication standards that help reduce the world's overreliance on passwords. So they were founded in 2013 and they spent the last decade working on login systems that would kill the password once and for all. Last year, Microsoft, Apple and Google all signed up to the FIDO2 authentication standard created by the Alliance. And since then, all three of those tech giants have launched some iterations of sign-in with passkey on certain devices or platforms. They're mainly delivering it to developers at this point, which is why Apple announced it at the developer conference. Google have launched it to developers as well, with the intention that over time, hopefully more and more app and website developers will integrate sign in with passkey alongside sign in with your traditional password, and then eventually the password will fade into oblivion.

Sascha: [00:12:15] Now the important thing to understand though, is that these are device-centric IDs. Can you just explain what that means?

Alec: [00:12:23] Yes. So right now most of our authentication is platform or website based authentication. We go on Facebook.com and we authenticate ourselves on that platform. Passkeys change that a little bit. We are authenticating ourselves on the device that we're using to access the Internet or whatever else rather than on the website itself. So we'll be authenticating ourselves on our iPhone and then going to Facebook.com and the iPhone will be telling Facebook, "already authenticated, open it up". And what that will mean, Sascha, is once we've authenticated ourselves once on our iPhone, we'll have access to everything on our iPhone. We won't have to log into each individual app or anything like that. But it will mean that if we then go to a different device, we'll have to authenticate ourselves again. Sometimes if we're using the same browser on our computer and our phone, that login will carry over because Google will carry it across Chrome. But that won't work because it will be device-centric rather than platform-centric.

Sascha: [00:13:31] Okay, I can hear how this might be an improvement in many ways, but I think there's some more things there that I want to dig into. And of course, Alec, my worrywart brain is concerned about the security risks. So let's talk about that in just a minute. 

Audio Clip: [00:13:51] Smith. This was my password. I have lost my password. What's your password? Password. 

Sascha: [00:13:57] Welcome back to The Dive. Today, I'm joined by my colleague, Alec Renehan, and we are talking about the death of the password, not something that we thought we'd be talking about, but it's pretty fascinating what's happening in this space. But, Alec, this isn't the first time that someone's tried to do this to the password. 

Alec: [00:14:16] Yeah, that's right. Bill Gates predicted in 2004 that the password would slowly die. And there have been a number of different proposals in the years since. The University of Cambridge has looked back at two decades of proposals for alternatives to passwords and assessed them on deployability, how businesses and individuals could use them, set them up. And basically they found that every offered alternative did worse than the traditional password. Probably not worth going into all of them because none of them are going to exist in the new world of passkeys. But yeah, look, this has been a decades-long effort and the password to this point remains undefeated.

Sascha: [00:14:59] So you talked a little bit about what FIDO are proposing this time. Why do you think it's going to succeed where others have failed?

Alec: [00:15:07] Well, number one, because Apple, Microsoft and Google are putting their weight behind it. 

Sascha: [00:15:13] They're big giant like, you know, that's the Goliath of the tech world. 

Alec: [00:15:17] Yeah. Where they decide things together, the rest of the technology industry will often follow. But I think inherently passwords are a suboptimal solution for security. And the reason being is the burden is put on the user rather than the technology or the device. And we are the weak link in the chain, to put it bluntly, and as much as possible, if the device can be in charge of security, can be in charge of authenticating us and then managing that security, that is a better and more secure option.

Sascha: [00:15:56] The weak link in the chain. I mean, I don't want to name names in my own life, but I think we all know someone whose way of keeping their passwords safe makes you stressed just by saying, like, whether it's all written down in a little book or in their notes or it's all the same word, it's like you just go, Oh, you're just one step away from a massive identity hack. 

Alec: [00:16:17] Yeah, yeah, yeah. And that changes in a world of passkeys. In FIDO's passwordless world, we are the password. And yet because it is our face, it's our fingerprint. Over time, it might be our eye scan. And you can't steal the password if the password doesn't exist.

Sascha: [00:16:39] So Alec, we joked about the Mission Impossible style, like hacking off your finger before. I mean, joke is a strong word. It's not that funny, it actually happens. But are there still security risks? Like is there a genuine everyday threat that we should still be aware of?

Alec: [00:16:55] Yeah, there still are security risks short of fingers being chopped off. 

