A big theme in technology over the last few years has been, “this is the year that passwords die.” Then somehow, someway, they continue to be a part of our lives. Over time we have added in a few alternatives, and even added security on top of the password, but we haven’t killed the password outright.
Why are Passwords Considered Weak?
Remember the good ole days when every password or code you used was a simple four-digit code or short word? As the years went on and hackers got cleverer, password requirements grew too: more characters, upper- and lowercase letters, and symbols. So, why did the original password end up failing? Simple: it was weak. Passwords like this were easily cracked by hackers looking to gain access to your personal or business information. Passwords rely on something the user knows, which in many cases means that hackers (given enough time) can come to know it too. Another reason passwords became a prime target is that once hackers had your password (especially if you used that password across multiple applications), they had unfettered access to your account(s). Far too often, individuals use the same or similar password across dozens of accounts, making it easy for cybercriminals to reach sensitive information. Password reuse is common, though extremely risky. It’s so common because it’s easy, and because people tend to think their information isn’t worth hacking (this is a fallacy; hackers will use or sell anyone’s passwords).
The Anti-Password Movement
The anti-password movement began once experts realized that the simple, everyday password just wasn’t working anymore. “They’re easy to steal, hard to remember, and managing them is tedious.” – Google. Passwords are inconvenient and create numerous ways for cybercriminals to acquire your data and profit from it. The most common way hackers make money off this information is by selling it on the dark web for a quick buck. Before they do this, they attempt to drain every account of any monetary value by making purchases, stealing funds, liquidating gift cards, or taking personal information (Social Security number, address, emails, etc.). There are even advanced attacks on logins that aim to shut down entire companies or initiate ransomware. The best-known form of password hacking is credential stuffing, which takes advantage of reused credentials by automating login attempts against systems using known email and password pairs. Once one login works, the same pair will usually open accounts on other sites as well. At the root of all these problems lies a system that depends on authentication through a password, which is why many experts are part of the anti-password movement.
It’s Not Just a Password Anymore
We can’t rely solely on a 15-character password with a capitalized letter, special character, and a number anymore. No matter how “strong” you think your password is, it’s always vulnerable to attacks. So, what has been created in conjunction with, or instead of the password?
A single password requirement to get into an account is called single-factor authentication. This form has been relied on for many years but is now outdated. A newly formed best practice is multi-factor authentication, where two or more of the following are required for account access:
- Something you know. This may be a password or PIN.
- Something you have. This may be an HID card, or a server-generated, one-time code given to a user (most of the time on their cellphone), that must be keyed into the device being accessed.
- Something you are. This consists of fingerprints, facial recognition, eye scans, and other biometrics.
It adds a second layer of complexity to logging in but provides another barrier to entry against ransomware and cybercriminals, which encourages them to move on to other, easier targets. While it’s not foolproof, it pushes cybercriminals to look for another option, potentially saving you from a disaster.
A passphrase is a sentence-like string of words used for authentication, instead of the traditional 8–16-character password. It typically consists of several random, common words, up to 100 characters in length. This may seem a bit intimidating, but passphrases are easier to remember since they don’t require character substitutions, capitalization, or numbers. A major benefit, aside from memorability, is how hard they are to crack. Since passphrases are several words long and the number of possible word combinations is enormous, they are extremely difficult for hackers to guess. Passphrases don’t have to be rolled out across your whole organization; they can be used on any account that doesn’t impose a short password character limit. This is a cheaper and easier alternative to MFA, which could be helpful to smaller companies or individuals.