Why do we need to eliminate world passwords?

Read time: 4 minutes, 39 seconds

According to Gulf News, “An estimated 300 billion passwords are used by humans and machines worldwide. Which is nearly 40 times more than the number of people walking on Earth.”

Passwords are the most common technique for authentication used across the globe.

Why are passwords bad for your security?

Usage of easy passwords is also one reason that leads to compromised security. With a limited number of words in the dictionary and a handful of digits and special characters, there comes a handful of passwords that can easily be guessed. Moreover, if your password has appeared in any of the password leaks, then that is more likely easy to be discovered by some hacker. Many people also tend not to rotate their passwords in regular intervals

According to a report by LastPass, 53% of the people surveyed haven’t changed their passwords in the last year, even after hearing about a data breach in the news. And 42% of the people say that having a password that is easy to remember is more important than having a more secure password.

People tend to pick easy passwords to avoid remembering them. SplashData carried out an analysis in which they studied over 5 million leaked passwords and concluded that 10% of the passwords were still using the 25 worst and most common passwords.

People also tend to use the same password for multiple accounts and websites, which is highly unsecured and not recommended. But making new passwords for every new account across a wide array of websites is also a tedious task. Hence leading to the usage of the same passwords. This scenario is often termed Password fatigue. Wikipedia explains this as “The feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as log on to a computer at work, undo a bicycle lock, or conduct banking from an automated teller machine.”

What do organizations do to combat this?

To combat this password-related issue, many organizations stick to strict password policies. They use a minimum length of the password, use special characters, and use both lower and upper cases combined with numbers. All these can help build a strong password that end-users can use.

In recent days, many organizations have adopted the use of MFA (Multi-Factor Authentication), an authentication mechanism used to authenticate a user using multiple verification steps. Usually, the first step is a password. The second step has several options like authentication code from liked authenticator applications (Google authenticator, Microsoft authenticator, etc.), or, in general, OTP delivered to the registered mobile number or email address.

How authentication can be made passwordless

Authentication can be achieved regardless of a predetermined password in the following six ways

1. Biometric Authentication

   • Biometric authentication is based on unique biological features of human beings that are used to authenticate the user’s identity. Physical traits like depth scanning of the face, fingerprint, retina scan, etc., are used as authentication parameters.

2. Dedicated hardware security tokens

   • It is a small hardware device that stores additional information required for authentication during a user login or a service authentication. The stored additional information is generally a numeric code that keeps rotating every 30 seconds. Hardware tokens are specifically making use of One-Time Password (OTPs), Multi-Factor Authentication (MFA), or Two-Factor Authentication (2FA).
   • A dedicated security token, when coupled with the following properties, makes the system of the user more secured from attacks and breaches-

     • Possession

       The user must possess something like a phone or a key card handy to access the system.

     • Knowledge

       The first stage of the authentication is the password which must be in the user’s knowledge.

     • Inheritance

       The addition of biometrics (like fingerprint or face scan) makes it more secure.

3. Certificate-based authentication

   Digital certificates are yet another mode of authentication. One used case for certificates is authenticating a system in an organizational network. The install certificate is verified with the CA (Certificate Authority). The certificate chain of trust plays an important role when it comes to the verification of certificates.

4. PIV (Personal Identity Verification) cards

   A PIV card is a smart card issued by the United States government that contains the information needed to access federal facilities and information systems and ensure acceptable levels of security for all national applications

5. One Time Password (OTP)

   OTP is an alphanumeric string, specifically a passcode that is automatically generated for a single time transaction or login session. One major advantage of OTP is that it expires after a certain period which prevents it from being reused by attackers for malicious purposes.

6. Email magic links

   They are special links sent to the email of the user upon clicking on which the user gets authenticated. The following steps take place in the whole system-

   • The website requests the user’s email address
   • The user enters the email address
   • The website generates a token and subsequently generates the magic link as well.
   • The application sends the magic link to the user’s mail address.
   • When the user clicks on the magic link, the application receives the query at the magic link endpoint, and the user is authenticated.

7. Authenticator applications

   These third-party applications create a one-time passcode that keeps updating every 30 seconds. The authenticator applications are linked to the account we set up the MFA for.

Conclusion

With each passing day, the knowledge and number of hackers and the increased probability of a simple password being guessed are growing. So, people and organizations need to adopt a more secure form of authentication like 2FA or Hardware Tokens. But this journey will take some time. And hence the need for awareness of going passwordless is at its peak.