WEBVTT

00:00:00.000 --> 00:00:06.360
Honestly, we all suck at passwords, and yeah, maybe you personally use unique, impossible

00:00:06.360 --> 00:00:11.880
to guess, 50-character randomized passwords for all your accounts, but unfortunately you'd be

00:00:11.880 --> 00:00:15.360
the exception rather than the rule, you special little person you.

00:00:15.360 --> 00:00:20.080
According to a 2019 Google study, about a quarter of Americans use some absurdly insecure

00:00:20.080 --> 00:00:26.040
passwords like one, two, three, four, five, six. And according to a different study from the same year, around three quarters of users

00:00:26.040 --> 00:00:32.200
in the US and Canada reuse passwords, while around half only change one character when

00:00:32.200 --> 00:00:38.800
they're forced to update their passwords. And to be fair, a big part of the reason this happens is that the average person has so

00:00:38.800 --> 00:00:42.960
many online accounts now that they can't keep their passwords straight, and many people

00:00:42.960 --> 00:00:47.320
aren't even aware that password management software even exists.

00:00:47.320 --> 00:00:51.360
Then you have the fact that passwords sometimes aren't even stored on the servers themselves

00:00:51.360 --> 00:00:57.080
in a secure manner. All you need is to take one look at the headlines about password dumps to see that.

00:00:57.080 --> 00:01:01.120
But do we even need passwords at all?

00:01:01.120 --> 00:01:04.520
Even though we're all still used to punching in passwords, people in the computer industry

00:01:04.520 --> 00:01:07.960
have been discussing eliminating them for quite a while now.

00:01:07.960 --> 00:01:12.960
Back in 2004, Bill Gates himself pointed out that the whole idea of a password was flawed

00:01:12.960 --> 00:01:16.680
for situations where a high level of security was needed.

00:01:16.680 --> 00:01:20.520
But if this is true, what would we use instead?

00:01:20.520 --> 00:01:27.160
Microsoft seems to think they've got it all figured out. If you have a Microsoft account, you could actually go into your settings right now and

00:01:27.160 --> 00:01:30.360
choose to convert your account to passwordless.

00:01:30.360 --> 00:01:34.520
Instead of using a password, you can use the Microsoft Authenticator app to secure your

00:01:34.520 --> 00:01:39.480
account. Each time you want to log in, you'll either get a verification code from the app or through

00:01:39.480 --> 00:01:45.120
SMS or email, get prompted for a physical security key, or use biometrics like Windows

00:01:45.120 --> 00:01:51.160
Hello face scan. Passwordless isn't just something Microsoft is doing, though it has stolen the headlines

00:01:51.160 --> 00:01:54.560
considering it means you can go entirely passwordless on Windows.

00:01:54.560 --> 00:01:58.320
Many mobile apps have allowed you to log in with a fingerprint after just a first time

00:01:58.320 --> 00:02:03.560
setup. And the signs also point to Google moving to a passwordless model with those one-tap

00:02:03.560 --> 00:02:08.520
authentication prompts that show up on your phone, possibly being the way of the future.

00:02:08.520 --> 00:02:13.040
In fact, Google builds security keys directly into Android phones themselves in order to

00:02:13.040 --> 00:02:16.880
verify that it's actually you trying to get into your own account.

00:02:16.880 --> 00:02:20.640
Of course, even though none of this will sound super novel to anyone who's ever used

00:02:20.640 --> 00:02:25.800
two-factor authentication, as all of you should be, we probably still have a ways to go before

00:02:25.800 --> 00:02:32.200
passwords really become a thing of the past. While large firms like Google and Microsoft will probably lead the way in implementing

00:02:32.200 --> 00:02:38.040
it, it won't be trivial for smaller organizations to switch all of their infrastructure over

00:02:38.040 --> 00:02:42.880
to passwordless, especially as users often have to log into multiple services that might

00:02:42.880 --> 00:02:49.720
not automatically play nice with each other. It's for this reason that IT departments might be looking more at a concept called the

00:02:49.720 --> 00:02:54.720
Federated Login, which essentially means that one login will get the user into all the services

00:02:54.720 --> 00:03:00.780
they need. But this takes work to implement, and this isn't the only barrier to ditching our passwords.

00:03:00.780 --> 00:03:05.400
If all of this sounds like two-factor authentication with, you know, one less factor, you'd be

00:03:05.400 --> 00:03:10.400
right. Although not having a password sounds super convenient, it has the potential to make things

00:03:10.400 --> 00:03:15.320
a massive headache if a user loses their phone or their physical access token.

00:03:15.320 --> 00:03:19.960
So cybersecurity workers face a challenge in figuring out a practical way to verify

00:03:19.960 --> 00:03:22.960
a person's identity if the worst happens.

00:03:22.960 --> 00:03:32.400
Personally, I'm a fan of good old fashioned secret handshakes.

00:03:32.400 --> 00:03:37.000
So thanks for watching, guys. If you liked this video, hit like, hit subscribe, and hit us up in the comment section with

00:03:37.000 --> 00:03:39.480
your suggestions for topics that we should cover in the future.
