Will passwords ever be replaced?
Last updated May 2021 - estimated reading time 5 minutes
In 2004, Microsoft’s Bill Gates declared the death of the password.
Since then, we have seen security providers start to move toward passwordless authentication, using biometrics and contextual characteristics, to respond to growing password fatigue.
The bad news?
The battle has just begun.
Verizon’s Data Breach Investigation Report shows that ‘123456’ and ‘password’ remain some of the most commonly used passwords; 10% of people use one of the 25 worst passwords.
81% of breaches involve the use of weak, stolen or reused passwords.
Protect your passwords: If "123456" is always your password, it's time for a change.
“Passwords are vulnerable,” explains Danna Bethlehem, Product Marketing Director for Access Management Solutions at Thales. “People write them down, meaning they can be stolen, and they are easily hacked.”
More people can also access workplace information through the cloud, which, according to Bethlehem, is much easier to hack into.
How to protect passwords?
There are now many ways to better protect our passwords, involving biometrics, SMS authentication and physical security devices.
While SMS messages can notify the user of a login, hackers can circumvent this type of authentication by tricking phone companies into thinking that customers have activated their SIM card on another phone.
One-time passwords (OTPs) tend to be more effective, as codes are cryptographically generated based on a secret key created during account set-up and can also come in the form of mobile tokens to a smartphone or stand-alone device, such as a fob.
Time-based One-Time Password (TOTP) adds an extra level of protection. It changes after a set period, such as 60 seconds, for example.
However, with the average individual having 90 online accounts, entering unique passwords for each one can be inconvenient and impractical.
Biometric authentication combines improved security and user experience.
According to analyst Gartner, touch ID, which is already widely deployed in banking apps, is making its way into other customer and enterprise applications.
The analyst claims that 60% of large and global enterprises will have implemented passwordless methods by 2022.
To enhance security, organizations are now amalgamating approaches.
Looking at an individual's 'digital fingerprint' (the network, device and location of the user's device) means that when unusual activity is detected, such as logging in from an unexpected location, access is denied or a security alert triggered.
Geolocation, IP addresses (the device being used), and keying patterns can create a strong combination to securely authenticate users.
This type of anomaly detection adds context to what would otherwise be a yes/no security decision based on the correct password, token or fingerprint.
"Combining these types of adaptable, adaptive and contextual attributes with biometric capabilities that are native to the device, or with multi-factor authentication is a better way of validating identities," says Bethlehem.
"We are at an exciting point in time where many technologies are converging to enable secure passwordless authentication. I see this trend growing both in the consumer and enterprise space."
The story behind passwords
1961: Fernando Corbató introduces the first computer password while working at the Massachusetts Institute of Technology. The password was for a giant computer called the Compatible Time-Sharing System, which allowed multiple people to sign in. It was developed to limit the amount of time people could spend on the computer.
The 1970s: Cryptographer Robert Morris develops a one-way encryption function for his UNIX operating system (called Hashing) that translates a password into numbers.
2004: Bill Gates announces the death of the password, saying, "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems. They write them down, and they just don't meet the challenge for anything you really want to secure."
2013: Apple's Touch ID fingerprint scanner is first introduced with the iPhone 5S.
2016: Data for almost 360 million MySpace accounts is offered on the "Real Deal" dark market website, including mail addresses, usernames and weakly encrypted passwords.
2017: Microsoft announces four steps to a passwordless future where identity directories no longer persist with any form of the password.
2019: 770 million hacked emails and passwords are discovered by security researcher Troy Hunt who runs the website Have I Been Pwned.
2021: COMB, is the largest collection of hacked emails and passwords of all time leaked online with 3.2 billion records.
More on protecting your password, authentication methods and solutions
- Have you got data security fatigue?
- Passwords: It's time for a change (CNN)
- Create a more robust password (Google)
- German banks move away from SMS OTP (ZD Net - 11 July 2019)
- Learn more about biometric authentication (Thales web dossier)
- Discover multi-factor authentication solutions from Thales
- Behavioural biometrics in banking (for stronger authentication)
- Learn more about silent authentication
- Discover our 3-factor authentication smart token
- Passwordless authentication
- Future of identification