It seems in today’s world, with such large parts of our lives online and intertwined with smart devices, everything has a password. To talk to your friends, perform banking transactions, order takeout and even to pay your bills, it all requires a password.
In our previous article we went over why having a strong password is useful when it comes to protecting your accounts against different types of authentication attacks. However, creating these ‘strong’ passwords often results in passwords that are difficult to remember. It’s easy to forget which letters were capitalized, where the number is located, what symbol was used, etc.
The problem isn’t necessarily that passwords are bad; it’s the plethora of things we do that require a password that leads to bad password practices.
Issues with Passwords
Passwords leaked in data breaches have really exemplified how weak passwords are as a security measure. The reluctance of companies to disclose security breaches, on top of how common ‘password reset’ spam is, makes it more likely that notifications about passwords are ignored. This increases the chance that passwords will still not be updated, despite public knowledge of data breaches.
The need to create a password for every online service drives people to either create weak, easy to remember passwords or reuse the same password across multiple services. It is simply too difficult to remember 20 strong passwords, and which password goes with which username and service. You can be sure that passwords exposed in data breaches will be used in authentication attacks across various services. This technique is known as credential stuffing.
Bill Gates predicted back in 2004 the death of passwords, and here we are in 2021 where data breaches are becoming more and more common.
Alternatives to Traditional Passwords
A human can reliably remember a handful of strong passwords at best. Only one strong password needs to be remembered, ideally zero. Although alternatives to the traditional password exist, their adoption has been very slow. Below are some examples of alternatives to remembering passwords.
Password Managers
Likely the first thing that comes to mind as an alternative to remembering passwords. There are many password managers out there, but the ones most people are familiar with are probably the ones built into your web browser. For example, many browsers offer to remember and save your passwords; you’ll constantly see the pop-up offering to remember your password for you.
The downside to this method is that malware exists which is able to steal these passwords saved into your browser. Also, should you forget the account tied to the browser, or lose access to your computer, you’ll then lose all those passwords as well.
Writing it down somewhere
Probably a close second to what comes to mind, there is a stigma that writing your passwords down is poor security. Well, it really depends on the people around you and where you plan to store it. If you lock your password notes up in a vault at home, it’s pretty safe. If you write down your passwords on sticky notes and post them on your monitor at the office, perhaps that is not the best idea. Regardless, writing down your passwords can be a good alternative to remembering them if you take the proper precautions.
Note that we’re talking about physically writing it down on paper. Saving your passwords digitally on your computer or cell phone is still susceptible to malware.
Physical USB Keys
This is probably one of the oldest forms of securing something, and can be thought of as a lock and key. This method is possible for digital accounts as well: a USB key is something you could use to access your accounts.
There are clear positives to this: there are no passwords to remember and the keys can be easy to use. However, they are often small enough to be easily lost and are not supported by every device and account.
Biometric Authentication
This is a fancy way of saying to use your unique biology as a password, such as your fingerprints or face shape. The concept is relatively new compared to other methods of authentication but has been widely adopted in recent years.
The advantages of biometric authentication make it clear why it is so popular. Since the security relies on the fact human characteristics are unique to each person, they are more difficult to forge than a password. Another reason is that these biological characteristics are always with you and cannot be forgotten.
Despite these positives, biometric authentication isn’t without its disadvantages. There have been cases where twins can bypass each other’s facial recognition. A fingerprint can also change over time, enough that it is no longer recognized. This data can also be exposed in data breaches just like passwords, and theoretically can be used to bypass biometric authentication. It is a lot harder to change your own face or fingerprint than it is to change a password.
Email and SMS Authentication
Using this form of authentication to log into an account, a user would simply need to provide a username, and the system would send an email or SMS message to the user prompting them to approve the sign-in.
Normally used for 2FA or ‘I forgot my password’ tools, there’s no reason why this can’t also be used in place of a password. This relies on having access to an email account or a mobile device, which are harder to forget and recycle than a password. For example, Craigslist allows you to sign into your account by sending a URL to your email address.
However, this form of authentication still has its weaknesses, such as an email account getting compromised or losing a mobile device.
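As an added example (not code from the original article or from any service it mentions), here is a minimal server-side implementation of the emailed sign-in link described above. The domain, the in-memory store and the 15-minute lifetime are assumptions; the point is that a link is random, expires, and works exactly once.

```python
import hashlib
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

TOKEN_TTL_SECONDS = 15 * 60  # assumed: a link not clicked within 15 minutes expires

# Outstanding links: sha256(token) -> (username, expiry as epoch seconds).
# Only the hash is stored, so a leaked copy of this table yields no usable links.
_pending = {}


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_magic_link(username: str, now: Optional[float] = None) -> str:
    """Return a single-use sign-in URL to send to the user's registered email address."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness: not guessable
    _pending[_token_hash(token)] = (username, now + TOKEN_TTL_SECONDS)
    return f"https://example.test/login?token={token}"  # hypothetical domain


def redeem_magic_link(url: str, now: Optional[float] = None) -> Optional[str]:
    """Return the signed-in username, or None if the link is unknown, used or expired."""
    now = time.time() if now is None else now
    token = parse_qs(urlparse(url).query).get("token", [""])[0]
    entry = _pending.pop(_token_hash(token), None)  # pop: a link is accepted at most once
    if entry is None:
        return None
    username, expiry = entry
    if now > expiry:
        return None
    return username
```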
Ultimately, each of these methods has its strengths and weaknesses, and it is up to the user to decide which of these matter most to them. The use of passwords as the main form of account security is still ubiquitous, and often the only security option offered for many services. However, as long as you stay aware of the risks, create strong passwords, never reuse passwords and find an alternative to remembering passwords that works for you, security is attainable.