Passwords as the primary way we authenticate almost every login are fundamentally flawed, and that needs to change soon. If we don't move to a different system on our own terms, threat actors with a little AI-assisted tooling and a modest amount of computing power will force that change on most organisations before they are ready for it.
Passwords have long been the primary means of securing access to our online accounts and sensitive information. However, despite the significant advances in technology, passwords remain one of the weakest links in the security chain. This is primarily due to human behavior and the way we use and manage passwords.
One of the biggest problems is that humans are bad at creating strong passwords. The days of getting away with “123456” or “password” are gone, but the response has been to rotate a password by a single character (Summer2023! becoming Summer2024!) or, worse still, to reuse the same password across multiple accounts, so one breached site hands an attacker every other account that shares the password.
Another problem is that we forget them. People write passwords on pieces of paper or keep them in unprotected files, where anyone with access to the desk or the disk can read them. Switching to a password manager isn't risk-free either: fake password managers exist whose whole purpose is to trick you into handing over your vault, and even a genuine one is only as safe as its implementation. Password managers have suffered major data breaches in recent months precisely because a vault is a treasure trove, which makes them a target for more capable attackers.
Even when people create strong, unique passwords, they still fall victim to phishing. A phishing site poses as a legitimate website or service and simply asks for the credentials; because a password is the same string wherever it is typed, the user has no way of knowing it went to the wrong place. These attacks can be sophisticated enough that even tech-savvy people struggle to tell a legitimate site from a fake one.
However, there is hope for a more secure future. Many experts predict that we will eventually transition to a passwordless authentication system. In the past people have talked about systems that will use biometric authentication, such as facial recognition or fingerprints, or secure hardware tokens, such as YubiKeys, to verify a user’s identity but I suspect it will be something slightly different.
My money is on a security token system that uses a multi-factor approach to confirming identity. We are already used to seeing push notifications for multi-factor authentication; this will be a step above that, factoring in things like your proximity to other devices you own and the security built into the operating system and hardware of your local device. I'm never going to sign into my PayPal account from a new device and a random IP address that I have never signed into any of my other accounts from, so why would PayPal or any other company allow people to access accounts that way?
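The kind of sign-in policy described above, as an added example rather than anything from the original post: a small risk-based evaluator in Go that looks at whether the device is enrolled, whether the source network has been seen before for this account, and whether a trusted device is nearby, and returns allow, step-up or deny before any credential is even checked. The device identifiers, the TEST-NET addresses and the /24 and /64 network granularity are assumptions chosen for illustration; a real service would also weigh signals such as device attestation and geolocation.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Decision is the outcome of evaluating a sign-in attempt.
type Decision int

const (
	Allow  Decision = iota // enrolled device on a known network: routine sign-in
	StepUp                 // something changed: require confirmation on a trusted device
	Deny                   // nothing about this attempt matches the account's history
)

func (d Decision) String() string { return [...]string{"allow", "step-up", "deny"}[d] }

// Attempt carries the signals a service can observe before a credential is presented.
type Attempt struct {
	DeviceID      string     // hardware-backed device identifier; empty if the device is unattested
	IP            netip.Addr // source address of the request
	NearbyTrusted bool       // an already enrolled device of the same user is within reach (e.g. Bluetooth)
}

// History is what the service already knows about the account.
type History struct {
	Devices  map[string]bool // enrolled device identifiers
	Networks []netip.Prefix  // networks the account has signed in from before
}

func (h *History) knownNetwork(ip netip.Addr) bool {
	for _, p := range h.Networks {
		if p.Contains(ip) {
			return true
		}
	}
	return false
}

// Evaluate returns the decision for an attempt and a human-readable reason for the log.
func Evaluate(h *History, a Attempt) (Decision, string) {
	knownDevice := a.DeviceID != "" && h.Devices[a.DeviceID]
	knownNet := h.knownNetwork(a.IP)
	switch {
	case knownDevice && knownNet:
		return Allow, "enrolled device on a network this account has used before"
	case knownDevice:
		return StepUp, "enrolled device on an unfamiliar network: confirm on the device"
	case a.NearbyTrusted:
		return StepUp, "new device, but an enrolled device is nearby to vouch for it"
	default:
		return Deny, "new device on an unfamiliar network with nothing to vouch for it"
	}
}

// Learn records a successful step-up so the next attempt from this device and
// network is routine. Networks are remembered at /24 (IPv4) or /64 (IPv6),
// an assumed granularity for illustration.
func Learn(h *History, a Attempt) {
	if a.DeviceID != "" {
		h.Devices[a.DeviceID] = true
	}
	bits := 24
	if a.IP.Is6() {
		bits = 64
	}
	if p, err := a.IP.Prefix(bits); err == nil && !h.knownNetwork(a.IP) {
		h.Networks = append(h.Networks, p)
	}
}

func main() {
	// Constructed account history: one enrolled laptop, one home network (TEST-NET-3).
	h := &History{
		Devices:  map[string]bool{"laptop-tpm-01": true},
		Networks: []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")},
	}
	attempts := []Attempt{
		{DeviceID: "laptop-tpm-01", IP: netip.MustParseAddr("203.0.113.7")},
		{DeviceID: "laptop-tpm-01", IP: netip.MustParseAddr("198.51.100.9")},
		{DeviceID: "phone-se-02", IP: netip.MustParseAddr("198.51.100.9"), NearbyTrusted: true},
		{DeviceID: "", IP: netip.MustParseAddr("198.51.100.9")},
	}
	for _, a := range attempts {
		d, why := Evaluate(h, a)
		fmt.Printf("%-8s %-14s %-14s %s\n", d, a.DeviceID, a.IP, why)
	}
	Learn(h, attempts[2]) // the phone completed its step-up; remember it and its network
	d, _ := Evaluate(h, Attempt{DeviceID: "phone-se-02", IP: netip.MustParseAddr("198.51.100.200")})
	fmt.Println("phone after enrolment:", d)
}
```

The point of the ordering in Evaluate is that an unattested device on an unfamiliar network never reaches a credential prompt at all, which is exactly the PayPal scenario above.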
Passwordless authentication has several advantages over traditional password systems. First, it removes the need for users to create and manage passwords, and with it the risks of weak passwords, password reuse and password theft. Second, it is more convenient, because users no longer have to remember and retype a secret for every sign-in.
Passwordless systems are more secure than password-based ones when they are built on public-key credentials, which is what the FIDO2/WebAuthn standard behind YubiKeys and built-in platform authenticators does: the private key is generated inside the device's security hardware and never leaves it, and the server stores only the public key, so there is no shared secret to phish, reuse or lift from a breached database. TLS, the S in HTTPS, is the everyday proof that this model scales: every secure connection starts with the server proving it holds the private key behind its certificate. Passwordless sign-in applies the same idea in the other direction, with the user's device proving possession of its key, and because the signed response is bound to the site that requested it, a lookalike domain ends up with a signature it cannot use. Locally, biometrics and the device's security hardware are what unlock that key, and since most of us carry more than one device there is no reason a device we already trust cannot vouch for a new one instead of falling back to a password. What remains to protect is the device itself and the session it establishes; those become the targets once the password is gone.
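To make the origin binding concrete, an added example (not the author's code and not a conformant WebAuthn implementation) in Go: a simplified challenge-response modelled on WebAuthn assertions, with an Ed25519 key from the standard library standing in for the authenticator's hardware-held key. The origin names, the user name and the exact clientData fields are assumptions for illustration. The behaviour worth noticing is that the server keeps only public keys, every challenge is single-use, and an assertion signed while the browser was on a lookalike domain fails verification even though it carries the genuine challenge.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData mirrors WebAuthn's clientDataJSON. The browser, not the web
// page, fills in Origin, so a phishing page cannot claim to be the real site.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for a security key or platform secure hardware:
// the private key is generated inside it and never exported.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only thing the authenticator ever hands to the server.
func (a *Authenticator) PublicKey() ed25519.PublicKey { return a.priv.Public().(ed25519.PublicKey) }

// Assertion is what the client returns to the server.
type Assertion struct{ ClientDataJSON, Signature []byte }

// Sign builds clientDataJSON for the origin the browser observed and signs its
// SHA-256 hash (simplified: real WebAuthn also covers authenticator data).
func (a *Authenticator) Sign(challenge, browserOrigin string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return Assertion{}, err
	}
	h := sha256.Sum256(cd)
	return Assertion{ClientDataJSON: cd, Signature: ed25519.Sign(a.priv, h[:])}, nil
}

var (
	ErrNoChallenge = errors.New("no outstanding challenge for user")
	ErrOrigin      = errors.New("origin mismatch: assertion was made on a different site")
	ErrChallenge   = errors.New("challenge mismatch")
	ErrSignature   = errors.New("signature does not verify under registered key")
)

// RelyingParty is the server. It stores public keys only, so a breach of its
// database yields nothing that can be replayed as a login.
type RelyingParty struct {
	origin     string
	pubkeys    map[string]ed25519.PublicKey
	challenges map[string]string // user -> outstanding single-use challenge
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin: origin, pubkeys: map[string]ed25519.PublicKey{}, challenges: map[string]string{}}
}

func (rp *RelyingParty) Register(user string, pk ed25519.PublicKey) { rp.pubkeys[user] = pk }

// NewChallenge issues 32 random bytes, consumed by the next Verify for that user.
func (rp *RelyingParty) NewChallenge(user string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	rp.challenges[user] = base64.RawURLEncoding.EncodeToString(buf)
	return rp.challenges[user], nil
}

// Verify checks, in order, that a challenge is pending, that the browser
// recorded our origin, that the challenge is the one we issued, and that the
// signature verifies under the registered key. The challenge is consumed even
// on failure, so a captured assertion cannot be replayed.
func (rp *RelyingParty) Verify(user string, a Assertion) error {
	pk, havePK := rp.pubkeys[user]
	want, haveChallenge := rp.challenges[user]
	if !havePK || !haveChallenge {
		return ErrNoChallenge
	}
	delete(rp.challenges, user)
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != rp.origin {
		return ErrOrigin
	}
	if cd.Challenge != want {
		return ErrChallenge
	}
	h := sha256.Sum256(a.ClientDataJSON)
	if !ed25519.Verify(pk, h[:], a.Signature) {
		return ErrSignature
	}
	return nil
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty("https://paypal.example") // assumed origin for illustration
	rp.Register("alice", auth.PublicKey())
	c, _ := rp.NewChallenge("alice")
	genuine, _ := auth.Sign(c, "https://paypal.example")
	fmt.Println("genuine sign-in:", rp.Verify("alice", genuine))
	fmt.Println("replayed assertion:", rp.Verify("alice", genuine))
	c, _ = rp.NewChallenge("alice")
	phished, _ := auth.Sign(c, "https://paypa1.example") // lookalike site relays the real challenge
	fmt.Println("phished assertion:", rp.Verify("alice", phished))
}
```

Contrast this with a password: the phishing site above obtained a perfectly valid challenge and a perfectly valid signature from the real authenticator, and still cannot log in, because the origin the browser wrote into the signed data is not the one the server expects.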
Passwords are an inherently insecure way of protecting our online accounts and sensitive information, because of human behaviour and the way we use and manage them. There is still hope for a more secure future, but only if we start looking at these systems now. As we move towards a passwordless future, we can expect significant improvements in security, convenience and ease of use.