Can We Kill the Password?
- Published: Tuesday, March 29, 2022
There have been decades of discussions about a passwordless society, but the fact is, we use passwords everywhere. Usernames and passwords have been in existence since the 60s. The purpose was to authenticate to the website or system in order to certify a user's access. Somewhere along the way, cyber crooks found that if they could capture some of these passwords, they could steal access to these systems. Some of the vulnerabilities of passwords are that they can be weak, easy to guess and reused on multiple sites.
So the next logical step was to add complexity to the passwords. Substitute numbers for letters, use special characters and a mix of upper and lower case. But still, what about the reuse of passwords on multiple sites? Or the length of the password itself still stalled at eight characters?
Here's a thought! Let's add length to the password. Let's make it a passphrase. Keep the complexity but stretch it out to 15 or more characters, making it much more difficult for an attacker to break.
Now lets add another layer of security. How about implementing two-factor or multi-factor authentication? Now you have username plus password plus MFA. Add a token (SMS code, physical token) or biometrics (facial or finger scan). Remember, MFA does not replace the need for complex passwords; it adds another roadblock to protect your authentication.
The human factor still comes into play no matter how many defenses we add, so end-user education is a must. Teach users how to spot phishing scams and the pitfalls of using the same password for everything.
The discussions continue regarding the demise of the password, and there has been some movement to this end. Microsoft has implemented replacements by using a token, authentication app or Windows Hello. Google predicts that going without passwords will also lead to the death of phishing attacks.
And so the arguments continue. The fact is, passwords remain the failsafe method of authentication for many of the passwordless methods. There are background processes in place that enable a user to authenticate with a password should the other methods fail. Clearly, we are heading in the direction of kicking the traditional password to the curb, but it is a slow process steeped in concerns about what processes work best and should be adopted.