As the world continues to become more digital and data oriented, security is a top priority. Traditionally, when people think of online security they think of passwords. Passwords have been the first line of defence for protecting data for many years, including long before computers were invented. Whilst passwords have proven effective over the years, as technology advances and cyberattacks become increasingly sophisticated, the robustness of passwords is being questioned across the technology world.
The problem with passwords
Passwords have been around since the very early days of computing, with the first password used in a computer system as early as the 1960s. Throughout that time, passwords have served as a fundamental way to protect data and authenticate users. Over the years passwords have evolved, with complexity requirements increasing to demand longer lengths, numbers, mixed case and special characters. Despite these advancements, passwords are still often very vulnerable to cyberattacks.
The main issue with passwords is that they can often still be guessed. People create simple passwords that are easy to guess, reuse the same password across multiple accounts, or store their passwords insecurely. This behaviour opens the door to a variety of cyberattacks, including brute force attacks, phishing scams and credential stuffing attacks.
A brute force attack is a method of attack that uses trial and error to crack passwords or other secret data, such as encryption keys and login credentials. The attacker, either manually or with a computer programme, tries combinations of usernames and passwords until a successful one is found.
Phishing scams are an attack method that relies on social engineering, where the attacker will deceive the victim into either revealing desired information (such as their password) or completing an action that will reveal the desired information.
Credential stuffing attacks are a type of brute force attack. These attacks take stolen usernames and passwords, often gathered from data breaches, and try them on other websites in order to gain access to a user’s accounts. This is particularly successful when passwords have been reused across multiple sites.
The rise of password alternatives
Biometrics are a popular alternative to passwords. This method typically relies on fingerprint, retinal or facial recognition. These are all unique to each individual and are difficult to clone. This technology requires a device to be fitted with the correct technology to read the biometric data from the user. However, it does offer user-friendly and secure authentication.
Two-factor and multi-factor authentication (2FA/MFA) are typically additional steps added on top of password authentication. These methods add an extra layer of security by requiring the user to provide more than just a password, typically a one-time code received via SMS message, an authenticator mobile app or a hardware token. This method has given rise to a new type of cyber-attack called Two-Factor Fatigue: an attacker who already has the username and password repeatedly triggers 2FA prompts in the hope that the user will approve one by accident, or simply to silence the notifications.
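Both credential stuffing (many different usernames failing from one source in a short window) and Two-Factor Fatigue (one user flooded with MFA prompts) leave a recognisable pattern in authentication logs. The following detection script is an added example, not code from the original article or from CTRL-S; it runs over a constructed sample log in a hypothetical "timestamp ip user event" format, and the thresholds and event names are assumptions you would tune to your own identity provider's logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): "<ISO time> <ip> <user> <event>"
SAMPLE_LOG = """\
2024-03-01T10:00:00 203.0.113.5 alice LOGIN_FAIL
2024-03-01T10:00:02 203.0.113.5 bob LOGIN_FAIL
2024-03-01T10:00:04 203.0.113.5 carol LOGIN_FAIL
2024-03-01T10:00:06 203.0.113.5 dave LOGIN_FAIL
2024-03-01T10:05:00 198.51.100.7 alice LOGIN_FAIL
2024-03-01T11:00:00 203.0.113.9 frank MFA_PROMPT
2024-03-01T11:00:30 203.0.113.9 frank MFA_PROMPT
2024-03-01T11:01:00 203.0.113.9 frank MFA_PROMPT
2024-03-01T11:01:30 203.0.113.9 frank MFA_PROMPT
2024-03-01T11:30:00 198.51.100.7 alice MFA_PROMPT
"""

def parse_log(text):
    """Return a list of (timestamp, ip, user, event) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, event = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, event))
    return events

def _peak_in_window(items, window):
    """Most distinct values whose (timestamp, value) entries fit in one window."""
    items = sorted(items)
    peak = 0
    for i, (start, _) in enumerate(items):
        peak = max(peak, len({v for t, v in items[i:] if t - start <= window}))
    return peak

def credential_stuffing_ips(events, min_users=3, window=timedelta(minutes=5)):
    """Source IPs failing logins for many distinct usernames in one window."""
    by_ip = defaultdict(list)
    for ts, ip, user, event in events:
        if event == "LOGIN_FAIL":
            by_ip[ip].append((ts, user))
    return {ip: n for ip, items in by_ip.items()
            if (n := _peak_in_window(items, window)) >= min_users}

def mfa_fatigue_users(events, max_prompts=3, window=timedelta(minutes=10)):
    """Users sent more than max_prompts MFA push prompts within one window."""
    by_user = defaultdict(list)
    for ts, ip, user, event in events:
        if event == "MFA_PROMPT":  # each prompt gets its own index so all count
            by_user[user].append((ts, len(by_user[user])))
    return {u: n for u, items in by_user.items()
            if (n := _peak_in_window(items, window)) > max_prompts}
```

A single user mistyping a password (alice from 198.51.100.7) is not flagged, whereas one source cycling through four accounts in six seconds and one account receiving four pushes in ninety seconds both are; the natural response to the second case is to block further prompts and contact the user, not to wait for an approval.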
Single Sign On (SSO) is another solution used by many sites. This method uses a single account (such as a Microsoft 365 or Google account) to authenticate against multiple sites. This reduces the need to remember multiple passwords.
Near Field Communication (NFC) is also a popular alternative. This technology requires two devices to be in close proximity to authenticate the user. It can be found in bank cards for contactless payment and in key cards and key fobs, which authenticate when held against a reader.
The advantages of moving past passwords
As well as addressing the vulnerabilities of passwords, moving past them can also offer a variety of benefits.
The first is improved security. Adding any of the above password alternatives adds an extra layer of security, making a stolen password either useless or far less useful to an attacker trying to gain access.
The second is increased user convenience. Passwordless authentication methods can be considerably more convenient as they eliminate the need to remember complex passwords, and vastly reduce the risk of forgotten passwords and the hassle related to account recovery in the event of a forgotten password.
The third is reduced password fatigue. Password fatigue is a real issue most people will relate to: users often have to manage hundreds of accounts across various platforms, and keeping a unique password for each of them becomes difficult to maintain.
Whilst the benefits of moving beyond passwords are clear, there are many challenges to overcome. The first concerns biometric authentication, as not all devices and systems have the facilities to support it. It is also critical that biometric data is secured in storage, as it is an individual’s personal identification data and, unlike a password, cannot be changed if it is leaked.
The transition away from passwords will also require a large culture shift as people become accustomed to a new style of authentication. This will therefore be time-consuming and costly as new technologies and standards are implemented.
In conclusion, the death of passwords may not be imminent, but it is coming. With a growing recognition of the limitations associated with passwords and a sharp rise in alternatives, we are witnessing a shift to more secure and user-friendly methods of authentication.
While passwords are likely to continue to play a role in authentication for years to come, they will no longer be the only or primary method. Embracing these new authentication methods will not only improve security but also improve usability and ease when navigating the digital world.
If you’d like to discuss your cyber security arrangements contact the CTRL-S team today and let’s start the journey to making you more secure.