In this modern world, there are several viable alternatives to passwords for authenticating to computer systems that perform important functions or contain sensitive data. Passwords are ubiquitous, and removing them from all proprietary computer operating systems would be a slow, costly process. Passwords, if used appropriately, provide a low-risk, cost-effective, and familiar interface for authenticating to systems of low functional importance or that don't contain sensitive data. The strength of passwords, or of an alternate authentication system, should be proportional to the value or importance of the system that requires protection. Passwords have algebraic, computer implementation, and human behavioral properties that, for low-value systems, are risks requiring mitigation through policies and technical controls. For systems of high importance, these same properties are critical flaws that no longer have strong mitigations, which renders passwords unsuitable for use in this time period. Following a brief history and definition of passwords, this paper will show three properties of passwords that render them risky or unsuitable for use. Suggestions for mitigating risk from these properties are covered briefly. Current attacks on passwords, illustrated by a simple experiment, and future trends in computing that will make password use obsolete are highlighted. A short description of a risk analysis as applied to authentication is sketched out, and pointers are given to alternative forms of authentication.