Apple launched its new Passwords app at last night’s event to little fanfare – but it could be one of the more consequential changes of the year. Photograph: Franck Robichon/EPA

Why passwords still matter in the age of AI

As Apple’s new Passwords app tries to solve our identity crisis, why are we still proving who we are via strings of random characters?

Whether it stands for artificial intelligence or, er, Apple intelligence, AI is the hot news of the day. Which is why I think it’s time to talk about [sits backwards on chair] passwords.

It may have been buried in the reporting of last night’s Apple event – which the inestimable Kari Paul and Nick Robins-Early covered for us from Cupertino and New York – but one of the more consequential changes coming to the company’s platforms in the next year is the creation of a new Passwords app.

From 9to5Mac:

The average user probably has never heard of 1Password or LastPass, and they may or may not be aware that the iPhone can automatically create and store passwords for them. For users like that, a new Passwords app showing up on their iPhone’s Home screen this fall is going to hopefully lead them to a more secure computing future.

The straight version of this is that it’s a minimal change. Almost everything the new passwords app will do is already in iOS and macOS, just buried in settings menus. Unless you’ve actively decided to do something different, if you use either platform then you should just be able to go to the system settings app, scroll down to Passwords and, after authenticating with your face or fingerprint, see a nice list of every login you have across the internet.

Apple hasn’t been neglecting the service, either. In the years since it launched, it has built it out into a fully featured password manager: it will perform a light security audit, warning you of hacked or reused passwords; it lets you share details with family members, saving you from having to email sensitive data; it even lets you import and export the database, still somewhat of a rarity for the company.

But breaking the service out into its own app is still an important act. Because the problem Apple is trying to solve isn’t really about passwords at all – it’s about identity.

Last week I sat down with Steve Won, the chief product officer of 1Password, a password manager app with a long pedigree on Apple’s platforms. “The way that we manage digital identity is just screwed up,” Won said. “Effectively, I don’t have an identity at all: there are just random databases all across the world with my information. My credit card information, my bank information, my university probably still has my information, and so forth.”

Passwords are the oldest and most popular way of solving the identity problem on the internet. You prove who you are by sharing something that only you know. But they also have large and obvious problems: Simply existing in the developed world requires the creation of more passwords than one can reasonably remember, which pushes people towards password reuse. Password reuse means that the loss of a single password can lead to devastating follow-up hacks. Attempting to memorise a unique password for every account forces passwords to be short enough to be guessable through brute force.

All of which leads, inexorably, to the creation of password managers. Despite competing directly with Apple in the space – a position no one would choose to be in – Won is optimistic. “Every single time Apple and Google have done a big push around the password manager, it’s been like our biggest lead month,” he says. Pitching 1Password as “the Aston Martin of password managers”, he argues that anything that makes it clear to users that they need to move away from memorising or reusing passwords is a plus. “The total addressable market for a password manager should really be seven-and-a-half billion people.”

But even a password manager can’t fix passwords. Linking ever more precious systems to an easily phished or stolen string of characters is a recipe for trouble. Two-factor authentication fixes some of the issues, but also introduces new ones. And so the industry has started looking to what comes next: passkeys.

From password managers to passkeys, nothing seems to have solved tech’s identity crisis yet. Photograph: Dominic Lipinski/PA

You may remember when we spoke about them two years ago. From the TechScape archives:

A mild improvement in your daily life. That’s what Apple, Google and Microsoft are offering, with a fairly rare triple announcement that the three tech giants are all adopting the Fido standard and ushering in a passwordless future. The standard replaces usernames and passwords with ‘passkeys’, log-in information stored directly on your device and only uploaded to the website when matched with biometric authentication like a selfie or fingerprint.

Since they launched in 2022, though, passkeys haven’t set the world on fire. Part of that is because their rollout has been slow – just a handful of sites support them, with 1Password listing 168 in its directory – but it’s also because early adopters have been burned. Australian hacker William Brown is emblematic of that reaction:

At around 11pm last night my partner went to change our lounge room lights with our home light control system. When she tried to login, her account couldn’t be accessed. Her Apple Keychain had deleted the Passkey she was using on that site … Just like adblockers, I predict that Passkeys will only be used by a small subset of the technical population, and consumers will generally reject them.

The very things that make passwords insecure – the fact that they are human-readable, that you can copy and paste them in plain text, that you can physically speak them down the phone – also make them feel controllable. Passkeys, by contrast, require you to put all your trust in the system, and after the last few years, you may not have that much trust left.

For 1Password’s Won, though, the switch is still an opportunity. “Apple, Microsoft and Google have been very, very open to making this a dialogue with us, because they realise passkeys are only going to work if they work everywhere, evenly. They recognise they’re not going to be the best at cross-platform, right? We’re able to store passkeys and use it across every single surface. It’s not just a security benefit, it’s also a speed benefit: passkeys let you skip email verification and password setup, so it’s a better user experience.”

This is important to get right, because “identity” is about to get a lot more confusing. Take the pontifications of Zoom’s chief executive:

Zoom users in the not-too-distant future could send AI avatars to attend meetings in their absence, the company’s chief executive has suggested, delegating the drudge-work of corporate life to a system trained on their own content.

In practice, such a system is a long way from reality. Or, at least, if we actually have AI systems that can meaningfully attend a meeting in your absence, then Zoom calls are quite far down the list of things that would be radically changed.

But AI systems that can play the part of you well enough to fool people for a bit are very real. OpenAI’s latest voice synthesis system isn’t publicly released, because the company thinks its flagship capability – to convincingly mimic a voice with just 15 seconds of sample audio – is too dangerous to be generally available. But it knows that it can’t hold the tide back for long, and is publicising what the tech can do to try to promote safety goals it sees as necessary:

• Phasing out voice based authentication as a security measure for accessing bank accounts and other sensitive information
• Exploring policies to protect the use of individuals’ voices in AI
• Educating the public in understanding the capabilities and limitations of AI technologies, including the possibility of deceptive AI content

Like I said: whether we’re talking about passwords, Apple intelligence, or artificial intelligence, it all comes back to identity in the end. How can I prove I am who I say I am? How can I even prove I am an I at all? Wherever we end up going, a 16 character password just won’t cut it.
