Google and others try to get rid of the password. But why?

Google is the latest to join the wave of companies trying to eliminate the need for passwords. By using context-aware settings, password managers, biometrics, and two-step verification, we may no longer need a barrier to access our accounts.

Passwords may be inherently flawed. With an insecure passphrase, it's easy for attackers to gain access to an account. So how do we improve authentication?

Illustration by Jake Turcotte/The Christian Science Monitor

June 12, 2015

Disdain for the password is not new. At best, they’re inconvenient. At worst, they’re insecure and compromise sensitive information. So it’s no wonder that software companies and computer scientists have been trying to kill the password for several years.

But passwords are ubiquitous and changing that system is going to be difficult for one main reason: companies are struggling with how to remove the inconvenience of passwords while maintaining security. Congruently, they're wondering how we can increase security without being inconvenient to the user.

Google says it has figured out the balance. This May at Google I/O, the Internet giant’s annual developers conference in San Francisco, the company unveiled a feature for Android-based devices known as Smart Lock.

Ukraine’s Pokrovsk was about to fall to Russia 2 months ago. It’s hanging on.

This system would work with Google’s context-aware tools to use alternative measures of user identification. Instead of you needing to memorize several extended strings of characters, your apps can confirm your identity through a number of biometric, location-based, or two-step verification factors. Google advertises Smart Lock as being currently able to work with voice recognition, geospatial sensing, and proximity of Android Wear or other devices owned by the user.

In essence, if you’re logged into your phone and using it, your nearby computer can confirm your presence.

Android users can adjust what they deem to be a “safe location” to unlock devices, as well as the other metrics and information they’d like Smart Lock to use.

In addition to its secondary identification features, Smart Lock would build off Chrome’s existing password storage system and integrate it with Android devices. This password management system would allow users with Chromebooks or devices running Android M – Android’s new operating system – to store device passwords to access on other devices they own. Users can also access their passwords through their Google account’s Web interface, though some are skeptical about that method’s security, especially after previous flaws in Chrome’s password storage system.

Google’s push toward eliminating the password comes in tow with other companies and services doing the same. Microsoft is highlighting biometric capabilities to replace passwords in Windows 10, and Apple has worked on augmenting password security with TouchID, not to mention the company's push toward full encryption. In addition to the tech giants, smaller companies such as LastPass and 1Password have been trying to solve the problem of the password for years.

Howard University hoped to make history. Now it’s ready for a different role.

And there’s a reason companies are getting rid of passwords: they’re difficult. Many see them as cumbersome trivia and others see them as antiquated security measures that have become either unnecessary or dangerous.

Let’s focus on the security side of passwords. Passwords themselves, despite the cultural connotation, are not intrinsically a gateway for security, but rather a reinforcement of relative identity. Proper authorization practices are part of security, but there is a distinction. Passive protectors, such as passwords, work not by securing the data, but by requiring that only those with the key can enter. Like the concierge at an apartment building, their job is to ensure that no one unauthorized gets into the building, not that all your stuff is safe.

The two usually complement each other, but if someone tricks the guard...

What would people need to know to pass as a relative, significant other, or old friend to gain access to your apartment? Would they need things such as your dog’s name or the street where you grew up? Or could they just get by with your mother’s maiden name or favorite sports team and birthday? Could they find this information online or by talking with you for a few minutes?

The problem with conventional passwords is that they’re easy to guess, and not just by people. Password security has changed, and there are many reasons why a password wouldn’t be secure: length, character diversity, or even just having real words. The most secure passwords are those that a computer wouldn’t be able to guess.

But as computers have become better at – well – computing, the optimal password has gotten more complex. In order to really beat the bots, your password is going to have to be long, and include a random assortment of letters, numbers, and symbols, and even then, it might not be safer.

Even if your password is completely “secure” on its own, it becomes insecure if you use it for everything. All you need is one breach in a database that poorly stores passwords, and you could lose your information across other platforms. So in addition to that one 40-character random password that you have to memorize, you’ll need to memorize 10 more just to make sure your bank account, e-mail, and credit cards are secure. So you’re “secure,” but in a very difficult way.

Information security is difficult to manage for consumers. It’s challenging to balance convenience and ease with security. Though something can be mathematically secure, it can come at the cost of being unusable for many people.

That’s why password management systems such as LastPass and others have been trying to do the work for the consumer. Password managers take the trouble away from the user, and can even give you auto-generated, hyper-secure passwords for accounts, which Google’s Smart Lock as of yet cannot. But the industry is still building and the issue of the secure, convenient password is still trying to be answered.

There is skepticism about the merits of password management systems. Some worry that the centralization of passwords makes them easier targets for malicious actors, and that many password managers are just “not secure.” To opponents of the system, they create a critical risk and don’t address many of the problems passwords pose.

But for a growing number of security experts and consumers, password managers are a way to keep the user secure in an easy way. Cybersecurity expert, cryptographer, and privacy advocate Bruce Schneier believes that password managers are a good option for consumers, but also notes that it’s interesting that so few have researched “the security problems of things that are supposed to increase security.” Password managers have their flaws and, to Mr. Schneier, it’s important that they be reflexively secure if users are going to trust them.

Though there is debate about the tools to use, the growing consensus is that passwords are on their way out. Even the White House wants to try something else. With biometrics, two-step verification, and password managers, there are a lot of ways that people can protect their security and kill the password. But so many methods may mean more complexity for the consumer, not to mention privacy concerns.

Google is not the first to try its hand at solutions for the password, and it won’t be the last. The industry is rapidly pushing to make security and privacy easy for consumers, and one of the biggest obstacles in its way is the password.