The idea of killing passwords dead is simply absurd. A cyber space where we have to live without remembered passwords, i.e., where our identity is established without our volitional participation would be a world in which we would be able to have a safe sleep only when we were alone in a firmly locked room. Is this what we want?

1. Passwords should not be killed dead, but should be expanded.
Some people shout that the password should be killed dead by deploying PIN or biometrics. However, the
idea of killing passwords dead is simply absurd. A cyber space where we have to live without remembered
passwords, i.e., where our identity is established without our volitional participation would be a world in
which we would be able to have a safe sleep only when we were alone in a firmly locked room. Is this what
we want?
Even more absurd is the idea of killing passwords by deploying PIN (numbers-only password). If we could
displace the password with the numbers-only password, we should be able to displace horses with ponies,
lorries with mini-lorries. We would need to find an exit fromAlice’s Wonderland.
As crazy is the idea of killing the password dead by deploying the biometrics that need to depend on a
password. Whether face, iris, fingerprint, typing, gesture, heartbeat or brainwave, biometric authentication
could be a candidate for displacing the password if/when (only if/when) it has completely stopped depending
on a password registered in case of false rejection while keeping the near-zero false acceptance. Threats
that can be thwarted by biometric products operated together with a fallback password against false
rejection can be thwarted more securely by the password alone.
We could be certain that biometrics would help for better security only when it is operated together with a
password by AND/Conjunction (we need to go through both of the two), not when operated with a password
by OR/Disjunction (we need only to go through either one of the two) as in the cases of Touch ID and many
other biometric products on the market that require a backup/fallback password. It only increases
convenience by bringing down security.
Two/multi-factor authentication schemes that need a password as one of the factors can by no means
displace passwords while ID federations (password-managers and single-sign-on services) create a single
point of failure which makes another big vulnerability if it is operated in an excessively centralized way.
Now that it is obvious that conventional character-based password alone can no longer suffice, we urgently
need a successor to it. What we advocate as the successor is an Expanded Password System that accepts
images as well as characters.
At the root of the password headache is the cognitive phenomena called “interference of memory”, by which
we cannot firmly remember and correctly recall more than 5 textual passwords on average. What worries
us is not the password, but the textual password. The textual memory being only a small part of what we
remember, we could think of making use of the larger part of our memory that is less subject to interference
of memory. More attention could be paid to the efforts of expanding the password system to include images,
particularly images of episodic/autobiographic memory, in addition to characters, so we can easily manage
dozens of unique passwords for dozens of accounts by our remembrance.
The Expanded Password System certainly would not solve all the password problems on its own, but it will
no doubt help to largely mitigate the problems with the smallest possible costs, contributing to safer life in
the real/cyber-fused society over many generations or centuries to come.
3rd September 2015/
Hitoshi Kokumai