Discussion about
dave

Is the password *really* dying? And is it really an inconvenience?



Christopher Mims of the Wall Street Journal believes that the password is dying. Thanks to things like two-factor authentication, he's so confident in how irrelevant passwords have become, that he's sharing the password to his Twitter account:

The password to my Twitter account, which has been mine since 2007 and through which I have published more than 51,000 tweets, is "christophermims." Knowing that won't help you hack it, however. In fact, I'm publishing my password to make a point: The password is finally dying, if we want it to.

It'll be fun to see if anything happens to @mims on Twitter in the next few days!

That said, two-factor authentication is an especially important feature that helps make our most valuable accounts a bit more secure. Obviously, nothing is 100% foolproof, but hey! I'm happy to do whatever I can to try and lock things down.

Despite how much I like two-factor authentication, I don't necessarily agree with Mims -- I don't think I'd give out my password at all. I think it's kind of a frightening thing. The whole method relies on the fact that it's a two-step process, both of which are equally important:
  1. Knowledge factor: This is your standard password that you type in and proves that you at least may be who you are.
  2. Possession factor: A second step that verifies who you actually are based on having an authenticated device in your possession.
Sound confusing? It kind of is -- I don't think it's something my parents or grandparents would want to setup!

Anyway, what are your thoughts on Christopher Mims post? Is two-factor auth enough? Would you feel comfortable enough giving your password out? Is he crazy? Or am I crazy?

By the way, here are a list of sites that support two-factor auth: twofactorauth.org/

Via: online.wsj.com­/articles­/the­-password­-is­-finally­-dy...
Google link to jump paywall: https:­/­/www.google.com­/­?gws­_rd­=ssl­#q­=http:%2F%2Fon...

sort by

9 replies
Dignan17

OK, I must be really confused. I drew the same conclusion, Dave. He seems to be following this string of logic:
  1. two-factor authentication is the best
  2. but passwords suck
  3. so lets get rid of passwords
  4. and just use devices
  5. ...which is one-factor authentication...
3 like dislike
frankspin

What bothers me with relying solely on two-factor is if you ever lose your phone or have it break, you're a bit screwed until you can get it going again. This is a big reason I moved away from relying on the Google Auth app, and switched over entirely to SMS tokens. I had a phone break on me and getting into my accounts was a nightmare until I could get the auth app working again.
0 like dislike
Dignan17

That isn't a complaint about two-factor authentication. Google Auth and SMS are both examples of the second factor of two-factor authentication. They just work differently. Mims is saying that two-factor is great, but we should get rid of the password part, which means just one-factor, whether that's an app or SMS. I think that's silly.

I agree that receiving an SMS is better, but I can't imagine that it's a good thing if the only thing that someone needs to log into your account is your phone.
0 like dislike
frankspin

I was speaking more to relying entirely on two-factor isn't smart because that device can be easily lost or compromised. I've thought about getting a Yubikey or something similar, but again, it can be lost.
0 like dislike
wonderfulspoon

This is why google offers backup codes, you can find them in your settings for your 2 factor authentication. There are 10 backup codes you can use, print them off, keep them in your wallet, or a safe place if you are paranoid. If you loose your phone then you can sign in using one of the codes as verification. Once you use a code it can't be reused. You still need your password to sign in with, but instead of entering the 2 factor code you enter a backup code.
0 like dislike
baileylo

I'd say passwords should be going into retirement, but not extinct. Most sites implement their own log in flow, which I think is overkill. Sites should just rely on existing authentication methods, be that Twitter, Facebook, Google+, or PeronsaBrowserID.
1 like dislike
frankspin

I use two-factor where ever possible, on top of using an Alfred workflow to auto generate a 15-character with capitals, symbols and numbers. I just think it's naive to rely entirely on two-factor authentication, especially given the possibly of your device being lost at some point.
1 like dislike
baileylo

I wonder if Christopher Mims is related to this guy:

0 like dislike
groovechicken

I am praying that everyone latches on the system Steve Gibson has devised... SQRL.
0 like dislike
share:

6 users following this discussion:

  • groovechicken
  • ADMIN120
  • dave
  • baileylo
  • frankspin
  • wonderfulspoon

This discussion has been viewed 4623 times.
Last activity .