Passwords, first introduced in 1961 with MIT’s Compatible Time-Sharing System, are celebrating their 65th anniversary. Yet, as they age, their security is deteriorating, according to a recent analysis. The once-reliable method of authentication is now plagued by new vulnerabilities, including optimized attacks, flawed password managers, and passwords that may appear strong but are not.

Over the past few weeks, three new issues in password security have emerged. Compilers can now optimize away protections against timing attacks, password managers once thought to be secure have shown flaws, and passwords may not be as reliable as they seem. The latter issue is particularly concerning as some password managers now offer passwords, raising questions about how these are created and whether they are truly secure.

Most users rely on password managers provided by Apple and Google. However, both companies are based in the United States and could potentially revoke access to their services if users are deemed a risk. This raises concerns about digital sovereignty and the ability to retain control over one’s passwords.

While the problems with passwords are not inherent to the concept itself, the implementation and management are often lacking. A properly designed and managed password system, used by well-informed users, can be secure. However, the reality is that most users are not properly educated about password security, leading to vulnerabilities.

The rise of agentic AI has further complicated the situation. These systems require access to user credentials to act on their behalf, creating new risks. With no industry-wide best practices or management principles, the integration of AI into password management is fraught with potential issues. Recent developments, such as the emergence of AI-driven password-sharing platforms, have raised alarms about the security of user data.

Experts suggest that the answer to securing agentic AI is not to use it at all, or at least not to declare an entire operating system as agentic. If users do choose to use agentic AI, they must understand and implement proper security measures, including privilege isolation and security segmentation.

Despite these challenges, there has been progress in making passwords safer. Fingerprint and facial recognition on devices have become more reliable, and PINs are often sufficient when paired with multi-factor authentication. However, extending these security measures to online services and managing them across multiple devices remains a challenge.

Two-factor authentication and passkeys, while promising, face practical issues. Options like SMS, authenticator apps, and physical security keys all have vulnerabilities, including social engineering and device loss. Even the latest Mac mini lacks a fingerprint sensor, complicating the user experience.

Passkeys, when implemented correctly, offer a more secure alternative to traditional passwords. They rely on cryptographically signed tokens and are strictly per-device. However, they are difficult to explain and can be confusing for users, especially when systems offer multiple passkey options or cloud-based storage.

The industry’s reluctance to adopt common standards and user-friendly solutions is exacerbating the problem. While the technology exists to improve password security, the lack of standardization and user education leaves many users vulnerable. As passwords continue to age, the need for a more secure and user-friendly authentication method becomes increasingly urgent.