The future of passwords is a hot topic no matter which side of the debate you take. Not being able to remember your password, which is a reality all too often, can be very frustrating. The average person has more than 80 passwords to remember. And with technology ever-changing, so are the techniques required to keep passwords safe from cybercriminals. The best password is often the most random. Yet, as history notes, most people aren’t good at generating random passwords, much less remembering them.
For example, according to research from the Gartner Group in 2017, 20 to 50% of all IT help desk calls were related to password resets. The problem with passwords is that hackers can use dictionary attacks and automated schemes to generate candidate passwords and possibly discover the right one quickly. This leaves the intended victim vulnerable. Dictionary password attacks have been around for years and aren’t going away any time soon.
Hackers are now also using password managers as another avenue for identifying easily suggested passwords to attack their intended target. Many companies, like Google, are developing high-tech alternatives using biometrics since they can’t be easily replicated. The good thing about biometrics is that no one can guess your fingerprint. It’s assigned to your DNA and yours alone. However, biometrics also have downsides and aren’t completely secure, as the increases in false positives show.
The problem with passwords today is that the users creating them are using the simplest options possible, which makes them more vulnerable to attackers. There are currently ongoing efforts by many IT businesses to eliminate passwords altogether, but it’s not easy to break habits developed over decades. Using passwords has become a learned behavior. Some companies are using passwordless schemes and different workarounds. However, the downside to this is that the schemes typically only work on newer devices.
While passwordless implementations are becoming increasingly standardized, account recovery options are not. Additionally, passwordless schemes are actively moving toward systems in which a previously authenticated device can anoint a new one as trustworthy. But this also raises the issue of creating options for people who don’t or can’t maintain multiple personal devices.
There are other issues with moving away from traditional passwords. It’s harder to share accounts with trusted people in a passwordless world, and attempting to tie everything to one device, like a smartphone, creates even more incentive for hackers to try to compromise that device. In another example, end users also faced havoc when trying to set up Windows 11, which is geared toward passwordless schemes.
So, the debate continues. Both sides have valid arguments. IT services will continue to become more sophisticated. And habits, good or bad, will be hard to break. Who will win?