Today is World Password Day, an event kickstarted by Intel and held on the first Thursday of every May both to remind people of the importance of passwords in securing their digital lives, and to raise awareness of the best practices to use. However, with the advent of new passwordless technologies, some think passwords are no longer fit for the digital world we live in.
There’s no doubt that there are good and bad passwords, and that the quality of your password can have a significant effect on your security posture. Strong passwords are long, random and have multiple character types, and you should use a unique one for every account you have. Password managers are the best way to achieve this, as they can create and store all the strong unique passwords you’ll ever need - without them, you’ll almost certainly fall into bad habits.
But even if you’re using the best password manager, some still think this isn’t good enough to keep your credentials secure. Your password manager itself could be hacked, as we saw infamously with LastPass, as well as others including Norton LifeLock and Passwordstate. And aside from outright breaches, there are examples of minor incidents, such as KeePass’s vault export bug and Bitwarden’s low-risk iframe exploit, that may still make people think twice about entrusting their most treasured information to a third party.
More than a password
Despite this, we still recommend using a password manager, as they are almost certainly more secure than relying on your own memory to come up with multiple complex passwords for every account. Even the largest corporations, including the likes of Nvidia, are guilty of using bad passwords for the sake of convenience. As you may have guessed, research shows that such logins are frighteningly easy to crack, with phrases like ‘password’ making up 88% of hacked passwords.
What’s more, if you only use a password with six characters, a computer could crack it 62 trillion times faster in a brute-force attack than a login using twice that many. This means that if it took a second to crack the six-character password, it would take over two million years at the same rate to crack a 12-character one - so the difference between a weak and a strong password really can mean the difference between being hacked and staying safe.
But strong passwords alone are not enough to keep businesses and the precious data they hold protected. Don Boxley, CEO and co-founder of DH2i, maintains that “passwords must be considered a first-line, not the only-line, of defense.”
He explains that other tools, such as using the best VPN, can help firms stay protected online, but these are starting to fall out of favor, with Boxley citing their “limitations in terms of security, slow connection speeds, bandwidth constraints, configuration and management complexity, and high cost” as the main drivers.
DH2i’s solution is Software-Defined Perimeters (SDP), which allow for a direct connection to endpoints in zero-trust networks, without the need for any intermediary such as a VPN. This means that, unlike VPNs, “SDP can prevent lateral network attacks, enhance data transfer rates by up to 3x, and offer complete control over the data stream,” claims Boxley.
Steve Santamaria, CEO of Folio Photonics, even goes as far as to suggest using Linear Tape-Open (LTO) when it comes to backing up important data for your business. So-called Write Once Read Many (WORM) media is air-gapped - i.e. disconnected entirely from the internet - and, as the name indicates, allows data to be read many times but written only once. This means the data cannot be tampered with unless someone has physical access to the WORM storage medium. The tape used is also certified to last up to 30 years without data integrity being compromised, beating most hard drive ratings.
As Santamaria puts it, “It can safeguard your assets while helping you recover from a ransomware attack or other data loss event; subsequently, reducing the impact that this disaster has on your business operations.”
Passkeys: the new password?
But what about going one step further - and ditching passwords altogether in favor of another solution?
Passkeys replace passwords with a pair of cryptographic keys. The private key is a long random value generated and stored on your device; it is never shared with anyone, not even the user. The service you have an account with stores only the matching public key, and at login your device proves it holds the private key, which the service checks against that public key before granting access. All that is required from you to authenticate is the biometric data your device already holds, such as a fingerprint scan or facial features.
Although the technology is still nascent, plenty in the world of big tech support its use, including the likes of Amazon, Google, Microsoft, and Apple, which have united under the FIDO Alliance, an open industry body that sets the standards for the technology in the FIDO2 and WebAuthn specifications.
Jasson Casey, CTO at Beyond Identity, is very bullish about passkeys, going as far as calling for a boycott today, and urging us to consider it “World Password-less Day” instead.
