This looks like a no-brainer and depending on your stance on security, the answer might be yes or no. The answer may also vary depending on the situation. Let’s look at this from the point of view of consumers or users of software systems.
What are passwords?
Nowadays, with much of our life being online, we use multiple systems to fulfill our different needs and wants. Each system will have their own username and password. Almost every site or app you use will require you to log in. A study has found that the average person has over 100 passwords. In simple terms, a username and a password create an identity for yourself to identify in the digital world. Usernames are not secrets, per se but unique to the site or app you are using. It can be an email address or a name for instance. Whereas a password is strictly private and should not be shared.
Having username and password together will be sufficient to access resources which are secured. Hence it is a must to secure your password to protect your resources from hackers.
The Yubico study indicates that most enterprises, around 59%, still use username and password as their only login option when logging in to applications. While this is worrisome, on the other hand also understandable.
The first problem is the sheer number of accounts that we currently have. The Covid Pandemic has increased the number of accounts with twenty-five percent. All these accounts have a user ID and password. The user ID is often the same, i.e., an email address or combination of first name or surname. Due to data breaches some passwords have been exposed with the associated usernames – these are treasure troves for hackers.
There are multiple usernames and passwords that you need to remember, as you may have multiple user accounts to access different services.
This has made people use the same password over and over for multiple accounts and some make simple passwords which are easy to remember based on their birthday or favorite person’s or pet’s names.
Research has found that people tend to repeat a pattern when setting up new passwords and majority prefers to keep their old password without renewing it.
A password manager can help you manage and maintain strong passwords, but it adds another step to the login process and often there maybe additional costs associated.
The other problem is that hackers too have several tools at their disposal:
- Lists of already disclosed passwords and usernames.
- Scripts and software for causing brute force and dictionary attacks
- AI systems capable of guessing your passwords
- Methods to hack browsers to steal your browser cookies and storage information
The browser is a vulnerable place to store passwords of your daily accounts.
Not to mention the cost of resetting passwords which is also considerable.
Due to all these facts, we must re-think…. Are Passwords secure in real life?
Why could passwords be easily compromised?
Not all passwords are as completely vulnerable. A password is a set of characters. The more characters and more options (uppercase, lowercase, numbers, special characters) the more time it will take for a so-called brute force attack to guess the password. This table from Hive Systems says it all:
Mind you, this is when unlimited attempts are allowed and utilizing specialized hardware. But nevertheless, passwords are not as secure as you think.
If the system is not having enough security policies like account locking after 3 or 5 invalid login attempts, re-captcha, and standard password policies like having uppercase character, lower case character, special character, a number and minimum of 4 to 8 characters, then, as you can see, it is likely that a hacker can retrieve your password in less than an hour.
Some passwords are easily guessable. Due to poor memory of human beings, people tend to repeat the same password or use simple passwords for all their accounts. Qwerty is such an example as well as zaq1!QAZ which looks safer but is not! (look at your keyboard).
Also not too safe is the use of single passwords for multiple accounts. If one password is compromised, then all the accounts will be compromised. It is quite simple to create a script that will try username as a password on several well-known sites automatically.
Are there better options than Passwords?
Due to all these above reasons caused by human vulnerabilities, today many system developers tend to move away from passwords. Instead, there has been many new ways of account logins, that have been introduced. Also, because not every device has a full-blown keyboard (like a tv set or gaming console). Here are some of the other options you can have instead of your typical username and password option.
Login with OTP
At present, the email and the mobile number are considered as your unique identity. People do not change their personal mobile number as frequently as before. Hence, in this situation the user is allowed to enter either the pre-registered email address or mobile number for the login and receive an OTP (One-time code) to the mode of notification picked. Once valid OTP is entered, the system will automatically log the user and the authentication will be successful. This is a setup that can be used for TVs and gaming consoles as well. But if you lose your mobile phone there is still a chance of vulnerability which is lower than losing a password.
User does not need to remember a password. Having his mobile phone with him is the only requirement. This makes end user’s life free of forgetting passwords.
Login with Magic link
In this option, instead of an OTP the host system will send a one-time link to your email address. When you click on it, you will be successfully authenticated to the system. Here also, if you compromise your email, or mobile phone – then there is a risk involved. But it is still better than losing password. The mobile phone often also has a password, pin code or facial recognition so losing the phone does not automatically mean that hackers have access,
Here also, user does not need to remember a password. Having the email open with is the only requirement. This makes a user’s life free of forgetting passwords.
Login with push notification
Many systems at present have their own mobile apps for example financial solutions and government solutions. The more sensitive the data, the more likely it is that something like this is in use. They will use this app to send a push notification to be accepted by the user. Upon user acceptance, the user will be authenticated. This is far more secure than passwords. Mobile app itself will be secured by biometrics of your mobile device. Therefore, it has double protection compared to passwords (i.e., Authenticators from Microsoft or Google).
User does not need to remember a password. Having his mobile phone with him and keeping the mobile app installed are the only requirements. This makes a user’s life free of forgetting passwords.
By looking at all these options, keeping your passwords to yourself is no more the best option to secure your resources. It is best you think of other alternatives to secure your information.
How to increase the security of Passwords?
If you not satisfied with other authentication options and still insist on using passwords, then you MUST enable security precautions in your system like:
- Account locking after 3 invalid logging attempts. If the system is financial related, then the locked account should only be unlocked by the ADMINISTRATOR
- Enable Re-Captcha after invalid second login attempt
- Tweak Password History settings to stop password reuse/prolong rotation.
- Enable advanced password policies when creating passwords – i.e., increase the character length up to 8 to 12
These precautions will help minimize the user’s suffering due to passwords getting compromised.
In the next two blogs we will look at more secure forms of authentication to be used on top of passwords.
Use Multiple Factor Authentication (MFA) along with username and password authentication
This will do a second step of SMS OTP or push based notification or Device based authentication to double check that the user who is entering the password is the original owner of the device. This will not compromise your system over a password and secure your information from attackers. You can read more about Multifactor Authentication in our second blog.
To provide better user experience enable Adaptive Authentication with MFA
Always giving Multiple Factors during authentication will affect the user experience of the end users. To keep the balance between security and user experience, Adaptive authentication will come in handy. You can read more information on adaptive authentication in our third blog.
Conclusion. Are passwords safe?
Using only username and password for authentication is NO longer a secure way of authentication when we look at the current situation. Due to human vulnerabilities, it is recommended to go for other alternatives of passwords like OTP, Magic links and push notifications Or have multiple factors in the authentication flow along with password authentication to strengthen the security of your user account.