Does the password still have a future? [Q&A]
The death of the password has been predicted for a long time, yet despite increased adoption of biometrics, passkeys and other newer technologies, passwords still underpin much of our day-to-day security.
We spoke to Darren James, senior product manager at Specops Software, to discuss passwords, whether they still have a future and where authentication is heading.
BN: Most of us still reuse passwords -- although we know we shouldn't -- why is it so dangerous?
DJ: We have so many passwords to remember today, for both personal and professional use, that it's easy for any of us to fall into the trap of reusing the same password across multiple systems. The issue with this is that even if it is a long/strong password, it only takes one website to store it insecurely; they then get breached and that amazing password, usually along with many of your other details, is then leaked onto the internet. Threat actors know this is a common behavior and then use credential spraying attacks to try to log in to as many systems as possible with that stolen username and password combination, and before you know it your identity has been stolen.
BN: Is it possible to create a truly safe password?
DJ: All passwords are eventually 'crackable' given enough time and computing power, but if it takes three billion years to do it, you probably won't care too much by then. Ultimately a strong password comes down to length and complexity, i.e. the types of characters, e.g. upper, lower, digit, special and Unicode (don't worry too much about the last one, as those don't exist on many keyboards). Of course, a long (15+ characters), complex password is great, but you might have trouble remembering or typing it, so increasingly we are seeing the adoption of passphrases as opposed to passwords. These are typically just long, but non-complex passwords. There's no hard and fast definition, but the NCSC, UK Government, have been using the mantra of Three Random Words for some time now. The idea is not to use a well-known sentence, e.g. maytheforcebewithyou, but instead to use three words that mean something to you but nothing to anyone else and put them together. Maybe separate them with a special character or deliberately misspell one of them to give it a bit of extra spice!
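A worked illustration of the length-versus-complexity point made in that answer, added here as an example and not part of the interview: it estimates the search space of a random character password versus a random-word passphrase and the worst-case time to exhaust it. The guessing rates, word-list size and sample passwords are constructed assumptions, not figures from the interview.

```python
import math
import string

# Character classes as the answer enumerates them: upper, lower, digit, special.
# Unicode is deliberately left out, as the answer suggests.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),  # 32 printable ASCII symbols
}

def charset_size(password: str) -> int:
    """Alphabet an attacker must search, inferred from the classes actually present."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))

def password_bits(password: str) -> float:
    """Search space of a password drawn uniformly from that alphabet, in bits."""
    return len(password) * math.log2(charset_size(password))

def passphrase_bits(word_count: int, wordlist_size: int, extra_bits: float = 0.0) -> float:
    """Search space of N words picked uniformly from a list of known size; extra_bits
    credits an unpredictable separator or deliberate misspelling (an assumption)."""
    return word_count * math.log2(wordlist_size) + extra_bits

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guessing rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def compare(online_rate: float = 100.0, offline_rate: float = 1e10) -> dict:
    """Constructed comparison: a rate-limited online login versus an offline attack on
    a leaked hash (both rates are assumptions). Returns {label: (bits, online_years, offline_years)}."""
    samples = {
        "8 chars, all four classes": password_bits("Tr0ub4d&"),
        "15 chars, lowercase only": password_bits("abcdefghijklmno"),
        "15 chars, all four classes": password_bits("Tr0ub4d&Xq9!mL2"),
        "3 random words, 7776-word list": passphrase_bits(3, 7776),
        "3 words + separator/misspelling (~8 extra bits)": passphrase_bits(3, 7776, 8),
    }
    return {
        label: (round(bits, 1), years_to_exhaust(bits, online_rate), years_to_exhaust(bits, offline_rate))
        for label, bits in samples.items()
    }

if __name__ == "__main__":
    for label, (bits, online, offline) in compare().items():
        print(f"{label:48s} {bits:6.1f} bits  online: {online:12.3g} y  offline: {offline:12.3g} y")
```

Fifteen lowercase letters already outscore eight characters from all four classes, which is the passage's point; the three-word line also shows why an offline attack against a leaked hash, rather than a rate-limited login, is the case a passphrase has to survive.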
BN: There have been some high-profile breaches involving password managers recently. Is it still better to use one?
DJ: As I mentioned above, we all have a lot of passwords to remember, so a password manager will help alleviate that pressure, but as you have mentioned, confidence in the security and privacy of password managers is a genuine concern. Personally, I would still recommend their use; however, you do need to keep an eye on the solution you have selected, make sure that you update it when required, and make sure that your "master password" is a strong one.
BN: Why are passwords still refusing to go away?
DJ: This answer is simple: despite all the problems associated with passwords, you can't deny that everyone, from a toddler using a PIN code to a senior using their grandchild's name, understands how passwords work. It's the oldest and simplest form of authentication and is very inexpensive for developers to implement; they also work globally and have zero upfront cost (although financial damage due to breaches can be significant).
As new forms of authentication become more commonplace, we will see password use decline, but many of these replacement systems still fall back on, you guessed it, a password or a PIN, so they'll be with us for some time to come yet.
BN: Will we ever reach a genuinely passwordless future?
DJ: I truly hope so, but until we can make alternative authentication systems more robust and accessible, e.g. flexible MFA, we will still need to have passwords. There are still huge differences in the hardware, operating systems and devices that are being used, so creating a new secure authentication system that can work across them all is a big ask. We've seen some progress with the push for Passkeys in the consumer space and the FIDO Alliance; it's early days, and adoption is slow, but we're keeping an eye on things for sure.