I have 268 passwords on 268 different websites. At least that’s what my password manager says. I actually stopped saving new passwords a while back, so the real number of passwords I should change now that Heartbleed has been revealed is even higher than that. How many of those passwords do you think I’m going to change? It took me 10 minutes just to find the change password form for my bank! What about the average computer user who uses the same password for every website and doesn’t understand the details of the exploit? How many passwords will they change?

Not very many.

Everybody knows that most passwords will remain unchanged. Yet our collective response to Heartbleed has been to patch our servers and email users asking them to do something we know most of them won’t do.

Here’s what our response should have been:

ALTER TABLE users DROP COLUMN password;

It turns out that passwords are obsolete, and they have been for a long time. Like the occasional pay phone you find in the back of a run-down restaurant, passwords have been unnecessary for years. The difference is that everyone laughs and reminisces when they see a pay phone, but nobody does that when they see a password field. But they should.

There are two separate technologies that have made passwords obsolete, and they aren’t the ones you would think. You may have guessed fingerprint scanners. Or voice recognition. Or maybe iris scanners. Nope. The technologies that made passwords obsolete have nothing to do with biometrics. And they have been mainstream for much longer.

Passwords are obsolete because of email and SMS. Specifically, the ability to send an email or SMS to users reliably and quickly. In theory, we’ve had that ability for a long time. And with the rise of services like Twilio for SMS and Mandrill for emails, it’s incredibly easy.

The basic idea is that instead of using a password to authenticate each user, a temporary secret code is sent to them over a secure channel. Email or SMS is that (mostly) secure channel: mostly, because the code is only as safe as the inbox or phone number it lands in, which is why it has to be random, short-lived and good for exactly one login. It's almost as if the backend server makes up a temporary, one-use password each time a user wants to log in and whispers it in their ear.
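Here is that whisper-a-one-use-password flow as a small server-side module. This is an added example, not code from the original post: the in-memory dict stands in for a login_tokens table, the `send` callable stands in for a Twilio or Mandrill client, and the names (`PasswordlessLogin`, `start_login`, `finish_login`, the ten-minute TTL and five-guess limit) are all assumptions made for the example. The server stores only a hash of the secret, so a leaked database (or a leaked chunk of server memory, Heartbleed-style) does not hand out usable codes, and each code is burned on first use.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Hypothetical policy values for this example.
CODE_TTL_SECONDS = 10 * 60   # a code is useless after ten minutes
MAX_ATTEMPTS = 5             # and after a handful of wrong guesses


@dataclass
class PendingLogin:
    user_id: str
    secret_hash: bytes       # sha256 of the secret; the plaintext only ever exists in the message
    expires_at: float
    attempts: int = 0


class PasswordlessLogin:
    def __init__(self, send, now=time.time):
        self._send = send    # send(address, message) -> None; stands in for Twilio/Mandrill
        self._now = now      # injectable clock so expiry can be exercised offline
        self._pending: dict[str, PendingLogin] = {}   # stands in for a login_tokens table

    def start_login(self, user_id: str, address: str) -> None:
        """Mint a fresh one-use code and deliver it. Nothing secret is returned to the caller."""
        login_id = secrets.token_urlsafe(9)     # public handle, lets us find the record
        secret = secrets.token_urlsafe(24)      # 192 random bits: unguessable, never reused
        self._pending[login_id] = PendingLogin(
            user_id=user_id,
            secret_hash=hashlib.sha256(secret.encode()).digest(),
            expires_at=self._now() + CODE_TTL_SECONDS,
        )
        # The email or SMS is the only place the plaintext secret appears.
        self._send(address, f"Your login code: {login_id}.{secret}")

    def finish_login(self, code: str) -> Optional[str]:
        """Return the user_id the code authenticates, or None. Every code works at most once."""
        login_id, sep, secret = code.partition(".")
        rec = self._pending.get(login_id)
        if rec is None or not sep:
            return None
        if self._now() > rec.expires_at:
            self._pending.pop(login_id, None)   # expired: discard, do not extend
            return None
        rec.attempts += 1
        presented = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(presented, rec.secret_hash):
            if rec.attempts >= MAX_ATTEMPTS:
                self._pending.pop(login_id, None)   # too many guesses: burn the record
            return None
        # Success: remove the record so a replayed link or forwarded SMS fails.
        self._pending.pop(login_id, None)
        return rec.user_id
```

The secret goes in the message, never in a server log or a return value, and the comparison uses `hmac.compare_digest` so a wrong guess takes the same time as a near-miss. In a real deployment the dict would be a table with the same three columns (hash, owner, expiry), and the delivery would be the transactional email or SMS API of your choice.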

The interesting thing is that we already use exactly this flow for password reset emails. This is why I previously recommended taking advantage of this so you could stop remembering your passwords.

My argument was mostly from the perspective of convenience though. I assume you’re using a different password for every website. There’s no way you will remember all of those passwords, and it is pretty inconvenient to have to put every single one of them into a password manager. Especially on a mobile device. So instead, you make up random passwords, immediately forget them, and use the password reset flow next time you need to log in.

But the recent Heartbleed bug highlights the fact that hacking password reset flows for convenience is not good enough. We need to convince websites to stop using passwords altogether.