1
00:00:00,000 --> 00:00:06,360
Honestly, we all suck at passwords, and yeah, maybe you personally use unique, impossible

2
00:00:06,360 --> 00:00:11,880
to guess, 50-character randomized passwords for all your accounts, but unfortunately you'd be

3
00:00:11,880 --> 00:00:15,360
the exception rather than the rule, you special little person you.

4
00:00:15,360 --> 00:00:20,080
According to a 2019 Google study, about a quarter of Americans use some absurdly insecure

5
00:00:20,080 --> 00:00:26,040
passwords like one, two, three, four, five, six. And according to a different study from the same year, around three quarters of users

6
00:00:26,040 --> 00:00:32,200
in the US and Canada reuse passwords, while around half only change one character when

7
00:00:32,200 --> 00:00:38,800
they're forced to update their passwords. And to be fair, a big part of the reason this happens is that the average person has so

8
00:00:38,800 --> 00:00:42,960
many online accounts now that they can't keep their passwords straight, and many people

9
00:00:42,960 --> 00:00:47,320
aren't even aware that password management software exists.

10
00:00:47,320 --> 00:00:51,360
Then you have the fact that passwords sometimes aren't even stored on the servers themselves

11
00:00:51,360 --> 00:00:57,080
in a secure manner. All you need is to take one look at the headlines about password dumps to see that.

12
00:00:57,080 --> 00:01:01,120
But do we even need passwords at all?

13
00:01:01,120 --> 00:01:04,520
Even though we're all still used to punching in passwords, people in the computer industry

14
00:01:04,520 --> 00:01:07,960
have been discussing eliminating them for quite a while now.

15
00:01:07,960 --> 00:01:12,960
Back in 2004, Bill Gates himself pointed out that the whole idea of a password was flawed

16
00:01:12,960 --> 00:01:16,680
for situations where a high level of security was needed.

17
00:01:16,680 --> 00:01:20,520
But if this is true, what would we use instead?

18
00:01:20,520 --> 00:01:27,160
Microsoft seems to think they've got it all figured out. If you have a Microsoft account, you could actually go into your settings right now and

19
00:01:27,160 --> 00:01:30,360
choose to convert your account to passwordless.

20
00:01:30,360 --> 00:01:34,520
Instead of using a password, you can use the Microsoft Authenticator app to secure your

21
00:01:34,520 --> 00:01:39,480
account. Each time you want to log in, you'll either get a verification code from the app or through

22
00:01:39,480 --> 00:01:45,120
SMS or email, get prompted for a physical security key, or use biometrics like Windows

23
00:01:45,120 --> 00:01:51,160
Hello face scan. Passwordless isn't just something Microsoft is doing, though it has stolen the headlines

24
00:01:51,160 --> 00:01:54,560
considering it means you can go entirely passwordless on Windows.

25
00:01:54,560 --> 00:01:58,320
Many mobile apps have allowed you to log in with a fingerprint after just a first time

26
00:01:58,320 --> 00:02:03,560
setup. And the signs also point to Google moving to a passwordless model, with those one-tap

27
00:02:03,560 --> 00:02:08,520
authentication prompts that show up on your phone, possibly being the way of the future.

28
00:02:08,520 --> 00:02:13,040
In fact, Google builds security keys directly into Android phones themselves in order to

29
00:02:13,040 --> 00:02:16,880
verify that it's actually you trying to get into your own account.

30
00:02:16,880 --> 00:02:20,640
Of course, even though none of this will sound super novel to anyone who's ever used

31
00:02:20,640 --> 00:02:25,800
two-factor authentication, as all of you should be, we probably still have a ways to go before

32
00:02:25,800 --> 00:02:32,200
passwords really become a thing of the past. While large firms like Google and Microsoft will probably lead the way in implementing

33
00:02:32,200 --> 00:02:38,040
it, it won't be trivial for smaller organizations to switch all of their infrastructure over

34
00:02:38,040 --> 00:02:42,880
to passwordless, especially as users often have to log into multiple services that might

35
00:02:42,880 --> 00:02:49,720
not automatically play nice with each other. It's for this reason that IT departments might be looking more at a concept called the

36
00:02:49,720 --> 00:02:54,720
Federated Login, which essentially means that one login will get the user into all the services

37
00:02:54,720 --> 00:03:00,780
they need. But this takes work to implement, and this isn't the only barrier to ditching our passwords.

38
00:03:00,780 --> 00:03:05,400
If all of this sounds like two-factor authentication with, you know, one less factor, you'd be

39
00:03:05,400 --> 00:03:10,400
right. Although not having a password sounds super convenient, it has the potential to make things

40
00:03:10,400 --> 00:03:15,320
a massive headache if a user loses their phone or their physical access token.

41
00:03:15,320 --> 00:03:19,960
So cybersecurity workers face a challenge in figuring out a practical way to verify

42
00:03:19,960 --> 00:03:22,960
a person's identity if the worst happens.

43
00:03:22,960 --> 00:03:32,400
Personally, I'm a fan of good old fashioned secret handshakes.

44
00:03:32,400 --> 00:03:37,000
So thanks for watching guys. If you liked this video, hit like, hit subscribe, and hit us up in the comment section with

45
00:03:37,000 --> 00:03:39,480
your suggestions for topics that we should cover in the future.