Sascha: [00:17:01] But how we got there, I don't know. You know. 

Alec: [00:17:05] I think the biggest one is, and there's a slight irony in all this, when you first need to set up your Apple ID, let's say you buy a new phone or a new computer, to set up your passkey with your face or your finger, you still need to put a password in to first log in to your Apple ID. So the death of the password may be a little premature or maybe a little overstated, if you need to put a password in to then set up your passwordless entry. And it doesn't completely eliminate security issues. There will still be ways to, I guess, spoof authentication. You know, say that a user has authenticated their finger or their face or whatever. There will always be security vulnerabilities. But I think the overwhelming consensus from the cybersecurity industry is it just massively raises the bar for hacking. It makes it a lot harder to get access to people's devices and people's platforms, and that is a good thing.

Sascha: [00:18:09] So I'm on board. I think this is a great idea. What is stopping this happening everywhere? 

Alec: [00:18:16] Yes, as I said earlier, Microsoft, Google and Apple have launched it to their developers. And developers have to embrace this as a solution because as much as those three companies own the platforms, in many cases, if they're authenticating our identity, but the websites or the apps that they're then communicating with don't take a passkey and still want a traditional password, then we still need to use a traditional password. So the big question will be how the websites and apps embrace this new. The other challenge is interoperability. You know, not everyone is just purely in Google's Android ecosystem or Apple's iOS ecosystem. And so there will be a bit of friction if people are, you know, using an Apple iPhone and then a Lenovo laptop, was the example I was using earlier, but it's not a massive point of friction. And that is kind of the reasoning behind the FIDO Alliance, to get these big technology companies to agree on standards and to make this technology interoperable. But, Sascha, one thing to leave you with, this isn't going to slow down the adoption of the passkey. In fact, if anything, it will speed it up. But here's a way that it's going to suck for us. It's going to make password sharing obsolete. You know, take Netflix, for example. They're trying to cut down on password sharing because that one person has an account and they pay for it and then they give the username and password to six people. If all of a sudden Netflix adopts this passkey standard, then each account is going to be tied to those like biometric authentication. So it will be like Sascha's account is authenticated with Sascha's face or Sascha's finger, not Sascha's password that she can give to everyone else. So it will slow down and eventually stop password sharing, which ironically will actually speed up its adoption, I imagine, because companies like Netflix and Disney are going to love it.

Sascha: [00:20:23] Yeah. So hypothetically, if I was in a group of family members who all shared passwords so that we paid for one streaming subscription each and didn't have to bear the brunt of four different ones, that might suddenly be a way of the dinosaur. 

Alec: [00:20:40] Yeah. Or if we were a small media start-up that sometimes had one login to an account that many of us used for whatever reason. That is going to become difficult as well.

Sascha: [00:20:54] Seems like a real shame for those hypothetical people who have that of. 

Alec: [00:21:00] Yeah. So I feel sorry for them, whoever they are. 

Sascha: [00:21:03] Yeah. Well, on that note, maybe I'll go think about the future of my internet use. We might leave it there for today. Look, if you're enjoying The Dive, get in touch with us. Links are owned by our tools, but you want us to look into next. And one small favour to ask from me and the rest of the team. And that is, please send this to a friend. Send it to someone who you think might enjoy it. Word of mouth is the best way for us to get in front of me. And we really, really appreciate you being ambassadors. Alec, thanks so much for joining me today.

Alec: [00:21:34] Thanks, Sascha. 

Sascha: [00:21:34] Until next time.


Meet your hosts

  • Alec Renehan

    Alec developed an interest in investing after realising he was spending all that he was earning. Investing became his form of 'forced saving'. While his first investment, Slater and Gordon (SGH), was a resounding failure, he learnt a lot from that experience. He hopes to share those lessons amongst others through the podcast and help people realise that if he can make money investing, anyone can.
  • Sascha Kelly

    When Sascha turned 18, she was given $500 of birthday money by her parents and told to invest it. She didn't. It sat in her bank account and did nothing until she was 25, when she finally bought a book on investing, spent 6 months researching, developing analysis paralysis, until she eventually pulled the trigger on a pretty boring LIC that's given her 11% average return in the years since.
