You might use your fingerprint or face to unlock your phone, or your smartwatch to log you into websites. You might not. Regardless, you likely are still using traditional passwords to access the majority of your online devices and accounts.
Passwords are shockingly easy to crack or guess, according to surveys by SplashData, Telesign, and Thycotic, as consumers fail to heed frequent warnings about weak or reused passwords. According to the Verizon 2017 Data Breach Investigations Report, more than 80 percent of hacking-related breaches rely on stolen or weak passwords.
Yet predictions of the traditional password’s imminent demise and replacement have proven to be beyond premature. Just like email for messaging, passwords are poised to remain the most common form of digital authentication for quite some time.
“They’re still the main form of online authentication because they are cheap, scale well, and don’t require a lot of technical expertise to implement, so they’ve been difficult to replace,” says Yaron Baitch, principal product manager at password managing company LastPass. And for many people, he says, passwords are “the only line of defense” against cyberattacks.
Many consumers and organizations, wary of complex implementation and maintenance, and comfortable with traditional password authentication, shy away from the added security of multifactor authentication methods, says Laurance Dine, managing principal for the investigative response team at Verizon.
“Alternatives to the traditional password,” Dine says, often “aren’t embraced due to reliance on old security policies, lack of general awareness of the market, time, or even the initial cost involved.”
Some tech and security prognosticators, having observed Apple’s success in getting iOS users to adopt the Touch ID fingerprint reader to unlock devices and app services, have pinned their hopes on biometrics, technology that uses a person’s unique physical characteristics, from his iris to his pulse to his fingerprint, to authenticate his identity.
Biometric authentication could solve many of the password’s woes, says Ryan Merchant, senior manager at password management software company Dashlane. The average American Internet user has at least 150 online accounts, each of which requires a password—and that number is set to double in the next five years, he says. But it introduces other challenges—like what to do about a hacked iris.
“If these are hacked, you can’t simply generate a new eyeball or fingerprint; they’re compromised forever,” he says. And “any replacement which is developed must work universally, as most consumers have a multitude of devices, apps, and operating systems.”
Once personally identifiable information has been compromised, as the Equifax breach revealed last week, consumers and organizations need to be more vigilant about—and pay more to avoid and confront—identity theft.
Greg Touhill, the former first chief information security officer for the U.S. Office of Management and Budget, estimated in March that the cost of maintaining identity management solutions for the more than 22 million government employees whose fingerprints and other personally identifiable information were leaked in the June 2015 breach of the Office of Personnel Management could exceed $1 billion. And while it’s still too early to gauge the full financial impact of the Equifax breach, the company has already lost an estimated $3.5 billion in market value.
Perhaps the strongest sign that the password is as far from extinction as the mosquito is that even the federal government appears to have thrown up its hands in frustration at the impact of password breaches. The National Institute of Standards and Technology published new standards just last month to advise people on creating better passwords.
Instead of choosing a long, complicated string of letters, numbers, and special characters, and changing that complex password frequently, NIST now advises using simple words or phrases, in common English, that are long but memorable, as recommended in a famous XKCD Web comic from August 2011.
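To make the contrast concrete, here is an added illustration (not code from NIST or from the article) that checks the same candidate password against a legacy composition rule and against a NIST-style rule set, and computes the entropy of a randomly chosen passphrase the way the XKCD comic does. The blocklist is a small constructed sample standing in for the breached-password list NIST says verifiers should screen against; the character substitutions and size limits are assumptions for the example.

```python
import math
import re

# Constructed sample blocklist (a real deployment would use a large
# list of breached and commonly chosen passwords).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}

def legacy_policy(pw):
    """Old-style rule: at least 8 chars with upper, lower, digit and symbol."""
    return all([
        len(pw) >= 8,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ])

def nist_policy(pw):
    """NIST-style rule: length 8..64, screened against a blocklist, and no
    composition requirements (forced periodic rotation is dropped as well)."""
    if not 8 <= len(pw) <= 64:
        return False
    # Undo the usual leetspeak swaps so "P@ssw0rd" is still caught as "password".
    normalised = pw.lower().translate(str.maketrans("@0$1!3", "aosile"))
    return pw.lower() not in COMMON_PASSWORDS and normalised not in COMMON_PASSWORDS

def passphrase_bits(num_words, wordlist_size=2048):
    """Entropy of a passphrase built from words picked uniformly at random;
    the XKCD example uses four words from a 2^11-word list, giving 44 bits."""
    return num_words * math.log2(wordlist_size)

if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "correct horse battery staple"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"nist={nist_policy(candidate)}")
    print("four random words from 2048:", passphrase_bits(4), "bits")
```

The leetspeak password satisfies the old composition rule yet is rejected by the blocklist check, while the four-word phrase fails the old rule and passes the NIST-style one.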
If NIST isn’t seeing a passwordless future, maybe consumers shouldn’t either.