Are passwords obsolete? With rising data breaches, weak password habits, and endless security layers failing us, it’s time to rethink how we protect our digital lives. In this episode of Today in Tech, host Keith Shaw sits down with cybersecurity expert Gilad Shriki, co-founder of Descope, to explore the flaws in traditional passwords and discuss cutting-edge solutions for safer, smarter authentication.
Keith Shaw: Years of data breaches and lazy behavior by end users have given passwords a bad name. So, why shouldn't we just get rid of the system altogether?
On this episode of Today in Tech, we're going to explore some of the reasons why we should abandon passwords entirely in favor of new approaches. Hi everybody, welcome to Today in Tech. I'm Keith Shaw. Joining me on the show today is Gilad Shriki.
You prefer to go by Shriki rather than your first name—just remind me again why that is?
Shriki: It kind of stuck from my high school days. I just got used to it—it's like my brand name.
Keith Shaw: And this is your second time on the show. You were previously on a DEMO episode, where we talked all about Descope and what they were doing. Great episode—go check it out if you're interested in that kind of stuff.
But today, we're not going to talk about your company. We're going to talk big picture—why we should get rid of passwords and all that. So, I'm going to unload all my frustrations on you.
I'm not blaming you, but you’re here to take it on for the rest of the world. Over the years, we've had a lot of issues with passwords. For example, let me tell you what's happening at my job.
We're logging into a corporate email system—I've got Outlook on my phone. It makes you log in with a password that has to be at least 16 characters, include a number, a symbol, and a capital letter. It can't be a real word—I think? Maybe it can.
Then it rotates every six months. You either get a reminder, or you're suddenly unable to log in and realize the password expired. Sometimes it just times out. After entering the correct password, I then have to use Face ID on my iPhone—twice.
If I look away while it's scanning, it times out. And this is just to check my email! I'm not holding any corporate secrets or nuclear codes—so that’s a big problem. Security layers keep getting added, but then what happens?
People end up writing passwords on sticky notes or reusing them across multiple sites, which we all know is bad practice. Another big issue—I have to authenticate everywhere. I keep a file with about 250 different accounts—emails, usernames, passwords. Sometimes PINs.
A lot of these services I have to share with my family—streaming accounts like Netflix, Disney+, and so on. My kids text me constantly: “What’s the password for Peacock?” It’s either in the file or on a sticky note somewhere.
I have to stop what I’m doing and send it—via SMS, which is probably insecure. Then my wife or someone else might change the password and not update the file. Suddenly the saved password is outdated. I have old accounts we don’t even use anymore but can’t delete.
And what if I left the studio and got hit by a truck? My family needs access to my email and computer to handle important life stuff. That’s another concern. So, now we have biometrics—face, fingerprint, iris scanning.
But again, if I get hit by that truck, nobody else can access my phone. They can't just use a photo of my face. How did we get here? There’s more I haven’t even brought up yet. But how did we reach this point?
Shriki: First of all, I have to say—your story is the perfect example of why passwords are bad. Over the years, we've used passwords for decades. People realized they were weak, but instead of fixing the root issue, the industry kept patching over problems. "Passwords are bad?
Let’s make them more complex!" Because people used "123456," right? So, they added special characters. I don’t even know why they’re called “special,” but okay.
To be honest, I use the same three special characters. You’re going to crack my password now—it’s either the exclamation point, an @ symbol, or the one above the number 3. Maybe sometimes I use the one above #4, but rarely anything beyond that.
People would say, “Okay, ‘password123’—now let’s add special characters.” So now it’s “password123!” But now you need a capital letter—so it becomes “Password1234!” It never ends.
Keith Shaw: Is that just human nature?
Shriki: Yes, of course. The problem is twofold: it’s easy to break, and worse, people reuse passwords. You said you have a file with all your accounts—some of those passwords may be the same as your bank’s.
If one site is breached and the password hashes are stolen, hackers can brute-force weak passwords like “password123!” easily. Now they’ve got your bank password too. The industry didn’t take the right steps early on. Thankfully, we’re seeing progress now.
Keith Shaw: Even with long, complex passwords, the National Institute of Standards (NIST) put out a report saying all those complexity rules—15 characters, symbols, numbers—they don’t actually make things more secure. I read that and thought, “Then why are we doing all this?” Were you surprised by that report?
