
Here’s a secret: World moving to stop using passwords

Remember when you couldn't figure out what your login password was? Those days are getting rarer as passwordless becomes the norm.

You can now buy login credentials to someone’s bank or Uber account on the dark web for as little as $7.

Gartner predicts that by 2022, 60% of large businesses and all medium-sized companies will have cut their dependence on passwords by half.

Considering 81% of all data breaches are from compromised passwords, financial organisations need to turn to passwordless solutions.

You probably think you use such clever passwords that no one can figure them out. Wrong!

In fact, most of us reach a point where we forget what our password is, either missing a number, a capital letter, an asterisk, or any number of things we do to make it more complex and harder to break into.

Good idea, but not enough. It’s why passwords are on their way out.


Lost for passwords

When the man who invented passwords says it’s time to move on, it probably is. Four years ago, Fernando Corbato, who invented the first computer password in the 1960s, said that passwords had become “a nightmare”. 

Passwords were once one of our most trusted security measures, but over the past decade, the average person’s digital footprint has been exposed to increasing numbers of third parties. Now the average consumer manages over 191 pairs of usernames and passwords. It is almost guaranteed that people reuse the same passwords or tactics to authenticate across various services.

Most of the recent data breaches stem from stolen passwords. You can now buy login credentials to someone’s bank or Uber account on the dark web for as little as $7.

The cost of password management alone, in time lost by employees typing passwords and chasing the IT department when they fail, can climb up to $70 per incident. And with up to 50% of all help-desk calls being password resets, the costs can mount up quickly.


Gartner predicts that by 2022, 60% of large businesses and all medium-sized companies will have cut their dependence on passwords by half. How?


Going passwordless

The market to go passwordless started with GDPR. To meet the requirements established by these new laws, products and services must be designed with privacy at their core and provide complete transparency to their users.

Examples include the class action lawsuit filed against Facebook in Illinois and the Swedish data protection authority issuing its first fine under GDPR to a school for its improper use of facial recognition technology.

Considering 81% of all data breaches are from compromised passwords, financial organisations need to turn to passwordless solutions and take a strategic approach to implement multi-factor authentication based on biometrics. This redefined strong authentication for the digital age is truly a business differentiator.

Smartphones can handle some forms of biometrics. Some facilities now require you to have your retina or iris scanned, or you may have your hand scanned for the unique pattern of blood vessels under your skin.

Likewise, you may be required to present a security token along with your biometrics. Any of these, used in combination with another form of authentication, can be reasonably secure without requiring your staff to struggle through endless password resets.

For the world to become passwordless, we also need to put users in control of their own data. This will allow the work of bodies such as the World Wide Web Consortium, which develops global standards for the web, and the FIDO Alliance – an industry association dedicated to replacing passwords as our means of digital authentication.


What can you do meanwhile?

If your password is one word, you’re doing it wrong — it’s time to upgrade to a multi-word “passphrase.”

The vast majority of hacks result from phishing, the act of guessing users’ login credentials based on information gleaned from messages and online profiles.

Hackers are also developing increasingly sophisticated methods to track and exchange people’s passwords, making preventative action all the more crucial.

“‘Password’ is a bit of a misnomer. What you should actually be using is a passphrase,” Kiersten Todt, managing director of the Cyber Readiness Institute and a former cybersecurity adviser to the Obama administration, told Business Insider.

Contrary to popular belief, it’s perfectly fine to use spaces in your password. Many major sites, like Google and Facebook, accept “space” as a valid password character.

Even when using passphrases, it’s crucial to change your password. 

Passwords plus

At this point, most high-value target organizations have moved their user authentication to require additional data, such as data known to the consumer (out-of-wallet questions, or information about the consumer that wouldn’t be well known) or single-use passwords created by an app or sent via text message or email. These make it harder for a bad actor to gain access, but not impossible.

Today there is a large menu of malware and Trojan software for sale that intercepts SMS messages or emails carrying one-time codes. The reality remains that multi-factor authentication solutions are patches for an outdated authentication framework in dire need of replacement.