The invention of digital passwords in the 1960s was the start of a revolution in the technical age. The password was one of the first stepping stones of cybersecurity: a simple authentication method that confirms you are who you say you are through a memorized phrase. It offered a way to secure information or belongings and, at the same time, link them to a user for accountability. Though now a reflexive part of daily life for most people with access to computers and the internet, passwords have been under attack and scrutiny since their invention. Passwords began the tug-of-war between malicious actors and the users, companies, and applications that store them.
According to Verizon’s 2021 Data Breach Investigations Report, 61% of data breaches are due to compromised passwords. This includes weak and predictable passwords, reused passwords, insecure storage of passwords, limited password complexity, social engineering, and lack of accountability. In February 2019, Google surveyed 3,000 people about their beliefs and behavior around online security and found that approximately 65% reuse the same password across multiple accounts. This practice increases the risk that one password breach affects many accounts and lets an attacker move laterally once a single account is compromised. In this domino effect, malicious actors try the stolen credentials on other platforms and may uncover more sensitive data. In a 2019 Google survey on the state of passwords, 24% of users had used a common password such as “Password” or “abc123”, and 59% had incorporated a name (their own, a pet’s, or a spouse’s) or a birthday in a password, all of which is easily obtainable information. The survey also found that 37% of participants used multi-factor authentication and 36% managed their passwords by writing them on a piece of paper.
Why do so many people have this bad habit of reusing the same password or using common ones even though they likely know it is a bad security practice? With so many websites, services, and social media platforms requiring an account and password, it is difficult to remember a different complex password for each account and which service each one belongs to. It is much easier to remember one password across all accounts on different platforms, even personal and work accounts, and make small variations to it to satisfy requirements such as an uppercase first letter, an exclamation mark at the end, or a birth year to meet the number requirement. This practice is so common that the National Institute of Standards and Technology advises in NIST Special Publication 800-63B against routine password expiration because “users tend to choose weaker memorized secrets when they know that they will have to change them in the near future.” When a change is required, people make common, predictable modifications to their old memorized secret, such as changing a number or adding another exclamation mark at the end. NIST notes that if any previous secret has been compromised, an attacker can apply these same common transformations to guess the new one.
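The predictable variations described above, and the common or personal-information passwords from the survey, can both be rejected when a user picks a new password. The following Go program is an added example (not code from the post or from NIST) that applies those checks: it strips the leading and trailing digits and punctuation people typically change, then compares the result against the user’s previous secrets, a small constructed blocklist, and personal fragments such as a pet’s name. The blocklist entries and sample passwords are constructed for the demonstration.

```go
package main

import (
	"strings"
	"unicode"
)

// commonPasswords is a constructed stand-in for a breached/common-password
// blocklist of the kind NIST SP 800-63B says new secrets must be checked against.
var commonPasswords = map[string]bool{
	"password": true, "abc123": true, "123456": true, "qwerty": true,
}

// canonical strips the predictable decorations the post describes (digits and
// punctuation added at the start or end, case changes), so "Summer2023!" and
// "summer2024!!" both reduce to "summer" and are treated as the same secret.
func canonical(pw string) string {
	deco := func(r rune) bool {
		return unicode.IsDigit(r) || unicode.IsPunct(r) || unicode.IsSymbol(r)
	}
	return strings.ToLower(strings.TrimFunc(pw, deco))
}

// CheckNewPassword returns "" when candidate is acceptable, otherwise the
// reason it is rejected. previous holds the user's earlier secrets (a real
// system would keep salted hashes and compare canonical forms at change time);
// personal holds name/pet/birth-year fragments that must not appear.
func CheckNewPassword(candidate string, previous, personal []string) string {
	if len([]rune(candidate)) < 8 {
		return "too short"
	}
	lower := strings.ToLower(candidate)
	if commonPasswords[lower] || commonPasswords[canonical(candidate)] {
		return "common password"
	}
	for _, p := range personal {
		if p != "" && strings.Contains(lower, strings.ToLower(p)) {
			return "contains personal information"
		}
	}
	for _, old := range previous {
		if canonical(candidate) == canonical(old) {
			return "predictable variation of a previous password"
		}
	}
	return ""
}
```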
Having a weak or compromised password can have severe consequences. If a compromised password is reused across personal and company accounts, it can affect both the company and its customers or users. If customer or user data is compromised, the impact can cascade to millions of people, leading to data and identity theft, and the information can be exploited for fraudulent transactions, impersonation, or resale. Unauthorized access to private communications, private files, and financial information are all possible consequences of compromised credentials. In 2021 the average cost of a data breach was $4.24 billion, with personally identifiable information (PII) costing $180 per record; PII was the most common type of record lost, involved in 44% of breaches.
Passwords Phase Out
A new age has begun in the digital world: the beginning of the end for passwords. In May 2022, Google, Microsoft, and Apple announced a collaboration with the FIDO Alliance and the World Wide Web Consortium to support passwordless sign-in. In a joint statement they said: “Password-only authentication is one of the biggest security problems on the web, and managing so many passwords is cumbersome for consumers, which often leads consumers to reuse the same ones across services. This practice can lead to costly account takeovers, data breaches, and even stolen identities. While password managers and legacy forms of two-factor authentication offer incremental improvements, there has been industry-wide collaboration to create sign-in technology that is more convenient and more secure.” To replace passwords, devices and platforms will shift from “something you know” (passwords) to “something you have”: users authenticate with a fingerprint, a facial recognition scan, or by unlocking a phone with a PIN. The phone stores a FIDO credential called a passkey, which unlocks your online account using public key cryptography, and the key is only used once you unlock your phone. Passkeys protect against phishing because a passkey only works on the website or app it was registered with. Computers will also support this: logging into a website will only require unlocking a nearby phone once. A new device’s passkey must first be approved before that device can itself be used as a passkey.
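The passkey flow above, as an added example in Go that is not code from Google, Apple, Microsoft or the FIDO Alliance: the phone holds an Ed25519 private key that never leaves it, the website keeps only the public key from registration, and the origin is bound into what gets signed, so a look-alike phishing site is refused and an assertion made for one site or one challenge cannot be reused for another. The relying-party ID, origin strings and the challenge format are simplified stand-ins for the real WebAuthn structures, and the phone’s unlock (fingerprint, face or PIN) is assumed to have already happened.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the phone holding the passkey: the private key never
// leaves it, and it only answers for the site (rpID) it was registered to.
type Authenticator struct {
	rpID string
	priv ed25519.PrivateKey
}
// RelyingParty models the website; it stores only the registration public key.
type RelyingParty struct {
	rpID string
	pub  ed25519.PublicKey
}
// Register generates the key pair on the phone and gives the site the public half.
func Register(rpID string) (*Authenticator, *RelyingParty) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail on supported platforms
	return &Authenticator{rpID, priv}, &RelyingParty{rpID, pub}
}
// signedMessage binds the challenge to the origin, so an assertion for one
// site cannot be replayed at another (WebAuthn hashes rpId and client data).
func signedMessage(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return h[:]
}
// Sign is the unlocked phone answering a challenge relayed by the page at
// origin; it refuses any origin other than the one it was registered for.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	if origin != a.rpID {
		return nil, false
	}
	return ed25519.Sign(a.priv, signedMessage(origin, challenge)), true
}
// Verify is the site checking the assertion with its stored public key.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ed25519.Verify(rp.pub, signedMessage(rp.rpID, challenge), sig)
}
// Login runs one sign-in ceremony: fresh challenge from the site, relayed by
// the page at origin to the phone, answer verified by the site.
func Login(auth *Authenticator, rp *RelyingParty, origin string) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	sig, ok := auth.Sign(origin, challenge)
	return ok && rp.Verify(challenge, sig)
}
```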
Password Best Practices Before Phase Out
Though passkeys and a passwordless future were only announced in 2022, hundreds of companies, including the three tech giants, have already started implementing the standards needed for them. Google announced in May 2023 that passkeys are now available for Google accounts, and Apple devices now support passkeys in managed environments.
Since passkeys are a new technology, there is understandable hesitation about adopting them before case studies exist or there has been enough time for unknown issues to surface, which is why we at Hanabyte strongly encourage users to research them thoroughly before adopting them.
For those who still prefer passwords or are not ready to change immediately, there are password best practices that can make your environment safer. Password managers have been recommended by security experts for years but have rarely been adopted; in the 2019 Google survey on passwords, only 15% of participants used one. A password manager helps users generate and keep track of strong passwords, securing all data across accounts through encryption and hashing. However, the string of LastPass breaches in 2022 has cast doubt on the security of password managers as well. Though they introduce a single point of failure in the master password, most password managers store passwords securely and make rotating a long, complex password very easy after a breach or a compromised password. Users should research thoroughly and choose a reputable password manager provider that employs strong encryption, has a track record of sound security practices, and regularly updates its software. Other best practices include creating a strong, unique password for each account, enabling multi-factor authentication (MFA) wherever an account supports it, setting up recovery accounts, and avoiding recovery questions whose answers are personal information that can easily be found through social media. Hanabyte is also looking into new ways to stay secure in the evolving password versus passkey debate and will continue to give updates.
Authored in collaboration with Ramana Lakshmanan