Why Usernames & Passwords Are A Thing Of The Past, And How To Cope With This

Joel Lee 31-08-2014

Passwords are a way of life now. It’s hard to imagine what the Internet would be like without any passwords, isn’t it? Yet, if we contemplated the idea of a password for even a moment, we’d realize that passwords just aren’t very secure. Indeed, most security experts already know this, yet here we are still using passwords. Why?


With every other hacked database and credit card scandal that occurs, it becomes more evident that we can’t rely on passwords for much longer. But if not passwords, what else is there?

Why We Started Using Passwords

The ancient Romans had a system of watchwords that were used to prove one’s identity and authority. By extension, watchwords were used to gain entry into secret locations or to gain access to private resources. Sounds a lot like modern passwords, right? These watchwords were changed as frequently as once per day and proved quite effective.

Eventually, watchwords evolved into passwords and counter-passwords, where a sentry would present a cryptic question or phrase and expect a predetermined response. Think of a modern website’s security question and you’ve got the right idea.


For example, in the Battle of Normandy, U.S. soldiers uttered “Flash” when encountering unknown groups out in the field. By replying with “Thunder,” soldiers could prove that they were truly allies rather than spies or imposters.


Computers have their roots in the military, so is it a surprise that we adopted the password mechanism for specialized access? We’ve made a few advancements – such as tying a password directly to a username for personal accounts – but the concept has been around for thousands of years.

Passwords: The One Huge Flaw

Passwords have served us well, there’s no doubt about that. However, they aren’t perfect. Not by a long shot. In fact, the concept of a password has one glaring flaw that can never be fixed: passwords are all or nothing.

We put a lot of effort into picking a strong password 13 Ways to Make Up Passwords That Are Secure and Memorable Want to know how to make up a secure password? These creative password ideas will help you create strong, memorable passwords. Read More and making sure that sensitive data is encrypted Not Just For Paranoids: 4 Reasons To Encrypt Your Digital Life Encryption isn’t only for paranoid conspiracy theorists, nor is it just for tech geeks. Encryption is something every computer user can benefit from. Tech websites write about how you can encrypt your digital life, but... Read More , but none of that matters once somebody knows the password itself. Once they have it, game’s over. In essence, password protection is security through obscurity, a security practice that’s universally lambasted as weak and ineffective.



What if we combined passwords with security questions? That seems to be the typical solution used by banks and other places that offer secure accounts, but if you think about it, security questions are just passwords in a different wrapper and suffer from the same issue of using obscurity for security.

That being said, there are plenty of other weaknesses to using passwords in the Internet age:

What Are the Available Alternatives?

Two-factor authentication What Is Two-Factor Authentication, And Why You Should Use It Two-factor authentication (2FA) is a security method that requires two different ways of proving your identity. It is commonly used in everyday life. For example paying with a credit card not only requires the card,... Read More is becoming more popular these days. Unlike the password + security question combo, which basically asks for two instances of the same kind of information, two-factor authentication requires two different kinds of identity proof, such as password + mobile phone.

And that’s the direction in which security needs to move. Because passwords are intangible, they can be compromised by knowledge alone. Having some sort of physical proof of identity is a stronger measure of security.



For example, USB drives can be turned into physical keys 7 Uses for a USB Stick You Didn't Know About You've used USB sticks to transport files between computers and back up files, but there is much more you can do with a USB stick. Read More . The practice isn’t widespread yet, but it seems like it could have many practical uses. What if USB security certificates were given out and used such that certain websites would only grant access while the USB drive was plugged in?

Biometrics – the use of human characteristics for access control – is another area that deserves more pursuit. One possible route would be to use a webcam snapshot as a password 3 Fun Tools to Get More Out of Your Webcam To be honest, I never understood the big fuss over webcams and video chatting. Sure, it’s nice to chat face to face every once in a while, especially when you haven’t seen your significant other... Read More through the magic of facial recognition. Other routes include fingerprints, iris scans, and voice recognition.



There is a critical drawback, however, and that’s the possibility of losing access due to disfiguration, amputation, laryngitis, or worse. There’s also the fact that authentication would need to be strict enough not to be fooled by imposters/photos/recordings, yet lenient enough to accommodate day-to-day fluctuations in appearance, voice, etc.

Lastly, some suggest using RFID chips or NFC devices in lieu of a password, allowing you to “swipe” your way through security; in other words, a glorified keycard. But these, too, have their drawbacks. RFID can be intercepted How RFID Can Be Hacked and What You Can Do to Stay Safe Hackers using RFID scanners can theoretically steal money via your phone's tap-to-pay app. Here's how to prevent RFID hacking. Read More and NFC devices are insecure Using NFC? 3 Security Risks To Be Aware Of NFC, which stands for near-field communication, is the next evolution and is already a core feature in some of the newer smartphone models like the Nexus 4 and Samsung Galaxy S4. But as with all... Read More .

