6. 2. 2024

Safer Internet Day

February 6th is Safer Internet Day. The aim of this day is to raise awareness of a safer and better internet for everyone, and especially for children and young people.

Passwords in 2024? Well, no passwords!

Sad statistics

Passwords remain the alpha and omega of secure access to information systems, whether that system is an online marketplace, an internal company system or internet banking. However, the many media campaigns that try to raise awareness of safe password use, prompted by increasingly frequent intrusions largely caused by “weak passwords”, suggest that we will probably need much more than strict password policies or awareness campaigns.

A recent study by Keeper Security [1] pointed to the fact that 75% of all users simply ignore well-intentioned password security advice and continue to use weak passwords. Moreover, 64% use easy-to-guess passwords with only minimal variations. If this fact in itself were not enough, Bitwarden [2] published a study finding that 85% of users reuse the same password across different sites. This is grist to the mill for Internet attackers, who only need to obtain one of a user’s passwords and then try it on other services with a high probability of success. And if you think it can’t get any worse, at the very bottom of the scale of password “complexity” sits the most frequently used password of all, “123456”, according to a study by NordPass [3]. Of course, the second most common password, “password”, is no better.

So what should a secure password look like?

The topic of a secure password has long been debated and there is no absolutely clear consensus on it. One common recommendation is a password of at least 12 characters combining upper- and lower-case letters, symbols and numbers. This approach is not bad as such, and we can certainly generate a secure password this way, but the Microsoft TechNet blog explains that the complexity of a password (more precisely, its entropy) is calculated as log(C) / log(2) × L, i.e. L × log2(C), where C is the size of the character set and L is the length. Without a long examination of this formula, we can see that length enters it as a multiplier, so it dominates the complexity of the password as a whole. As an example, a 12-character password is 62 trillion times harder to guess than a 6-character password. In short: the longer, the better. We can show this effect with the following passwords generated by the password manager Bitwarden [4]. As the character set we use lower- and upper-case letters, special characters and numbers [5]:

  • 6-character password “8@vNMo”: guessable in 5 seconds
  • 8-character password “r%SpGa7X”: guessable in 8 hours
  • 12-character password “4k3msBF#7B**”: guessable in 34 thousand years
  • 16-character password “i&Ni$@mC$6mNJAT@”: guessable in 1 trillion years

And what kind of article about trends for 2024 would it be if we didn’t mention AI? Some specially trained AI models can predict, on the basis of contextual information, which passwords a person would create, and are surprisingly effective at it. Of course, the AI may not guess the password on the first try, but it narrows the set of candidate passwords, or suggests a set of likely passwords for the given user. In addition, AI can recover typed passwords just by listening to the sound the keyboard makes when the password is typed, with up to 95% accuracy [6].

As we have shown, creating a complex (i.e. long) and secure password is key if we do not want to become an easy victim of Internet fraud. However, users should also change this password regularly and always use a unique password for each service. Once we realize that there may be dozens of these services, this initially simple task can turn into a real nightmare. Here are a few tips and tricks that we can use today to manage passwords while still keeping them safe:

Use of password managers

This is a special class of programs that stores our passwords in a vault encrypted with our primary (master) password. We then only have to remember one password, which unlocks the password manager. The password manager takes care of generating passwords for us, filling them into forms and rotating them. The passwords it generates have high entropy, and there is no problem with passwords of 32 characters or more. In addition, these programs are now very user-friendly and offer extensions for all major operating systems, platforms and browsers. Many of them cost just a few euros, or are even free.

Of course, the use of password managers is not without risk, and even these companies can be hacked, as evidenced by the recent leak of email addresses from LastPass [7]. However, this risk is much smaller than the risk of using weak passwords or reusing passwords across different sites or services. In addition, we can eliminate this risk if we use multi-factor authentication (MFA).

Multi-factor authentication

In short, multi-factor authentication means always using at least two independent factors to log in. These factors currently include “something I am” (typically biometric authentication with a fingerprint or face), “something I know” (typically a password or PIN) and “something I have” (typically a grid card or mobile phone). The word independent is very important here: in that case, even if an attacker compromised your password (whether it was stored in a password manager or not), it would not help him, because he would not have the second factor. Today such login has become the de facto standard for banking systems and for confirming larger transactions. A classic case where MFA was absent was the recent takeover of the X (formerly Twitter) account belonging to the US Securities and Exchange Commission (SEC) [8].

So where is the password trend headed?

I would venture to say that if the above recommendations were properly followed, the vast majority of users would be safe from attacks aimed at misusing their passwords. However, we users are notorious for not following security measures; almost one third of us even feel overwhelmed by this information [1].

Security experts and the alliances that issue security standards have also begun to realize this, and a rather promising technology, Passkey, is appearing on the horizon [9]. Passkey is authentication without a password: it combines asymmetric cryptography with biometric verification. Put simply, a key pair is generated on the device and used to authenticate to the given service; biometric verification (e.g. a fingerprint on the phone) then “unlocks” these keys. The keys themselves are tied to the service/domain, so the procedure is resistant to phishing, because the authentication mechanism will not work for a fake domain/service.

Passwordless access represents a promising future for passwords and other security elements in the authentication process. However, the technology itself is in its early stages and its adoption is still rare. Nevertheless, I believe that it will gain sufficient traction and benefit from the so-called network effect.

As we have shown, relying solely on traditional passwords is simply not enough anymore. Innovations in the field of multi-factor authentication, password managers or the emergence of passwordless technologies such as Passkey show us the way forward.

It is important that we as users embrace these new forms of security and realize that the protection of our digital identities is in our hands. Using strong, unique passwords, relying on password managers and enabling multi-factor authentication should be staples of our digital habits in 2024 and beyond.

However, despite technological progress and the availability of advanced security tools, the most important element is still the user – you. Your decisions, your willingness to adapt and your vigilance are key. Technologies like Passkey and MFA can give us tools, but without your active participation and engagement, their potential will remain untapped.

Remember that cybersecurity is not just about protecting data, it’s about protecting our digital identity and privacy. We urge you not to stop at reading this article, but to take action – update your passwords, enable multi-factor authentication and start using passwordless options where possible.


SOURCE: Michal Srnec