Microsoft and Apple are killing the password: Thumbs up to that

New technologies are moving us away from easy-to-guess passwords, but we still need to be careful about how we use fingerprints and other biometrics.
Written by Steve Ranger, Global News Director
Let me see if I can guess your password. 12345? Qwerty? How about abc123 or Dragon or trustno1 (yes, I see what you did there), or Master?

If I guessed right, then shame on you: all of those feature in the top 25 worst passwords -- along with plenty of other all-but-impossible-to-crack strokes of genius like 111111 and letmein (yes, I see what you did there, too).

Passwords: Decent ones are impossible to remember; easy ones are hardly worth having at all. Passwords: An alphanumeric-must-be-changed-monthly-with-no-repetition plague on all of our houses.

This is not a new problem, of course, and nor is it the first time that the death of passwords has been announced. Over a decade ago, Bill Gates was predicting the end of passwords, and yet millions still have a Post-It note stuck to their monitor with '1234567' written on it. And so passwords still leak, by the billion.

But this time around, could the end really be in sight for passwords? Microsoft has confirmed that it is working to kill off passwords in Windows 10, introducing a whole new set of options by adding support for the Fast IDentity Online (FIDO) standard.

That means you could be logging on with your face, voice, iris or fingerprint (or your dongle) depending on which method your organization chooses.

And it's not just on the desktop: similarly on the consumer side, Apple's Touch ID for the iPhone 5s, 6 and 6 Plus, and iPad Air 2 and Mini 3, replaces a passcode with a fingerprint. Samsung's flagship Galaxy S5 also has a fingerprint reader. While no technology is entirely secure, fingerprint readers have improved dramatically in recent years: Apple claims you would have to try 50,000 fingers to find a random match -- which it argues is much more secure than the one-in-10,000 chance of guessing a four-digit passcode. This week two UK banks announced that they will use Touch ID to allow customers to access their bank accounts.

It's a lot easier to forget a password than it is to forget your fingers or your eyes, and you can't write either of them down. That should help with some of the more boneheaded security lapses. Apple's system and the Microsoft-supported FIDO standard also have a different architecture from the old password-based model: rather than one central store of fingerprints or other biometrics, they are stored locally on the user's device, which makes it much harder for hackers to swoop in and bag millions of credentials as commonly happens now.
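The architectural difference described above, as an added example that is not from the article, Microsoft, Apple or the FIDO Alliance: a Go sketch of FIDO-style registration and login in which the device keeps the private key (unlocked by the local biometric) and the site stores only a public key, so a breach of the site's credential table yields nothing an attacker can log in with. The relying-party IDs, the `rpID|challenge` message layout and the 32-byte nonce are assumptions for illustration, not the FIDO wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator models the user's device: private keys (and the biometric that unlocks them) never leave it, one key pair per site.
type Authenticator struct{ keys map[string]ed25519.PrivateKey }
// RelyingParty models the server: its credential table holds public keys only, so a breach of it yields nothing usable for login.
type RelyingParty struct {
	ID   string
	pubs map[string]ed25519.PublicKey // keyed by username
}
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }
func NewRelyingParty(id string) *RelyingParty { return &RelyingParty{ID: id, pubs: map[string]ed25519.PublicKey{}} }

// Register mints a fresh key pair for this site and hands over only the public half.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.ID] = priv
	rp.pubs[user] = pub
	return nil
}

// message binds the challenge to the relying-party ID (assumed layout), so a response for one site cannot be replayed at another.
func message(rpID string, c []byte) []byte { return append([]byte(rpID+"|"), c...) }
// Challenge issues a fresh 32-byte nonce per login attempt, so an intercepted response is useless later.
func (rp *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign is the device's half of login; it answers only for sites it holds a key for.
func (a *Authenticator) Sign(rpID string, c []byte) []byte {
	if priv, ok := a.keys[rpID]; ok {
		return ed25519.Sign(priv, message(rpID, c))
	}
	return nil // ed25519.Verify rejects a nil signature
}

// Verify is the server's half: it checks the response with the stored public key.
func (rp *RelyingParty) Verify(user string, c, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ed25519.Verify(pub, message(rp.ID, c), sig)
}
```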

The move away from passwords certainly removes a horrid security vulnerability that we have been living with for decades. But we should still move cautiously when it comes to biometrics, for several reasons.

Passwords are mostly abstract (unless you're one of those fools who uses names of family or pets) and impersonal. Biometrics, by contrast, are deeply and definingly personal, and the uses to which they're put ought to be carefully monitored. The intelligence services' insatiable hunger for all kinds of data would make such information an irresistible target, for example.

In some ways, biometrics may be too perfect a way of proving our identity. For many services, a vaguer sense of identity is more appropriate: most people would be uncomfortable about an auction site or a once-visited online retailer having access to such intimate details. Online identity has often been ambiguous, fleeting and shifting for all sorts of reasons. Biometrics provide an absolute level of identity that must be used carefully.

Right now, part of the wonder is that on the internet still nobody knows if you are a dog. If we have to provide fingerprints -- or paw prints -- for every transaction, then some of that magic will be lost.

ZDNet's Monday Morning Opener is our opening salvo for the week in tech. As a global site, this editorial publishes on Monday at 8am AEST in Sydney, Australia, which is 6pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and the US.