Casey believes that no matter how weak or strong your password is, it can still be compromised: phishing attacks, often aided by malware, trick victims into unwittingly giving away their password, and data breaches at third parties that hold your credentials expose it just the same, rendering even the strongest passwords useless.
Casey instead recommends that businesses adopt passwordless solutions, which are resistant to such phishing techniques, “making it virtually impossible for attackers to gain access through traditional methods.”
“Organizations don't have to compromise their security or convenience,” he says. “Today they can switch to a modern, secure, phishing-resistant MFA that leverages the combination of biometrics and Passkeys based on the Fast Identity Online (FIDO) standards.”
“Each year, we 'celebrate' World Password Day, and then cybercriminals continue to exploit password-based authentication. Only by adopting passwordless, phishing-resistant MFA technologies can organizations make it much more difficult for adversaries.”
Casey isn’t the only one to be won over by passwordless security. When we spoke to Eve Maler, CTO of identity management firm ForgeRock, she was similarly critical of passwords' ability to provide adequate security for organizations. ForgeRock is the first of its kind to allow its customers to log into their services completely password-free.
She believes that passwordless systems allow businesses a greater degree of flexibility in providing authentication. She also spoke about the use of behavioral biometrics, which work in tandem with passwordless systems to seamlessly authenticate a user’s identity. According to Maler, they can “track our physical habits such as [our] gait, height or location and login patterns to build a map of a user and their ‘normal’ behavior”.
With the help of AI to work out a user’s identity, 2FA can also be done away with, again making it easier for organizations to manage worker security protocols. Maler also pointed out that as regulations change around the security that firms have to adopt, this kind of AI can help businesses to adapt with less friction.
Another key aspect of passwordless systems for Maler is the fact that they are much easier to use than passwords; she went as far as to say, “the only way a passwordless approach will succeed is if it takes a no-compromises stance between security and user experience.”
However, when we recently spoke to veteran security expert Roger Grimes, he wasn’t as enthused as others when it came to passkeys and passwordless solutions. Despite saying they were a “good thing”, and admiring their phishing resistance, he was skeptical about the number of services and companies that would actually adopt them, believing that, “Passwords will be with us for at least another decade, if not forever.”
It seems that many ordinary people share Grimes’s trepidation. To mark the occasion, Bitwarden - our pick as the best free password manager - released its annual World Password Day Survey for 2023, which sought opinions from people around the world on passwordless technology. It found that only just over half of respondents were excited about this new technology, with others concerned that the personal biometric data used in place of passwords, such as fingerprint and face scans, may be used against them in some way.
Grimes also expressed concerns about the close knit integration between passkeys and big tech companies: “Passkeys are currently locked into one platform…If you use multiple platforms you'll need to store, operate, and update your passkeys separately even if you are connecting to the same websites. Meaning if you set a passkey on a website using Microsoft it won't automatically be there to use if you go to the same website on your Apple product; and vice-versa. That's a problem in today's multi-platform world.”
Instead, Grimes prefers using a good password manager with MFA enabled, and spoke of the extra useful features password managers have that you don’t get with passkeys: “My password manager automatically notifies me when one of the websites I belong to gets compromised. It allows me to store secure notes that have nothing to do with logins, like my will. I can store my credit card information separately from my browsers. I can store electronic licenses and passports.”
Although experts can’t agree on what the future of credential security will or should be, what we do know is that for now, passwords still have to be dealt with. And whatever their pitfalls and limits, making sure you have strong, unique passwords, using a secure password manager and bolstering them with MFA will certainly be preferable to reusing the same weak passwords time and again.
Considering the continuing rise in cyberattacks and their increasing sophistication thanks to the emergence of AI, and even the possible threat of quantum computers to the very foundations of digital security, there has never been a more pressing time to think about passwords - and the technologies that may replace them - than now.