Passwords are an archaic and painful way for users to authenticate themselves. They are one of the biggest problems security teams have to deal with in an enterprise: they are constantly stolen or cracked because of poor user practice. You know the things I am talking about: reusing the same password for every account, or "changing" it by counting a number up or down at the start or end of the password.
What about those of you who use a pet's name or the date of birth of one of your children or your partner (don't do that, it is insecure)? Then we have the ones who use a variation of "password" or "QWERTY" (I am just not going to say anything more about those). You all know someone who does one or more of the above, and you probably know because they have told you what the password is (I literally just slapped my palm against my forehead; this is as bad as post-it notes on screens, which sadly happens more often than you would believe). So I think you get what I am saying here: people really are bad at password security.
This is partly our industry's fault, and I will explain why to give it some context. We in the industry have been telling everyone for years and years to create passwords with numbers, mixed case and symbols so that they are hard to break, but there is a huge flaw in this that we all completely missed (honestly, I just followed the norm and the recommended "best practice", which is my own fault for not thinking for myself and just being a sheep): these passwords are really hard for humans to remember, and then we make people change them every 30-90 days just to be more of a pain in their sides (and then we wonder why people always need password resets). Current guidance such as NIST SP 800-63B has since dropped both the composition rules and the forced periodic rotation, for exactly these reasons.
These passwords are not the most secure option either; with today's hardware they can be cracked in a reasonably short time. Let's do some quick numbers. Take the password Secure134!: it has a capital, some digits and a symbol, and under today's "best practice" it would count as a pretty good password. Published crack-time estimates for it vary wildly with the assumed hardware and hash algorithm: one figure gives a medium-sized botnet (nothing fancy, but something any decent malicious actor has) about 6 days, another gives parallel GPUs 87 years. Neither number is the one that matters, because both assume a blind character-by-character brute force. Secure134! is a dictionary word with a capital, a short digit run and a trailing symbol, which is exactly the pattern a rule-based dictionary attack (hashcat with a common rule set, for example) tries first, so against a fast unsalted hash like NTLM it falls in minutes, not days.
I know days or weeks sounds like a long time, but for a high-value target that is not much effort when all the attacker has to do is set the job running and leave it. Chances are it finishes well inside the password policy's expiry window. So why are we stuck with passwords like this when a passphrase is much more secure and much easier to remember? Take four or more random words and string them together, like bluemustangriversteaks. The same kind of estimate gives a medium-sized botnet 52 billion years and parallel GPUs 260 trillion years for it. Two caveats before you agree that this is clearly the more secure option. First, the word "random" is doing all the work: four words you picked because they mean something to you are guessable, four words drawn from a wordlist by dice or a proper random number generator are not. Second, those huge figures assume the attacker is brute-forcing 22 lowercase characters; an attacker who knows the passphrase is words from a list only has to search the list, so the real strength is the number of words times the size of the list, which is why six or seven words from a standard 7776-word list is the usual recommendation rather than four.
Passphrases are a great option, but in the end they are still just passwords and are still prone to being lost, stolen, phished, or reused. So why don't we just stop using them? Because people don't like change, and because passwords are the easiest way for a system to control access without much effort or cost. With such obvious flaws, is "easy" a good reason to keep using them? No, it probably isn't. So if we decide to stop using passwords altogether, can we really do it?
It is an option that has been thrown around a few times. Passwordless access control has long been a future option that never quite came within reach, but more recently it has become almost achievable. There are USB key fobs with fingerprint scanners, facial recognition, and fingerprint or vein-pattern scanners, which are okay. Combine a couple of them, say a biometric with an authenticator app, and we have a workable solution. But is it good enough?
Is "good enough" better than current password practice? No, I don't think it is. I personally still feel that a good passphrase combined with a second, or maybe a third, authentication factor is the more viable option for individuals and organisations.
I honestly don't think the technology is quite there yet, but I believe that in a couple more years passwords will in fact become a thing of the past (that will make life a bit harder for malicious actors, and I don't think I will be shedding any tears for them). Moving away from passwords will be a good move for security; however, it will not be the end of security breaches, as malicious actors will keep finding new methods of attack and passwords are only one avenue into today's systems.
They will undoubtedly still be riding the social engineering wave, that's for sure, and I can almost guarantee there will still be software vulnerabilities for them to exploit, because there will certainly be organisations that are not doing the basics like regular security patching. I don't think that will ever change no matter how often we say it's needed; we will go blue in the face and collapse before we get that message across, but that doesn't mean we shouldn't keep trying.
Let's keep our eyes on the passwordless options and make the move when the time is right, but until then, please try to be good corporate citizens and cyber individuals and actually practise good security.