So what’s the take away? Be sure to use strong passwords 6 Tips For Creating An Unbreakable Password That You Can Remember If your passwords are not unique and unbreakable, you might as well open the front door and invite the robbers in for lunch. Read More , maintain good security habits Change Your Bad Habits & Your Data Will Be More Secure Read More , and help educate others. Though we’re stuck using passwords for now, we wait eagerly for the day when passwords become old news.

What do you think? Do you embrace the use of passwords or would you rather we move away from them completely? What other alternatives are out there? Share with us in the comments below!

Image Credit: Password Field Via Shutterstock, Security Through Obscurity Via Shutterstock, USB Key Via Shutterstock, Iris Scan Via Shutterstock

Related topics: Online Security, Password.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Henare Howard
    October 11, 2018 at 9:44 pm

    Given that cybercrime has now become bigger than the global drug trade and no organisations in the world are impervious to hacking attacks the architecture behind accounts and passwords is now inherenty insecure. In my opinion we need a paradigmn shift from accounts and passwords to a verifieed entity. A person is not an acount but they may subscribe to many services, so the solution is to create a single online and offline identity (blockchain would be perfect for this) which can be trusted, unalterable and validated and used by everything from email providers, to banks, employers and financial institutions. As it is a global identity it could do away with the notion of accounts and passwords, passports and reduce the occurrence of fraud and increase equity / break down digital barriers if it was picked up globally by all governments and countries. It would however mean that people would struggle to be anonymous which would possibly lead to the creation of an underworld black market for identity creation/trade.

  2. mrs_potato
    May 27, 2017 at 9:20 am

    how about app messages like whatsapp, telegram, wechat, etc? can they also be retrieved from internal memory after factory-reset ?

  3. Milan
    April 9, 2017 at 9:22 am

    Thanks for the information, i will bookmark this site,when the time to sell my phone is come iwill visit again. :)

  4. Andrew
    September 10, 2014 at 6:39 pm

    I have a fingerprint scanner on my 10 + year old Toshiba that works 95% of the time to unlock the HD. I don't understand why that method with a user name is not used for web sites. Unless security is simple and useable it won't be used. You need good passwords for ordering the broccoli as the bank because you are probably using the same password. These occasional use accounts we have forgotten about are usually at places where it is easy to hack into. Then the crooks can go after your Bank accounts.
    Realistically chip and pin credit cards will stop a lot of this and severe penalties for firms being hacked . Tj Maxx we're sending CC info in the clear from branch to Headquarters. Recent penetrations have come from intense work into employee accounts to travel into the data centre of the company. Our data is jeopardized by companies too cheap or stupid to protect it

  5. David
    September 3, 2014 at 1:50 am

    There is just nothing that will as easily replace the password. Not everyone has a cell phone, so that's not universal. You can use biometrics, but not everyone has a good iris scanner or fingerprint reader. The most secure solution is probably a usb key, that you keep on a chain around your neck. You can keep your password list on there, and encrypt it with, of course, a password.

  6. J. Benjimin
    September 2, 2014 at 9:29 pm

    The only way I would think of using biometrics is as secondary authentication. Law enforcement can compel you to swipe a finger to unlock your phone, but they can't compel you to enter/reveal a password.

    • dragonmouth
      September 2, 2014 at 11:34 pm

      Yes, they can and they do.

  7. Kelsey T
    September 2, 2014 at 1:23 pm

    "For example, USB drives can be turned into physical keys. The practice isn’t widespread yet."

    Ummmm...I remember back in the 1980's reading advertisements in Computer Shopper magazine for dongles that plugged in the (I believe) parallel port on the back of a computer to prevent unauthorized access. Different codes could be programmed in with a line of DIP switches on the dongle.
    Where I work we have USB dongles on the back of each terminal which allows access to our inventory software, and we've had them about 10 years now.
    This isn't new's been around so long that I think people have forgotten about it. Kind of like when platform shoes and bell bottom jeans were "discovered to be cool" a few years ago. :D

  8. Buffet
    September 1, 2014 at 5:24 pm

    Unless it's my banking or credit card accounts, I couldn't possibly care less about secrecy!
    Why should I care if someone finds out what video I watched on You tube or what book I ordered from Amazon?
    If you ask me, it's gotten out of hand. Why should I have to have a username and password to a site I order broccoli sprouts from?

  9. DaveB
    September 1, 2014 at 1:48 pm

    Passwords are insecure as you mentioned. Biometrics can be flighty; they don't always work properly. Two factor authentication works better but is cumbersome and requires personal discipline. If someone has enough knowledge, motivation and resources, there are ways to gain access to information even if the computer system is not physically connected to the internet.
    Even if someone came up with a more secure way of preventing anyone from getting at information illegally, it would only be a matter of time before some genius came up with a way of getting around it.
    The best way to protect information today, (even though it is infallible), is to make it make it difficult, time consuming or costly enough for the hacker that it's not worth their time.

