Just in case you didn’t write it down somewhere, and it slipped your mind, here’s your friendly reminder... today is World Password Day!
It’s getting hard to keep track of all these annual days of celebration. How are we expected to remember them all?
Fortunately, good news may be on the horizon as World Password Day – created by Intel in 2013 “to raise awareness about the role strong passwords play in securing all of our digital lives” – may be nearing its last iteration.
In an example of poor planning, this great day has clashed with another key mark of the social calendar – Star Wars Day (May the 4th be with you 😉) and now passwords are under threat from a galactic power.
More on that later, but in the spirit of World Password Day, let’s consider passwords’ use, usefulness, and potential now and in the times ahead.
The Humble Password
It’s commonly agreed that passwords were introduced in the 1960s by the ground-breaking Compatible Time-Sharing System (CTSS) project led by Fernando Corbató at the Massachusetts Institute of Technology (MIT).
Speaking to Wired in 2012, Corbató explained that “The key problem was that we were setting up multiple terminals which were to be used by multiple persons but with each person having his own private set of files. Putting a password on for each individual user as a lock seemed like a very straightforward solution.”
This simple answer proved to be just so, and in the nearly 60 years since their first use, passwords have become a familiar concept worldwide.
Old Dog, New Tricks
Passwords alone started to show weakness in their effectiveness as technology developed and daily lives became increasingly digitalised.
From email to online banking and social media to shopping websites, passwords were needed to protect important sensitive data stored on devices, applications, and the internet – but their ubiquity led to problems.
Many of us, faced with the challenge of remembering multiple unique passwords, cut corners, either recycling passwords across many accounts or using easy-to-remember passwords such as password or 1234.
Alongside this trend – undoubtedly viewing many potential opportunities to access sensitive and valuable personal data - cybercrime increased. According to Statista, the market and consumer data provider, the estimated cost of cybercrime worldwide grew from 0.86 trillion US dollars in 2018 to $11.5 trillion in 2023. This is expected to ‘skyrocket’ to $23.82 trillion by 2027.
These days phishing, social engineering, brute force attacks and many other strategies can be used to crack a password. Specialised software is readily available for hackers, and passwords are routinely leaked online in massive data breaches.
“To see if your data has been compromised in one of these breaches,” Intel said. “Check the website www.haveibeenpwned.com. If your email is there, change your password.”
Progress
A single password is just one way to secure an account. Including a second step in the security process makes it much harder for bad actors to breach it. Using this second step is called two-step or multi-factor authentication (MFA), and it’s a vital security measure to be turned on wherever possible. For critical accounts such as your email, banking, and social media, it’s essential, and should be mandatory.
Many websites and services incorporate MFA into their security process already, and after a password is entered (step one), a numerical code arrives by SMS (step two). Entering this code as the second stage of the process will give the user access to their account, but unlike PIN codes for a bank card or account, this is a one-time use code only, and another will need to be generated the next time you log in.
It’s common for accounts to allow an MFA app instead of SMS to verify access to a secure account by adding the second (of the multiple) factors. Again, the user enters a password as the first factor, and then the app creates a single-use code to input as the second factor.
In a sign of what’s to come, the FIDO Alliance – with leading companies Microsoft, Google, Apple, Amazon, Meta, and VISA represented at the board level – are an open industry association focused on promoting the development of, use of, and compliance with standards to help reduce the world’s over-reliance on passwords.
Under standards set by the FIDO Alliance, tangible security keys can also be employed as a second stage of the security process. As they don’t rely on an application’s notifications or an SMS, they’re regarded as the most secure method, with a Google case study showing, “There has not been a successful phishing attack against their 85,000+ employees since requiring use of physical security keys.”
Biometrics are another possible step to include in your security process. As Intel put it, “Rather than authenticating you with something you have (a Security Key) or something you know (a code), biometrics recognise something you are.” With the camera on your phone or computer, a scan of your face, fingerprint, eye, or voice can provide a personal way to access your data - helping those with poor memories.
In a galaxy far, far away
The news landed today – of all days – that Google has stated going forward, all users can access their Google accounts with passkeys, their cryptographic key solution (the announcement actually came yesterday).
Titled “The beginning of the end of the password”, their blog began as follows:
“For some time, we and others in the industry have been working on a simpler and safer alternative to passwords. While passwords will be with us for some time to come, they are often frustrating to remember and put you at risk if they end up in the wrong hands.
Last year — alongside FIDO Alliance, Apple and Microsoft — we announced we would begin work to support passkeys on our platform as an easier and more secure alternative to passwords. And today, ahead of World Password Day, we’ve begun rolling out support for passkeys across Google Accounts on all major platforms. They’ll be an additional option that people can use to sign in, alongside passwords, 2-Step Verification (2SV), etc.
So maybe by next year’s World Password Day, you won’t even need to use your password, much less remember it!”
Enough said; at least we’ve still got Star Wars.