Best IAM practices to strengthen enterprise security
As part of Cybermoi/s 2024, we are sharing best IAM practices with you to strengthen corporate security.
Passwords have invaded our daily lives. The very concept of a password has become suffocating to many of us, as passwords have become so plentiful and demanding. In hindsight, the concept keeps evolving. It has evolved, and worsened. But, thanks to modern and elegant platforms such as Memority, it is evolving again, and it is improving.
The idea of a password is pretty old. It comes from the realm of magic: a magic spell which grants access to some place.
The first passwords were neither personal, nor complex. One just had to know them – or guess them.
We do not need to go back to tales as old as the famous “Open sesame” from the One Thousand and One Nights back in 1717: let’s just review two masterpieces of 20th-century literature.
In the first volume of J. R. R. Tolkien’s The Lord of the Rings, published in 1954, the Fellowship of the Ring, led by Gandalf the Grey, must open a massive portal bearing an Elven prompt, the Doors of Durin, in order to enter the caves of Moria:
At the top was an arch of interlacing letters in an Elvish character. Below, though the threads were in places blurred or broken, the outline could be seen of an anvil and a hammer surmounted by a crown with seven stars. (…) The words do not say anything of importance to us. They say only:
“The Doors of Durin, Lord of Moria. Speak, friend, and enter.”
The password is neither individual, nor complex. You just have to know it to enter. And you just need a good command of the Sindarin Elven dialect to guess it. (*)
In the fourth chapter of Umberto Eco’s Foucault’s Pendulum, published in 1988, the narrator, Casaubon, tries to access the text hidden by Jacopo Belbo in his rather primitive home computer, nicknamed Abulafia.
When I loaded the machine, a message promptly appeared:
“Do you have the password?”
Not in the imperative. Belbo was a polite man.
The machine doesn’t volunteer to help. It must be given the word; without the word, it won’t talk. As though it were saying:
“Yes, what you want to know is right here in my guts. Go ahead and dig, dig, old mole; you’ll never find it.”
Here again, the password is neither individual, nor complex. You just have to know it to enter. And you just need a good experience of the delightful Italian courtesy to guess it. (**)
The world has changed.
Today, passwords are supposed to be personal, unique for each and every individual, on each and every system.
A password is bound to your identifier – account number, e-mail address, social security number, etc. It lets you prove your identity. You are strongly encouraged never to share any password. And you are also strongly encouraged to set up a different password for each system. And the fact is, you are lucky enough to have access to dozens, if not hundreds, of systems!
Today, passwords are also supposed to be complicated – if so, they are labelled “strong”.
“password”: it’s no good. “Julie”: it’s better. “Julie55”: it’s much better. “Julie55+”: keep going. “L”: yes, this is sweet, this is strong, this is secure! Great!
And then, you have to generate the same kind of password for each system, always a different one, for each of those hundreds of systems. And finally, you have to memorize them, and that’s it, you are safe. Cheers.
Today, everybody hates passwords. The magic is gone.
Less is more
Fortunately, this is not the end of history.
Of course, it’s quite impossible to go back to elegant passwords such as the ones of the caves of Moria and of Abulafia.
Today, elegance lies in the solutions. Today’s passwords, personal, distinct, strong, are just a step in evolution, and they will soon belong to the past.
The new solutions are personal and tailored, just as much as individual IDs and passwords, allowing exactly the right person to be authenticated.
The new solutions are strong and safe, even more so than passwords such as “LoTReZxtfaMb3lB0EPAu”, or than ciphered certificates on 2048-byte steroids.
Some of those solutions send one-time, short numbers to your mobile device or your inbox. Others use the fingerprint reader or the camera of any of your personal devices. Others rely on accounts you already have in the operating system of one of your devices, or on features or memories buried in the guts of those devices. Others delegate authentication to others. Others aggregate multiple such “authentication factors”.
Gandalf the Grey and Jacopo Belbo would have loved those solutions, which are conveniently named “passwordless”.
Those solutions are available to any organization using modern Identity and Access Management platforms, such as Memority.
As Arthur C. Clarke wrote:
Any sufficiently advanced technology is indistinguishable from magic.
* Gandalf read the Elven prompt too quickly. The prompt, which he translated as “Speak, friend, and enter.”, actually means: “Say: friend, and enter.” Hence the password is “mellon”, the Elven word for “friend”.
** Casaubon read Belbo’s question too quickly. The question is: “Do you have the password?” The answer is obvious. The password is: “no”. Belbo was a polite man.