Improving security by saying goodbye to passwords. We explain how. | SEIDOR

August 23, 2023


Passwords are a basic element of our digital world. However, they can also be a source of endless frustration and difficulties.

We're sure you're familiar with this situation:

  • Incorrect password. Please try again.
    • Click on "I've forgotten my password".
  • Please enter a new password.
    • You enter a new password.
  • The password entered is the same as a password you've previously used. Please try again.

The history of passwords

The use of passwords goes back a long way:

In the Bible. In chapter 12 of the Book of Judges, during the chaos of the battle between the tribes of Gilead and Ephraim, the soldiers of Gilead used the word "shibboleth" to detect their enemies, as the soldiers of Ephraim pronounced it somewhat differently in their dialect.

In literature. The classic story of Ali Baba and the Forty Thieves was written by French orientalist Antoine Galland in the eighteenth century. The invocation "Open, Sesame!", used in the story to open a cave that has been sealed with magic, is still used to this day.

Nowadays, passwords are an essential component in the field of modern security.

  • The first digital password. In 1961, MIT computer science professor Fernando Corbato created the first digital password to solve the problem of multiple users sharing the time-sharing computer he had built. Each user needed private access to the terminals. The solution? Give each user a password.
  • Password overload. Today, we use passwords for almost everything. We each have an average of more than 100 passwords, and often share them with family, friends or co-workers (do you hear that, Netflix?). Trying to remember them all can be exhausting.

Let's be honest, passwords can be a real nuisance.

Firstly, passwords are only effective if users take them seriously. This means that secure, unique passwords should be used for each service. Not only that, but they should also be updated periodically and used alongside advanced security options such as MFA (Multi-factor authentication) wherever possible.

But of course, we don't live in a perfect world. Users do not usually have time to manage their passwords correctly. Companies can make mistakes. Accidents can occur.

I think we can all agree that any mechanism that only works under perfect circumstances leaves a lot to be desired. Passwords were very useful in their day, but it's time to replace them with a more secure and practical alternative.


Growing consensus

This is no minority opinion, but rather a perspective shared by the vast majority of IT professionals. In 2020, a LastPass survey revealed that 95% of IT professionals believe that passwords represent a security risk for their organisation.

Several bad practices were highlighted, ranging from using weak passwords and reusing old passwords, to failing to change the default credentials shipped with apps and devices. How many of you have changed the password on the router your phone company gave you?

We're not surprised. As mentioned above, the use of passwords goes back to a time when the shared use of large computers was booming and academics were competing for access to mainframes the size of a fridge. These users needed a secure place to store their files, data and applications, so Professor Fernando Corbato set up a system in which each user had a username and password.

Corbato's idea of using unique credentials for each user has been used ever since. Over the decades, security professionals have tried to patch the flaws in the system by introducing new measures and standards.

Companies started storing a hash of each password in their database instead of the plain-text password, so that an attacker who accessed the database could not read the credentials directly. Credentials were also encrypted when they had to travel across the network. Before the widespread use of SSL, an attacker could connect to an insecure Wi-Fi network and, with open source tools such as Wireshark, capture network traffic and obtain credentials and session cookies.

While these measures mitigate the problem to a certain extent, they do not address the problems intrinsic to passwords. Before the arrival of modern identity management measures, such as multi-factor authentication (MFA) or single sign-on (SSO), nothing prevented an attacker from simply guessing a password. Nor do they help against credential stuffing, which reuses credentials leaked or stolen in an earlier attack, since many users unfortunately use the same credentials across multiple services.

This should not be interpreted as an attack on users for their negligence; passwords were simply not designed for their current use in networked systems and applications, which is both massive and generalised.

It's fair to assume that many users seek simplicity, which can result in the use of weak passwords and passwords which are reused for multiple services. There are a number of problems intrinsic to passwords that cannot be resolved easily with cryptography.

  1. Short passwords are easier to remember, but also easier to guess. Many people still use "password" or "123456" as the password to protect their confidential data. Passwords that are weak or easy to guess are more common than you might expect. A recent study by the NCSC found that around one in six people use their pets' names as their passwords, making them highly predictable. To make things worse, these passwords tend to be reused in several places: One third of people (32%) use the same password to access different accounts.
  2. Longer passwords are more difficult to crack, but also more difficult to remember. Passwords were never designed for the large-scale use we see today. Human brains are simply not built to remember long strings of letters and numbers, so we will always choose the simplest option.
  3. Even the most complex and unique password a user can create is worthless if a company does not store the credentials correctly. When it comes down to it, companies depend on the user's correct use of credentials, and users, in turn, depend on proper protection of the services they use.

A brief summary of attacks against passwords

  • 1962: The first known breach occurred when an MIT researcher printed out access passwords and shared them with other users.
  • 1966: Also at MIT, a software error caused anyone who started a session on one of its systems to see all of the user passwords. At this early stage of the history of passwords, ethical hackers were more interested in exploring and testing computer systems than in criminal activities.
  • The 1970s: The first bad guys start to appear. Some thought it was all a joke, but in the meantime, "phreakers" (phone hackers) were already making free long-distance calls by breaking into phone systems.
  • 1988: The infamous Morris worm infected 6,000 computers on the network, a malicious attack designed to spread. Throughout the decade, the first multi-factor authentication (MFA) mechanisms appeared, mainly for use in the recently created remote access VPNs.
  • 2012: LinkedIn suffered a "data breach" in which hackers managed to access user passwords. It is considered the first socially engineered computer attack and made use of the "Rainbow Table" attack.

The 5 key attacks against passwords in the present day

The sad reality is that many of the tactics used in those early days are still being used to compromise password security to this day. In addition, the criminals evolve alongside technology, and attacks have become increasingly sophisticated. The final result, however, remains the same. In this new digital age, losing security credentials, or putting them at risk, is an absolute nightmare. Unauthorised access to a system can result in serious financial consequences, legal liabilities, sanctions, and reputational damage.

  • Phishing: This is currently one of the most common password theft techniques. It uses social engineering techniques, and its success is based on deceiving the victim so that they disclose confidential information.
  • Social engineering: This term typically refers to the process of deceiving users to believe that the hacker is a legitimate agent, and is based on the psychological manipulation of people so that they carry out actions or disclose confidential information. A common tactic is for hackers to call a victim pretending to be from technical support, and then request their credentials to access the network in order to help them.
  • Brute force attack: This combines different hacking methods based on guessing the passwords used to access a system. Most of these attacks use some type of automation, which allows large numbers of passwords to be tried against a system.
  • Dictionary attack: This is a slightly more sophisticated form of brute force attack. It uses an automated process to access the system, fed with a list of the most common passwords and passphrases. This password dictionary is usually built from previous breaches, and typically contains the most commonly used passwords.
  • Rainbow table attack: Whenever a password is stored in a system, it is usually protected with a hash, which makes it impossible to recover the original password directly from the stored value. To get around this, hackers maintain and share tables that record passwords alongside their corresponding hashes. These are often created from previous attacks, and they reduce the time it takes to break into a system. They are used in brute force attacks.
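As an added illustration of the hashed-storage and rainbow-table points above (example code written for this page, not SEIDOR's), the following Python contrasts an unsalted hash, which a precomputed table of common passwords matches instantly, with per-user salted PBKDF2, where the same password produces a different stored digest for every user. The candidate password list is constructed for the example.

```python
"""Why hashing alone does not stop rainbow-table lookups, and why a
per-user salt plus a slow key-derivation function does."""
import hashlib
import hmac
import os

# Constructed stand-in for a rainbow table: a real one is far larger,
# but the lookup principle is identical.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "fluffy"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256: the same password always gives the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute digest -> password once; reusable against every stolen database."""
    return {unsalted_hash(p): p for p in candidates}


def crack_with_table(table, stored_digest):
    """One dictionary lookup recovers any password present in the table."""
    return table.get(stored_digest)


def store_salted(password: str, salt: bytes = b"", iterations: int = 200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256, the usual shape of modern password storage."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_salted(password: str, record) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_records_collide(password: str) -> bool:
    """Two users with the same password should NOT share a stored digest."""
    _, _, d1 = store_salted(password)
    _, _, d2 = store_salted(password)
    return d1 == d2


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print(crack_with_table(table, unsalted_hash("fluffy")))  # instant hit
    print(salted_records_collide("fluffy"))                   # no shared digest
```

Because every user's salt differs, an attacker would have to rebuild the table per user, and the iteration count makes each attempt slow.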

Conclusion

Traditional authentication, requiring a username and password, has been the basis of digital identity and security for more than 50 years. Today, with the exponential increase in user accounts, this mechanism is facing new problems. These problems include the correct management of user credentials, the costs of support services and, most importantly, security risks posed by compromised credentials.

These new challenges far outweigh the benefits of passwords, so the option to delete passwords from authentication mechanisms is gaining ground every day.

In short, we know that passwords are the Achilles' heel of IT security, and that the only solution to combat their weaknesses is to increase the use of encryption techniques.

The time has come for serious reflection, and to make the move towards new authentication mechanisms that, in addition to being more secure, improve user experience (UX).

Passwordless authentication is already a part of our reality. You most likely use non-password technologies in your daily life, such as Apple's Touch ID and Face ID or Microsoft Hello. At work, you can often log in with a fingerprint or smart card, or use token-based authentication, in which you prove your identity by generating a one-time password (OTP) in a mobile application.
