For decades now, usernames and passwords have been a critical, and highly visible, element in data protection and cybersecurity. However, the use of passwords is a far-from-perfect approach to protecting access to computer systems. Nowadays, newer, more sophisticated forms of user identification and authentication have emerged on the scene. We asked this week’s Expert Panel Roundtable: Is the password on the brink of extinction in physical security? Why or why not?
The future is guaranteed to be password-less. Users loathe passwords almost as much as security experts. Trying to remember complex passwords causes users to often write passwords down or save them on a computer, making them even more vulnerable. Generic usernames and passwords are often used for maintenance or admin accounts, and reused passwords often end up in password lists used by hackers. Passwords represent a critical vulnerability in networks and are one of the most common attack vectors. The two most damning statistics on passwords are: 80% of hacking-related breaches are due to lost or stolen passwords, and 75% of users say that they are frustrated by trying to maintain them. Passwords will likely be replaced by some combination of zero trust authentication using context-based analysis, one-time pad plus PIN codes with apps that constantly generate new keys, physical or app-based tokens in conjunction with a mobile device, and biometrics.
With a staggering 80% of cyber-attacks due to password breaches, the prospect of a password-less world is appealing. Imagine a life where no one would have to remember unique eight-character sequences or constantly update passwords to stay ahead of hackers and keep data secure. While tech giants such as Apple, Google, and Microsoft are already taking steps for this to become a reality, it will likely still be some time before passwords are completely extinct. In the meantime, we should rely more on multi-factor authentication and other alternatives such as certificate-based authentication and biometrics for additional layers of protection beyond a password. Furthermore, since passwords are meant to authenticate humans, not machines, they shouldn’t be the first choice to authenticate one system to another.
While passwords will likely be with us for a while yet, it’s certainly not because they are loved and respected as a trusted method for authenticating humans and machines. It’s no real surprise that passwords are a principal cause of cyberattacks since, when users don’t like them, they are bound to take shortcuts, storing them insecurely or reusing and sharing them. Likewise, some installers are known to do the same, because they feel the risk is low—until one day it isn’t. Meanwhile, there are myriad better ways to authenticate humans using more trusted and secure methods, be it biometrics and/or any number of combinations involving trusted private and public keys on our mobile devices using authentication apps or physical tokens. Until we get to the eventual password-less future, multi-factor authentication should be used whenever possible. Passwords aren’t on the brink of extinction just yet, but they probably should be.