10:00 AM
Jake Madders
Will 2021 Mark the End of World Password Day?

We might be leaving the world of mandatory asterisks and interrobangs behind for good.

More than a quarter of us have used the words "password" or "qwerty" as our primary password at some point in our lives, according to Google. Even more alarming, six in 10 of us admit to using the same password across multiple online accounts, from email to online banking, and only a third of us bother to change passwords more than once a year. That's why World Password Day was created. In 2005, security expert Mark Burnett wrote a book called Perfect Passwords, in which he floated the idea of dedicating one day in the calendar each year when everybody should change their passwords.  

By 2013, the idea had really caught on and Intel ran with it, making the first Thursday in May the official World Password Day. In 2021, World Password Day falls on May 6, but is it still relevant in its current form?

From phishing scams to distributed denial-of-service attacks, malware to spyware, the security landscape is a lot more complex than it was back in 2005, or even 2013. Most individuals today have so many different online accounts that to devise and remember a unique and complex password for each one is near impossible. It's why so many of us now rely on authenticator apps and digital "vaults" in which to store our passwords, allowing us to simply remember one to unlock them all. This kind of innovation is good; however, it also leads to a creeping realization that the humble password may no longer be fit for purpose. So, what's next?

Has the Password Outlived Its Usefulness?
Bill Gates famously quipped that the password was dead back in 2004. His forecast might have been a little premature, but he was right when he said the traditional password cannot "meet the challenge" of keeping critical information secure. That's as true for businesses as it is for each and every one of you reading this article. As recently as 2018, more than 80% of all data breaches could be attributed to poor passwords. Businesses know this, which is why they're constantly encouraging employees to create ever more complex passwords, layering up password security with things like two-step and certificate-based authentication. But while these technologies might help to mitigate password vulnerability, they can't eradicate it. 

Password-Strengthening Technologies
Technology hasn't yet evolved to a point where we can do away with passwords altogether. Instead, we keep inventing ways of making passwords more secure, propping them up as a viable way in which to secure our data. Two-step authentication does exactly what it sounds like, requiring an additional step in the login process beyond simply entering a password. Once a user has entered the password, that person will be sent a text message with a unique code or be asked to generate one via an authenticator app, which is needed to gain access to their account.

This kind of multifactor authentication certainly offers an additional layer of security. It means that even if hackers crack your password, they aren't going to get very far without your mobile phone or access to your code generator. However, it's not entirely without flaws. For one, it makes the login process extremely tedious for the user, requiring additional hoops to jump through. It also creates an unwanted dependency on third parties, such as mobile service providers. What happens when a user is unable to receive their authenticator code via SMS because they're out of signal range or their operator's network goes down?

Risk-based authentication (RBA), which asks users to jump through additional hoops if they exhibit unusual login patterns, such as logging in from a foreign country or from a new IP address, has similar issues: it frustrates users and increases login times.

Certificate-based authentication recognizes humans as fallible guardians of their passwords and does away with them entirely, instead shifting the onus onto the network itself. A user or device can be granted network access for a set period until that access expires, and it's as simple as that. However, this is only useful in very specific circumstances and limits how and where employees can work.

What's Next?
As a society, we've invested a lot of resources into coming up with ways to patch over the password problem. Two-step authentication and RBA ease the symptoms of password vulnerability but don't fix the underlying issue. We've come to depend on these stopgap solutions because there's never been a viable alternative to passwords. That is, until now. We're beginning to see biometric technologies such as fingerprint and facial recognition go mainstream, and they might eventually replace passwords entirely.

Right now, I can pull my smartphone out from my pocket, unlock it by merely looking at it, and then access my banking app via my thumbprint to pay a bill or transfer someone some money. A decade ago, this user journey would have involved entering several passwords, and World Password Day would recommend I update those passwords frequently.

The thing is, no matter how convenient our technology becomes, passwords will always drag down the user experience to a degree, and it's for that reason we might soon be leaving the world of mandatory asterisks and interrobangs behind for good. 

Jake Madders, along with his business partner Jon Lucas, founded Hyve Managed Hosting in 2001. Since then, in his role as Director, Jake has facilitated the growth of Hyve from a small start-up to a hugely successful managed cloud hosting company with a global customer base. ...
