The Password Is Slowly Becoming Extinct, but It's Not Obsolete Yet

​Using passwords—the most common digital authentication method to log in to company systems—is rife with problems, from being an annoyance to posing a security risk. Technology vendors are now coming up with methods to allow access to systems that don't require passwords.

But at least one expert says mass adoption of these techniques is not happening anytime soon and organizations are better off improving password policy, working to prevent phishing attacks and patching vulnerable software to secure their systems.  

The practice of employing usernames and passwords to access computer systems began in the 1960s, and, despite recent innovations in adding multifactor authentication to make them more secure, passwords are still the most-often used gateway for cyberattacks. Compromised credentials were behind 80 percent of all data breaches in 2019, according to Verizon's 2020 Data Breach Investigations Report.

"Passwords have a risk of theft as they can be predicted easily, and even the strongest password can be easily hacked," said Rohan Pinto, a technologist and founder of 1Kosmos BlockID, a blockchain-based network security company in Somerset, N.J.

Typical flaws of passwords include being easy to guess, easy to share and used on multiple sites, meaning hackers can use one compromised site to compromise other sites, said Roger Grimes, a cybersecurity consultant at KnowBe4, a security awareness training company in Clearwater, Fla. People also lose passwords, forget them and only make slight changes to them when required to reset them. "Password complexity, length and rotation requirements are the bane of end-user experience and literally the cause of thousands of data breaches," he said.

The most common type of cyberattack directed at passwords are phishing scams prompting employees to hand over their credentials in response to phony e-mails or spoofed websites.

Cyberthieves also use automated technologies including brute force techniques to guess passwords. "This only works against weak passwords, but, sadly, 'password' is the most common password in the world," Grimes said.

He added that attackers will also try to steal credentials via malware or from database dumps of stolen passwords or attempt to crack the coded versions of passwords stored in an organization's system. "These codes can be stolen from password storage files or figured out and translated back to plain text," he said.

Grimes said passwords can be secure if used and protected correctly. "With all the possibilities available using the 94 possible characters on a typical U.S.-based keyboard and if the password is truly random, it would be very difficult to guess, even for a machine," he said. "But passwords are almost never random," he added.

A major reason for that is simple: Remembering completely random, complex passwords is very difficult. In addition, the average Internet user has at least dozens of online accounts that require a password, and the probability is that the same or a similar password is used across sites. Multifactor authentication is a growing trend, but most of these products still rely on passwords.

Going Passwordless

Passwordless authentication is a type of multifactor method that replaces passwords with more-secure forms of identification such as biometric technology, Pinto said.

"Verification would require one or more factors for a successful sign-in attempt and be further secured with advanced cryptographic algorithms," he said. The system is based on public and private keys. Only one public and private key pair will work together. The public key is provided to the online system to be accessed, while the private key is stored in the user's device and is tied to a unique biometric authentication factor.

"Unlocking the private key can only be done by using biometrics like a face scan, voice recognition or a fingerprint," Pinto said.

In addition to improving system security, proponents of using a passwordless method say it enhances the user experience by eliminating the need to remember and safeguard multiple passwords, as well as reduces operating costs for the organization. According to research firm Forrester, about half of IT help desk calls are related to password resets and the cost of a single password reset is estimated to be around $70.

Management advisory firm Gartner predicted that 60 percent of large companies and 90 percent of midsize companies will implement passwordless methods for more than half of their operations over the next few years.

Google and Microsoft have announced their commitment to support passwordless authentication, and some companies have already begun to switch over from traditional passwords.

"Passwordless authentication is a top initiative for security leaders across the globe," said George Avetisov, CEO and co-founder of HYPR, a technology company working on passwordless authentication. "It's incredible to see the effort put forth by enterprises to eliminate the password for their customers and employees.”

CVS Health moved to a passwordless experience for consumers and is working to do the same for its 150,000-person workforce by 2022, said Brian Heemsoth, executive director and head of global security at the health care company.

"The goal is to provide a secure experience for all of our employees across local workstations, VPN and remote access, and applications," he said. "The ROI [return on investment] driver is that the more we embrace a passwordless model, the less susceptible our users will be to phishing, which leads to significant incident response costs."

A Different Take

Grimes maintains that passwords are not going away anytime soon. "People have been talking about a passwordless society for three decades now," he said. "Passwords are used everywhere, and 98 percent of the world's websites and services only accept passwords for authentication. Until that changes, passwords will be around."

He added that whatever replaces passwords—multifactor methods or biometric identification—will not be without risks.

Pinto agreed that even with passwordless authentication, the possibility that a user account will be compromised still exists, as threats to an organization's data are not limited to the authentication source. "It could also come via insider threats or via back-end data breaches," he said.

Grimes said employers would be better off preventing phishing and staying on top of software patching than worrying about passwords. "Between 70 percent and 90 percent of malicious breaches are due to social engineering," he said. "Another 20 percent to 40 percent are because of unpatched software. Password attacks are only about 1 percent to 10 percent of organizational risk."

Grimes shared the following advice to help defend against password attacks:

• Make sure to change default passwords. "You'd be surprised how many people don't do this," he said.
• Use strong passwords. "A strong password is not easily guessable," he noted. Truly random passwords are best, but difficult for people to create or remember. Good password policy components include length, complexity, expiration period, an account lockout function after a set number of guesses and rules restricting common words.
• Monitor for failed login attempts.
• Use password management software, an encrypted digital vault that stores secure password login information and multifactor authentication.