The end of passwords

Poor password practices are behind the majority of cybersecurity breaches, but alternative methods of authentication have their own drawbacks

According to a report by LastPass, employees are expected to have between 25 and 85 unique logins, which means it's no surprise that insecure passwords are frequently reused

As it stands, our use of digital technologies is hugely dependent on passwords. They are needed to access our email accounts, our social networks and our mobile phones. “What’s the password?” has gone from being a secret-agent catchphrase to a call of despair as you try and fail to log in to your account for the umpteenth time. According to a 2019 report authored by software firm LastPass, employees at large companies are expected to have 25 unique logins; for staff at smaller organisations, the number is 85. It is no surprise that many individuals are suffering from password fatigue.

The problem is, when people are required to have too many unique passwords – more than can possibly be remembered – they start cutting corners. Passwords get reused, or easy-to-guess credentials start being employed. According to the UK’s National Cyber Security Centre, the most commonly hacked password of 2019 was ‘123456’.

With research by TraceSecurity indicating that as many as 81 percent of company data breaches are caused by poor password protocols, businesses are scrambling to find alternative methods of authenticating their employees. But while many individuals have grown weary of passwords, they are also accustomed to them – getting them to switch to something else might not be easy. The password era may be coming to an end, but it is likely to be a slow death.

Doubling down
Although easy-to-guess passwords are the root cause of a number of cyberattacks, businesses have not removed them from the authentication process – instead, they have embraced what is known as ‘two-factor authentication’. This approach requires an individual to present two pieces of evidence from different categories before their identity is verified: something they know, something they have, and something they are. Two passwords do not count; the point is that an attacker who steals one kind of evidence still lacks the other.

In the case of something they know, a password remains the most commonly used piece of data. Something they have might be a device, like a smartphone running an authenticator app or a hardware token that generates one-time codes, and something they are might be biometric data such as a fingerprint. This extra layer of security makes it much harder for hackers to access personal or business assets: a password harvested from a breach or a phishing page is no longer enough on its own. In addition, a lot of firms are employing a password manager to bolster their cyber defences. With many employees now being asked to remember several passwords for different pieces of software, organisations have looked for a way to push back against the tendency to reuse them.

Password managers are applications that store the credentials for many different services and fill them in when the user logs in. They hold a database of passwords that is encrypted with a key derived from a single master password, so that is the only secret the user has to remember. Because nothing else needs memorising, every other password can be long, random and unique to one site, which is what stops a breach at one service from unlocking accounts at another. The trade-off is that the master password now protects everything, so it has to be strong and the manager has to make guessing it deliberately slow.

Passing out
Many individuals believe that passwords are on their way out – Bill Gates said as much back in 2004 – but deciding what to replace them with is proving a challenge. Biometric identification – like a fingerprint or an iris scan – is harder to cheat, but the consequences of a successful attack are much greater. If companies hold copies of this information centrally in order to verify each individual, they become even greater targets for hackers looking to steal personal credentials. Passwords, when compromised, can be changed – a fingerprint cannot.

In today’s digital-first world, there is mounting pressure to tackle the threat posed by hackers – and with good reason. Worldwide, cybercrime is estimated to have cost around $600bn last year, with inadequate password protocols responsible for a sizeable chunk of this figure. Transitioning to a different system of authentication will not be simple, but it will surely be easier than remembering dozens of different passwords – each containing at least one upper case letter, one lower case and one special character, of course.