The first Thursday of May each year is World Password Day, a brief occasion when internet users are supposed to mull over each and every password they’ve created and ask the question, “Is this really strong enough?” Unfortunately, as more than 1m passwords are stolen each week and 81% of cyberattacks rely on these lifted credentials, the answer is usually a resounding “no”.
Alphanumeric passwords have never evolved beyond being a potential threat to the security of email and social media accounts. Worse, they’re used in their most basic forms even in business, health services, and government sectors. The great irony is that passwords can be safe. It takes about 7 quadrillion years to crack an 18-character password made up of numbers, symbols, and both upper- and lower-case letters.
The problem is that millions of people still use the password 123456. Even if we extend that password all the way to ten numbers, it can still be broken instantly by hackers running software found online. These are the tools we use to secure our online life. The Ponemon Institute indicates that the reason passwords are so weak is that only 63% of people believe in the importance of securing personal devices.
Put another way, the password could be doomed through no fault of its own, although there are plenty of other concerns. We’ve already seen shades of this in developments like 2-factor authentication, fingerprint and iris recognition on mobile phones, and USB hardware keys that work much like their steel counterparts.
An emerging solution to password woes involves the use of an identity provider. What is an identity provider (IdP)? These services act as a secure repository for the details of large groups of people, whether that’s customers or employees. While some passwords are still involved, authentication attempts are routed through an identity broker, which provides an additional defence against unauthorised access. Identity providers often use secure access methods such as biometric security, too.
This kind of product is generally provided by a cloud-based operator. Think of it like an exclusive but adaptable guest list. The benefits of an identity provider apply especially to customers, as new credentials can be offered based on information that is already held, rather than what the client chooses to input. This could be a boon for users of government services, in particular.
Beyond that, Microsoft already plans to eliminate passwords altogether in favour of biometric security. There’s also a (mercifully) niche movement to implant RFID chips in workers’ hands so that they can serve as a living key to all their important things. It’s an obviously difficult sell, as it raises questions about privacy, bodily autonomy, and other hot-button issues.
Overall, the password has to go, but there doesn’t seem to be any agreement yet regarding its successor. However, there’s a clear movement towards using the body as some kind of access control, whether that’s fingerprints, retinas, or other uniquely identifying features. It’s hard to escape the dystopian connotations of having microchips placed under our flesh so that we can open doors, though.