The password's demise has been predicted for years, with new modes of authentication, from biometrics to wearable devices, being touted as the next big thing in login security. The desire for change is understandable. Speaking at the 2006 RSA Conference, Bill Gates cited passwords as the weak link in cybersecurity, and there is no disputing that weak credentials lie behind a great many account compromises: the credential dump from the 2013 Adobe breach showed just how many users still rely on overly simplistic, highly guessable passwords.
Similarly, a 2008 HID Global white paper likened the age-old username/password system to metal keys, which have been around seemingly forever as a cheap yet relatively effective way to secure buildings and automobiles. However, these keys have gradually given way to cards that are harder to duplicate, and these card-based access systems have taken root within enterprises that have many sensitive assets to protect. Could something similar happen with passwords and multi-factor authentication?
Passwords versus smartphone-based authentication
It's possible, although even if passwords were supplanted as the primary means of authentication, they would likely stick around as a secondary security mechanism. While passwords have well-known shortcomings and are arguably less safe than solutions that utilize unique fingerprint data or multiple factors, they are easy to use and simple to implement.
"The main advantage of passwords is that everybody can use them straight away," explained Trend Micro senior threat researcher David Sancho. "There is no need to tie yourself to a specific authentication token ('I could swear it was in my bag this morning!'), location ('I can't log in from the hotel, I forgot I enabled that security feature!'), or smartphone ('I let my phone's battery go dead!'). It might seem odd to some, but forcing users to own a smartphone – or asking a company to provide their employees with one – might be too costly."
Certainly, smartphones have become mainstays of alternative authentication. Services such as Dropbox and Microsoft online accounts allow customers to use the Google Authenticator mobile app, which generates time-based one-time codes on the device itself. Alternatively, they can receive verification codes via SMS and enter them to confirm their identities. Twitter now even allows users to reset their passwords with a text message. But how much of an upgrade is smartphone-based authentication over the traditional username/password combo?
It isn't a silver bullet, since it has drawbacks of its own. Equipment costs (to both the individual and the organization), plus the associated expenses for mobile device management and upgrades, are only the tip of the iceberg. SMS is not end-to-end encrypted, so a code can be read by anyone with access to the handset or to the carrier network it crosses, and mobile devices are prone to being lost or stolen; either way, the code can end up with someone who uses it to break into a privileged account.
Plus, the code from the SMS usually has to be typed into a particular website, and malware can insert itself into that workflow. In 2012, the Eurograbber campaign did exactly that: a man-in-the-browser component on the victim's PC tricked online banking customers into installing a mobile component that intercepted the SMS transaction codes, resulting in almost $50 million in losses. Going the smartphone route also leaves application developers beholden to the security practices of the telecommunications providers that carry SMS.
Compared to password security, though, those flaws may seem slight. SplashData's list of the 25 worst passwords of 2013 – compiled from information made available following data breaches – demonstrated that a shocking number of individuals still safeguard their online accounts with codes such as "123456" and "password," making these assets easily hackable through basic guessing or automated dictionary attacks.
Passwords are by and large too weak to withstand attackers' scrutiny, and the reuse of them across multiple accounts means that a single good guess is all it takes to get access to a lot of sensitive information. The security and technology communities have realized these issues and sponsored the recent World Password Day. The initiative's homepage states that 90 percent of passwords are vulnerable and that passwords should be changed regularly.
Best practices for a world still ruled by passwords
There are still several frontiers in authentication, with smartphones being the most prominent. The iPhone 5S and the Samsung Galaxy S5 both include fingerprint scanners. Wearable devices such as wristbands or heads-up displays may eventually factor into security, too.
For now, however, none of these solutions completely fills the password's virtual shoes. Accordingly, individuals and organizations should become more well-versed in how to make passwords into assets rather than liabilities. With just a few simple steps, online accounts can be made much safer and more resilient against attack:
- Don't reuse passwords – recycling may be good for paper and plastics, but it's bad form for passwords. Sure, it can be difficult to keep track of the unique codes associated with every account, but that's what password managers, such as Trend Micro DirectPass, are for. DirectPass works on PCs, Macs and iOS and Android devices for comprehensive handling of logins.
- Create sufficiently complex passwords – websites are slowly getting better at warning users if their passwords are too weak. A good password should contain letters, numbers and special characters and also be of sufficient length; length matters most, since every extra character multiplies the number of guesses an attacker has to make. A good way to create a memorable yet tough-to-crack password is to abbreviate the words in a phrase and then sprinkle in extra characters. With a password manager, strong passwords are generated automatically, but the user still has to come up with and remember a master password.
- Use two-factor authentication as needed – smartphone-based authentication isn't perfect, but it creates another layer of separation between accounts and cybercriminals. Services such as Twitter now offer the two-factor option, and there's usually no reason not to use it as long as a compatible device is available.
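The advice on complexity, together with the earlier point about the SplashData worst-passwords list and dictionary attacks, can be turned into a local check. The following is an added example written for this page; it is not Trend Micro code and has nothing to do with how DirectPass rates passwords. The blacklist is a constructed stand-in seeded with the entries the article quotes (a real check loads a breach-derived list of millions), the minimum length and class count are assumed policy values, and the entropy figure is an optimistic upper bound that only serves to show how much more length buys than an extra symbol. Reuse across accounts can only be checked from a password manager's store, so it is not covered here.

```python
"""Added example: a local password-quality check implementing the article's
advice. Not Trend Micro code; the blacklist and policy values are constructed."""
import math
import string

# Constructed blacklist: the two entries the article quotes from SplashData's
# 2013 list plus a few more common ones. A real check loads millions.
WORST_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123",
                   "111111", "letmein", "iloveyou"}
MIN_LENGTH = 12     # assumed policy value for this example
MIN_CLASSES = 3     # assumed policy value for this example


def character_classes(pw: str) -> int:
    """Count how many of lower, upper, digit, punctuation appear in pw."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: c in string.punctuation)
    return sum(any(check(c) for c in pw) for check in checks)


def estimated_bits(pw: str) -> float:
    """Optimistic guess cost: log2(pool) per character, the pool being the
    union of the classes used. Dictionary attacks beat this for real words,
    so treat it as an upper bound that mainly shows length dominates."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def password_findings(pw: str) -> list:
    """Return the problems found; an empty list means the password passed."""
    findings = []
    if pw.lower() in WORST_PASSWORDS:
        findings.append("on the worst-passwords list; a dictionary attack "
                        "gets it instantly")
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        findings.append(f"uses fewer than {MIN_CLASSES} character classes")
    if pw and len(set(pw)) < max(4, len(pw) // 3):
        findings.append("too few distinct characters")
    return findings


def abbreviate_phrase(phrase: str) -> str:
    """The article's memorable-password trick: first character of each word,
    keeping trailing punctuation. The user then sprinkles in extra characters."""
    out = []
    for word in phrase.split():
        out.append(word[0])
        if len(word) > 1 and word[-1] in string.punctuation:
            out.append(word[-1])
    return "".join(out)


if __name__ == "__main__":
    # Constructed candidates; the last one is the phrase trick with the year
    # written out and an extra character added.
    base = abbreviate_phrase("My dog Rex was born on 4 July 2010!")
    for candidate in ("123456", "password", "Tr0ub4dor", base, "MdRwbo4J2010!s"):
        print(f"{candidate!r}: ~{estimated_bits(candidate):.1f} bits;",
              password_findings(candidate) or "no findings")
```

Running it shows the point of the bullet list: "123456" and "password" fail on the blacklist before any maths is done, a nine-character mixed password such as "Tr0ub4dor" still falls short on length alone, and the phrase-derived 14-character candidate passes with roughly double the estimated bits of "password".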
Writing for Slate, Lily Hay Newman argued that every day should be World Password Day in order to raise awareness about best practices for creating strong logins. Maybe that's a bit excessive, but she makes a good point about taking password security more seriously going forward.
"There have been so many data breaches and hacks this year that it's hard to feel safe in cyberspace," wrote Newman. "The best way to protect your data, though, is still through strong passwords and two-factor authentication where possible. Taking steps like changing passwords regularly and using a password manager are crucial to protecting yourself."