    - Regular, easy to remember passwords for information that you don't care whether it's made public,
    - Strong passwords for information that can cause harm but is easily deflected (think excess spam),
    - Very strong passwords for information that is not so easily deflected, (personal information, credit card information, etc.),
    - 2 factor authentication for information that can ruin you financially or cause you enough trouble or embarrassment to make you move to another city.

    Amrit K above is right. Protect information according to sensitivity.

  10. dragonmouth
    September 1, 2014 at 1:41 pm

    "two-factor authentication requires two different kinds of identity proof, such as password + mobile phone."
    There are still many people that do not have and/or do not wish to have a mobile phone. Therefore, no two factor authentication for them. What happens if you lose your phone or it malfunctions. No two factor authentication for you.

    " USB drives can be turned into physical keys"
    Didn't we have this with dongles several years back? It wasn't accepted then, what makes you think it will be accepted now?

    As Readandshare said, you can change your password easily but you cannot easily change your biometrics. Keyloggers were developed to capture key strokes. Something analoguous can be developed to capture biometric information. Retinal and fingerprint scans can be gamed by scanning the required body part of an unconscious or dead owner.

  11. Brian Tkatch
    September 1, 2014 at 8:12 am

    There are two ways to deal with threats: refusing and accepting.
    - Refusing can be further split into protection and deflection.
    - Accepting can split into not showing and always showing.

    Passwords and encryption are protection by refusing access.
    An example of deflection is a honeypot.
    Not showing (or storing) sensitive information is not always an option.
    Always showing is to show information in a way that is only useful to the intended.

    I believe this last method, always showing, can be the best method. Show information to anyone that asks, but in a way that is only obvious or understandable to the intended.

    • Joel L
      September 10, 2014 at 1:04 am

      So basically "hiding in plain sight" or something like that? Interesting idea! I'm going to have to look into that some more because I'm now intrigued. :)

    • Brian Tkatch
      September 10, 2014 at 1:54 am


      And i'm curious to see what you find. :)

  12. Olaf
    September 1, 2014 at 4:58 am


    concerning the actual use of passwords, I always recommend this:


  13. WoolyBully
    August 31, 2014 at 10:41 pm

    Unless the data servers are physically isolated then it's all still security by obscurity right?

    • Joel L
      September 10, 2014 at 1:03 am

      Yeah, at the root of it all, credentials must be stored somewhere and that storage could always be hacked. Solutions like two-factor authentication add an extra layer of security, so maybe that's the direction we should be looking?

  14. ReadandShare
    August 31, 2014 at 8:28 pm

    Biometrics has a second critical flaw not mentioned in this article. Be it fingerprints, iris scans, or voice recognition -- all are digitized and stored at host computers for logging-in authentication. And of course, we all know about systems being hacked and databases stolen!

    Right now, when user data are stolen, we are asked to change our passwords. But we can't easily change our fingerprints, iris shapes or voices!

    • Joel L
      September 10, 2014 at 1:01 am

      Ah, good point! Certainly tougher to crack than text but not impossible by any means. Is it possible to have access credentials that aren't stored anywhere? Seems impossible, but it'd be fascinating to see in action!

  15. Jamieg
    August 31, 2014 at 8:23 pm

    I really like 2 factor with my mobile phone. Now they need a good back up solution in case you lose your phone.

    • Daniel E
      September 1, 2014 at 1:14 pm

      You can ask Google to generate back-up codes, which you would then print out and keep in a safe place.

  16. Amrit K
    August 31, 2014 at 7:06 pm

    We always want simplicity when it comes to use no matter how complicated process is in the background.
    Evey tech has it's drawback.
    We don't just have to see quality of the security but also the fact that how economic it is.
    Biometrics are good choice but for something which deserves that kind of security NOT for our Facebook accounts.
    It's like replacing watchman or security guard with the United States Secret Service.
    So instead of implementing a common security system a security based on sensitivity of data should be implemented.

    Btw I always get confused between Joel Lee and Jackson Chung. ;)

    • Joel L
      September 10, 2014 at 12:59 am

      That's a good point. Top-notch security is only necessary for critical data, like bank accounts and such. Passwords are fine for mundane stuff. :)

  17. Zhong J
    August 31, 2014 at 4:57 pm

    You could also get an Q&A question such as certain info that others don't know. It's easier than remembering passwords.

    • Jamieg
      August 31, 2014 at 8:20 pm

      If the answer is stored on a server then that is still not secure..

    • Joel L
      September 10, 2014 at 12:58 am

      In many ways, that will probably be less secure than a password. However, a pass-sentence (a full sentence being used as a password) could be more secure than a password as the sheer volume would be harder to brute force.

      As Jamieg mentioned, all of these pass-related inputs still reside on the server and all it takes is one incidence of compromise to be rendered broken. :(