Forgot Your Password?

This past Friday, March 15th was National Password Day…in Canada (there is a ‘National Day’ for everything). It’s a day when organizations such as the Better Business Bureau and Federal Trade Commission share tips and urge citizens to regularly update their passwords. With all the advances in technology we have seen over the past few decades, the risks of hackers and cyber threats have also increased. Companies are beefing up their efforts to keep customer information safe with certain password requirements, but in the end they need the customers’ help in order to be successful. So why are there such vast differences in username and password requirements across different sites and applications?

We all have passwords for Facebook, Twitter, Instagram, LinkedIn, WordPress, Netflix, Hulu, Spotify, Amazon, email, work log-in, Apple ID, online banking, Uber, ESPN, Wi-Fi, federal loans, and the BC portal log-in. The list goes on and on. And then there are those who have a password manager, and that requires a unique password…what happens when you forget that password? Some sites require a combination of capitalization, numbers, and special characters while others require a simple length of eight or more letters. One site’s login uses an email address, the next one uses your phone number or personalized username. Then there are those sites which have an extra layer of security and call for users to answer questions prior to accessing their account. Some sites will time out after a certain period of inactivity, prompting the user to either extend their session or log out before it is done for them. One site’s inactivity limit is fifteen minutes while others can be weeks long. I understand these are all steps in order to protect users and their information; however, there is no universal code for username and password requirements. Every app and service has its own version. Some classmates will recall the day when we only stored passwords in a computer but now there are smartphones, smart watches, tablets, and even smart TVs.

The number of usernames and passwords one must keep track of is absurd. It’s why some revert to handwriting all their passwords on a single paper or keeping them in a Word document. I can honestly say I reset a username or password at least once a month. Clear your browser history or buy a new phone or laptop and be ready to recall the dozens of passwords you may have. The only sites which made it mandatory to change my password over the last year were Boston College and at work. My company requires all employees to change passwords every ninety days and I can say with confidence that at least half, myself included, simply add the next number in line to the end of their current password. It’s just another password to remember and picking the next number makes it simple.

So why are we still typing passwords in? In some cases, we aren’t. Touch ID technology has been a huge help in easing the everlasting ‘forgot password’ dilemma. Over the past few years we have seen facial recognition expand as an alternative to typing in those pesky passwords, but it has been slow in its growth.

There’s hope for a day when we will not have to worry about passwords as much. A few weeks back, the World Wide Web Consortium approved WebAuthn, a specification aimed at a password-free future and phishing-resistant authentication at scale. Essentially, it is an API that allows sites to communicate with a security device, allowing the user to automatically log in to a particular service. Users will have the option to log into web services via computers or smartphones more easily using biometrics and/or FIDO security keys. A FIDO security key is a small device which can be plugged into a USB port on a computer. WebAuthn is already supported by most web browsers, which is a big step towards seeing a wider adoption across individual websites and applications. One huge advantage of WebAuthn is that passwords never leave the user’s device and are never stored on a server, which eliminates the risk of phishing and password theft.
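To make the phishing-resistance claim concrete, here is a simplified simulation of a WebAuthn login, added as an illustration and not taken from the W3C specification text or any site's code. The site name, the helper names, and the shortcut of treating the RP ID as the origin's host name are assumptions; the signed data layout (authenticatorData followed by the SHA-256 of clientDataJSON) follows the WebAuthn assertion format.

```javascript
const crypto = require('crypto');
// Constructed relying-party values for this example.
const RP_ID = 'bank.example', RP_ORIGIN = 'https://bank.example';
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
const b64url = (buf) => buf.toString('base64url');

// Authenticator (simplified): one private key per site, never exported.
const keyStore = new Map();
function register(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  keyStore.set(rpId, privateKey);
  return publicKey; // the only credential material the server stores
}

// Browser + authenticator: the browser, not the page, fills in the origin.
function getAssertion(origin, challenge) {
  const rpId = new URL(origin).hostname; // assumption: RP ID = host name
  const privateKey = keyStore.get(rpId);
  if (!privateKey) return null; // no credential scoped to this site
  const clientDataJSON = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: b64url(challenge), origin }));
  // authenticatorData = rpIdHash (32 bytes) || flags (UP|UV) || signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Relying party: check type, origin, challenge and rpIdHash, then the signature.
function verifyAssertion(a, expectedChallenge, publicKey) {
  const client = JSON.parse(a.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'bad type';
  if (client.origin !== RP_ORIGIN) return 'origin mismatch';
  if (client.challenge !== b64url(expectedChallenge)) return 'challenge mismatch';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, a.signature) ? 'ok' : 'bad signature';
}

function demo() {
  const publicKey = register(RP_ID);
  const challenge = crypto.randomBytes(32), fresh = crypto.randomBytes(32);
  const good = getAssertion(RP_ORIGIN, challenge);
  const edited = { ...good, clientDataJSON: Buffer.from(
    good.clientDataJSON.toString().replace(b64url(challenge), b64url(fresh))) };
  return {
    legit: verifyAssertion(good, challenge, publicKey),  // same challenge, right origin
    replay: verifyAssertion(good, fresh, publicKey),     // old response, new challenge
    edited: verifyAssertion(edited, fresh, publicKey),   // client data changed after signing
    lookalike: getAssertion('https://bank-example.test', challenge), // constructed look-alike site
  };
}
```

A captured response cannot be replayed against a new challenge or edited after signing, and a look-alike domain gets nothing to forward because no key is scoped to it.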


“Now is the time for web services and businesses to adopt WebAuthn to move beyond vulnerable passwords and help web users improve the security of their online experiences,” said Jeff Jaffe, W3C CEO. “W3C’s Recommendation establishes web-wide interoperability guidance, setting consistent expectations for web users and the sites they visit. W3C is working to implement this best practice on its own site.”

via W3 press release

Like all technologies, the initial rate of adoption is slow, but the fact that Dropbox, Microsoft, and most web browsers are on board gives WebAuthn the support it will need to continue its expansion. Millions of users today have the ability to log into their Microsoft account without using a password. What is important to note is that some people take longer to partake in new technologies…in some ways there has to be an incentive. Once WebAuthn becomes more widely known as a revolution of simpler and stronger user authentication, there won’t be a need for any sort of incentive. How long will it take for biometric authentication to become the “norm”? What makes you most hesitant to commit to this new technology?

12 comments

  1. Really interesting take on something that we all encounter daily. I could not tell you how much password autosave has saved my life. With so many different accounts that we create, especially with the increase of online shopping and creating accounts for new sites, clearly remembering passwords is a huge issue. I have the impression that facial recognition and fingerprints will pave the way for the future of passwords. If our phones can scan our faces, why not our laptop cameras? I am not sure how practical the FIDO security key is because if you lose the USB, that can cause a huge issue. I do think that WebAuthn has a lot of promise so it will be very interesting to see how it evolves as it receives more backing. Passwords are so sensitive and important to us so I really like that you chose to highlight this topic!

  2. I love that you brought this topic up. I find it extremely annoying to continue this password community with banks, social media accounts, email, and more. I have had to constantly change my passwords because I have so many accounts and cannot keep track of all of them. Apple has made innovations in this category with facial recognition, and while that is nice, I still feel like there are still more advances to be made. Even the WWW has excelled in this category where it recognizes and stores passwords from specific accounts. The larger issues regard safety. Is this password adoption safe and how can it work to our disadvantage?

  3. dilillomelissa

    Just yes! I cannot imagine a world without passwords. I know it’s terrible to use the same password more than once, but can anyone honestly say they haven’t ever done that? All the combinations are getting out of hand. A while back I posted on Twitter about biometric identification actually being hacked because of something as simple as taking a screen shot of a Facebook photo and zooming in on someone’s eye. While I think overall biometric identification is a safer method, it looks like there are still some kinks in it as well. I have to say, not having passwords stored on a server will make a big difference. Once again, I’m sure we’re all guilty of storing some passwords in places that are not ideal. It takes a hacking attempt against us personally to take these things extra seriously.

  4. I recently had to restore my iPhone and re-download literally everything I use on a daily basis. Since I had to restore it, the Apple finger ID was useless and I reset just about every single app/saved website I have on my phone and besides being really annoying, it took forever. So I definitely see the value in a service like this. However, my concern is if this technology is hacked/stolen or whatever criminals figure out to do to WebAuthn, they will have access to literally every single part of you (banks, email, work/school, social media) and that is a huge risk. I’d love to hear more from WebAuthn about how they can be sure a breach like this won’t happen.

  5. I most certainly fall into that category of employees who only slightly change their password every 90 days due to company requirements. I think this is an important topic that is going to gain more attention as we expand how many things are going digital; today we have banks that are strictly online and technologies like these may be a good use for this. I think this is a step in the right direction, but I believe there is a steep change management journey before we get to a password-free world.

  6. On my laptop, all my passwords are saved on Google Chrome, and on my iPhone, all my logins that aren’t Touch ID enabled are listed in a note. Probably not the safest place for them, but it’s very convenient! I would be hesitant to have everything controlled by biometrics simply because that is a whole other set of personal information that would be available to hackers. While the ease and convenience would be a major plus, I don’t know if it’s worth putting a decent portion of your identity at risk while it is in the early adoption phase.

  7. Very interesting — seems like passwords could use some emerging-tech-enabled disruption. I wonder how long it will be until all devices, then IoT devices, have Touch/Face ID rather than passwords. I also wonder how two-factor authentication plays into this. There is nothing more annoying than having to prove to a robot that you are not a robot by clicking all the pictures with traffic signs, then storefronts, then traffic lights. I know it’s for added security, but it’s hard to see the point of this after I’ve already made a password more complicated than I wanted, confirmed my email address, typed in the code that was sent to my phone, etc., etc. Also, with all the major recent leaks, it seems like hackers can get into most websites regardless of the level of security, and that websites are just trying to constantly outrun them. There has to be a better way!

  8. Nice post! I confess that I went to Dashlane a few years back, with mixed results. It’s really great when it works (and I’m sure my passwords are far more secure), I just wish it worked more reliably than it did.

  9. Great post! We deal with passwords on a daily basis but their importance and function are oftentimes overlooked. I’ll be honest, I’m guilty of not changing my passwords as frequently as I should be. It’s overwhelming to keep track of the countless passwords I have to create for every single application or website I use. I wasn’t previously aware of the existence of WebAuthn, and its mission for a password-free future seems ideal but also a bit alarming. Touch ID and face recognition have made massive advancements, but there is still a lot of progress and innovation to be made in this security realm. I look forward to seeing how things unfold!

  10. Very relevant post! I can still see the long printout sheet my Mom uses to keep track of all her passwords… And as you mentioned, requirements to change them have seen this sheet crossed out and scribbled over countless times. I myself have always been skeptical of saving my passwords on Chrome or other platforms – this is probably without good reason, I’ve just never taken the time to look into how secure this is. WebAuthn seems like an excellent way to combat all of these shortcomings and stop me from simply resetting my passwords when I forget them. TouchID and facial recognition have been my favourite additions to my Apple products. I’m glad Canada was able to inspire you to write this post… great topic!

  11. Very interesting topic, and pretty crazy to think of all the innovations that are happening around us, and passwords, which have been largely the same for a very long time, are just now starting to change. This made me think of the meme that says wrong every time you try your password, and then when you reset it it says “new password can’t be the same as old password”. I rely so heavily on my passwords autosaving on all of my accounts, and I am for sure guilty of using variations of the same password for almost every account I have. This is definitely an area ready for some disruption, and I’m glad technologies addressing this are beginning to gain some traction.

  12. I, too, am guilty of simply adding the next number on the keyboard to my “baseline” password at work when we are prompted to make an update every couple of months, and if it weren’t for Google Chrome and my iPhone storing the passwords I use most frequently, I would spend way too much time trying to remember and/or reset them. However annoying it is when I run into an issue, though, I can’t imagine not having to use a password to log into a website. I tend to be a slow adopter to new technology, so while the idea of WebAuthn sounds really useful, it would probably take me a while to trust an application like that. With that said, it sounds like they are getting some good traction, and it might be the next big thing for passwords.
