
New security measures won't kill passwords anytime soon

With the iPhone 5S and its fingerprint scanner selling well, it is tempting to say that we may soon no longer have to remember a 4-digit PIN or 10-character phrase to access our devices or apps. But considering the well-publicized weaknesses of biometrics and the tried-and-true nature of passwords, it looks like we'll be using the old methods for a while longer — and with good reason.

Of course, many who dislike passwords also do so with good reason. Who wants to remember "Yank33*d00dle1979" and five or ten other variants to comply with various sites' rules and length requirements? And plenty of people don't even try, meaning the most common password is, of course, "password."

So it's no surprise that we would welcome a quick, easy security system like Apple's fingerprint reader (likely to come to other devices, from iPads to MacBooks, in time) as a breath of fresh air.

But is that really it for passwords? It doesn't seem likely.

"Personally, I don't think passwords are dead," said Corey Nachreiner, director of security strategy and research at the online security firm Watchguard, in an interview with NBC News. "No matter what method you have, biometrics, a password, a special piece of hardware, it's not infallible."

And when you get down to it, biometric security is really just a super-complicated password that you can't forget — nor, of course, can you pick it in the first place or change it if someone gets hold of it.

Many high-profile hacks expose usernames and passwords stored improperly by online services. Such a hack could reveal biometric data as well, and once your fingerprint (or retina, or DNA sequence) is out there, that's that.

Furthermore, as the recent NSA leaks have shown us, security is as much about trust as it is about good encryption. A fingerprint, retinal scan and special security dongle mean nothing if the company holding your data isn't secure — or gives up your data without a fight.

"Is it possible to extract and obtain fingerprint data from an iPhone?" asked Sen. Al Franken, D-Minn., in a letter to Apple (PDF). He wants the company to make absolutely clear how and where the newly collected biometric information is kept and transmitted. Another key (and as yet unanswered) question from Franken: "Does Apple have any plans to allow any third party applications access to the Touch ID system or its fingerprint data?"

Those potential menaces are significant, but out of the user's hands. If the object is to prevent a phone's unauthorized use by thieves, co-workers and jealous exes, simple alphanumeric passwords still have several advantages over a biometric one like a fingerprint:

  • They can easily be made device or site specific, keeping security breaches in one area from leaking to others
  • They can be shared with others simply and easily
  • They require no special hardware or software
  • They are well-understood and already implemented all over the world
  • They can be as long or short — and as simple or complex — as the situation demands

Such advantages are not to be underestimated as digital devices become more ubiquitous. We could discuss the merits and shortcomings of individual systems all day long, but the real question is how to use them together.

"We should be talking more about having multiple factors and making those factors easier for people to use," said Nachreiner. "Passwords aren't perfect, fingerprints aren't perfect, but together they're pretty strong."

Image caption: Apple was actually one of the later big tech companies to adopt two-factor authentication. (Credit: Apple)

Indeed, the most effective new form of security is what's called "two-factor authentication." It's a fancy way to say that a website or service is making sure you're you not just by checking something that you know (a password), but also something that you have (like your phone, which will also be contacted). A thief may steal your phone, or may acquire your username and password, but it's very unlikely that they'll get both.

A password is the best and simplest option for the "something you know" part of the equation. And a fingerprint or other biometric factor is a great choice for "something you have" — instead of a phone or dongle you could easily lose or have stolen.

In the end, what's happening is that the password is becoming just one of many security systems that keep our data safe. Biometrics will add an unobtrusive second measure to the average login, but security-conscious people will likely want to use passwords as well. (Password management software helps keep your many accounts in line.)

It's important to note, however, that security is and always will be a work in progress as long as there are bad folks out there trying to get at your data. "Unless you unplug yourself from the Internet," concluded Nachreiner, "nothing is perfect."

Devin Coldewey is a contributing writer for NBC News Digital. His personal website is coldewey.cc.