While security solutions such as biometrics and QR logins are frequently tipped to replace the traditional text-string password, the future of passwords is more passwords, according to Have I Been Pwned founder Troy Hunt.
Challenged during a session at Infosecurity Europe 2019, a leading event for those in the cybersecurity industry, on a US patent that promises to eliminate and prevent identity fraud, Hunt pushed back against claims that passwords will soon become obsolete.
“In five years from now we will have more passwords than we do today,” Hunt predicted. “All the time I hear about people who have really good technical solutions, and then nothing changes.”
Convenience will prevail
While Hunt admitted that he “loves the ideas” coming out of the cybersecurity industry on password alternatives, he believes that convincing non-technical internet users will prove too difficult.
“But the thing that passwords have going for it that is better than everything else is that every single person in this room, and all of their parents and their friends and non-technical speaking others, everyone knows how to use passwords,” Hunt said.
The difficulty that the cybersecurity industry faces in encouraging change is highlighted by the still-rampant problems of password reuse and insufficient complexity, despite frequent calls for better password hygiene.
According to a recent study by the UK’s National Cyber Security Centre, some 23.2 million people still use “123456” to secure an online account.
Likewise, the Collection #1 credential list unearthed by Have I Been Pwned in January contained 773 million unique email addresses but just 21 million unique passwords, showing the extent of password reuse.
Do businesses want change?
According to Akamai, businesses are losing $4m on average each year due to credential stuffing attacks.
However, Hunt doesn’t envision businesses ditching password protection due to the ease and convenience that it provides customers:
“As bad as it is security-wise, when your marketing manager is making a decision about how people are going to log onto the website, and some enterprising end developer comes along and says ‘Hey, this is awesome. All you’ve gotta do is pull your phone out and there’s a QR code or dongle or something’. The market manager is like ‘this is going to slow people down from registering and making us money, which is what we’re actually here to do’.”
The cybersecurity industry agrees on one thing: passwords, or the way they’re currently used, don’t offer adequate protection in today’s cyber threat landscape. However, there is less agreement on how best to improve them.