Why Big Tech Wants You To Ditch Your Password


Passwords are like the cockroaches of the internet. They really, despite all of our best efforts, are very hard to kill off. And companies have been trying to do it for years. The average office worker in the United States must keep track of between 20 to 40 different username and password combinations. With so many passwords to remember, it’s no wonder why many of us use the same ones over and over, or have a running list of passwords saved somewhere on our computers, phones or notebooks. Passwords are a very serious and expensive security risk. It’s why companies like Microsoft, Apple and Google are trying to reduce our dependence on them. But the question is, can these companies break our bad habits? Passwords, by themselves, are just not that secure. In a 2015 interview with John Oliver, Edward Snowden explained just how easy it is to crack a typical password.

Bad passwords are one of the easiest ways to compromise a system. For somebody who has a very common eight-character password, it can literally take less than a second for a computer to go through the possibilities and pull that password out.

I think we’re going to have a no-passwords future because it just gets rid of a lot of problems. You never know when the bad guy has your password, at the end of the day.

That’s Kevin Mitnick. He’s pretty well known in the hacker community.

I started off many, many years ago as a black hat hacker. I wasn’t hacking to cause harm or to make money. It was all about the intellectual challenge, curiosity and seduction of adventure. And then I pushed the envelope, and I pushed it so far, I became the world’s most wanted hacker. And I was pursued by federal law enforcement agencies. And they eventually caught up with me and I ended up serving five years in federal prison.

Nowadays, Mitnick says he’s an ethical hacker, assisting companies to identify their security vulnerabilities and helping to fix them. And finding your usernames and passwords, it’s much easier than you might think.

There’s a site out there called weleakinfo.com. So what weleakinfo is, it’s a site that has aggregated a bunch of data breaches. And so what happens is the data, namely your username and passwords that are on these data breaches, get aggregated because they’re publicly available. And there’s sites like weleakinfo, that kind of make it like a Google, where you can actually just put in an email address of yourself or a friend, and all the prior data breaches that contained your username or your email address, it actually reveals the password.

All it takes to find the site is a quick Google search, and users can get access to more than 10,000 data breaches for as low as $2. And it’s not even the only website to offer these services.

Simply put, passwords are not fit for purpose for today’s networked economy. They present challenges to consumers in the sense that they’re either hard to remember or they’re too easy to remember, in which case they are easier to mimic and steal. For businesses, they represent a huge liability, in the sense that the vast majority of data breaches are caused by passwords, either passwords that slip from an employee and expose a database or allow other bad actors to get into their systems. So passwords present challenges across the board.

A report that looked at 2,013 confirmed data breaches found that 29 percent of those breaches involved the use of stolen credentials. In another study, researchers found that the average cost of a data breach in the U.S. was more than $8 million. And even when passwords are not stolen, companies can lose a lot of money resetting them.

Our research has shown that the average fully-loaded cost of a help desk call to reset a password is anywhere between $40 and $50 per call. Generally speaking, a typical employee contacts a help desk somewhere between six and ten times a year on password-related issues. So if you just do the simple multiplication of six to ten times $50 per call, times the number of employees in your organization, you’re talking significantly hundreds of thousands of dollars or even potentially millions of dollars a year. And that’s just really the IT operations costs, that’s not really factoring necessarily the productivity cost that gets lost by the user having to wait for maybe 20 minutes, 30 minutes or even longer to actually have the password issue resolved to their satisfaction.

In large companies like Microsoft, Apple and Google with upwards of 100,000 employees each, these costs can quickly add up. A former Microsoft executive told CNN in 2018 that the company spends more than $2 million each month in help desk calls, helping people to change their passwords. With the details of our personal and professional lives increasingly residing in the digital realm, those costs are likely to grow.

The first use of the computer password dates back to the early 1960s at MIT. At the time, computers were these huge contraptions that could only manage the work of one person at a time. This limitation frustrated Fernando Corbató, who came up with the computer time sharing system. CTSS was an operating system which distributed a computer’s processing power so that multiple people could use it at once. This naturally led to the issue of privacy. So Corbató created the password. Ironically, the first computer to use passwords was also the first one to be hacked. One of the researchers in Corbató’s lab found that he needed more time to complete his work than the weekly hours allotted to him. So he printed out all the passwords stored on the system, and used them to log in as his colleagues.

The conventional rules of password creation adopted by companies, federal agencies and universities were attributed to a document released by the National Institute of Standards and Technology in 2004. The document suggested that users should have a minimum of eight-character passwords and that those passwords should include at least one uppercase letter, one lowercase letter, one number and one special character, and be changed regularly. But in 2017, NIST rewrote the password rules. This time, the agency suggested using long, easy-to-remember phrases instead of crazy characters, and only changing your password if it might have been hacked.

Passwords have come a long way since the 1960s. With innovations such as fingerprint readers and face scanning on smartphones, verifying your identity now often goes beyond just entering a password. This comes in the form of two-factor and two-step authentication.

There are three forms of authentication. One is what you know, such as a password or a PIN. The second thing is what you have. So possession of a device in your hands. And a third means of authentication is who you are, like a biometric. The password alone is the highest-risk way of authenticating. And that leads to phishing and data breaches and all the nefarious things we see on the web today. Any form of two-factor authentication is better than passwords alone. What I want to note, though, is that not all two-factor authentication is created equal. Things like getting SMS messages, so a text message with a PIN code, is both inconvenient but also can be spoofed and is not a foolproof means of second-factor authentication.

NIST even restricted the use of one-time passwords being sent over SMS as a means of two-factor authentication. For something to be two-factor versus two-step, the authentication elements must come from two separate categories. An example of two-factor authentication is withdrawing money from an ATM. First, you insert your bank card, something that you possess. And then you’re asked for a PIN, something that you know. Biometrics are the newest form of authentication and have risen in popularity thanks to smartphones that include fingerprint readers and face-scanning cameras. Meanwhile, digital assistants like Siri, Alexa and Google Assistant have advanced voice recognition technologies. In fact, a number of banks, including Chase and Barclays, now allow their customers to verify their identity using voice biometrics. When customers call in, their voice is automatically matched to a previously recorded voiceprint that’s made up of more than 100 characteristics such as pitch, accent and shape of your mouth. One organization that’s been at the forefront of bringing two-factor authentication standards to the masses is the FIDO Alliance. The FIDO Alliance, which stands for Fast Identity Online, is a consortium of more than 250 companies who are working together to reduce the industry’s reliance on passwords by standardizing two-factor authentication.

This past year, we’ve seen FIDO become a core part of the Android and Windows operating systems, meaning that any Android 7 or later handset or any Windows 10 machine can leverage actual onboard biometrics for that device. So a fingerprint reader, a face scanner, whatever it might be, to log in rather than using passwords.

Other companies that work with the FIDO Alliance include eBay, Facebook, Twitter, PayPal and Bank of America. Even the U.S. government has adopted the standard. FIDO’s big advantage over other standards comes down to where it stores users’ personal information.

The core problem with passwords is that they reside on a server. The problem with that is that when it sits on a server, they can be stolen by a hacker. Additionally, someone can impersonate you quite easily, either by phishing your credentials or by buying your credentials off the Dark Web and then trying to stuff them into the account. Everything FIDO does is local on the device, which does a couple of things. One, it’s easier. But perhaps most important, it protects your privacy. So you can always change your password if it’s hacked. But you really can’t take your face back. You can’t take your fingerprint back. So it’s very important that companies that are using biometrics use local-match biometrics, meaning match-on-device, which is what FIDO supports to protect user privacy and have enhanced user experience.

Microsoft has been hinting about getting rid of the password for years.

Let me move over to my Surface Pro 4. I don’t know if you noticed what happened. It recognized that I was just standing in front of the computer and it logged me in. And this is the power of Windows Hello. Where it does the face recognition and logs you right in. I mean, think about one of the biggest issues of security is passwords. So one of the things that we are working on is a world where passwords are not going to be the ones that, you know, get hacked. But you really have other biometrics that really help us secure our computing interfaces.

Microsoft sees 6.5 trillion hacking incidents per year. That’s why 90 percent of its employees can now log into the corporate network without a password.

We are on a mission to be passwordless. We’ve built passwordless technology into the OS. And we tell customers, of course, that it’s much more secure than actual passwords because about 70 percent of phishing attacks today still are caused by stolen passwords. So what we’ve recommended is that customers use biometrics. At Microsoft, we use Windows Hello for Business. I look at my computer to log on in the morning. That’s how I authenticate. If I’m on my phone, I’m using my thumbprint. We don’t see our passwords anymore because that is, the user and the password are the weakest link in your security system.

Microsoft introduced Windows Hello to customers in 2015 with its devices running Windows 10. Windows Hello allowed users to ditch the password and log into their devices with just their face, fingerprint or PIN. Like FIDO, Microsoft has said it stores user biometrics on the device instead of on a cloud. In 2018, Microsoft announced that it would support logging into Windows 10 with FIDO2-compatible devices, such as hardware keys made by Yubico.

We’ve been on a mission to eliminate passwords altogether. And, you know, we’re focusing on a passwordless login experience that’s both secure and user friendly. And we’ve seen a lot of success with our authenticator app for consumers. And so we’ll bring that to Azure AD.

Microsoft Authenticator is an app that allows users to take advantage of two-factor authentication on any device, not just those running Windows 10. Alex Simons, Vice President of Microsoft’s identity division, said in a tweet that the company has more than 80 million unique monthly users that sign in with a passwordless method. Apple’s been encouraging the use of biometric authentication since it came out with Touch ID on the iPhone 5S back in 2013. The company called Touch ID the gold standard for consumer device biometric protection until it introduced Face ID on the iPhone X in 2017.

And the data for Touch ID has been 1 in 50,000, meaning that the chance that a random person could use their fingerprint to unlock your iPhone has been about 1 in 50,000 and it’s been great. So what are the similar statistics for Face ID? 1 in 1,000,000.

Back in 2016, Apple also introduced Auto Unlock, a feature for MacOS.

Today, when you first approach your Mac to use it, the experience is something like this. You open it up, you’re confronted with a password field, and you type and then maybe mistype, and then retype your password, and then you’re in and using your Mac. But you know, for many of us, we already have a device securely authenticated to our wrists that already knows who we are and could tell our Mac. And so then, when we open our Mac, it could be a little bit more like this.

In its guidelines to app developers, Apple stresses that apps should support biometric authentication whenever possible and that apps should only ask for a username and password as a fallback, if the first method fails. Google has also been working to make passwords a thing of the past. The company has required its employees to use physical security keys since early 2017, and has seen a huge reduction in phishing. In August of 2018, the company released Titan to consumers. Titan is a physical key that allows users to take advantage of two-factor authentication on their computers or smartphones. In 2019, Google announced that phones running Android 7 would all come with a built-in security key using Bluetooth. A few months later, Google extended that function to iOS devices, meaning that iPhone and iPad users could now use their secondary Android smartphones as a security key whenever logging into their Google accounts on an iOS device. While Microsoft’s Windows 10 devices and Google’s new Android devices are FIDO2 certified, Apple has been slower to adopt the standard in its products. Even though Touch ID and Face ID made biometric authentication the norm for unlocking our phones, Apple’s devices are still not FIDO certified. But Apple is making strides.

Of late, Apple’s been supporting FIDO technology both on iOS and on MacOS. So the latest versions of their operating system support FIDO, meaning that if you’re accessing a website that supports FIDO on an Apple device, you’ll be able to leverage FIDO authentication as well.

The Department of Justice has also been moving away from password authentication. The agency adopted a single sign-on method back in 2017.

One of the reasons why passwords persist is that they are universal, they can be used by anyone. There are no limitations. There are no special hardware requirements. You don’t have to have a certain kind of phone or certain kind of laptop. Anyone can use passwords.

There are a few key challenges to really moving beyond being dependent on passwords. One of them is technical, and that’s what FIDO has been seeking to address. And we’ve now created the technical standards that are web standards for authentication that does not depend on passwords. Another challenge is behavioral. And we’ve been trained with this risky way of authenticating using passwords. We’ll have to be untrained to use simpler, but new mechanisms for logging in. So I think there’ll be some behavioral changes that need to take place, some education. You know, the good news is these changes are for the better and for the simpler. And so, we think that people will embrace these changes at the same time as new technologies roll to market to enable us collectively, on the whole, to move beyond passwords.

Experts say that getting rid of the password will be a long journey, especially when it comes to getting people to ditch their bad habits.

The consumer approaches will be very much opt-in. In other words, if users actually want strong authentication, companies will be able to provide it to them, but just because it’s available, doesn’t mean that every customer is going to go for it. You may now need to start collecting information about the user like a mobile phone number that you need to use to communicate with them. And perhaps users don’t want to provide that information or they’re reluctant to. On the consumer side, I believe passwords will be slower to get rid of. Which also means that the risk of breaches of consumer sites will persist for the foreseeable future.
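The FIDO passage above contrasts a password that sits on a server with a key that never leaves the device. The following is an added example, not code from the video, CNBC or the FIDO Alliance, that models both paths with only the Python standard library: a Lamport one-time signature stands in for a real authenticator's ECDSA/Ed25519 key, the server stores only the public half, and it checks the signed challenge against its own origin. The origin, user name, password and wordlist are constructed.

```python
import hashlib
import hmac
import secrets

ORIGIN = "https://bank.example"   # constructed relying-party origin

def _h(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()

# Lamport one-time signature (hashlib only) stands in for a real authenticator's
# ECDSA/Ed25519 key: private key = 256 pairs of random values, public key =
# their hashes, signature = one revealed preimage per bit of the message digest.
def lamport_keygen():
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return priv, [(_h(a), _h(b)) for a, b in priv]

def _bits(msg: bytes):
    d = int.from_bytes(_h(msg), "big")
    return [(d >> (255 - i)) & 1 for i in range(256)]

def lamport_sign(priv, msg: bytes):
    return [priv[i][bit] for i, bit in enumerate(_bits(msg))]

def lamport_verify(pub, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        hmac.compare_digest(_h(sig[i]), pub[i][bit]) for i, bit in enumerate(_bits(msg)))

# Password path: the server stores only a salted hash, yet a stolen table can be
# guessed offline and the hit replayed anywhere (the breach-aggregation problem).
def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def password_register(db: dict, user: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    db[user] = (salt, _kdf(password, salt))

def password_login(db: dict, user: str, password: str) -> bool:
    salt, stored = db[user]
    return hmac.compare_digest(stored, _kdf(password, salt))

def guess_from_dump(db: dict, wordlist) -> dict:
    return {u: g for u, (salt, h) in db.items() for g in wordlist if _kdf(g, salt) == h}

# FIDO-style path: the server keeps only the public key and accepts a signature
# over its own fresh challenge plus the origin the browser reported.
class FidoServer:
    def __init__(self, origin: str):
        self.origin, self.db = origin, {}      # user -> public key only
    def register(self, user: str, pub) -> None:
        self.db[user] = pub
    def challenge(self) -> bytes:
        return secrets.token_bytes(32)         # fresh per login, so no replay
    def login(self, user: str, challenge: bytes, origin_seen: str, sig) -> bool:
        if origin_seen != self.origin:         # assertion was made for another site
            return False
        return lamport_verify(self.db[user], challenge + origin_seen.encode(), sig)

class Authenticator:
    """Keeps the private key on-device; signs whatever origin the client reports."""
    def __init__(self):
        self.priv, self.pub = lamport_keygen()
    def assertion(self, challenge: bytes, origin: str):
        return lamport_sign(self.priv, challenge + origin.encode())

def password_scenario():
    db = {}
    password_register(db, "alice", "Summer2019!")        # constructed weak password
    found = guess_from_dump(db, ["password", "Summer2019!", "letmein"])
    return found, password_login(db, "alice", found.get("alice", ""))

def fido_login(shown_origin: str, claimed_origin: str, replay: bool = False) -> bool:
    """Fresh registration, then one login. shown_origin is what the browser
    really displayed (and the authenticator signs); claimed_origin is what the
    relaying party tells the server. With replay=True the server has moved on
    to a new challenge and the old assertion is submitted again."""
    srv, auth = FidoServer(ORIGIN), Authenticator()
    srv.register("alice", auth.pub)
    c = srv.challenge()
    sig = auth.assertion(c, shown_origin)
    return srv.login("alice", srv.challenge() if replay else c, claimed_origin, sig)
```

In the model, a dump of the password table yields a credential that logs in again, while a relayed, relabelled or replayed FIDO assertion is rejected because the signature binds both the challenge and the origin the browser actually showed.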

100 comments

  1. FIDO DOES THE OPPOSITE. IT SPIES ON YOU FOR THE CORPORATIONS OF THE NEW WORLD ORDER.
    THE POINT IS PRIVACY IS A FANTASY IN THE CORRUPT NEW WORLD ORDER. AND IT ALSO TELLS
    THE COMPANY YOUR PERSONAL BUSINESS BECAUSE YOU ARE A
    SHEEP, THE BACKBONE OF THE
    NEW WORLD ORDER.
    Captain Jesus Incarnated Son of Jesus Christ God of gods
    END OF LINE

  2. ANOTHER POINT IS SPECTRE WOULD BE ABLE TO I.D. YOU SPECIFICALLY BY USING I.D.
    TECHNOLOGY. SO THEY KNOW FOR CONFIRMATION IT'S REALLY
    YOU USING A SMARTPHONE OR COMPUTER. SO MUCH FOR THE VERY
    LITTLE PRIVACY WE HAVE.
    IT'S PROJECT GOD'S EYE
    IN FULL SWING.
    Captain Jesus Incarnated Son of Jesus Christ God of gods
    END OF LINE

  3. After watching this video I agree no password is safe and I like what people and companies are doing to make digital security better.

  4. 9:00 Passwords usually don't sit on a server. What's on the server is only a hash. Even if the server is hacked, the hash still has to be solved to get the password.

  5. I prefer to use electronic ID on my smartphone (eID) instead of passwords or physical ID-cards (in my country it is called Bank-ID and used by around 90% of the population).

  6. They’re using “your online safety” as an excuse to steal your rights and information. I don’t trust any of these companies.

    I’ve always used passwords and have NEVER had a problem. I don’t want anyone having my Face ID or fingerprints. These satanic companies want all of your biometric information.

    Pretty soon you’re gonna have to submit a blood sample to unlock your phone.

    Two-factor authentication (where you enter a password and then a code is sent to your phone or you answer a security question) is almost foolproof. You don’t need any more of my information. Sorry.

    WAKE UP, FOLKS!

  7. What if my friend wants to use my profile, PC, laptop, …. and I'm not nearby? How is he/she going to enter if you get rid of the password?

  8. US courts have ruled that you cannot force a crime suspect to give up his password, but the government can legally make password manager companies give them the access to your password.

  9. It's stressful even for a moment to have to look at the screen or touch to unlock, and data companies and app companies already have everything about me, so I've kept my phone and laptop unlocked for years now.

  10. So that corporations can know where we are, what we do and what we want.

    Oh wait they already know all those things.

  11. Biometrics aren't that secure for personal devices though. I can unlock a person's phone when they're asleep by placing their thumb on their device.
    Iris unlock is too slow and inconvenient. Though it's great when combined with fingerprints and you're wearing gloves in the winter.
    Face ID means cops can unlock your phone without your permission by pointing your phone at your face😂.
    FIDO keys can be stolen physically. Bad idea.
    So passwords are still the best for mobile devices🤷‍♂️

  12. In other words, as long as you are in the room everyone can unlock your stuff. It's a dilemma: for me, you need others to enter with your permission and vice versa, not entering without. A password is a must; it sits in your brain and they have to torture you to give it up.

  13. Funny, my bank froze my account on the 3rd wrong password attempt. How can a computer guess my password in 3 tries in just a few seconds? Magic?

  14. Well, guess what. This video might have caused the FBI to seize the weleakinfo website. Waiting for its mirror to pop up.

  15. One thing this report failed to say…
    The same password is still required to reset, change or even remove biometric security.

  16. Wow, 1 in 1,000,000 for Face ID? I can unlock my brother's iPhone using Face ID and we aren't twins… and I don't think we look alike, so something is wrong… 😂

  17. I don't even have to watch this video and I know it's about bio locks; big tech wants to archive and sell every single bit of information about you, down to how many hair follicles you have on your head.

  18. GAFA: Passwords are a very serious security risk, give us your face and fingerprint
    Banks with 4-digit debit card passwords securing trillions of dollars: ??

  19. Essentially this is an ad piece for everyone to give away their biometric data to big corporations who are not accountable for anything.

  20. Lol, “no bad guy can have your password”. You mean the government is the bad guy. Soon, no man can buy or sell…it’s coming. Start worshipping King William of Britain as your god and you wonder why his inbred family is always in the news…

  21. Biometrics are what they want, a retina or fingerprint; once they have it they OWN YOU. If they get stolen, your security is gone till the day you die. And spy or police agencies can use it against you. You work for someone they dislike, they use your information to commit a crime you swear you never did, and they can prove you did.

  22. Again and again, we blame the object, not the person. PASSWORDS are not the problem, the PERSON using the password incorrectly, ineptly, or carelessly is the problem. It's possible to create a program that will not accept any password that's not adequate – but that's "too hard" for lazy people to use, so we make it easier. People don't remember their passwords, so they store them in available places. The only non-hackable system in the world is very, very simple: a hand-written notebook somewhere on your person: purse, pocket, ? But nobody knows how to write by hand anymore, so that's "too difficult", so people are allowed to store their passwords on…their computer, protected by…a password. Stupid, stupid, stupid.
    The real way to make passwords secure is to make them more byzantine: A) all or part of the password is dependent on something contained in the protected site itself.
    Further explanation & more ideas available upon payment of a consulting fee.
    CyberCraft, LLC.

  23. Smart unlock using face id has been functional on Android devices since 2013 on the Google Nexus 4. This was coming for a long time.

  24. No passwords will mean information is public; that means information has no value, and that makes a hacker useless.

  25. I really hate to remember 10 different passwords just for work purposes. Then you have to remember your personal ones. I really hope we can move past this password login soon. It is just getting ridiculous.

  26. The primary problem is not the password, it's the companies that can't contain the data. How will biometric data solve this? It won't. Instead of your password, your fingerprint will now be leaked… Great!

  27. Passwords are still necessary because sometimes more than one person needs access to an account, like a spouse or surviving relative. Forcing everyone to log in with their face and thumbprint will lock people out and may even cause a lot of awkward situations at funeral homes across the country. That said, my grandpa died last year and if my mom didn't already know all his passwords we would've had to fight the bank to get access to any of his funds, as they'd gladly lock it up behind a bureaucratic nightmare instead of releasing it to their only surviving relative.

  28. Apolgy for bad english:
    “Where were you when password dead”

    I was at home eating doritos when phone ring

    “Password is kil”

    Noooooo

  29. I was happily married, evolved to using a fingerprint reader instead of a password. My wife used my finger to unlock my phone while I was sleeping.
    Conclusion: Now I'm single 😂

    As for Google and such companies, they just want complete access to your life, your DNA your privacy, everything you know and own. They want it all.

  30. How the hell are companies like Microsoft, Google, Samsung, Intel, Visa, and more on board with “Fido”…
    But Amazon is not? Once again putting profit over security? I’m assuming that’s the only motivation? Why else wouldn’t they join the fight unless they’re trying to profit from this problem?

    I have no problem with them profiting from developing and maintaining a worthy solution. But many of the world’s biggest companies have joined together to help standardize this… So Amazon will only be adding chaos? I don’t know the answers…. it’s just odd

  31. Facial recognition security can be hacked with a photograph. That was demonstrated more than a year ago…I don't remember where I saw it done though, but it was in a video on YouTube.

    Now they want to tie corporate logins to a physical keychain that people can lose, or leave on their desk when they walk away for a few minutes, have Google authenticate logins on Apple devices, or some other means of security that is completely out of control of the user. I'm not sure how this makes sense.
