IEEE comment on World Password Day

This year’s World Password Day is set against the recent announcement from GCHQ’s National Cyber Security Centre (NCSC) that passwords should be cast aside in favour of passkeys to reduce security risks. We talk to Steven Furnell, senior IEEE member and professor of cybersecurity at the University of Nottingham, for his thoughts.

“The NCSC’s recommendation to use passkeys ‘wherever a service supports them’ is good from both security and usability perspectives.  Passkeys have been specifically designed to overcome our primary problems with passwords.  However, the ‘wherever supported’ aspect is a potential challenge because many users won’t be able to follow the guidance uniformly or consistently across the services they use.  Many sites and services still don’t offer passkey support, so users will find themselves with a mixed login experience.”

“It’s still the correct advice, but no matter how good passkeys are, we need to recognize that this is going to be a long game rather than flipping a switch.”

“Where passwords are still in use, it’s far too easy to find sites that fail to support the user in two significant and fundamental ways, by asking them to create new passwords while providing little or no tangible guidance on how to do so securely, and/or allowing them to get away with making choices that would generally be regarded as weak.”
 
“While some might argue that it’s the user’s responsibility to protect themselves properly, they need to know how to do it.  Where are they supposed to get this knowledge if the sites don’t offer it?  Why would the user even suspect there’s a problem if the site lets them choose a poor password without complaint?”
 
“This World Password Day, the main message ought not to be to the users, who often have no choice but to use passwords anyway, but to the sites and providers that are requiring them to do so.” 
