Interesting concept, right? Passwords have been around since before the internet was even a thing. Read on to see how passwords have evolved, why they are no longer secure and why the end is in sight, and hopefully with it, a more secure digital world in which we can all live, work and play.
Passwords: The Problem
The first use of computer or digital passwords was in 1961 at MIT. Since then, the use of passwords has grown to the point where most people today have an average of over 100 passwords. These manage everything from access to our email to our bank accounts and even to our TV viewing. Some of us are even using a program that manages all of these passwords, and even it has a password.
The problem with having so many passwords is that they are easy to circumvent. In today’s highly connected world, countless hackers and bad actors have access to leaked or stolen databases containing billions of passwords and have come up with sophisticated ways of guessing or figuring out your passwords from this data. This works because most of us reuse passwords or reuse the same pattern when changing our passwords. That, in conjunction with the way passwords have traditionally been stored on systems, makes them easy to crack. A 2009 study from the University of North Carolina at Chapel Hill showed that researchers using sophisticated password-cracking algorithms, along with knowledge of only one of a user’s previous passwords, were able to crack 41% of these accounts.
So, what do we do? We have advanced a lot since 1961 and even 2009 so let’s look at where we are today.
Two-factor Authentication: The Improvement
By now, you have more than likely been forced into a higher level of security on some of your accounts with what is called two-factor or multi-factor authentication (2FA).
2FA is typically two things, “what you know” (most commonly still a password) and “what you have.” The “what you have” is typically one of four things: an email with a one-time password (OTP), an SMS text to your smartphone, a vendor-specific app on your smartphone that prompts you to approve a login to your account, or a specialized authenticator app on your smartphone that shows an OTP that rotates every 30 seconds. This is a good advancement from a security perspective, but let’s cover why three of these options are not as good as the fourth.
Email
A one-time code sent to your email is only as good as the protection on your email account. Let’s say a bad actor wants to gain access to your bank account, but your bank sends an OTP to your email and your email does not have 2FA. All the attacker has to do is compromise your email account first; then, when they log in to your bank account, they can intercept the email with the OTP and continue to log in. Since most email is now cloud based, the attacker does not even need access to your computer or phone.
SMS Text
The second option, SMS to your cell phone, is a good step up from email, although still vulnerable to compromise. Hackers can use a method called SIM swapping (often called SIM card hacking), where the bad actor, using phishing methods, convinces your cell phone carrier that they are you and has the carrier move your cell phone number to a phone they control. From there, they can log in to your bank and receive the SMS text on their phone instead of yours. However long it takes you to notice is the window of time the attacker has to complete the compromise.
Smartphone App
If a vendor or provider already has a smartphone app, then, after you log in to your account with your password, the vendor will send a “push” notification to that app on your smartphone. If your phone has notifications turned on for that app, the app will pop up on your phone asking you to approve this login. This, in principle, is a very secure method. However, we have seen numerous cases where users still approved this notification even though they were not the person logging in to the account. Be diligent in approving notifications on your phone. These should only arrive when you are logging in to the app, or if you happen to be on the phone with the vendor. If the latter, make sure you were the one who called them for support rather than receiving an unexpected call from them out of the blue. We have seen many cases where someone claiming to be from Microsoft has called a customer asking to get on their machine or to be given the OTP. Microsoft will never initiate an unsolicited call to you.
Authenticator App
The last “what you have” option is a third-party authenticator app. As of today, these are the most secure of the 2FA methods; so, whenever possible, use this option. Google Authenticator and Microsoft Authenticator are the most common of these apps and are free on both Google Play and Apple iOS. In this setup, you log in to your account with your username and password and then provide the OTP shown by the authenticator app. Since the app is only on your personal smartphone, unless you give this code to someone else (which is never recommended), it would be very difficult for an attacker to circumvent this login method.
Going Passwordless: The Future
So, how do we avoid the risks? Stop using passwords.
The newest form of security is passwordless. This is still a multi-factor authentication but moves away from passwords as one of the primary options. Let’s review a couple of these.
Windows Hello comes on all Windows 11 computers and can be used with Microsoft Entra ID (formerly Azure Active Directory). This technology allows a user to sign in to their device using biometric data or a PIN (personal identification number) instead of a traditional password. It provides enhanced security through phishing-resistant 2FA and built-in brute-force protection.
PIN
You might be wondering, how is a PIN more secure than a password? A PIN is unique to each device you set up. The attacker in this case must have the device (“what you have”) and the PIN (“what you know”). A password, by contrast, can be protected with 2FA as we mentioned above, but it remains more vulnerable to being breached, either through an attack on the cloud vendor or through phishing aimed directly at you.
Biometric Login
If you are able to set up your device to receive biometric data (typically through the webcam), this method is even more secure, since it requires you to be physically at the machine to log in.
Face ID is Apple’s version of this technology. It uses a mathematical representation of your face, which is encrypted on the device (meaning it cannot be copied), combined with a passcode, similar to the Hello PIN, that is specific to your smartphone. In addition to facial recognition, biometric data such as fingerprints or eye (retina or iris) recognition can also be used to verify a user’s identity.
Conclusion
As you move forward in your digital security journey and vendors make these technologies available, please take the time to set up either 2FA or a passwordless technology, and hopefully we can sunset World Password Day in the future or rename it World Security Day!
It’s all very complicated and there is a lot involved, so if you are not sure how to set up 2FA for your business or school, or would like a complimentary consultation on your current cybersecurity, we are happy to help. Simply click on one of the links below to submit a request or Book a Meeting with me directly to learn more about how to stop using passwords.
Brian Hess
President, Spera Partners
For Businesses: https://sperapartners.com/business-solution-complimentary-consultation/
For Schools: https://sperapartners.com/Complimentary-Consultation/
For more information about Spera Partners’ cybersecurity services, visit us at https://sperapartners.com/cybersecurity/