More than a quarter of us have used the words "password" or "qwerty" as our primary password at some point in our lives, according to Google. Even more alarming, six in 10 of us admit to using the same password across multiple online accounts, from email to online banking, and only a third of us bother to change passwords more than once a year. That's why World Password Day was created. In 2005, security expert Mark Burnett wrote a book called Perfect Passwords, in which he floated the idea of dedicating one day in the calendar each year when everybody should change their passwords.
By 2013, the idea had really caught on and Intel ran with it, making the first Thursday in May the official World Password Day. In 2021, World Password Day falls on May 6, but is it still relevant in its current form?
From phishing scams to distributed denial-of-service attacks, malware to spyware, the security landscape is a lot more complex than it was back in 2005, or even 2013. Most individuals today have so many different online accounts that to devise and remember a unique and complex password for each one is near impossible. It's why so many of us now rely on authenticator apps and digital "vaults" in which to store our passwords, allowing us to simply remember one to unlock them all. This kind of innovation is good; however, it also leads to a creeping realization that the humble password may no longer be fit for purpose. So, what's next?
Has the Password Outlived Its Usefulness?
Bill Gates famously quipped that the password was dead back in 2004. His forecast might have been a little premature, but he was right when he said the traditional password cannot "meet the challenge" of keeping critical information secure. That's as true for businesses as it is for each and every one of you reading this article. As recently as 2018, more than 80% of all data breaches could be attributed to poor passwords. Businesses know this, which is why they're constantly encouraging employees to create ever more complex passwords, layering up password security with things like two-step and certificate-based authentication. But while these technologies might help to mitigate password vulnerability, they can't eradicate it.
Technology hasn't yet evolved to a point where we can do away with passwords altogether. Instead, we keep inventing ways of making passwords more secure, propping them up as a viable way in which to secure our data. Two-step authentication does exactly what it sounds like, requiring an additional step in the login process beyond simply entering a password. Once a user has entered the password, that person will be sent a text message with a unique code or be asked to generate one via an authenticator app, which is needed to gain access to their account.
This kind of multifactor authentication certainly offers an additional layer of security. It means that even if hackers crack your password, they aren't going to get very far without your mobile phone or access to your code generator. However, it's not entirely without flaws. For one, it makes the login process extremely tedious for the user, requiring additional hoops to jump through. It also creates an unwanted dependency on third parties, such as mobile service providers. What happens when a user is unable to receive their authenticator code via SMS because they're out of signal range or their operator's network goes down?
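The authenticator-app code mentioned above is a time-based one-time password (RFC 6238, built on RFC 4226 HOTP). The example below is added here and is not code from the article: it derives the six-digit code from a shared secret and the current 30-second time step, and shows the two checks a server should do, tolerating one step of clock skew and refusing a code that was already accepted in its step. The secret is the RFC test-vector key, constructed for the demo.

```python
"""Added example: RFC 6238 TOTP as used by authenticator apps (not from the article)."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30   # seconds per time step (RFC 6238 default)
DIGITS = 6  # code length most authenticator apps display

# Constructed demo secret: the RFC 4226/6238 test-vector key, base32-encoded
# the way an otpauth:// enrollment QR code would carry it.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(b32: str) -> bytes:
    """Decode a base32 shared secret, tolerating missing '=' padding and spaces."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time; no network round trip needed."""
    return hotp(secret, at // step)


def verify(secret: bytes, submitted: str, at: int, last_counter: int = -1, window: int = 1):
    """Server-side check. Returns (accepted, counter) so the caller can persist the
    counter it consumed; any counter <= last_counter is refused, which blocks replay
    of a code that was already used inside its 30-second step."""
    current = at // STEP
    for delta in range(-window, window + 1):   # tolerate +/- one step of clock skew
        counter = current + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_counter


if __name__ == "__main__":
    key = decode_secret(DEMO_SECRET_B32)
    print("current code:", totp(key, int(time.time())))
```

The values asserted against this block are the published RFC 4226/6238 test vectors truncated to six digits.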
Risk-based authentication (RBA), which asks users to jump through additional hoops if they exhibit unusual login patterns, such as logging in from a foreign country or via a new IP address, has similar issues. It frustrates users and increases login times.
Certificate-based authentication recognizes humans as fallible guardians of their passwords and does away with them entirely, instead shifting the onus onto the network itself. A user or device can be granted network access for a set period until that access expires, and it's as simple as that. However, this is only useful in very specific circumstances and limits how and where employees can work.
As a society, we've invested a lot of resources into coming up with ways to patch over the password problem. Two-step authentication and RBA ease the symptoms of password vulnerability but don't fix the underlying issue. We've come to depend on these stopgap solutions because there's never been a viable alternative to passwords. That is, until now. We're beginning to see biometric technologies like fingerprint and facial recognition become mainstream, and they might eventually replace passwords entirely.
Right now, I can pull my smartphone out from my pocket, unlock it by merely looking at it, and then access my banking app via my thumbprint to pay a bill or transfer someone some money. A decade ago, this user journey would have involved entering several passwords, and World Password Day would recommend I update those passwords frequently.
The thing is, no matter how convenient our technology becomes, passwords will always drag down the user experience to a degree, and it's for that reason we might soon be leaving the world of mandatory asterisks and interrobangs behind for good.