Can we eliminate passwords, please?

Subramanian Lakshmanan Blog Leave a Comment

Share this Post

The funniest comment I ever read on the web was on an article about the Heartbleed bug,a high profile vulnerability in the OpenSSL library. It went something like this: “If someone can find my password, please let me know. I lost it a few months ago and can’t find it. Willing to pay for it”. On a serious note, soon after the news about the vulnerability came out, I went about changing all my passwords in about 15 sites. Some sites did not even have any sensitive data but then I realized I used the same user name and password as the other sites, with only slight variations. That’s the day all hell broke loose for me!

Before getting into the after-effect of having changed all passwords, I need to talk about my experience with just changing the passwords. These days, different sites have different requirements for a valid password. Some require at least one upper case letter, some require special characters and numbers, some do NOT take special characters, and some need to be minimum 8 characters. Sounds too familiar? By the time I create an acceptable password after a few unsuccessful attempts, I sometimes forget the password I just created! The time my brain hurts the most however is when I usually try to pay all my bills online end of the month in one sitting. Forget passwords (pun unintended), these days I cannot even remember my user names. On that note, creating user names is also becoming increasingly harder given that most user names are already taken. It really bothers me when I think about our future generations. Your great-grandson may be forced to take a user name like, for instance, “sjones2084March24-15hrs:26 mins:24.3819s-with_a_special_$”. What kind of password he will use? Can’t say for sure but he may need to rent a few gigabytes of storage from Amazon S3 to store his password!

The security gods at some of these places want us to change the passwords too, once every few months. And every time I change the password for one of my email accounts, I have to update the password for that account on multiple devices – my phone, tablet and my laptop.

Coming back to the hell after the day I changed all my passwords, I was forgetting and resetting on an average about 3 passwords a day! Thanks to the shift to cloud, it has become extremely easy at our startup to get started with all our IT and engineering needs. However, I still need to log in into each one of these services almost on a daily basis to use them, as I hate to leave browser sessions signed-in.

You would think resetting passwords is easy. It used to be. Put in your email, get a temporary password emailed to you, click on the link and reset it – there you go, right? Not really. You need to answer challenge questions now – some times one, sometimes more. On top of it, you need to solve the CAPTCHA puzzle – that little grid with funny looking or dancing letters and numbers that you are asked to type. My bank likes to challenge me frequently like this every time I log in from a new device or clear my browser cache. I get challenged so frequently now that I get a feeling they simply want to cut off my access and run away with my money! And what if you forget the answers to the challenge questions in the first place? Good luck!

After a couple of weeks, this username and password situation started affecting my overall productivity significantly. I just gave up managing this on individual sites and shamelessly followed what a friend of mine said he did. I wrote down all user names and passwords on Apple notes on my iPhone. To shed some light on my friend’s appalling situation, he manages approximately100 work-related accounts, and he maintains a spreadsheet of passwords that is encrypted with a master password that he remembers. Password managers somewhat help with this issue, but I’m not sure if they truly solve some of the fundamental problems with passwords, like frequently having to change them or phishing attacks.

I know some of you are already asking why not sign-in with Facebook or Google. Would you like to access your bank accounts or your HR site with Google or Facebook? Yes? Fair enough! I will write about my take on these solutions and the FIDO alliance another day. But even assuming that our species evolves to such an advanced state of using only one user name and password across the board, my question is, why even one? Why use passwords at all?

Given the deep connection between authentication and payments, it’s not surprising that passwords show up in payments too. It’s a well-known fact that any friction identified and eliminated in the checkout process will directly result in increase in revenues for e-commerce businesses. The PayPals and Amazons of the world have done a fabulous job replacing lengthy, hard-to-remember and sensitive credit card numbers with a user name and password. I’m sure their sticky user base will stay with them forever and thank them – hopefully no one steals their passwords pretending to be a merchant site accepting one of these payment methods. For the rest of us who are waiting in the side lines for a better solution, and for the next generation growing up thinking that the world would be a better place to live in, I dare to ask – can we just eliminate passwords?

How about password-less payments? That’s exactly what we do at Minkasu. We harness the power, convenience and security of a personal smartphone to facilitate password-less and pain-less mobile payments. I will be back with more about Minkasu soon.

Going back to the original topic on passwords, what do you think? Are you as frustrated as I am about it? I would love to hear your comments.

Leave a Reply