Shriki: I wasn’t surprised. With today’s compute power, even complicated passwords can be cracked. Reuse is the bigger problem. If someone steals your complex password from an old site, and you use it for your bank too—it’s a vulnerability. All these patches didn’t really help.
It’s time to move away from passwords.
Keith Shaw: So, would you say the next level of authentication was two-factor authentication? We had passwords, then they added, “We’ll send you a text message to prove you’re really you.” That was the next step, right?
Shriki: Exactly.
But then attackers got smarter. Let’s say your bank is Bank of America. I can spin up a fake website that looks like Bank of America—with a slightly different URL—and send that link to 100,000 people. Even if just 1% fall for it, that’s still 1,000 people.
And even some MFA (multi-factor authentication) methods are vulnerable. If you're tricked into entering your password and then your one-time code into a phishing site, the attacker can use that code in real-time to access your real account.
So some MFAs are "phishable"—especially those that rely on one-time passwords via text or email. Attackers are evolving, so the industry needs to evolve too. Biometrics offer stronger, less phishable methods of authentication.
Keith Shaw: And we were talking before the show about biometrics. You're saying there's a huge misconception about how it works. For me, I’m fine with it. I'm not worried about my data being stolen.
Maybe it’s just because I use an iPhone and Apple is pretty clear about how secure their systems are. But you said a lot of people still don’t want to give up their fingerprint?
Shriki: Right.
People think that when they give their thumbprint to a service, it gets sent somewhere and stored—but that’s not true. The biometric data stays on your device. When you use Face ID or Touch ID, your device just uses that input to unlock a key stored on the device.
That key is never shared or uploaded. The challenge is education. Not for people like us—but for my mom, for example. People don't use features they don’t understand, and fear of the unknown is a big blocker.
One big e-commerce site used a button labeled "Login with WebAuthn"—the old standard before passkeys. But would my mom know what that even means?
Keith Shaw: Wasn’t there something called OAuth or something like that?
Shriki: There are lots of names, but the problem is always the same—if you want mass adoption, you need to educate people and make it user-friendly. Even the term "passkey" is new and unfamiliar to many.
Keith Shaw: Another authentication method I want to mention—CAPTCHAs. The “I’m not a robot” stuff. There are so many memes about those. At first, it was figuring out whether a curvy letter was a 3 or an E.
Then it became “Click all the pictures with buses” or “Find the stop signs.” If I’m on a PC, it’s doable. But on my phone? Forget it. I can’t even authenticate with that method.
Shriki: CAPTCHAs are often poorly implemented and add a lot of friction. Some services don’t mind the friction—like banks, where you’re a captive user and have to log in. But e-commerce companies want to eliminate friction to avoid losing customers.
Keith Shaw: Is that why Amazon still only uses a username and password?
Shriki: Partly.
Amazon could implement more advanced security, but it’s a trade-off. Let’s say fraud costs you 1–2% of revenue, but adding security friction reduces revenue by 5%. In that case, it makes more business sense to accept the fraud.
Keith Shaw: You were talking earlier about simple passwords. NordPass released a list of the 200 most common passwords—and “123456” is still at the top! It’s 2025! How is that possible?
Shriki: I think even in Spaceballs, Lord Helmet had his luggage set to “12345.” It’s a combination of websites that don’t enforce strong requirements and users who don’t understand the risks. It’s on us, as a tech industry, to educate and help people adopt better practices.
Keith Shaw: I saw that in Canada, one of the top passwords was "hockey." I mean, really? That shows how much it depends on whether the site enforces good password rules.
Shriki: Exactly.
And then we got password managers. They're great because:
* You don’t need to remember anything
* You can use different passwords for every site without stress.
But now, password managers have become targets for attackers.
Keith Shaw: Yeah, so moving from frustration to solutions—password managers seem like the first step. Google Chrome and Apple Keychain will store passwords. But it feels like I need seven different password managers, and sometimes they don’t work.
If it’s been a while since I logged into something, I assume the browser saved it—and it didn’t. Then I reset the password or go digging through my insecure file.
Shriki: Password managers are great—better than sticky notes. I recommend picking one and sticking with it. Whether it’s Google, Apple, or a third-party service, just having one cross-device manager helps a lot. They can generate complex passwords and flag reused ones.
