Three days after Yahoo announced its new “on-demand” passwords (ODP), the company released a statement on the system and its CISO Alex Stamos took to Twitter to address criticism from the security community.
While multiple industry professionals said the company's password option, which gets rid of predetermined passwords and instead uses one-time text messages with a verification code, puts users at risk, Stamos and the company argued otherwise.
In a statement to SCMagazine.com, a Yahoo spokesperson said the system was devised to address the fact that users often don't make complex passwords, reuse the same password across sites and choose simpler passwords because they are easier to type on a mobile device.
“On-demand passwords make life easier and more secure for our users by relieving them of the responsibility of creating a password that is at once difficult to guess, unique to one site and still memorable,” the spokesperson said.
Stamos followed up separately.
“The truth is that passwords are so incredibly ridiculously broken that it is almost impossible to keep users safe as long as we have any,” he tweeted.
He then went on to say password managers haven't saturated the market enough to help most users keep track of their passwords, thereby making them ineffective as a solution at the moment. Plus, he said, account lifecycle management presents an issue, especially considering that SMS or backup email is typically used for a password reset.
“For now, ODP is significantly *safer* for most users than the current status quo,” he tweeted. “How do I know? We are sitting on data from the reality.”
That reality, he said, is that users are already being hurt by passwords.
“Also, please remember that security and safety are not the same thing,” he said. “It's easy to be religious about the former.”
He suggested his followers use two-factor authentication with a password manager, but also try the on-demand password system to provide feedback.
He also noted that more password options are slated for release this year.