For decades we've been using passwords to protect computers and for decades they've only somewhat worked. For example, within critical infrastructure I've seen cases where there is a well-known, default password for many devices. In some cases that password is even written on the device and in other cases engineers share a single user account and password, thus associating no accountability with system changes. In the world of critical infrastructure where availability is the priority, while I don't agree, I understand the philosophy that drove this mindset, resulting in simple, default passwords remaining fixed for thirty-plus years in some cases.

As an industry, we've conducted security awareness training for users on choosing strong passwords and pass phrases, frequently changing passwords, not sharing passwords, not reusing passwords and not writing passwords down. And we've conducted security awareness training for companies about not storing passwords in clear text, how to write secure code around access control systems to avoid simple attacks like SQL Injection, and how to take advantage of more robust solutions leveraging multi-factor authentication, tokens, and the like.

But we keep getting it wrong and new solutions are turned on daily with simple username and password requirements. Passwords are often stolen in the clear. Users still use the same passwords across multiple devices. And one password across multiple services such as banking, retail, email, social media and corporate assets is the norm. With the popularity of smaller, mobile devices, general password practices are too clumsy so the passwords become even shorter and more simplified.

Failures

I honestly feel that passwords are a failed human experiment. Even if strong passwords were enough, many people are not willing to follow the best practices needed to even make them slightly more secure.
There are some password management tools that work well, sync across multiple devices, and allow for extremely complex passwords to be automatically populated on websites. But if ultimately the passwords on the server side are stored in the clear, or an attacker that has the encrypted password file has sufficient processing power -- even elastic computing power via cloud services -- then even those strong passwords become irrelevant.

Solutions

Many of the security executives I've met with are "trying" to move to multi-factor authentication, one-time password solutions that take advantage of smartphones. This is a huge issue for them because the amount of time and resources spent addressing password issues is exploding with most users now having four or five devices that need access to organizational resources instead of one or two.

For these security executives, the solution to this problem is the smartphone.

- Virtually everyone has a smartphone
- Most people are never far from their smartphone and it's always on
- Smartphones can take advantage of biometrics
- Smartphones can use GPS as part of the authentication requirements
- Smartphones can use multi-factor authentication with sounds, images, text messaged codes and the like

Moving away from passwords is never as simple as rip and replace. There is pushback to any change, or it wouldn't be real change. Moving away from passwords is no different. And there are legitimate concerns.
For example:

- Passwords are simple and anything beyond a password has a chance of being more complicated
- Other solutions can cost the user or organization more
- People will need to be taught how to use a new solution; that takes time and you don't want to lose sales for example in the process
- Passwords are universally accepted, there is nothing else universally accepted that stands out as a clear, simple, cheap alternative offering enhanced security
- When biometrics are part of the equation, for many people the fear of getting a digital fingerprint stolen for example is "sketchier" than changing a password

Change

With the high rate of cybercrime, changes can't come soon enough. All the investment in robust incident prevention, detection, response, threat intelligence, asset management, identity solutions and the like is weakened by the use of traditional passwords.

Hopefully, very soon, using passwords will be as archaic as calling a theater to find out movie times, having a pocket full of change for the payphone, buying an encyclopedia set or walking into a bank more than once a quarter.

I'm curious to understand what position you take on passwords. What's working; what's not? And what are some of the success cases you've had either personally or organizationally when adopting more robust solutions? Feel free to answer in the comments section below.