Authentication is a design problem and we keep giving the wrong answer to it.
Very few things on the internet have survived in their original form since its conception. Passwords are one of them.
Nobody likes passwords. We have learned to tolerate them as a “necessary inconvenience” of the digital age, and having to remember, type, forget or share our passwords with people is the price we pay for online security. But it shouldn’t necessarily be that way.
After nearly 30 years of existence in mainstream digital culture, research data and human experience demonstrate how badly passwords perform as a design solution. From a purely human usability perspective, passwords have become a frustrating, ineffective and unsophisticated method for accessing and protecting digital space. It’s time to free people from this burden. This is why:
Passwords (like phone numbers) were a practical idea when you had to remember a few of them. Today, a personal email address is associated with an average of 130 accounts, not to mention offline objects for which we have to remember secret codes (from devices and credit cards to digital door locks). These numbers have been growing as the internet, and technology in general, have become ever more present in our lives.
As with phone numbers, we quickly reached the point where it is impossible to manage this amount of information without external help. Hence browsers that remember your passwords for you, the “remember me” and “I forgot my password” buttons, and Password Managers. The very existence of the Password Manager market is a symptom of the problem while also being a solution for it. But the idea of storing all of your passwords in one basket protected by… a password (and having to pay for an app to remember things for you) is absurd. The question that needs to be asked is: do we really need so many passwords?
The human response to the problem of having hundreds of accounts is to use the same password for everything even though it goes against security best practices and guidelines. In fact, according to a survey by PasswordBoss, a staggering 59% of users reuse the same password. When companies became aware of this problem, they started imposing password strength constraints, forcing people to deal with multiple passwords, which takes us to the next problem.
Back in 2007, a large scale study by Microsoft on web password habits simply concluded that people have weak passwords and that they forget them, both of which are problems related to human cognitive abilities and not to technology.
An analysis by the UK’s National Cyber Security Centre (NCSC) of breached accounts found that “123456” and “123456789” were the most widely used passwords, while the rest of the top five were “qwerty”, “password” and “1111111”. Obviously, these passwords are easily guessable by low-tech algorithms, and hackers don’t need to make much effort to break into the majority of accounts. You can take a look at the list of breached passwords for yourself.
Coming up with strong passwords is not an easy task, considering that passwords are usually defined while the user is trying to do something else, like signing up to make a payment. This explains why people prefer to go with their usual, familiar passwords instead of making the effort of coming up with strong ones. Password managers allow users to create completely random and meaningless passwords and remember them for you; the price (and the strategy) is user dependence on the tool and losing control over your passwords. You have little choice anyway.
As the extensive PEW report on internet security found out, just 7% of people use Password Managers. For everyone else, password strength constraints have proven ineffective as hacking techniques become more sophisticated and outperform human imagination in coming up with enigmatic strings of characters. Making passwords complicated and hard to remember doesn’t work for people, which is why the National Institute of Standards and Technology (NIST) now recommends that complexity requirements and periodic password changes no longer be forced on users.
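To make the NIST guidance mentioned above concrete, here is an added example (written for this page, not code from NIST, the Pew report or the article) that puts the two approaches side by side: a classic composition-rule check of the kind NIST no longer recommends, and a policy that instead uses a minimum length plus a check against known-weak passwords. The denylist is a constructed sample built from the five NCSC entries quoted earlier; the `normalize` helper and the minimum length of 8 are this example’s own choices.

```python
"""Added example: composition rules versus a length-plus-denylist policy.

Not taken from the article or from NIST. The denylist is a constructed
sample containing the five entries quoted in the text; a real deployment
would load a full list of breached/common passwords instead.
"""

import re

# Constructed sample denylist: the NCSC top five quoted in the article.
WEAK_PASSWORDS = {"123456", "123456789", "qwerty", "password", "1111111"}

# Minimum length chosen for this example.
MIN_LENGTH = 8


def complexity_policy(pw: str) -> bool:
    """The classic rule set: 8+ characters with upper, lower, digit and symbol.

    This is the kind of requirement the text says NIST now advises against.
    Note that it happily accepts 'P@ssw0rd1!', a decorated dictionary word.
    """
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
        and re.search(r"[^A-Za-z0-9]", pw) is not None
    )


def normalize(pw: str) -> str:
    """Strip the decorations people add to satisfy complexity rules.

    Lowercases, removes a trailing run of digits/symbols (e.g. '2023', '1!'),
    then undoes a few common leet substitutions so that 'P@ssw0rd1!' is
    compared against 'password'. The substitution table is illustrative.
    """
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)  # drop trailing digits/symbols first
    leet = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})
    return s.translate(leet)


def nist_style_policy(pw: str) -> tuple[bool, str]:
    """Minimum length plus denylist; no composition rules, no expiry.

    Returns (accepted, reason). Both the raw lowercase form and the
    normalized form are checked, so trivial decorations do not bypass the list.
    """
    if len(pw) < MIN_LENGTH:
        return False, "too short"
    if pw.lower() in WEAK_PASSWORDS or normalize(pw) in WEAK_PASSWORDS:
        return False, "matches a known-weak password"
    return True, "ok"


def compare(pw: str) -> dict:
    """Run both policies on one candidate so the difference is visible."""
    accepted, reason = nist_style_policy(pw)
    return {
        "password": pw,
        "complexity_rules": complexity_policy(pw),
        "length_plus_denylist": accepted,
        "reason": reason,
    }


if __name__ == "__main__":
    # Constructed candidates: a decorated dictionary word, a plain passphrase,
    # and two entries straight from the denylist.
    for candidate in ["P@ssw0rd1!", "correct horse battery staple",
                      "123456789", "Qwerty2023"]:
        print(compare(candidate))
```

The contrast is the point: the composition rules accept the decorated dictionary word and reject the long passphrase, while the length-plus-denylist policy does the opposite, which is the behaviour the NIST guidance quoted above is aiming for.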
As Don Norman explains in his work (Living with Complexity, The Design of Everyday Things) one common solution for dealing with the limits of human memory is to put information in the world to use the world as information when we need it. This is especially applied to information that is needed in precise contexts, like road signs, exit signs, sticky notes, to-do lists, instructions on products, manuals, etc.
Putting your password in the world is the antithesis of security; nevertheless, according to this PEW report, against all security rationale, 49% of American users write down their passwords to keep track of them. One-quarter (24%) of online adults keep track of their passwords in a digital note or document on one of their devices.
This is not human carelessness but rather a sign that a solution has become a problem for users.
If we look at how people use the internet today (considering desktop and mobile usage patterns), it seems that password-protected authentication is stuck in the 90s:
- Passwords were also useful when most people accessed the internet from public spaces and/or shared computers at home. In those situations, logging in and out was a frequent and acceptable task. Today, most usage is on personal devices that are, or can be, protected by passwords.
- Mobile usage has surpassed desktop usage since 2016. In real life, once the user has unlocked their mobile device, they have access to apps and functions without the need for additional in-app authentication. Smartphones basically perform as password managers. Some apps even keep you authenticated after you delete them.
- Very few online services are used regularly: A study found that on smartphones, people use only 5 apps regularly. On desktop computers, people usually stay signed in on the websites they use regularly. Authentication happens in rare cases like when one uses a different device, changes browsers or deliberately logs out of a service.
- Most online services are used infrequently and user accounts are dormant. You are usually asked to enter your password for these services, but since you use them rarely, you tend to forget it.
All this means that people engage in the authentication process at a decreasing rate. In other words, we are typing our passwords less often, giving us fewer reasons to remember them.