Yes, they’re also targets, but they use a zero-trust model. Even they don’t have access to your passwords. You still need a master password—but the good ones are now integrating passkeys, which we’ll get into.
Keith Shaw: One issue I’ve had: I’ll sign up for a site with 2FA, and the password manager thinks the one-time code is a new password. It prompts me to update, and sometimes even changes my username. It gets clunky.
Shriki: 100%.
They’re trying, but it’s not perfect. Still, it's way better than a piece of paper.
Keith Shaw: So now all the cool kids are talking about passkeys. At first, I thought passkeys were just password managers—but they’re not. Can you explain the difference?
Shriki: Sure.
A password manager is a vault. You store your secrets in it and retrieve them when needed. A passkey, on the other hand, establishes trust between your device and a website. When you log in, your biometric input unlocks a cryptographic key, which proves who you are—without needing a password.
It’s supported across devices and browsers. For example, you can log into your Mac using a passkey stored on your phone—just scan a QR code and verify with Face ID.
Keith Shaw: And there are software-based passkeys and hardware-based ones, right? Do they call them hardware or physical keys?
Shriki: Correct—hardware-based.
They’re like little USB keys. Someone gave me one and I still haven’t used it.
Keith Shaw: My concern is, what if I lose it? It’s so tiny.
Shriki: It’s basically like a thumb drive. These are mostly used in high-security environments—banking, privileged users, things like that. They can't be shared and are locked to a specific device, which makes them very secure. But for the mass market, it's overkill.
Using Face ID or a fingerprint on your phone is a much better experience for everyday users. Think about the friction—you'd have to ship someone the physical key, pair it with their identity, explain how to use it. That’s a lot for most consumers.
Keith Shaw: What about those authenticator apps that rotate a code every few seconds? Like a digital bomb timer—you have to type it in fast! I remember one of those in an online game I played 10–15 years ago. Why didn’t those become more popular?
Shriki: Those are called TOTP—Time-based One-Time Passwords. They work by using a shared secret between your app and the service. The code rotates every 30 seconds. At first, it was done via physical pagers. Then they moved to phones. But again—friction. And they’re still phishable.
I can build a phishing site that asks for your username, password, and your TOTP code. If you give me all three, I can log in as you. So it's better than nothing, but still vulnerable.
Keith Shaw: Yeah, my work uses Microsoft Authenticator. A code pops up, usually 55 or 17—it’s always the same numbers, it seems. Maybe it's just me. But sometimes the prompt doesn’t appear. Other times, I get goofy numbers that repeat. It’s inconsistent.
I remember in that Star Wars MMO I played, they used TOTP—but it was still manually typing the code, which got annoying.
Shriki: Yeah, it’s just another patch. Patch on patch on patch. Passkeys are promising because they’re not just a patch—they’re a real alternative. Hopefully, they’re the password killer. Of course, there have been other attempts before—social logins, for example.
Keith Shaw: That was going to be my next question—are social logins safe? I use Google most of the time because I just don’t want to create another account. I figure Google knows who I am—why not let them handle it?
Shriki: Social login can be very secure. It depends on whether the underlying account—Google, Apple, Facebook—is secure. If your Google account is protected with a strong method, that’s much better than creating a new, potentially weak password for every site. From a consumer standpoint, it’s low-friction.
Some sites even use “one-tap login,” where you just click a button and you’re in. So yes, as long as your core account is protected—especially with a passkey—it’s a solid approach.
Keith Shaw: That’s interesting—Google hasn’t reminded me to change my password in, like, 15 or 20 years.
Shriki: That’s because they trust their own systems. But I’d still recommend setting up a passkey for your Google account—it’s easy and far more secure.
Keith Shaw: And if I use Google for social login on other sites, I can still secure that with a passkey?
Shriki: Exactly.
You use the passkey to secure your Google login. Then any site where you use “Log in with Google” benefits from that added security. If you’re logged in on the browser, it's seamless. If not, it’ll ask for Face ID or your fingerprint.
Keith Shaw: Okay, hypothetical time—if you were Emperor of the World for one day, would you get rid of passwords?
Shriki: Of course.
First thing. First half of the day, even.
Keith Shaw: So what would you have everyone do?
