Truth be told, passwords are a pain. And to be polite, we won’t say where. You’ll remember that if they’re too short, they are cracked very easily. The world’s most common passwords remain 123456, 123456789, qwerty and password, and the most common animal used is monkey. Every one of these will be cracked in an instant. Longer passwords and passphrases are difficult to remember, especially when people with an active digital life have 100 passwords on average. This copious collection of letters, numbers and special characters is also problematic. New York-based MFA vendor HYPR reports that 78% of online users need to reset one or more personal passwords within 90 days because they have forgotten them. Work passwords didn’t fare as badly, coming in at 57%. Nevertheless, that’s a lot of wasted time and a loss of productivity.


One solution could be to create a strong password or passphrase that is relatively easy to remember. For example, 4da1stTymein4eva-Frozen, a derivative of ‘For the first time in forever’ from Disney’s Frozen, is much more memorable than PkxgbEM%@hdBnub4T or %j8kr^Zfpr!Kf#ZjnGb$ and would take a hacker 19 septillion years to crack. So given that your password is unsusceptible to hacking for a trillion trillion years, can you safely use it as a credential for your 100+ accounts? Definitely not. A passphrase becomes exponentially more vulnerable when it is used across a multitude of platforms. Should your computer get infected with malware, bad actors can harvest a password saved in a browser such as Chrome and then try it on every other service where you have reused it. If you enter your credentials manually, then a keylogger can capture them as you type.
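To make the argument above concrete, here is a small added illustration (not code from the original post): a brute-force estimate for the passphrase against the common passwords, next to a check of what a single captured password exposes when it is reused. The guessing rate, the leaked-password list and the account table are constructed assumptions; the absolute year figures depend entirely on that rate, while the reuse result does not.

```python
import string

# Assumed offline guessing rate (constructed for illustration only):
# 1e10 guesses per second against a fast, unsalted hash.
GUESSES_PER_SECOND = 10_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for a breached-password list. Anything in here is
# found by a dictionary attack immediately, regardless of its length.
KNOWN_LEAKED = {"123456", "123456789", "qwerty", "password", "monkey"}


def charset_size(pw: str) -> int:
    """Size of the smallest standard character pool that covers pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += len(string.ascii_lowercase)   # 26
    if any(c in string.ascii_uppercase for c in pw):
        size += len(string.ascii_uppercase)   # 26
    if any(c in string.digits for c in pw):
        size += len(string.digits)            # 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)       # 32
    return size


def brute_force_years(pw: str) -> float:
    """Expected years to find pw by exhaustive search (half the keyspace
    on average) at the assumed guessing rate."""
    keyspace = charset_size(pw) ** len(pw)
    return (keyspace / 2) / GUESSES_PER_SECOND / SECONDS_PER_YEAR


def years_to_compromise(pw: str, leaked: set = KNOWN_LEAKED) -> float:
    """A leaked password costs the attacker nothing; otherwise fall back to
    the brute-force estimate."""
    return 0.0 if pw in leaked else brute_force_years(pw)


def accounts_exposed_by_capture(accounts: dict, captured: str) -> list:
    """Every account that falls once a single copy of `captured` has been
    harvested (by malware, a keylogger or one site's breach): reuse turns a
    septillion-year password into a zero-cost one everywhere it is shared."""
    return sorted(name for name, pw in accounts.items() if pw == captured)


# Constructed account table: the strong passphrase reused on three services.
SAMPLE_ACCOUNTS = {
    "email": "4da1stTymein4eva-Frozen",
    "bank": "4da1stTymein4eva-Frozen",
    "forum": "4da1stTymein4eva-Frozen",
    "shop": "PkxgbEM%@hdBnub4T",
}
```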


Some say that a password manager is the solution to your password woes. There is an abundance of them, including Passportal, Google Password Manager, 1Password and LastPass, to name a few. Password managers are convenient since you only need to remember your master password; they store the rest for you. They also generate and save strong, unique passwords when you sign up to new websites. But these platforms have their downsides too. Firstly, there is a single point of failure, since all your passwords are protected by one master password. If a hacker gets hold of this, then all is lost. To counter this, many password managers offer multi-factor authentication (MFA), but this adds another step to the login process. Also, if you forget your master password, you could be locked out of all your accounts. And let’s not forget the LastPass breach from August last year. In a published statement, the password manager admitted:

“The threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service. The threat actor was also able to copy a backup of customer vault data.”

Put simply, this means that the cybercrooks know who the users are, where they live, which IP addresses they connect from and how to contact them electronically. The hackers also stole customers’ password vaults. This should make us reflect on the reliability of password managers.


Another solution is to get rid of passwords altogether. Last year, tech giants Apple, Google and Microsoft all declared their support for the FIDO Alliance, with the intention of replacing passwords with smartphone-based passkeys, unlocked by whatever you already use to unlock the device: a PIN, a pattern, your fingerprint or your face. FIDO is a Californian open-industry association launched in 2013 whose mission is to develop and promote authentication standards that reduce the world’s over-reliance on passwords. Microsoft stated that its commitment was a monumental step towards a world without passwords. Kurt Knight, Senior Director of Platform Product Marketing at Apple, said:

“Working with the industry to establish new, more secure sign-in methods that offer better protection and eliminate the vulnerabilities of passwords is central to our commitment to building products that offer maximum security and a transparent user experience — all with the goal of keeping users’ personal information safe.”

The long and the short of it is that FIDO-compliant passkeys will facilitate a password-less login process where users choose their phones as the main authentication device for apps, websites and other digital services. A level of compatibility will also exist across platforms, whereby you can use an Apple passkey to sign in through Chrome running on Microsoft Windows. From simplicity to security, it all sounds like a dream come true.


So has the plot to kill the password succeeded? Are our faces the solution to passwordless Nirvana? First off, FIDO authentication is not 100% secure, as initial sign-on still requires a password before you can configure FIDO. So users remain vulnerable, and passwords can still be intercepted or stolen. There are also concerns about the storage of facial recognition data, as these databases could be hacked, providing a wealth of opportunities for lawbreakers. At present, the technology is only 98% accurate, so it is not an all-in-one passkey solution. While passwords are often identified as the weak link in cybersecurity, many of these issues can be attributed to our failure to adhere to good password hygiene. Craig Lurey, CTO of password manager Keeper, adds:

“The password is not on the verge of extinction. If anything, the use of passwords is increasing along with the world’s rapid transition towards software use and cloud-based approaches. All of these require passwords; encryption keys cannot be generated without a standalone password. Even biometric security relies heavily on encryption keys. There is no doubt that no matter how much we innovate in the upcoming years, passwords are here to stay as the core of personal digital security.”

It seems that in the short term at least, we are stuck with our vexing passwords and passphrases.


Whatever the future holds for passwords and digital security, I’ve got you covered. For over 20 years I have supported SMEs in London with their IT, specialising in cybersecurity and risk mitigation. If your team needs training in good password practice, then let me help. Contact me today and see how we can work together to make the online world a safe place for everybody.
