A once tried-and-true security measure, passwords have failed to develop at a rate necessary to keep up with the vastness of the web and huge increase in the number of online accounts. In our new reality, they have become a legacy authenticator and specific point of vulnerability.
With hackers able to crack passwords with ease and gain access to sensitive information from both organisations and individuals, we’re already seeing a shift away from using passwords. Recently, Microsoft announced it will be removing passwords for billions of users after seeing double the amount of attacks on them since 2023. This, along with other major tech companies such as Amazon enabling passkeys, shows a growing movement towards passwordless.
Despite seeing this gradual shift, the National Institute of Standards and Technology (NIST) recently published updated guidance suggesting the transition to passwordless won’t happen overnight. The institute recommends using simpler, but longer, passwords over more complex ones. With users often reusing passwords, using predictable sequences to meet requirements or keeping a record of them, organisations are currently highly vulnerable to cyberattacks. Immediately improving password habits while taking gradual steps to transition to more widespread passwordless authentication is the only way to reduce the risk of compromise.
Problematic passwords and their fallout
News of cyberattacks in which passwords are the point of vulnerability is becoming increasingly frequent. In this past year alone, nearly 10 billion passwords were leaked in the biggest breach discovered, RockYou2024, and Russian hackers stole the passwords of 600 UK Ministry of Defence personnel. These events reveal the scale of the issue and how poor password habits have fed into it.
Exacerbating the problem is the tendency for individuals to reuse passwords across multiple accounts, multiplying their risk of exposure in the event of a breach. All of this leaves users and organisations vulnerable to credential stuffing, in which attackers inject stolen credentials into login forms, or other brute force attacks. Also, human error caused by “password fatigue” – the mental toll of managing multiple different passwords across different accounts – compounds the problem as users opt to take shortcuts. It’s clear then passwords have become an outdated method of security.
The point of contention: Security vs convenience
While it appears passwords have long since had their day, their ease of use is what keeps them alive. Although security is the top priority for 78% of users, ease of use is a very close second (76%). This reflects the need for seamless online experiences which don’t compromise security.
Positively, interest in alternative methods of authentication has risen. Users are adopting biometric identification, such as facial recognition as well as one-time logins and multi-factor authentication (MFA). Organisations using these methods benefit as users feel more in control of their log-in experience without detracting from the ease of use.
Passwordless to take prominence
By nature, passwordless authentication could be the solution to balance security concerns and ease of use as it reduces the human risk element caused by poor password habits and can also be a cheaper method for organisations as it doesn’t rely on password management or storage solutions. Single sign-on, a form of passwordless, also helps the user experience by allowing users to gain access to multiple applications and services through one set of credentials, subsequently reducing attack vectors.
Although the shift to passwordless authentication won’t happen overnight, a growing number of users are receptive to it, especially those with concerns around the security of their personal data. With big tech moving to adopt passwordless, we will soon see more organisations following suit.
The path to a passwordless future
While passwordless remains on the horizon, there are important steps individuals and organisations can take to strengthen online security. In line with NIST’s guidance, organisations should encourage the use of longer passwords over more complex ones for employees and customers. Tools that generate strong passwords, and MFA, can further sure up defences while moving to passwordless.
Passwords remain a significant weakness in an ever-evolving threat landscape. By following updated guidance from NIST and other initiatives, we can accelerate the shift to passwordless authentication. This transition promises not only greater security but also the seamless digital experiences users increasingly demand. By educating organisations and individuals about the benefits of ultra-secure authentication methods, we can take significant steps toward a safer online future.
