Faces rule, brains drool. This is what Apple, Google, and Microsoft decreed earlier this month when they announced they’d be expanding their support for the industry group FIDO Alliance’s fight to replace the internet’s billions of password-based logins with smartphone-based passkeys, which are unlocked by your PIN, your fingerprint, or your face. The announcement from the three browser giants, made on World Password Day (who could forget?), marks what Microsoft calls a “monumental step toward a world without passwords.” It’s also a monumental victory for your face. So get to a mirror and kiss that mug—it snorts, it burps, it blinks, and it may soon open-sesame the universe.
The FIDO Alliance wants to remove our stupid brains from authentication entirely. With good reason. The world’s most common passwords are still 123456, 123456789, qwerty, and password. The most common animal as a password is monkey; we love to remind ourselves how little we’ve evolved. If we’re not getting hacked with weak passwords, we’re getting locked out with the strong passwords we can’t remember. By some estimates, four out of five of us have forgotten at least one password in the last 90 days, and a quarter of us lose a password at least once a day.
But perhaps our brains have been set up to fail. Between apps, subscriptions, banks, and email accounts, the average person has about 100 passwords. In contrast, the average person has about one face, and it’s unforgettable (just look at you!) and mostly unhackable. A passwordless world is a more secure world. But it is a world with fewer reminders that we forget. And let’s not forget that forgetting reminds us of who we are.
(Disclosure: I do not have a password manager, which precludes the need to remember your passwords. This is a source of belittlement and rage from both my wife and my employer, which has several essential guides and cautionary tales on why you must, must, must have a password manager, and which one you should get. WIRED publishing an ode to forgetting your password is like a locksmith preaching to his customers why they should replace their front door with beaded curtains. I’m talking exclusively about the psychic benefits of forgetting, not the cybersecurity benefits, of which there are nearly none.)
After all, but for passwords, forgetting is all but forgotten online. Long ago we blended our brains with Google and seared our pasts into social media and the cloud, where haunting memories can be resurfaced at or against our will instantaneously. (Kate Eichorn writes about this in her book The End of Forgetting.) We also careen through an internet almost entirely free of friction. We search, we share, we spend, and we scream at strangers without so much as an algorithmic superego asking, “u sure?” Along this omnipotent slip-n-slide, rare are the moments that we don’t know, or aren’t able to know or recollect, where we confront our limitations, our humanity. Because of this, one of the internet’s most persistently annoying questions is also one of its most exhilarating: Forgot your password?
Yes, Hulu. Yes, Bandcamp. Yes, New York Times. You’ve halted my capricious joyride. I lost my password again, because I lost my password before. You see, for all my passwords, I oscillate from caps to lowercase like a seventh grader’s AIM bUdDy pRoFiLe circa 2004. I sprinkle random numbers and special characters in the middle of words. I never stop until the password strength meter turns green and tells me I’m “strong.” But the stronger the magic words are, the harder they are to recall.
The existential irony is, I’m often creating new passwords with the recommended level of “entropy” (i.e., unpredictability) while in a state of entropy. I want to hate-watch SNL now. I want that recipe now. And so, like a monkey, my paw tap tap taps refresh until the reset password link appears in my inbox. Then, rather than seizing the opportunity to create a wholly new password—to build a new portal to where I want to be—in my frazzled state I typically change two or three characters from what I thought my old password was, almost at random, daring myself to remember the adjustments whenever the time comes to log in again. Or to write it down. Or to get a password manager. I never do. And a week, a month, or two years later, the cycle repeats. Every time, my password strength is my weakness. Every time, my password security exacerbates my insecurity about my inability to grow. This is the samsara of cybersecurity. It is infuriating, it is humbling, it is among the only places online where we must come to terms with ourselves.
Nirvana will not be found in logging in with your frictionless face. Though it will make us safer, liberation from passwords will also further shackle us to our always online, always logged-in way of being. Nirvana will be found in sometimes abandoning logins entirely, something forgetting entices you to do. As the poet Kay Ryan writes of forgetting, “lacking memory does not make one stupid; it could be argued that it makes one free.” An old password forgotten is a new path forged. I could follow the prompt to create another password, and stay en route to my original destination. Or I could let myself believe I forgot my password for a reason, choose to return to LinkedIn or Grubhub another day—or never—and instead meander anywhere else, perhaps to a place that doesn’t know the secrets I’ve forgotten.