Shriki: I’d start with education. Today, the most promising option is passkeys and WebAuthn. I’d make sure people understand that biometrics don’t leave the device. Education for both users and services. Show companies that passkeys reduce friction and increase security. Show users that they don’t need to remember passwords anymore.
It’s a win-win.
Keith Shaw: Do most companies agree with you? Or are they just avoiding the cost of switching to a more secure system?
Shriki: It depends.
From a security standpoint, most experts agree that passkeys are better. No system is 100% secure, but passkeys are a huge step forward. But companies also have to think about cost, time, priorities. There's always something else on the roadmap. But yes—security people are on board.
Keith Shaw: Someone once suggested we should just implant chips in people’s arms instead of using passwords. That kind of freaked me out. I hate needles.
Shriki: I hate needles too, but I’d stand in line for that.
Keith Shaw: You’d be fine with it?
Shriki: From a security perspective? Yes. We’ve already been using tap-to-pay tech for years. Whether it’s Apple Pay or transit systems, we’re used to contactless verification. Putting that tech inside your body is just an extension. It's a bit extreme, but conceptually, it’s not that different.
Keith Shaw: I used to be an early adopter, but I’ve lost some trust along the way—too many breaches, too many issues.
Shriki: Fair.
But we already carry devices—phones, watches—with our payment methods. I tap my watch to pay. I tap into the subway. Same concept. California is even putting driver’s licenses on phones now. You can tap your phone at TSA instead of handing over a card. The tech is mature enough.
That could be the future evolution of passkeys—stored not just on your device, but in you.
If you think about the classic MFA model:
* Something you know (like a password)
* Something you have (like your phone)
* Something you are (like a fingerprint)
Passkeys combine "something you have" and "something you are." If the passkey is in your arm? Even more secure.
Keith Shaw: You're not going to lose your arm... unless something really bad happens. If I were Emperor, maybe I wouldn't ban all passwords—I’d start by banning "123456."
Shriki: You don’t need to be Emperor for that. That’s just common sense. Government institutions could help, too—NIST, PCI, etc.
They set standards. Industries like banking already have stronger password requirements. But e-commerce? They don’t want friction. They just want the transaction.
Keith Shaw: From an end-user perspective—is it lazy to stay logged into everything? Like, I have 12 tabs open right now and I’m logged into all of them.
Shriki: That’s totally fine—as long as it's your device. The browser uses secure, signed cookies to maintain sessions. Staying logged in reduces friction and makes you less likely to reuse or write down passwords. Just don’t do it on public or shared computers.
Keith Shaw: But if I handed you this laptop right now, you could see everything?
Shriki: Not necessarily. You’d probably close the lid, which locks the screen. That adds a layer of security.
Keith Shaw: Right. So, no problem staying logged in—as long as it's your device. But if I'm at a public place—like a cafe or the airport—I should log out?
Shriki: Definitely.
And be cautious even logging in on public devices. They could have keyloggers. I avoid it completely.
Keith Shaw: I still get nervous at the airport when they offer free Wi-Fi. You never know if it’s real.
Shriki: There are ways to protect yourself—use a VPN, for example. Add extra layers of security.
Keith Shaw: Do you see this as a real movement? Are we finally waking up to the fact that passwords need to go? Or are you just the “kooky guy” shouting into the void?
Shriki: I’ve been called that! But no—it’s happening. The FIDO2 Alliance, which developed passkeys, has backing from all the major players: Google, Microsoft, Apple. Sites like Best Buy and Home Depot already let users set up passkeys. This is the tipping point.
Keith Shaw: Are they doing a good job explaining what passkeys are, though? Because I was still confused.
Shriki: Not yet.
Google and Apple are doing a decent job during setup—they walk you through it. But I don’t expect Home Depot to educate people. That’s probably not their job. The platform providers need to lead that effort.
Keith Shaw: So, final question—will we ever live in a password-free world?
Shriki: I won’t predict it outright—but I want to see it. Hopefully in this decade. It’s happening. The momentum is there, and I hope it continues.
Keith Shaw: Shriki, always a pleasure. I love talking to you about this stuff—thanks again for being on the show.
Shriki: Thanks for having me. This was great.
Keith Shaw: That’s all the time we have for today’s episode. Be sure to like the video, subscribe to the channel, and leave your thoughts in the comments. Join us every week for new episodes of Today in Tech. I’m Keith Shaw—thanks for watching!