Gates predicts death of the password

Gates predicts death of the password

Summary: Bill Gates has said the days of the password are numbered because it is not used properly


During his keynote speech at the RSA Security conference in San Francisco on Tuesday, Microsoft's chairman Bill Gates predicted the demise of the traditional password because it cannot "meet the challenge" of keeping critical information secure.

His comments came at the same time that RSA said it had been working with Microsoft to develop a SecurID solution specifically for Windows. Both companies agreed there is a need to remove the vulnerabilities associated with employees using weak passwords.

SecurID is the best known two-factor authentication system and is used by many large enterprises. It generates a constantly changing sequence of numbers that the user has to type in alongside their normal password or a pin number. Creating a specific system for Windows should mean that rolling out strong authentication across an enterprise will be far easier and cheaper.

Gates said: "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."

However, Gates also admitted that Microsoft would not be using the SecurID system internally because it had opted for a smartcard-based system -- with the help of RSA. "Microsoft recently moved to a smartcard approach and a key partner in this was RSA," he said.

Microsoft also demonstrated its own "tamper resistant" biometric ID-card software that can be used by both small and large companies to create ID cards using a digital camera, an inkjet printer and a business-card scanner.

The tamper resistant ID-card software has been developed by Microsoft's research arm and was demonstrated during Gate's keynote. To create an ID card, the software requires a photograph and some basic information about the user, for example, name and date of birth. This information is put through an algorithm to create a digital signature in the form of a barcode, which is also printed onto the ID card. If any of the information on the ID card is altered, it will not correlate to the signature and the card is rejected.

Gavin Jancke, development manager at Microsoft Research, who demonstrated the product, said one of the key aspects of the system is that it does not require a database because all the information is already stored on the card: "The authenticity ID is stored in the printed information in the card itself. There are no user privacy issues because we know that what is stored on this card is stuff that they can actually see," he said.

Jancke said the system could also be used to store fingerprints or an eye scan: "This system is also extensible, so we can include other biometric information, such as iris or fingerprint. It will still maintain the same tamper resistancy on ordinary paper or plastic printed media," he said.


Topic: Operating Systems

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Gates predicts the death of the password, probably as successfully as he predicted the death of IBM, the success of tablet PCs and that 640KB would be enough memory for anything.

    This is probably a spoiler until MS come out with their own password replacement - maybe we will all need to phone Seattle to have our voiceprints verified?
  • 20 years ago there were systems around that were based on 10-15 "facts" - and would prompt on loggon for what could be "inferred" from these. The accuracy of this was astonishing, and far better than anything developed since.
    Where are these now?
    (People will soon find a way of faking everything from fingerprints to retinascans) - but a suprise question - and the capability to intercept in the middle of a session, trace usage pattern - is wanted back!
  • I think losing the password is stupid because if people want to put their information on the line with a weak password than it is their fault.