The Future of Password Security
Over the last few years, a big theme in technology has been, “this is the year that passwords die.” Then somehow, someway, they continue to be a part of our lives. Over time we have added in a few alternatives, and even added security on top of the password, but we haven’t killed the password outright. Below, you can learn why passwords are now considered weak, how password security has evolved, and why we’ve been holding on to the password for so long.
Why are Passwords Considered Weak?
Remember the good ole days when every password/code you used was a simple four-digit code or short word? As the years went on and hackers got more clever, password requirements increased too; more characters, upper and lowercase letters, and symbols. So, why did the original password end up failing? Simple, it was weak. Passwords like this were easily cracked by hackers looking to gain access to your personal or business information. Passwords rely on something the user knows, which in many cases means that hackers (given enough time) can know it too. Another reason passwords became a prime target is because once hackers got your password (and especially if you used that password across multiple applications), they had unfettered access to your account(s). Far too often, individuals use the same or similar password across dozens of accounts, making it easy for cybercriminals to gain access to sensitive information. Password reuse is common, though extremely risky. It’s so common because it’s easy, and because people tend to think that their information isn’t worth hacking (this is a fallacy, hackers will use or sell anyone’s passwords).
The Anti-Password Movement
The anti-password movement began once experts realized that the simple, everyday password just wasn’t working anymore. “They’re easy to steal, hard to remember, and managing them is tedious.” – Google. Passwords are inconvenient and create numerous ways for cybercriminals to acquire your data and begin profiting. The most common way hackers make money off this information is by selling it on the dark web for a quick buck. Before they do this, they attempt to drain every account of any monetary value by making purchases, stealing funds, liquidating gift cards, or taking personal info (Social Security Number, address, emails, etc.). There are even advanced attacks on logins that aim to shut down entire companies or initiate ransomware. The most known version of password hacking is credential stuffing, which takes advantage of reused credentials by automating login attempts against systems using known emails and password pairs. Once they have one login, they are guaranteed to get into other sites. At the root of all these problems lies a system that depends on authentication through a password which is why there are many experts part of the anti-password movement.
It’s Not Just a Password Anymore
We can’t rely solely on a 15-character password with a capitalized letter, special character, and a number anymore. No matter how “strong” you think your password is, it’s always vulnerable to attacks. So, what has been created in conjunction with, or instead of the password?
A single password requirement to get into an account is called single-factor authentication. This form has been relied on for many years but is now outdated. A newly formed best practice is multi-factor authentication, where two or more of the following are required for account access:
- Something you know. This may be a password or PIN number.
- Something you have. This may be an HID card or a server-generated, one-time code given to a user (most of the time on their cellphone), that must be keyed into the device being accessed.
- Something you are. This consists of fingerprints, facial recognition, eye scans, and other biometrics.
It adds a second layer of complexity to log-in but provides another barrier of entry against ransomware and data thieves. This encourages them to move on to other, easier targets. While it’s not foolproof, it deters attackers to look for another option, potentially saving you from a disaster.
A passphrase is a sentence-like thread of words used for authentication, instead of the traditional 8–16-character password. Its common characteristics include several random, common words, up to 100 characters in length. This may seem a bit intimidating, but passphrases are actually easier to remember since they don’t include character substitutions, capitalization, or numbers. A major benefit, aside from memorization, is actually the difficulty to hack. Since passphrases are several words long and could include an infinite amount of word combinations, it makes it extremely difficult for hackers to break into a system. Passphrases don’t have to be implemented throughout your whole organization; they can be used at any time if the account doesn’t have a password character limit. This is a cheaper and easier version to MFA, which could be helpful to smaller companies or individuals.
Is it Time to Retire the Password?
As popular as MFA and passphrases have become, neither are considered the perfect remedy for password security. The original computer password was invented back in 1960. It was doing great until the first known instances of “hacking” came about in the ’80s. Slowly but surely people began to realize that the password was not dependable by itself. Bill Gates said in 2004, “The password is dead.” So why is it that so many organizations are still using it even though we’ve created different options?
1. Scalable and affordable
Passwords require no charge because they only depend on a piece of information from the user. This is one of the main reasons many companies are holding on. Since it’s essentially free for both the user and company, it’s one of the only scalable authentication systems because it works for everyone.
2. User privacy
Privacy has been a major discussion the past couple of years, and different authentication systems have been part of the blame. From fingerprints to face IDs, users have been afraid that too much of their personally identifying information is getting out into the virtual world. Especially when biometric data is being held in data systems that could very well be hacked too. As long as the user doesn’t include their personal info, then passwords are one of the most private authenticators.
3. The first factor in MFA
Getting rid of the password all together may mean a reconfiguration of MFA as well. Since it is the first step in most MFAs, where you enter a password and then confirm again with something you have or something you are.
Passwords are one of the only authenticators that can easily be replaced if a massive data breach occurs. For example, if an organization that uses biometrics gets hit, how is the user supposed to reset their face or fingerprint?
5. Change resistant users
One of the major factors are the organizations that fear the disruption and challenges that come with replacing the password completely. Since there isn’t a one-fix solution just yet, many leaders are skeptical to the idea that it will ever happen.
Even though the perfect solution hasn’t been created yet, doesn’t mean people aren’t trying. Very recently, companies have been taking on a new approach to MFA. They only use one factor, but it’s not a password. For example, Microsoft is now allowing users to log into accounts such as outlook with just a code sent to their device and no password. Maybe in the next few years with different methods continuing to be tested, we’ll finally say goodbye to our good friend, the password.
Tips to Keep Your Data Secure with Thrive
So, what do we do in the meantime while we’re waiting for the safest solution? For sites that still use SFA, be sure to choose a password with strength. It’s tempting to use one that you’ve used before in order to remember it, but in doing so you may release your sensitive information (you can see if your account information has already been compromised here). Other best practices include not allowing your computer to automatically save passwords, especially on work computers, and changing your password regularly.
Thrive has been a long-time advocate of organizations requiring frequent password changes and having a layered approach to security put in place. If you can, work with your service provider or technology team on setting up MFA for your organizations. This one step could mean the difference between getting hacked or not. Thrive partners with top security providers to bring our clients peace of mind. We can also help with managed threat detection and external vulnerability scans to stop cybercriminals before they can start. Contact us today for help with your data security needs.