In the face of these password-free advances, will the traditional password become a dinosaur?
Today is World Password Day, and in a recent interview with TechRepublic, the COO of password management provider 1Password estimated that we currently have about 100 billion passwords protecting our digital gateways.
That’s a lot of hackable passwords in the ether. And, yes, that’s the awful truth about passwords – they’re ALL hackable. If you can type it with a standard keyboard, then anyone else can too. They’d have to guess it first, of course, but that is getting easier with AI, which can hammer at a digital door, trying thousands of different passwords every minute, all without you detecting a thing.
In the majority of instances, password-crackers like to deploy two simple methods – leaked credentials and brute force. Using leaked credentials is a no-brainer, as hackers simply aggregate the hundreds of millions of user names and passwords leaked in data breaches over the years and apply them like skeleton keys to locked doors. These hackers know that most of the population reuses passwords across different services, and they aim to take advantage of that.
Brute force attacks are rapid-fire educated guesses. A password-cracking program hammers away with alphanumeric combinations until it finds one that fits, using the Infinite Monkey Theorem, which proposes that if you have a monkey randomly hit typewriter keys for an infinite amount of time, eventually she will turn out the works of William Shakespeare. Or your password.
What has become industry standard for us is an ancient tradition that reaches as far back as the beginning of civilization. From the first utterances of “open sesame” centuries ago, people have been using secret words and codes to prove identity and gain admittance. But a new wave of tech is poised to reduce the security risk of hackable passwords by eliminating them entirely. Some organizations are already using these measures, but none have been widely adopted yet.
Gartner predicts that by 2022, 60% of the world’s largest enterprises and 90% of the world’s midsize enterprises will implement password-free security methods in more than 50% of use cases. Here are some of the leading contenders in password-free authentication.
- Biometrics - Most people are familiar with this concept, thanks to Apple Touch ID. Biometric authentication uses identifying features unique to your body, such as your face or fingerprint. In this model, you become your own password. A problem could arise, however, if your biometric data were replicated by someone else. Unlike passwords, there is no way to go back and “reset” your fingerprint.
- Single sign-on (SSO) - This practice does still use a password, but only one. It’s an authentication scheme that allows users to enter one user name and one password, which then unlocks multiple applications and programs. While it could technically still be brute-force attacked, it reduces the attack surface by having only one entry point.
- Risk-based authentication - In this case, AI measures the risk of the transaction by analyzing the requester and what the requester is requesting. If it’s deemed low-risk, the AI allows the transaction to proceed. If it’s deemed medium-risk, the system will ask for another identifying factor. And if it’s deemed high-risk, the system will block the transaction.
- Device fingerprint - Here the security program takes a “fingerprint” of the device, logging its brand, memory, location, and IP address. Thereafter, when that device logs on, the security program recognizes it and then uses risk-based analysis to proceed with the transaction. The company Beyond Identity is diving deeply into this idea, using a system similar to the certificates that secure websites, where the parties prove their identity to each other and “approve” one another through the use of certificates. Beyond Identity even trademarked the term “Chain of Trust,” which it uses to describe its envisioned network of recognized devices.
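To make the risk-based and device-fingerprint tiers above concrete, here is an added Python example (not from the article or from any vendor it mentions) that hashes a device's stable traits, scores a login from that fingerprint plus context signals, and maps the score to the article's allow / step-up / block outcomes. The attribute set, signal weights and thresholds are illustrative assumptions, not an industry standard.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass
class Device:
    brand: str       # vendor/model string reported by the client (assumed)
    memory_gb: int   # installed memory, one of the attributes the article lists
    country: str     # geolocated from the IP address (assumed)
    ip: str

def fingerprint(dev: Device) -> str:
    # Hash only the hardware traits; IP and location change too often to be
    # part of the identity, so they are scored as separate signals below.
    raw = f"{dev.brand}|{dev.memory_gb}"
    return hashlib.sha256(raw.encode()).hexdigest()[:16]

@dataclass
class UserProfile:
    known_fingerprints: set = field(default_factory=set)
    known_ips: set = field(default_factory=set)
    usual_country: str = "US"
    recent_failures: int = 0   # failed logins in the current window

# Weights and thresholds are assumptions chosen for illustration.
def score_login(profile: UserProfile, dev: Device, amount: float = 0.0):
    score, reasons = 0, []
    if fingerprint(dev) not in profile.known_fingerprints:
        score += 40; reasons.append("unrecognised device")
    if dev.country != profile.usual_country:
        score += 30; reasons.append("login from unusual country")
    if dev.ip not in profile.known_ips:
        score += 10; reasons.append("new IP address")
    if profile.recent_failures >= 5:
        score += 30; reasons.append("burst of failed attempts")
    if amount > 1000:
        score += 20; reasons.append("high-value request")
    return score, reasons

def decide(score: int) -> str:
    """Map the score to the three tiers described in the article."""
    if score < 30:
        return "allow"       # low risk: let the transaction proceed
    if score < 70:
        return "step_up"     # medium risk: ask for another identifying factor
    return "block"           # high risk: refuse the transaction
```

The `reasons` list is what a defender would log alongside the decision, so step-up and block events can be reviewed and the weights tuned against real traffic.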
But the fact is that we do not live in a password-free world yet, so it’s on each of us individually to protect our data and devices with the best security we can. Therefore, use the fact that today is World Password Day to assess the passwords you’re currently using and ensure they are protecting you.
As always, remember these password tips.
- Never reuse the same password for more than one account. That is the #1 greatest password security risk, and it is not where you want to get lazy.
- Enable multi-factor authentication where it’s available. Authentication factors fall into three categories - something you know (like a password), something you have (like a fob), and something you are (like a fingerprint). Using at least two of these for each of your accounts will drastically reduce your risk.
- Follow the best practices for password use by understanding the threats and knowing how to create strong passwords that resist cracking.
Until the next digital chapter, when biometric authentication might give us the technology to use our own heartbeats or brainwaves to prove our identity, we will continue to use these keyboard keys. Be creative and be clever. No “qwerty”s. Have a safe and secure World Password Day, everyone.