People use weak passwords. Why? Despite best practices, annual trainings and numerous attempts to educate users on what a secure password looks like, most still use an insecure password simply because it’s easier. And I completely understand.
Password rules can be exhaustive and exhausting. Your password must contain at least eight characters, have uppercase and lowercase letters, numbers, and special characters, but you shouldn’t use an exclamation point because everyone does that. Don’t use dictionary words, dates, names or nicknames, and don’t add the number 1 at the end because everyone does that too. On top of that, you may be required to change your password every 30 days.
By the time one password trend is adopted, a new one surfaces. Suddenly everyone should be using 15-plus character passwords, which no longer need to be complex. The problem becomes universal adoption, which never happens.
Users must use a new password for websites and applications that have adopted the new standards while also maintaining old ones. Password vault companies have capitalized on this problem by providing a solution that protects all passwords by using one password to unlock them. The problem with this solution is that it puts all your eggs in one basket and relies on that one password never being compromised.
Weak passwords and demand for higher security led to the implementation of multifactor authentication, which requires not only a password but a one-time security code or a fingerprint. Microsoft, a leader in multifactor authentication, recently reported their technology had been compromised but suggested it is still the best protection available.
If passwords are leaving us vulnerable, then what is the answer? A future without passwords may be around the corner. Apple announced in June that iOS 16 and macOS Ventura will introduce a passwordless login for applications and websites. Instead of logging into websites and apps with passwords, you will be able to use passkeys. This could be the first major move toward eliminating passwords.
It works by using your biometrics, such as face or fingerprint ID, to create the passkey. Apple’s passkeys use end-to-end encryption, preventing even Apple from knowing them. The FIDO (Fast Identity Online) Alliance, a tech industry group, has been working on a way to store passkeys that sync between a user’s devices.
In May, Apple, Microsoft and Google declared their support for the FIDO standards. Adoption of a standard by tech giants will certainly make things more convenient for the end user and promote adoption. We should start to see this technology implemented over the next year or so. Ideally, once all the tech companies have rolled out their version of passkeys, syncing across devices and operating systems should be seamless.
Like most technology solutions, if it’s not easy or convenient, people simply won’t use it. Let’s hope that soon we will have a secure, easy-to-use solution that will replace the outdated, easy-to-compromise passwords of today. Until then, take a moment and evaluate your current passwords to make sure they are complex enough to protect your valuable data.