The Final Nail in the Password’s Coffin

July 15, 2019
4 minutes read
Category: Security
Author: Harry Cheung

Hey, is your account among the billions who have been pwned? 

According to the website Have I Been Pwned?, almost 8 billion accounts have been pwned to date, and this number increases every day.

Not trying to freak you out, but heading there and checking whether your data has ever been involved in a data breach is probably a good thing to do. If anything, this website helps you understand the magnitude of our problem with passwords, an ancient form of authentication.

Passwords originated at MIT in 1961 and were hacked the following year. Ever since then, experts have been working on trying to preserve and upgrade this authentication process.

First, it was a minimum of eight characters, then at least one upper case letter and one number, then password expiration systems and banned password lists. However, it seems that we are finally realizing that password authentication might not be one worth trying to save.

Consider the number of cyber breaches. Year on year, there has been such an increase that it seems as if we have been conditioned to expect a new one each week. 

Moreover, do you remember the yearly lists of the worst passwords? It’s always the same weak passwords at the top, even after all attempts to force users to take password authentication more seriously. 

That’s why even the tech giants have all been coming out with statements pointing out the inefficacy of this authentication option and signaling the end of the password era.

Just this past month, there have been new developments at Microsoft. 

Password Expiration is Dead, But What About Passwords?

In their update to the Windows 10 Security Baseline, they have removed the password expiration policies.

In case you’re not familiar, these policies meant that many enterprise-scale organizations, Verizon for example, required their users to change their passwords periodically.

I know—at first, this decision seems counterproductive to what we are trying to accomplish, but it’s actually not. In the end, this policy came down to complicating user authentication unnecessarily.

Their reasoning for this decision was based on recent scientific research that “calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives … If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.”

They are saying that after an organization has implemented all the usual preventative measures for securing password authentication, password expiration doesn’t add to it. In contrast, if they haven’t, password expiration still doesn’t add nearly enough protection. 

What is more, they are not the only ones with this opinion. A security guide published by the National Institute of Standards and Technology in March suggests eliminating the requirement for users to change their passwords frequently. They agree that banning common passwords and patterns is much more effective than forced rotation.
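To make the guidance above concrete, here is an added example (not code from the original post, and not Microsoft’s or NIST’s own tooling) that contrasts the old composition-rule check from the start of the post with a NIST-style check: minimum length, a blocklist of breached or common passwords, rejection of context-specific words, and rejection of repetitive or sequential strings, with no expiration involved. It also shows how a "have I been pwned" lookup can be done without sending the password anywhere, using the k-anonymity scheme the Pwned Passwords API uses (only the first five hex characters of the SHA-1 hash are sent; the server returns every matching hash suffix with a count). The blocklist, the context words `acmebank`/`alice`, and the range response for prefix `5BAA6` are all constructed sample data, and `password_problems`, `breach_count` and the other names are hypothetical.

```python
"""NIST-style password acceptance check versus a legacy composition-rule check,
plus an offline demonstration of a k-anonymity breached-password lookup.
Added example with constructed sample data; not code from the original post."""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample blocklist. Assumption: a real deployment loads a large
# compromised-password corpus (for example the Pwned Passwords dataset).
BREACHED_PASSWORDS = {"123456", "password", "qwerty", "letmein", "Password1!"}

# Context-specific words a verifier should reject: the (constructed) service
# name and a (constructed) user identifier.
CONTEXT_WORDS = {"acmebank", "alice"}

MIN_LENGTH = 8    # NIST SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # verifiers must accept at least this many characters


def legacy_complexity_ok(pw: str) -> bool:
    """The rule set the post describes: 8+ chars, an upper case letter and a digit.
    It happily accepts a widely breached value such as 'Password1!'."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None)


def is_repetitive_or_sequential(pw: str) -> bool:
    """True for 'zzzzzzzz', 'abcdefgh' or '87654321': every step between
    neighbouring characters is the same delta of -1, 0 or +1."""
    if len(pw) < 4:
        return False
    deltas = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(deltas) == 1 and next(iter(deltas)) in (-1, 0, 1)


def password_problems(pw: str, username: str = "",
                      blocklist=BREACHED_PASSWORDS,
                      context=CONTEXT_WORDS) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accept.
    Note what is absent: no composition rules and no expiration date."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(pw) > MAX_LENGTH:
        problems.append("too long")
    if pw in blocklist:
        problems.append("appears in breached/common password list")
    lowered = pw.lower()
    words = set(context) | ({username.lower()} if username else set())
    for word in sorted(words):
        if word and word in lowered:
            problems.append(f"contains context-specific word '{word}'")
    if is_repetitive_or_sequential(pw):
        problems.append("repetitive or sequential characters")
    return problems


def sha1_prefix_and_suffix(pw: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that would be sent to the range API and the 35-char suffix kept locally."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for range responses, keyed by the 5-char prefix that
# was queried. Each line is "SUFFIX:COUNT". The first suffix is the real
# SHA-1 tail of "password"; the count and the second line are made up.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "00000000000000000000000000000000000:2\n",
}


def breach_count(pw: str, ranges: Dict[str, str] = SAMPLE_RANGES) -> int:
    """How many times the password appears in the breach corpus (0 = not found).
    Only the hash prefix leaves the client; the suffix match happens locally."""
    prefix, suffix = sha1_prefix_and_suffix(pw)
    for line in ranges.get(prefix, "").splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("Password1!", "correct horse battery staple", "alice2019!"):
        print(candidate, "legacy ok:", legacy_complexity_ok(candidate),
              "NIST-style problems:", password_problems(candidate, username="Alice"))
    print("'password' breach count:", breach_count("password"))
```

The contrast is the point of the post: `Password1!` passes every composition rule yet is rejected by the blocklist, while a long passphrase passes the NIST-style check with no special characters at all. In production the blocklist lookup would be replaced by the range query, with `breach_count` parsing the live response instead of the constructed one.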

However, this was only the latest development. Microsoft, Google, and Apple, among other big players, have all been going against password authentication for some time now. 

Tech Giants are Killing Passwords… To Some Extent

I’m going to start us off by saying that Bill Gates predicted the death of passwords back in 2004 while speaking at the RSA Security Conference in San Francisco. He said they couldn’t “meet the challenge” of keeping important information secure. 

That was in 2004, so how do you think passwords fare today? Tech companies have been trying to find better authentication solutions ever since then.  

Microsoft’s above-mentioned Windows 10 update comes close to the passwordless future, although not quite there yet. 

You can now add a passwordless phone-number Microsoft account to Windows, sign in to Windows for the first time with the Microsoft Authenticator app, use Windows Hello to sign in to apps on the web, and use a new recovery process for your Windows Hello PIN.

It’s just what it sounds like. These solutions will rely on biometrics and 2FA, even SMS-based, which are all safer than passwords, but definitely have their issues. However, at least it is a step in the right direction. 

Furthermore, Microsoft’s Chief Information Security Officer, Bret Arsenault, told CNBC that eliminating passwords is the best way to protect ourselves from these breaches, and internally, Microsoft is close to this: 90% of its 135,000 employees now use biometrics to log into their accounts.

Google has done the same for their employees. They now use physical security keys and say that protection against phishing has been “stellar”. 

Meanwhile, Apple has introduced its single sign-on (SSO) tool (think of the Facebook or Google login you use for other websites) so that its users don’t have to rely on passwords every time they want to use an app. Now, when you see that even Google’s login chief is in favor of this feature, you can understand just how insecure passwords actually are.

What they are trying to do is “federate” passwords in a way that the total number of them is reduced, while you still have a couple of really important ones. 

However, that’s just it—with all the different tactics of password breaching, do you feel comfortable with still relying on any number of passwords?

What Does the Future of Authentication Hold?

I’ll give you a number—from 2016 to 2017 alone, the share of data breaches caused by weak or stolen passwords increased from 63% to 81%.

So, what do we do when something is too easy to hack? 

We make it more complex. That’s how 2FA came into play. 

While 2FA increased security when it first appeared, it has been proven ineffective time and time again, especially SMS-based 2FA. In addition, 2FA is not UX friendly—and you know what that means: a lot of people opt to go back to their old habit of using passwords.

However, things are looking up! Over 83% of IT decision-makers predict that their organization will soon become passwordless. MFA is increasingly being used!

Is it the best option?

Depending on the authentication solution incorporated—yes, it can be. 

So, how do we decide on the solutions? 

Simple, we don’t compromise. Security, UX, and privacy—we can have them all. 

But one thing is sure, passwords don’t fare well against any of these criteria. Tech giants realize this, IT decision-makers realize this, and everyday people are starting to realize this as well. 

With everyone slowly but surely turning around, it’s only a matter of time before passwords become obsolete.

What will be the actual final nail in the password’s coffin? We just have to wait and see.