When can we get rid of passwords for good?

Or perhaps I should have asked, “Can we ever get rid of passwords for good?”

The security world knows passwords are a problem. Products ship with default passwords that are never changed. People reuse old passwords or adopt easy-to-guess passwords that hackers easily defeat via brute force. Or users simply can’t keep up with having to remember 27 different passwords for various online accounts.

Many times before, we’ve discussed ways to make passwords more secure. Use longer and more complex phrases that don’t include personally identifiable information. Consider a single sign-on or password management service. Use two-factor or multi-factor authentication (MFA), because simple login credentials are not secure enough.

However, these approaches do nothing to eliminate our reliance on passwords as the line of defense between public and private information. And ultimately, passwords will always be susceptible to human error.

To combat the password problem, mobile device and application developers have begun adopting biometric measures to replace numeric passcodes, including the use of fingerprints, graphics, and facial recognition. I’m pretty sure that a lot of companies are working on a fix-all solution for this problem, or maybe even feel they have already found it. But so far none of them has turned out to be even remotely as popular as the password.

Before we consider a password-less future, let’s have a look at some of the existing security measures and alternatives for passwords. Because one thing’s for sure: Nobody is happy about having to remember different passwords for every site, app, and device.

But if users continue writing down their passwords in notebooks or post-it notes, re-using passwords across platforms, or sticking with easy-to-remember combos like 1-2-3-4-5, then cybercriminals will continue having a field day with their data.

Password managers

Password managers are a lifesaver for those of us who care enough to use a different password for every site. But are they really an alternative to passwords? You still need the original passwords, right? Actually, you need one extra password, because password managers require that you create one master password to rule them all. However, the benefit is that, after entering all your account credentials into the password manager one time, you need only remember the master password from then on.

You might argue that if you lose access to your password manager or if it is compromised somehow, this only makes matters much, much worse. Indeed, there is some risk. However, password managers often encrypt or scramble original passwords for accounts, and those that use 2FA or multi-factor authentication have additional security measures to prevent a breach.

Password managers aren’t perfect, but they are generally much more secure than the current standard alternative. We continue to recommend consumers use password managers with MFA as cybersecurity best practice.

Single sign-on (SSO)

SSO software is popular at workplaces to manage the variety of third-party applications embraced by organizations, as well as to better protect remote workers’ access to company resources. By logging into a central site when you start your workday, you are granted access to a dashboard of company applications and servers approved for your endpoint, usually for the rest of the day. The advantage for the organization is that the granted access can be adjusted based on individual user needs and clearance.

The use of SSO software makes it extra important to lock your computer when you leave your desk, or never leave your laptop unattended in a coffee shop. This is because the login credentials it manages are granted to the machine, as if you are the sole user. So, John the Prankster could have a look at your last pay slip if you leave your workstation behind unlocked. Or worse, if your computer is stolen and you are still signed on, the criminal can view all the workplace data you have access to.

Password recovery

Unfortunately, many users have fallen back on password recovery as a mode of accessing their accounts. If they can’t write the password down, but must remember complex and different passwords for each account (and haven’t yet adopted password management, either because they are unaware of the service, unwilling to pay for it, or wary of its privacy and security benefits), then what other choice do they have but to consistently reset?

Some people abuse the password recovery feature for every website they need to log onto. You probably know the drill:

  • Click on “I forgot my password.”
  • Receive an email with a URL you have to click before it loses validity, or worse, they send you a new temporary password in plaintext.
  • Log in and change the new password, and you are on your merry way.
  • Repeat when you want to visit again.

I recently became painfully aware of a possible downside to this method when I lost access to one of my email accounts. Yikes! What happens when you don’t have a password and can’t retrieve its replacement because you are either locked out of your email account, shut it down, or can’t remember the password for your email address either?

Luckily, I didn’t have to find out. I was able to log in and change my email account where necessary. But for those depending on password recovery, that puts a lot of onus on remembering email account passwords and trusting that email credentials will never, ever be compromised or stolen. Because what happens when your email is hacked? Now all your password reset links are being sent directly to a cybercriminal. Talk about backfiring.

Biometrics

Biometrics refers to using physical characteristics to identify users and allow them access to and control of their computers. Instead of letters, numbers, and symbols typed on a keyboard, devices using biometric authentication measure and calculate physical attributes of the body, from pressure to the tiny imprints made by fingerprints, to facial recognition and vocal cadence.

While biometrics are definitely gaining traction, especially as one of the authentication factors in MFA, there is one major problem lurking on the horizon. What if someone manages to “steal” your biometric authentication by lifting a fingerprint? Or if you “lose” access to it through some kind of accident or reconstructive surgery? What are you supposed to do—grow a new pair of eyes?! Even your number of fingers could change at some point.

Behavioral biometrics is something that more and more financial institutions are beginning to take notice of. This is a dynamic form of authentication that looks into a person’s behavioral patterns—the way they interact with systems and technologies—to identify users.

While its accuracy is high, behavioral biometrics is not yet a 100 percent match, so for now the tech is being used to monitor sessions rather than for login authentication. This means that a bank or other organization can use behavioral biometrics to check whether it is still you using the site or whether someone else took over the session, and log you out accordingly.

Physical keys

This is a type of authentication that is often part of two-factor authentication (2FA). First you log in, and then you prove you are who you say you are by pressing a button on the physical key. This can be a device connected to your computer as a USB stick, by Bluetooth, or by any other close-range contact. In February 2019, Google announced that Android devices running 7.0 and higher could be used to log people into websites and apps. Using FIDO2, an open standard developed by the FIDO Alliance, Android users could be automatically logged into their sites using the biometric or passcode sign-in for their device in place of individual passwords.

The downside to using a physical security key is that it requires extra hardware that can be lost or broken, or, in the case of Android devices, is quite expensive. It would nevertheless be a good alternative if it could be used everywhere, which for the moment is not even close to the truth.

iOS devices do not currently use the FIDO2 standard, and about 42 percent of Android users are still running version 6.0 software and older. In addition, while the FIDO standard is adopted by many browsers, its API still needs to be incorporated by software and app developers in order to support using the feature to sign into their programs.

Authentication apps

Authentication apps allow you to use your phone to log in at specific sites, typically by scanning a QR code on the website and then authenticating through your phone by using biometrics or a passcode. Your phone will send a confirmation to the website and consequently you will be allowed to proceed.

These authentication apps are often used by banks and other public organizations. However, QR codes, or two-dimensional bar codes, have known flaws that have been exploited by cybercriminals and used frequently in scams.

Trust-score authentication

This is closely related to behavioral biometrics. Google, and maybe others, are working on this. A trust score is calculated based on several factors, such as location, facial recognition, and typing pattern. If the score is high enough, you’ll be granted access.

Sounds great, but can you imagine how frustrating it must be when you are denied access and have no idea why? And if such authentication software told you what you are doing differently from usual, this would open a possibility for an attacker to impersonate you through trial and error.

Certificates

A client authentication certificate is a security certificate used to authenticate clients during an SSL handshake. It authenticates users who access a server by exchanging the client authentication certificate. Simply put, this means you have a valid certificate on your system that has not expired and was issued by a trusted certificate authority.

Some encrypted information is sent back and forth to ensure that you have both the public and private key that go with that certificate. When that exchange is successful, the server can provide you with access to the resources you are entitled to. However, cybercriminals have discovered ways to abuse the certificate system via malware, so this method is not 100 percent foolproof.

SQRL

Somewhat similar to authentication certificates is GRC’s authentication method, which was dubbed SQRL. For a complete description of how SQRL works, we recommend reading Welcome to SQRL (PDF). It is an interesting concept that combines the strong points of some of the other methods, like encryption, into a single-factor authentication method.

Checking stolen credentials

We would like to point out some services that you can use to check whether or not your password credentials have been stolen or compromised. Most of our readers will be acquainted with Have I Been Pwned, where you can check based on email address.

On VeriCloud’s site, you can search based on email address and domain (for organizations), and you can have VeriCloud email you the leaked password(s). Don’t feel guilty when your email address(es) appear on these sites. It happens to the best of us! But check where they were found, change the password you used there, and make sure you haven’t reused it elsewhere.

Mathematical facts about passwords

In case you need to create new passwords, here is something to consider. Did you know how much difference those few extra characters make?

Basically, the strength of a password is determined by two factors, and the number of possible passwords can be calculated with the formula a^b, where a is the number of allowed characters (the size of the character set) and b is the length of the password.

For example, a basic password of six lowercase letters has 26^6 = 308,915,776 possibilities. That may seem like a lot, but in a brute force attack such a password will last less than a second.

Adding two letters gives us roughly 209 billion options and such a password would last against a brute force attack for a few hours. If you can also use uppercase letters, numbers, and special characters, the base of the equation is 77, and we can reach 208 billion with only six characters.

Still, we are looking at a password that would take only hours to crack in an attack. To construct a password that would last a lifetime at the current state of computing speeds would require a password that is 12 letters long (95,428,956,661,682,176 options) or nine characters if we can use the full set (95,151,694,449,171,437 options).
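To check the article’s figures and see how the character-set size and the length trade off against each other, here is an added Python example (not from the original article). The guess rate it uses is a constructed assumption, since the article gives no figure; the keyspace sizes themselves are exact.

```python
import math

# Character-set sizes used in the article: 26 lowercase letters, or 77 when
# uppercase letters, digits and special characters are also allowed.
LOWERCASE = 26
FULL_SET = 77

# Assumed attacker throughput in guesses per second. The article gives no
# figure, so this is a constructed value for illustration only.
ASSUMED_GUESSES_PER_SECOND = 10**10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of possible passwords, a**b, computed as an exact integer."""
    if alphabet_size < 1 or length < 1:
        raise ValueError("alphabet size and length must be positive")
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Equivalent strength in bits: log2(a**b) = b * log2(a)."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(alphabet_size: int, length: int,
                       rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every password at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def min_length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Shortest password from this alphabet that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def describe(alphabet_size: int, length: int) -> str:
    """One-line summary of keyspace, entropy and exhaustive-search time."""
    return (f"{alphabet_size}^{length} = {keyspace(alphabet_size, length):,} "
            f"(~{entropy_bits(alphabet_size, length):.1f} bits), exhaustive "
            f"search at {ASSUMED_GUESSES_PER_SECOND:.0e}/s: "
            f"{worst_case_seconds(alphabet_size, length):,.0f} s")


if __name__ == "__main__":
    for alphabet, length in [(LOWERCASE, 6), (LOWERCASE, 8), (FULL_SET, 6),
                             (LOWERCASE, 12), (FULL_SET, 9)]:
        print(describe(alphabet, length))
    # The same ~56 bits need 12 lowercase letters or 9 full-set characters.
    print(min_length_for_bits(LOWERCASE, 56), min_length_for_bits(FULL_SET, 56))
```

The output shows why 12 lowercase letters and 9 full-set characters are nearly interchangeable: both give roughly 56 bits, so only the combination of base and length matters, not either one alone.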

Note that computer speeds continue to increase and that the chance of your password being leaked is still present, so there is no guarantee that such a password will last. But at the moment, a long password drawn from the full character set is still king. While other methods such as biometrics, physical keys, and web authentication are in the works, security flaws have already been identified in them.

As for the future, ideas about implanted microchips, brain passwords, and DNA-based identification have already been circulated, but ethical concerns loom large. Will there ever be a truly 100 percent secure system to replace passwords?

Our guess is no. In fact, there’s no such thing as 100 percent protection. But with widespread adoption of better practices and easier, more innovative technology, the password problem should at the very least become far less annoying for consumers—which will make it far more secure for the world.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.