While security solutions such as biometrics and QR logins are frequently tipped to replace the traditional text-string password, the future of passwords is more passwords, according to Have I Been Pwned founder Troy Hunt.

Challenged on a US patent that promises to eliminate and prevent identity fraud during a session at Infosecurity Europe 2019, a leading event for those in the cybersecurity industry, Hunt pushed back against claims that passwords will soon become obsolete.

“In five years from now we will have more passwords than we do today,” Hunt predicted. “All the time I hear about people who have really good technical solutions, and then nothing changes.”

Convenience will prevail

While Hunt admitted that he “loves the ideas” coming out of the cybersecurity industry on password alternatives, he believes that convincing non-technical internet users will prove too difficult.

“But the thing that passwords have going for it that is better than everything else is that every single person in this room, and all of their parents and their friends and non-technical speaking others, everyone knows how to use passwords,” Hunt said.

The difficulty that the cybersecurity industry faces in encouraging change is highlighted by the still-rampant problems of password reuse and a lack of password complexity, despite frequent calls for better password hygiene.

According to a recent study by the UK’s National Cyber Security Centre, some 23.2 million people still use “123456” to secure an online account.

Likewise, the Collection #1 credential list unearthed by Have I Been Pwned in January contained 773 million unique email addresses but just 21 million unique passwords, showing the extent of password reuse.

Do businesses want change?

According to Akamai, businesses are losing $4m on average each year due to credential stuffing attacks.

However, Hunt doesn’t envision businesses ditching password protection due to the ease and convenience that it provides customers:

“As bad as it is security-wise, when your marketing manager is making a decision about how people are going to log onto the website, and some enterprising end developer comes along and says ‘Hey, this is awesome. All you’ve gotta do is pull your phone out and there’s a QR code or dongle or something’. The market manager is like ‘this is going to slow people down from registering and making us money, which is what we’re actually here to do’.”

The cybersecurity industry agrees on one thing: passwords, or the way they’re currently used, don’t offer adequate protection in today’s cyber threat landscape. However, there is less agreement on how best to improve them.

