Go ahead, try to predict the death of passwords. You’ll wind up sounding like the 1960s futurists who kept predicting that we’d abandon cars any year now for personal aircraft buzzing above the gridlock. Back in 2004, even Bill Gates pronounced passwords obsolete, declaring them insufficient for truly securing critical data. At the time, Gates pointed to the chronic problems of people reusing the same password across many systems and writing passwords down so they can remember them.
The kids learning to walk on the day that Gates threw that password shade are now college students, and they are generally continuing the sins of their digital ancestors. Most people still use ridiculously weak passwords, with “123456” being the most popular choice of 2020. The top 50 passwords of 2020 can all be cracked by automated guessing tools in under a day, and most in under one second, because they sit at the top of every wordlist an attacker tries first. That’s not to say nobody is worrying about those lame passwords: Google reports that searches for “password strength test” jumped 300% in 2020.
But choosing a stronger password throws us right back into the hassle loop. Stronger means harder to remember, which explains why about two-thirds of Americans use the same password across multiple sites. That’s a bigger problem than most people realize, considering that roughly 15 billion stolen credentials are for sale on the dark web on any given day, and a password reused across sites only has to leak from one of them. (You can check whether your e-mail address or phone number has been part of a data breach at this site.)
The Trade-Offs of Passwords
So we all agree: Passwords are a pain and actually pretty mediocre at their one job of securing data. Roughly 80% of hacking-related breaches involve a compromised user credential. And the research firm Forrester estimates that about half of IT help desk calls relate to password resets, at an average cost of $70 each. In one case study, Aetna insurance noted how customers would deluge the help desk with password resets during open enrollment (one of the few times each year most people touch their insurance app). The company dubbed it “Password Armageddon.”
Even so, passwords survive largely because switching to other tools requires more inconvenience for users and a significant migration effort and expense on the part of the IT team. This chart from Microsoft sums up the trade-offs between passwords and several alternatives we discuss below:
If you’re looking to improve your organization's IT security or Identity and Access Management, here are some options to consider.
Passphrases – These extended versions of passwords are harder to crack because of their length. A basic one might be “HowIMetYurMoth3r!” That’s better than a short password, and it meets common complexity requirements for capital letters, punctuation, etc. It throws in a couple of curveballs with a misspelled word and a number standing in for a letter. But a recognizable phrase with “leet” substitutions is exactly the kind of pattern that cracking tools’ rule sets try automatically, so it has far less of what experts call entropy (a measure of how unpredictable the secret is to an attacker) than its length suggests. Humans almost inevitably think in patterns, so if you want a truly strong passphrase, use a randomizer tool like Diceware, which picks each word uniformly at random from a list of 7,776 words (about 12.9 bits of entropy per word). Of course, a great passphrase still has a major weakness if you reuse the same one on multiple platforms.
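To make the entropy point concrete, here is an added example (not code from the original article) that contrasts what a naive per-character strength meter reports for “HowIMetYurMoth3r!” with an attacker’s-eye estimate for a known phrase plus substitutions, and with a genuinely random Diceware passphrase. The attacker model (a pool of one million known phrases, three optional leet substitutions, 32 possible trailing punctuation marks) and the guessing rate of 10 billion per second are assumptions for illustration, and the ten-word list is a constructed stand-in for a real Diceware list.

```python
import math
import secrets

# A real Diceware list has 6**5 = 7,776 words (five dice rolls select one word).
DICEWARE_LIST_SIZE = 6 ** 5
# Constructed stand-in for the word list, used only by the generator below.
SAMPLE_WORD_LIST = ["correct", "horse", "battery", "staple", "ledger",
                    "tulip", "omen", "quartz", "velvet", "sparrow"]


def diceware_entropy_bits(num_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of num_words words, each chosen uniformly from list_size words."""
    return num_words * math.log2(list_size)


def naive_char_entropy_bits(passphrase):
    """What many 'strength meters' report: pretend every character was drawn
    uniformly from the character classes present. Overestimates badly when
    the characters actually spell a phrase an attacker can look up."""
    charset = 0
    if any(c.islower() for c in passphrase):
        charset += 26
    if any(c.isupper() for c in passphrase):
        charset += 26
    if any(c.isdigit() for c in passphrase):
        charset += 10
    if any(not c.isalnum() for c in passphrase):
        charset += 33  # printable ASCII punctuation
    return len(passphrase) * math.log2(charset)


def pattern_entropy_bits(phrase_pool, leet_positions, suffix_choices):
    """Attacker's-eye estimate (assumed model): one phrase out of phrase_pool
    candidates, each of leet_positions substitutions applied or not (1 bit
    each), and one of suffix_choices trailing punctuation marks."""
    return math.log2(phrase_pool) + leet_positions + math.log2(suffix_choices)


def crack_time_seconds(entropy_bits, guesses_per_second=1e10):
    """Expected time to find the secret: half the keyspace at an assumed
    offline guessing rate (fast hash, GPU rig)."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def generate_diceware(num_words, word_list=SAMPLE_WORD_LIST):
    """Pick words with a CSPRNG. Entropy is num_words * log2(len(word_list)),
    so the tiny sample list above yields far less than a real 7,776-word list."""
    return " ".join(secrets.choice(word_list) for _ in range(num_words))


if __name__ == "__main__":
    phrase = "HowIMetYurMoth3r!"
    print(f"naive meter:      {naive_char_entropy_bits(phrase):6.1f} bits")
    realistic = pattern_entropy_bits(1_000_000, 3, 32)
    print(f"attacker's model: {realistic:6.1f} bits, "
          f"~{crack_time_seconds(realistic):.2f} s to crack")
    six = diceware_entropy_bits(6)
    print(f"6 Diceware words: {six:6.1f} bits, "
          f"~{crack_time_seconds(six) / 3.15e7:.0f} years to crack")
    print("sample passphrase:", generate_diceware(6))
```

The naive meter credits the movie-title phrase with over 110 bits, while the attacker’s model puts it under 30 bits, which falls in well under a second at the assumed rate; six random Diceware words come to about 77.5 bits, which is out of reach of offline guessing for any realistic budget.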
Single Sign-On – Many companies have adopted this setup, which lets users rely on a single username and password to access a wide variety of programs and services. No more typing in a different password for Office 365, the company intranet, the expense reporting system and every other cloud-based service. SSO has clear advantages in the realm of user experience and workload for IT teams constantly dealing with password issues. SSO’s main challenges are complexity of implementation and dealing with legacy applications that may not support it. And SSO obviously concentrates risk: whoever compromises the SSO account or the identity provider behind it gets access to everything it fronts, so that one login is exactly where MFA and monitoring matter most.
Multifactor authentication – If you’ve ever talked to a cybersecurity expert, you’ve probably heard them preach the importance of MFA. We’re doing it again here. Virtually every vision for eliminating passwords requires MFA because of stats like Microsoft’s finding that accounts with MFA enabled are 99.9% less likely to be compromised. MFA grants access only after the user presents at least two independent factors, drawn from different categories among the following three:
- Something you know – This is the password or PIN. If you know it, someone else can at least theoretically figure it out, too. Which is why you need other factors.
- Something you have – Also known as an “ownership factor,” this is a physical item like a cellphone, badge, hardware token, etc.
- Something you are – Biometric factors, which could be fingerprints, retina scan, voice recognition, etc.
Password Replacement Options
Password-less Authentication – These systems rely on MFA’s “something you have” and “something you are” elements to grant access. There’s no password to memorize, or steal. So logging into a system typically requires you to have an item (your phone, a hardware token, etc.) and a biometric factor like those described below. Most of these systems also incorporate public key cryptography, as in the FIDO2/WebAuthn standards: at enrollment, the device generates a fresh key pair for that particular site and hands over only the public key, and at each login the site sends a random one-time challenge that the device signs with the private key, which never leaves it. In simple terms, the site holds a padlock that everyone can see, but only your device has the key. Because the key is bound to the site that registered it, a look-alike phishing page cannot borrow it, and because each challenge is used once, a captured response cannot be replayed.
PINs – They’re not quite the same as a password. Microsoft’s Windows Hello supports PINs that are tied to a specific device: the PIN is never sent to a server, and it only unlocks a key stored in that machine’s security hardware. That means that even if a hacker learned your PIN, they couldn’t use it from anywhere except your physical device. That turns the computer itself into a “something you have” factor for MFA.
Biometrics – Scans of fingerprints and facial features have gone mainstream in recent years with smartphone features and Windows 10’s Windows Hello option for logging in with a facial or fingerprint scan. Your unique appearance is far more difficult to steal than a password, but hackers are finding ways to spoof faces to fool the systems, and unlike a password a face or fingerprint can’t be changed once it has been copied. That is why these systems keep the biometric on the device as a local unlock rather than sending it to a server. So even with the go-to security system of every spy movie in place, MFA still provides a needed extra layer of security.
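The “padlock everyone can see” exchange, written out as an added example that is not part of the original article and not any vendor’s implementation. Both sides of the protocol are shown: the relying party (server) stores only public keys and single-use challenges, and the authenticator (phone or security key) keeps one private key per origin and signs `challenge || origin`. The signature scheme here is a toy textbook RSA over SHA-256 built from the standard library so the example runs offline; real deployments use ECDSA or Ed25519 with a proper signature encoding, and the 512-bit key size, the origin names and the user name are assumptions for the demo.

```python
import hashlib
import math
import random
import secrets


# --- toy signature primitive (textbook RSA on a SHA-256 digest; demo only) ---
def _is_probable_prime(n, rounds=20):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def keygen(bits=512):
    """Return (public_key, private_key). Assumed toy size; real keys are larger."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(private_key, message):
    n, d = private_key
    return pow(_digest_int(message), d, n)


def verify(public_key, message, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest_int(message)


# --- the protocol: registration, then challenge/response login ---
class RelyingParty:
    """Server side. Holds public keys only; a leak here reveals no secrets."""
    def __init__(self, origin):
        self.origin = origin
        self.credentials = {}   # user -> public key registered at enrollment
        self.pending = {}       # user -> outstanding one-time challenge

    def register(self, user, public_key):
        self.credentials[user] = public_key

    def begin_login(self, user):
        challenge = secrets.token_bytes(32)   # fresh, unpredictable, single use
        self.pending[user] = challenge
        return challenge

    def finish_login(self, user, claimed_origin, signature):
        challenge = self.pending.pop(user, None)   # consumed: a replay finds nothing
        if challenge is None or claimed_origin != self.origin:
            return False
        return verify(self.credentials[user], challenge + claimed_origin.encode(), signature)


class Authenticator:
    """Client side (phone, security key). Private keys never leave this object."""
    def __init__(self):
        self.keys = {}          # origin -> private key

    def register(self, origin):
        public_key, private_key = keygen()
        self.keys[origin] = private_key
        return public_key

    def respond(self, origin, challenge):
        # Only the origin that enrolled this key has it; a phishing domain gets KeyError.
        return sign(self.keys[origin], challenge + origin.encode())


def demo():
    rp = RelyingParty("https://login.example.com")   # assumed origin
    device = Authenticator()
    rp.register("alice", device.register(rp.origin))  # assumed user

    challenge = rp.begin_login("alice")
    signature = device.respond(rp.origin, challenge)
    login_ok = rp.finish_login("alice", rp.origin, signature)
    replay_ok = rp.finish_login("alice", rp.origin, signature)   # same response again

    try:   # phishing page relays a real challenge but has the wrong origin
        device.respond("https://login.example.com.evil.test", rp.begin_login("alice"))
        phish_signed = True
    except KeyError:
        phish_signed = False
    return {"login": login_ok, "replay": replay_ok, "phish_signed": phish_signed}
```

Running `demo()` shows the legitimate login accepted, the replayed response rejected because the challenge was consumed, and the phishing origin unable to produce a signature at all.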
Along with reading faces and fingerprints, companies have spent years researching some other incredibly subtle ways of identifying you. Your computer may eventually identify you by your typing rhythm, and your phone may recognize you through the pressure you exert on the screen. (It’s an old idea. During World War II, telegraph operators recognized each other by their tapping rhythms in a method known as “Fist of the Sender.”)
Advanced threat detection – Risk-based (also called adaptive) authentication evaluates the context of every login rather than just the credential: where the user is connecting from, whether the device has been seen before, the time of day, what they’re trying to access, and whether the location is even reachable since their last login. A low-risk login proceeds, a suspicious one is challenged with an extra factor, and an implausible one is blocked, so a stolen username and password on their own aren’t enough. Endpoint and extended detection tools such as Managed XDR add a second layer by watching what an account does after it gets in, catching the attacker who slipped past the login with a valid credential. With both in place, even a stolen password won’t be enough for someone acting suspiciously to reach critical data.
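The login-context scoring described above, as an added example that is not from the original article or any particular product. It scores each login on impossible travel (great-circle distance since the last trusted login divided by elapsed time), an unseen device, off-hours access and a sensitive target, then maps the score to allow, step-up MFA or block. The thresholds, weights, the list of sensitive resources and the four login events are all constructed for the demonstration; a real system would tune them from the user’s own history and use the user’s local time zone rather than UTC.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 1000.0            # assumed: roughly airliner speed
SENSITIVE_RESOURCES = {"payroll", "admin-console"}   # assumed
BLOCK_AT, STEP_UP_AT = 60, 20         # assumed score thresholds


@dataclass
class LoginEvent:
    user: str
    ts: datetime          # UTC
    lat: float
    lon: float
    device: str
    resource: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def risk_score(event, history):
    """Score one login against the user's previous *trusted* logins."""
    score, reasons = 0, []
    if history:
        prev = history[-1]
        hours = (event.ts - prev.ts).total_seconds() / 3600
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        if hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH:
            score += 60
            reasons.append("impossible_travel")
    if event.device not in {h.device for h in history}:
        score += 20
        reasons.append("new_device")
    if not 6 <= event.ts.hour < 22:   # UTC for the demo; use the user's local hours in practice
        score += 10
        reasons.append("off_hours")
    if event.resource in SENSITIVE_RESOURCES:
        score += 20
        reasons.append("sensitive_resource")
    return score, reasons


def decide(score):
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step_up_mfa"
    return "allow"


def evaluate_stream(events):
    """Run the policy over a sequence of logins for one user. Only logins that
    were not blocked join the history, so a blocked login from the attacker's
    location cannot poison the travel check for the real user's next login."""
    history, decisions = [], []
    for ev in events:
        score, reasons = risk_score(ev, history)
        decision = decide(score)
        decisions.append((decision, reasons))
        if decision != "block":
            history.append(ev)
    return decisions


def utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample events: New York is (40.71, -74.01), Moscow is (55.76, 37.62).
SAMPLE_EVENTS = [
    LoginEvent("alice", utc("2021-03-01T09:00"), 40.71, -74.01, "laptop-1", "mail"),
    LoginEvent("alice", utc("2021-03-01T09:40"), 55.76, 37.62, "unknown-7", "payroll"),
    LoginEvent("alice", utc("2021-03-01T10:30"), 40.71, -74.01, "laptop-1", "mail"),
    LoginEvent("alice", utc("2021-03-02T02:00"), 40.71, -74.01, "laptop-1", "admin-console"),
]

if __name__ == "__main__":
    for ev, (decision, reasons) in zip(SAMPLE_EVENTS, evaluate_stream(SAMPLE_EVENTS)):
        print(f"{ev.ts:%Y-%m-%d %H:%M} {ev.device:10} {ev.resource:14} -> {decision:12} {reasons}")
```

The second event, a “login” from Moscow forty minutes after New York with an unseen device against payroll, is blocked outright even though it carries a valid credential; the first login on a brand-new device and the 02:00 admin-console access each trigger a step-up MFA prompt, and the routine mid-morning mail login from the known laptop passes without friction.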
Need help figuring out how to implement some of these tools to move past passwords’ inherent limitations? Contact us today.