Passwords should be extinct, but since they aren’t, make them more secure

This is one of those “yes, but…” stories.

Start with the way it should be. Passwords as a means of online authentication should by now be extinct. Put out of our misery. In an ideal world, the theme of the second week of national Cybersecurity Awareness Month (CSAM) would be “Freedom from Passwords!”

First and most important because they’re not secure. No matter how long, complicated, and unique they are, they’re much too easy to steal, either through users being tricked into giving them away or through breaches of the online servers where they are stored. Indeed, underground cybercrime forums are filled with billions of compromised passwords for sale.

Multiple experts, from former Microsoft CEO Bill Gates on down have been saying this for decades. Brett McDowell, former executive director of the FIDO (Fast IDentity Online) Alliance, which has been working for a decade to provide a more secure means of authentication, long ago labeled the term “strong passwords” an oxymoron.

Second, because there are better alternatives — the latest FIDO standard, known as FIDO2, is probably the most prominent. It eliminates the old “something you know” (password or passphrase) and replaces it with “something you have” (token or wearable) and “something you are” (fingerprint, voice, face, iris).

What makes those so much better is that they exist only on your device or on your person. An attacker would have to steal you or your device, which is possible but vastly less likely. They’re not “shared secrets,” like passwords, in which both you and the website or service you’re using have them and a hacker can access thousands to millions of them with a few keystrokes on a laptop.

Also, FIDO is gaining traction — it is increasingly available, and the latest FIDO2 standards are designed to be built directly into operating systems and web browsers. About a year ago, they had been built into Windows 10, Google Play Services on Android, and the Safari, Chrome, Firefox, and Edge web browsers.

And now some of the biggest names in tech — Google, Apple, Intel, Microsoft, PayPal, Facebook, Amazon, VMware, Samsung, Bank of America, Wells Fargo and dozens more, along with all the major web browsers and an increasing number of telecoms — are supporting the FIDO standards.

A long journey

Yes, but…

The way it should be is still not the way it is. Passwords are still the most common way to prove that you are you online.

As Ars Technica put it just this past week, “While every browser in the world supports showing that old [password] text box, passkey support will need to be added to every web browser, every password manager, and every website. It’s going to be a long journey.”

So, as long as that remains true, we all should try to make them as secure as possible, hence the theme for the second week of CSAM: “Passwords and Password Managers.”

But it seems a bit strange that there was no mention of FIDO, and no urging people to adopt passwordless authentication wherever possible.

The federal Cybersecurity and Infrastructure Security Agency (CISA), one of the agencies that oversees CSAM, did not respond to a request for comment about that. But James E. Lee, chief operating officer at the Identity Theft Resource Center, said he believes the CSAM focus should remain on passwords, given that “FIDO is still an emerging passwordless framework that has only recently seen the beginning of a transition into the mainstream. As such, it’s still a little early to push consumers to adopt a set of tools with very limited availability.”

CSAM, operated and overseen by the National Cyber Security Alliance (NCSA) and CISA, is now in its 19th year. Its overall slogan for the month is “It’s easy to stay safe online. #BeCyberSmart.”

Relative safety

Safe is relative, of course. As noted, passwords won’t make you as safe as other, increasingly available, means of authentication. But there are ways to make them better. The first group of password recommendations on the CSAM website are long established. They’re labor- and memory-intensive and offer only incremental security improvements, which is why far too many people ignore them. Still, if you’re going to use passwords, they should be

• Long: At least 12 characters
• Unique: Never reuse passwords
• Complex: None of this “password111,” “admin,” “qwerty,” or “123456” stuff. Passwords that aren’t complex are the equivalent of putting your house key under the welcome mat in front of your door, with an arrow pointing to it. Passwords should be gibberish to anyone but you, so use a combination of upper- and lower-case letters, numbers, and special characters. Some websites even let you include spaces.

The second major recommendation, to use a password manager, offers much more. It truly does make things much easier for users and harder for hackers.

Password managers — there are multiple good ones available — require you to remember just a single, master password, so make it very long and complex. Maybe base it on a phrase that only you would know. The password manager will store all your other username and password combinations in an encrypted database, which means they’ll be gibberish to hackers too. You can create them, or the service will generate them.

The CSAM website notes several other major advantages of a password manager

• It saves time. You won’t ever have to enter a password for anything but the password manager itself.
• It works across all your devices and operating systems.
• It protects your identity.
• Most services will notify you of potential phishing websites.

A third recommendation might sound counterintuitive but will both make things easier for you and won’t make you any less secure. Ignore all those exhortations to change your password regularly.

The National Institute of Standards and Technology has for several years recommended against frequent password changes in its Digital Identity Guidelines. Experts have found that changing passwords frequently can actually make things less secure, since people make them even simpler, or similar to the one they had previously.

The only reason to change your password is “if there is unauthorized access on your account or if it is part of a data breach,” according to the CSAM website.

Bottom line: If you care about your online security — and you should — you can improve it by following these recommendations. But the reality is that improvement will only be marginal. The more urgent overall goal of CSAM ought to be to raise awareness of, and push for the adoption of, better, faster, and more secure options for online authentication than passwords.

That day is coming, Lee said. “Microsoft has moved to a password-free environment internally and is expanding the option — slowly — to its customers. Apple is now offering a passwordless passkey but only for mobile devices with the most current OS. Google has announced plans to follow this FIDO-compliant option in 2023.”

“All these efforts are designed to overcome user behaviors to make people more secure and will make it more difficult for identity criminals to steal and use credentials,” he said.

Which is encouraging news. It can’t come soon enough.