The password has long been a staple of the digital experience. It’s how we access everything, from our work emails to our social media accounts. Believe it or not, it’s also the greatest weakness in the cybersecurity space. A weak password has been the source of countless data breaches. But is that reason enough to get rid of passwords entirely?
It’s no secret that cybersecurity is a bit of a mess these days, and that’s putting it lightly. Barely a day seems to go by without us hearing about some new data breach, some new incident that’s compromised the personal information of thousands.
In the war against cyber-crime, it appears as though criminals are the only winners. Unfortunately, that doesn’t look like it will change anytime soon. Depending on who you ask, there are many reasons for this.
Some would say it’s a result of poor authentication and spotty firmware on Internet of Things (IoT) devices. Others would argue it’s the result of unpatched vulnerabilities in enterprise networks. Or that it’s simple human ignorance that’s to blame.
According to noted security consultant, lecturer, and former con-man Frank Abagnale Jr., it’s none of the above – passwords are the problem.
“I can’t believe that passwords were developed in 1964, when I was 16 years old, and now today, we’re still using [them] as a protocol to get into security systems,” Abagnale said in an interview with Information Age. “I don’t understand why there are still passwords around when we know passwords are the root cause of all these issues that we have.”
He’s not exactly wrong. Consider the three primary types of authentication.
- What you know. A password, your birthday, your mother’s maiden name.
- What you have. A smart card or a smartphone.
- What you are. A fingerprint, a facial scanner, voice recognition software, etc.
When it comes to protecting sensitive information, the first method is arguably the weakest form of authentication. Anything you know can be gleaned by a clever criminal or cracked by an algorithm or simply broken with a lucky guess.
Consider how Mirai, one of the largest botnets to date, spread. It didn’t exploit a software vulnerability or gain access to new devices through some sophisticated attack vector. It simply scanned the web for open ports, then proceeded to log in with a default username and password.
By doing this, it became large enough to bring some of the largest companies on the web to their knees.
But how exactly can we be rid of passwords? They’re as ubiquitous as the keyboards we use to type them in. And they’ve been a part of the digital realm for just as long.
Unfortunately, that’s where the waters get a little muddied. Because while passwordless multi-factor authentication does exist, it’s not yet widespread enough to shift us all away from the established way of doing things. In some cases, people aren’t even aware it exists – and there are still far too many devices floating around that simply aren’t designed to leverage it.
Certainly, organizations such as Microsoft have proposed lofty plans for ridding the web and the world of passwords. Windows 10 is even being shifted over to a new form of authentication known as Windows Hello. Yet most of these plans don’t have teeth.
They don’t consider how to deal with logins for IoT devices. They don’t account for devices and form factors that lack the necessary features for non-password authentication. They require people to sign up for new services, subscriptions, and what have you.
I’m not trying to say passwords should stick around. They’re outdated, cumbersome, and a glaring security risk. I agree that it’s high time we kill them.
The problem is that no one seems entirely certain how – and those that claim to have a solution seem like they’re just trying to sell us something.