
Every day in every way, passwords are getting worse and worse

Passwords turn 65 this year. They became a feature of computer users’ lives in 1961, with MIT’s Compatible Time-Sharing System (CTSS). Before then, sysops were real sysops. All jobs went through them, one at a time, and access by others was forbidden by laws written on blocks of stone.

There are many, mostly sysops, who consider the introduction of direct user access as an abomination that has brought plague and chaos. They may well be right. Nevertheless, we are now stuck with this godless world. Passwords have hit retirement age, yet show no signs of going away, voluntarily or forcibly. They are, unhappily, getting worse at their job.

In the past couple of weeks alone, three new wrinkles in password security have appeared. Too-clever-by-half compilers can optimize away protection against time-based password attacks, password managers that are supposed to be architecturally invulnerable to compromise are less than perfect after all, and if you ask your AI to generate a strong password, you may get something that looks right but isn’t. You might not ask an LLM for a password, but if your password manager offers one, how’s that generated?

That’s not the only issue with password managers. Most people use those provided by Apple and Google. Both companies are American and must withdraw your access to their services if you annoy the wrong person. Digital sovereignty means never having all your passwords vanish, and you don’t have it.

To be fair to our superannuated security strings, none of this is inherent to passwords. A properly specified and implemented password system, used by properly educated and motivated people, is as secure as anyone could want. You see the problem.

It is, of course, getting worse. The whole idea of agentic AI is pinned to the donkey by the assumption that your agents need your access rights to act on your behalf. There being no industry-wide best practices, no inherent management principles, or indeed inherent anything, this means giving AI agents your passwords – something that in a sane and godly world you would not do. Instead we’ve just seen agentic AI vibe-coded polycules like OpenClaw wink into existence to facilitate a global orgy of info-swapping among the robots, without a single silicon condom in sight. We only had time to say the first syllable of “What could possibly go wrong?” before it did.

The answer to keeping agentic AI secure is not to use it – let alone declare your OS as agentic from top to bottom, Microsoft. If you want to use it, then you’d better understand and properly implement privilege isolation, security segmentation, and all the other good things that you need when sharing your digital environment with a universe of mischievous djinn. Rewatch the Sorcerer’s Apprentice scene from Fantasia for a refresher.

For everything else, the good news is that since the early 1960s, there has been considerable progress in making passwords much safer, even in the hands of humans, or not needed at all. Most of us use these techniques multiple times a day with local fingerprint or facial recognition on our devices. The weakest of passwords, the PIN, is plenty good enough when backed by three-strike or rate-limited locks.
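Two of the points above in one added C example (not code from the article): a constant-time password or PIN comparison that carries an explicit optimisation barrier, so the compiler cannot quietly turn it back into the early-exit loop that leaks timing, and a three-strike lock with doubling backoff of the kind that makes a short PIN acceptable. It assumes GCC or Clang for the empty asm barrier; the names, the unix-seconds clock and the sample PIN are constructed, and a real system would store a hash rather than the PIN itself.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constant-time byte compare: every byte is visited and the differences are
 * OR-ed into d, so run time does not depend on where the first mismatch is.
 * The empty asm is a GCC/Clang optimisation barrier; without it the compiler
 * may rewrite the loop into an early-exit form that leaks timing. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    uint32_t d = 0;
    for (size_t i = 0; i < n; i++) {
        d |= (uint32_t)(a[i] ^ b[i]);
        __asm__ __volatile__("" : "+r"(d));
    }
    return d == 0;  /* one final test leaks only what the result already says */
}
#define PIN_STRIKES   3   /* wrong guesses before the lock engages     */
#define PIN_LOCK_SECS 30  /* first lock length; doubles on each repeat */
enum pin_result { PIN_OK, PIN_WRONG, PIN_LOCKED };
struct pin_guard {
    unsigned char pin[8];   /* enrolled PIN (in clear only for the demo) */
    size_t pin_len;
    unsigned strikes;       /* consecutive wrong guesses                 */
    unsigned lockouts;      /* locks engaged so far; drives the backoff  */
    uint64_t locked_until;  /* unix seconds; 0 when not locked           */
};
static void pin_enroll(struct pin_guard *g, const char *pin)
{
    memset(g, 0, sizeof *g);
    g->pin_len = strlen(pin) < sizeof g->pin ? strlen(pin) : sizeof g->pin;
    memcpy(g->pin, pin, g->pin_len);
}
/* One guess at time `now`. While locked, guesses are refused before any
 * comparison, so they neither count as strikes nor touch the PIN. */
static enum pin_result pin_try(struct pin_guard *g, uint64_t now, const char *guess)
{
    if (now < g->locked_until) return PIN_LOCKED;
    if (strlen(guess) == g->pin_len &&
        ct_equal(g->pin, (const unsigned char *)guess, g->pin_len)) {
        g->strikes = g->lockouts = 0; g->locked_until = 0;
        return PIN_OK;
    }
    if (++g->strikes < PIN_STRIKES) return PIN_WRONG;
    g->strikes = 0;                                /* third strike: lock */
    g->locked_until = now + ((uint64_t)PIN_LOCK_SECS << g->lockouts);
    if (g->lockouts < 10) g->lockouts++;           /* cap backoff near 8.5 h */
    return PIN_LOCKED;
}
```

With a four-digit PIN and this lock, an attacker gets three guesses before each lock and the lock doubles every time, so guessing the whole space online takes far longer than simply asking the owner.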

So far, implementation and availability have been good enough that most users can use them reliably, mostly because it’s quite hard to mess them up. Extending them into online services, however, is a different matter, as is managing service security on multiple devices. Two-factor authentication and passkeys are fine in principle, but far less so in practice.

Take two-factor auth. There are lots of options such as SMS or authenticator apps, device biometrics, or physical security keys, but all have different problems connected with social engineering, device or account loss, or spotty compatibility. Even availability isn’t guaranteed where you might expect it. Your sparkling new Mac mini might sport a processor of unrivaled brilliance, but Apple forgot the fingerprint sensor. This is a complicated landscape to navigate for a naive user.

Passkeys, as currently implemented, are worse. Not because the underlying technology is flawed, but because they are hard to explain, easy to misunderstand, and typically offer options that can confuse not just the naive. They are a challenge-and-authenticate channel between a service and a device that relies on previously agreed cryptographically signed tokens. They can’t be stolen or duplicated, and are strictly a per-device system. That’s something that can be explained to anyone, although probably with different words, and the advantages made clear. Use passkeys, and you won’t need passwords and you’ll be safer.

What, then, does it mean when a system offers to store the passkey in the cloud-based password manager? What should you do if, as per usual, the system offers you a choice of passkey and some don’t work? What if a service doesn’t use passkeys at all?

When it all works, it can’t be beaten. Go to an online service, the system fills in your username, dab the fingerprint sensor, and you’re in. Getting to that stage when so many of the processes, vocabulary, and options aren’t standardized isn’t standard, and quelling the fear that if something goes wrong you’ll be locked out is hard, even for those who’ve been authenticating since CTSS.

Like so many security woes, this is a solution that needs to be fixed itself. What’s needed is a common message across the industry, a standardized user experience, and a commitment to customer education. But the industry – platform makers, service providers, app builders alike – is so high on the smell of its own flatus that it’s completely in thrall to Apple Lightning Syndrome. There is no sin greater than voluntarily agreeing to a common standard just because it makes everything better.

Well, tough. Passwords are broken, the better technology is being pointlessly obfuscated, and instead of taking the time to sit in a room for a month and fix it, everyone is obsessed with experimental AI that is to security what anti-vax is to healthy children. Passwords aren’t the only idea needing to be pensioned off. ®