Passwords appear increasingly obsolete in today’s cybersecurity landscape. Last year, the Colonial Pipeline — a vast network spanning from Texas to New Jersey — experienced a ransomware attack that forced the shutdown of its operations for several days. President Joe Biden declared a state of emergency, with experts deeming the attack a national security threat.
Within two days, Verkada, a cloud-based surveillance camera provider, fell victim to a massive cyberattack and hackers gained access to approximately 150,000 cameras. The shocking part? These breaches were not a result of advanced hacking techniques or sophisticated cyber criminals. Instead, they were each due to negligent security practices that left passwords exposed.
Since their inception in the 1960s, passwords have been a staple of online security. Despite their ubiquity, however, they are fallible. Today, research shows that attackers using a brute-force attack can crack six-character passwords — even those with a mix of numbers and symbols — almost instantly.
Irrespective of their fragility, traditional passwords are still popular due to their simplicity, familiarity and compatibility with a range of users and devices. The recent wave of password attacks prompts a critical question, however: Can legacy passwords adequately safeguard today’s sophisticated technologies? Let’s explore.
What Is a Passkey?
A passkey is a password-free method that uses a pair of cryptographic keys: a public key stored by the service provider (apps and websites) and a private key stored on the user's device. When you sign in, your device verifies your identity locally and then uses the private key to sign a one-time challenge from the service, which checks that signature against the public key it holds before granting access. Passkeys show great promise in minimizing brute-force attacks and thwarting bad actors. Better yet, passkeys can be synced between a user's devices, which also expedites account recovery.
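The challenge-response flow described above, as an added example that is not part of the original article: the service keeps only a public key, the device keeps the private key and signs a fresh challenge, and the service verifies that signature. The names (RelyingParty, Authenticator, "example.com", "alice") are constructed for illustration, and a real passkey login (WebAuthn/FIDO2) adds origin checks, signature counters and authenticator attestation that this model omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// RelyingParty is the service; it stores only public keys, so a database dump yields nothing to brute-force.
type RelyingParty struct {
	ID      string
	PubKeys map[string]ed25519.PublicKey
}

// Authenticator is the user's device; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// Register creates the key pair on the device and enrolls only the public half.
func Register(rp *RelyingParty, user string) *Authenticator {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // fails only if the OS RNG does
	rp.PubKeys[user] = pub
	return &Authenticator{priv: priv}
}

// signedData binds the challenge to the service's ID (simplified WebAuthn
// shape) so a signature produced for one site is useless against another.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Assert is the device's proof of identity: a signature over the fresh challenge.
func (a *Authenticator) Assert(rpID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(rpID, challenge))
}

// Verify checks that proof against the public key enrolled at registration.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.PubKeys[user]
	return ok && ed25519.Verify(pub, signedData(rp.ID, challenge), sig)
}

func main() {
	rp := &RelyingParty{ID: "example.com", PubKeys: map[string]ed25519.PublicKey{}} // constructed sample
	dev := Register(rp, "alice")
	challenge := make([]byte, 32)
	rand.Read(challenge) // one fresh nonce per login; an old signature cannot be replayed
	fmt.Println("login ok:", rp.Verify("alice", challenge, dev.Assert(rp.ID, challenge)))
}
```

Because nothing reusable is sent over the wire or stored by the service, a leaked database or a replayed signature gives an attacker nothing to log in with.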
Why Are Passwords Unsafe?
Even though setting a password has become standard practice, every other password hack reveals the same disturbing truth — we haven’t moved past “1234”, “qwerty” or “PASSWORD.” For example, an intern at SolarWinds used “solarwinds123” as the password for a file server, which a researcher on the internet subsequently exploited.
Users tend to choose weak and predictable passwords, failing to realize that about 24 billion credentials are already available on the dark web. Reusing passwords across personal and work accounts, sharing passwords on spreadsheets across departments, storing sensitive data in plain text and using weak hashing algorithms are other poor password practices that can negatively affect security.
Unless you use a complex password and change it regularly, there is always going to be a residual risk. Even after opting for secure passwords, users must deal with the hassle of memorizing them. These roadblocks call for an authentication mechanism that can eliminate passwords altogether.
The Evolution From Passwords to Passkeys
Over the years, multi-factor authentication (MFA), advanced encryption standards and biometrics have been introduced as new layers of security to bolster passwords. MFA did not eliminate the use of credentials, however, and biometrics had its own limitations in terms of privacy, flexibility and accessibility. Meanwhile, encryption did not address the issue of identity authentication.
The security industry — backed by tech giants like Microsoft, Apple and Google — is signaling a gradual move towards passkeys. On the other hand, passwords are still very much entrenched in today’s cybersecurity ecosystem. Until an authentication evolution takes effect, cybersecurity leaders should seek to strengthen their password posture as much as possible.
Preparing for a Password-Free Future
The good news is that you can easily accomplish this with a few extra steps. Setting very strong passwords, for example, is crucial for protecting your accounts. Further, password manager tools like Keeper Security and 1Password rescue users from the daunting task of remembering their credentials by encrypting and storing passwords securely.
Additionally, two-step authentication is a must-have. This security measure entails two essential steps: entering your password and then entering a one-time code that only you can access. By adding this second layer, two-step authentication offers enhanced protection if your password is compromised.
Businesses wanting to move into the modern era can consider passwordless technology like biometrics and passkeys. In doing so, however, carefully evaluate how this will integrate with existing systems. Whether we like it or not, users are accustomed to today’s password paradigm. Therefore, any new authentication solution must be carefully developed with acquisition, enrollment and account recovery in mind.
The best advice is to assess your organization's authentication needs, conduct a thorough evaluation of solutions and opt for those capable of satisfying your security concerns. For instance, unified endpoint management (UEM) not only enforces strict password policies but also provides additional security measures to protect your network, applications and devices. UEM tools help to remotely monitor, manage and control enterprise endpoints, enabling you to streamline your security practices.
Whether setting strong passwords or exploring passwordless alternatives, it’s incumbent upon cybersecurity leaders to proactively protect their endpoints. In an ever-more dangerous threat landscape, your data is worth it.