
World Password Day: We’re closer to abandoning this breakable technology


There’s a lot to hate about passwords. The good ones can be hard to remember. It is often difficult to reset them. And even when we do everything right, they can still be hacked by cybercriminals.

The use of passwords dates back to antiquity, but cybersecurity experts have long pushed for their elimination. In the times of ancient Rome, this might have been an impossible task, but with the help of modern technology, they say, humanity has the potential to move beyond passwords and into a world of easier, more secure authentication methods.

This may be easier said than done, but what better time to push for password elimination than World Password Day, which falls on Thursday, May 2nd. It’s a completely made-up celebration, created by Intel in 2013. Traditionally, it serves as a reminder to closely examine your logins and make sure they check the required security boxes.

Passwords have lasted this long because, on the surface, they seem simple and everyone online today knows how to use them. Furthermore, there simply hasn’t been a scalable alternative to them.

But this is changing. Both businesses and consumers now typically have the option of logging into their devices with biometric indicators, physical keys, authentication apps and now passkeys.

Passkeys, which replace passwords with cryptographic keys, are based on protocols and standards created by the FIDO Alliance. Apple released them as part of iOS 16 in 2022, and Google introduced support for them on all major platforms last year. Proponents say passkeys offer a better user experience than passwords while eliminating the risks of weak, reused and compromised passwords, not to mention phishing attacks.

Most importantly, passkeys take on the security burden that was previously borne by users, said Anna Pobletts, head of “passwordless” operations at 1Password, a leading provider of password managers that supports passkeys.

With traditional passwords, it’s often up to the user to create and remember them, she said. On the other hand, with passkeys, these requirements are directly incorporated into the technology.

“There’s no onus on the user to say, ‘Did I create a good passkey? Did I create the right key? Did I use it in the right place?’ Everything happens automatically,” Pobletts said.

And while cybercriminals will undoubtedly try to target passkeys with attacks, just as they did with passwords, they won’t be able to do so on the same massive scale, she said.

In a blog post on Thursday, Google said improving authentication technology continues to be a key part of its efforts to increase overall security, adding that passkeys have so far been used to authenticate users more than one billion times across more than 400 million Google accounts.

“This work is more important than ever amid a global election year, growing cyber threats, and the rise of technologies like AI,” Google said on its blog.

The tech giant also said it has rolled out broad support for passkeys in Chrome and Android in order to help developers incorporate the technology into their apps. Companies including Amazon, Dashlane, Docusign, Kayak, Mercari and Shopify have added support for passkeys over the past 12 months, Google said.

Also on Thursday, Microsoft announced the start of passkey support for its consumer accounts.

“Securing and accessing your digital life doesn’t have to be a hassle, and you shouldn’t have to choose between simple access and secure access,” the company said in a blog post.

But passkeys aren’t yet available for every app or website, so they’re not the answer to all your password problems, at least not yet. In the meantime, password managers can help by remembering long strings of characters for you and keeping them secure.

And a little effort can go a long way in making your passwords great and keeping your data safe. Here are some tips for doing just that.

Tips for good passwords

The longer, the better. At least 16 characters is best. At this point, you don’t need to worry so much about password cracking software. Random strings of characters are best, but passphrases, such as a combination of three unrelated words, will be acceptable in most circumstances. Putting special characters, like symbols or punctuation marks, in the middle won’t hurt.

Remember: if you use a passphrase, make sure the words only mean something to you and don’t refer to anything significant. “Red Sox Rule” might be a great way to show your loyalty to the team, but it’s not a very secure password. Don’t use your birthday or other significant personal date because cybercriminals can find them easily. Song titles and famous quotes are also bad ideas. Avoid cliché substitutions, such as using @ for “at” or “a” and $ for “s”.

Resist the temptation to recycle. Even the best passwords can be stolen and compromised. So limit the consequences by making sure you set unique passwords for all your accounts. Of course, this can be very difficult, as we recommend passphrases of 16 characters or more.

As mentioned before, if you need help, sign up for a password manager. Free and paid options are available. Many internet browsers can also help you with this task, although they don’t always work across devices.

Change can be good. Most experts now say you don’t need to change your passwords regularly. But everyone agrees that you should change them immediately at any sign of compromise.

Keep your data off social media. The more personal details you post, the more cybercriminals will know about you. These small, seemingly unimportant pieces of data can be used to crack your passwords.

While you’re at it, stay away from quizzes posted on Facebook that ask a series of seemingly harmless questions to tell you what city you should live in or what your ideal vacation spot would be. Sure, they’re fun, but they could be collecting personal information that could be used to crack your passwords in the future.

Always, always use 2FA. If your password is compromised, a second layer of protection will go a long way toward protecting you. Two-factor authentication, also called multi-factor authentication, is being used by a growing number of websites and requires someone trying to access your account to also enter a second form of identification.

This could be a code generated by an app, a biometric such as a fingerprint or facial scan, or a physical security key that you insert into your device. Yes, this will slow you down when accessing the account. But it’s worth it to keep your account safe. If 2FA is available, use it.

One warning: If you can, avoid 2FA systems that send a code to your smartphone. SIM swapping, a scam where a cybercriminal takes control of your phone number, is on the rise. If a criminal takes control of your phone number, they will also receive your 2FA text message.




