The Great Password Debate

AI-created, human-edited.

On a recent episode of the popular tech podcast Windows Weekly, hosts Richard Campbell, Paul Thurrott, and Leo Laporte extensively discussed the current state and future of password managers, passkeys, and authentication. While they all agreed that the password's days are numbered, they had differing views on the ideal future system.

The Trouble with Passwords

The discussion started with Paul Thurrott expressing his frustration with password manager LastPass recently requiring master passwords to be 12 characters. As Thurrott noted, "Passwords!? Are you kidding me? Why don't password managers all support pass keys?"

Thurrott argued that we should move beyond passwords to stronger forms of authentication like passkeys. Passkeys use public key cryptography to authenticate users without passwords. Instead of typing in a password, users simply approve a login request on their device using biometrics or a PIN.

Leo Laporte agreed that passwords are problematic, noting that people often use short, easy-to-remember passwords for their master passwords in password managers, compromising their security.

The Appeal of Passkeys

Both Thurrott and Laporte saw passkeys as the ideal future of authentication. As Thurrott stated, "The goal is passwordless."

Thurrott praised the secure authentication experience of passkeys, where you simply approve a login request from another one of your devices. He argued that password managers should write passkeys directly to hardware security modules like TPM chips, eliminating passwords completely.

However, Richard Campbell pointed out that passkeys still need to be implemented perfectly, sharing frustrations about occasionally re-authenticating passkeys after rebooting a device.

Convenience vs. Security

A significant point of debate was balancing convenience and security. Thurrott argued that security measures like password managers only gain effectiveness if they are convenient and frictionless. As he stated, "If something is secure but it's a pain in the butt, they just say no."

However, Laporte noted that many security experts advocate a "zero trust" approach where users have to authenticate every time, even on their own recognized devices.

There was extensive discussion around Windows Hello and whether biometrics like fingerprint and facial recognition could securely replace typed passwords for approving access to password manager apps after initially logging into a device.

Thurrott argued that if a device is secure and the user properly locks it when not in use, Windows Hello should provide enough ongoing security for password manager apps without repeated authentication. But Laporte and Campbell seemed unconvinced, noting that many security protocols still require occasional re-authentication.

Ongoing Frustrations and Challenges

Throughout the show segment, all three hosts expressed their frustrations with the current state of passwords and authentication. As Thurrott stated, he wants to find a completely secure and convenient solution for mainstream users. Laporte shared his account password woes on various devices.

The hosts acknowledged that passwords will be around for a while longer but were hopeful that passkeys can usher in a new era of effortless authentication. However, it's clear that making this a reality will require addressing convenience issues and building more seamless multi-device authentication flows.

Authentication technology has come a long way but faces ongoing security and usability challenges. However, security experts are hopefully still dedicated to finding solutions, guiding the industry toward a passwordless future that the public can truly rely on.

Become a subscriber and never miss an episode: Windows Weekly