TrustKey Support Articles
#password #fido #passkey #MFA Feb 06, 2024
The end of passwords – and how businesses will embrace it

by Kate O'Flaherty, published 2024 Feb 02

What will the end of passwords look like in practice and what can businesses do to prepare?

It’s widely accepted that passwords are a flawed means of security. People use weak credentials; they can be forgotten, guessed, or exposed in breaches and they’re often reused across services. 

Big tech firms including Microsoft, Apple and Google have been moving towards a passwordless future for several years, with solutions such as security keys and, more recently, passkeys starting to take off as part of multi-factor authentication (MFA) setups.

The FIDO Alliance – which most big tech players are members of – is pushing hard for the demise of the password. But what exactly does “the end of the password” mean, in practical terms?

The idea is to eliminate dependence on passwords as a “primary mechanism for user authentication”, says Andrew Shikiar, executive director and CMO at the FIDO Alliance. In practical terms, this means the end of using knowledge-based “secrets” as the foundation to create, sign in, and recover online accounts, he says. 

“Passwords simply aren’t fit for purpose to protect today’s connected economy. They are too burdensome for humans to manage effectively and too easy for attackers to leverage to hack into corporate networks.”

The end of passwords: Strong alternatives

There are multiple systems that could help usher in the end of passwords, but no one solution is perfect. For example, biometrics can be secure but come with their own downsides, says Michael Jenkins, CTO at ThreatLocker. “Windows uses facial recognition, which can unlock too quickly, so you might walk away and leave your laptop exposed while it’s still unlocked.”

Fingerprint systems are a lot harder to get around, he says. “But the downside is, it may ask for your PIN number instead. These are a lot easier to guess.”

Passkeys, meanwhile, are “a great idea”, but they still need to be implemented across every website and application, says Darren James, a senior product manager at Specops Software. In addition, they can’t be used for initial login to a device and they aren’t very portable unless you store them on a token – which can be lost, broken, or stolen.

Handling passkeys is very different from passwords, says Mark Stockley, senior threat researcher at Malwarebytes. “Both users and support staff are likely to be less familiar with them, which is a speed bump to adoption.”

Yet Shikiar argues that implementing passkeys for MFA is fairly simple and won’t require most businesses to completely overhaul their pre-existing security processes. This is because the core functionality is built into the majority of end-user computing devices, enterprise software stacks and identity management services, he says.

“Many organizations are already using identity management solutions such as Microsoft Entra ID, which already has support for these solutions built-in,” concurs Mark Lomas, technical architect at Probrand. 

However, the end of passwords will be easier in some sectors and businesses than in others. It is important to recognize that certain sectors could be forced to continue to use passwords, says Stewart Parkin, global CTO at Assured Data Protection. “Organizations with legacy systems may be challenged in integrating new technologies, while regulatory requirements in certain industries can create the need to continue password-based authentication.”

Software not tied to modern authentication solutions won't be able to take advantage of modern passwordless solutions, or be linked to Entra ID, says Lomas. “It's typically legacy software that will be unable to make the switch. In this case, you'll need to find other routes to add protection, such as hosting the application in a virtual desktop environment like Azure Virtual Desktop and ensuring that access is protected by a passwordless login solution.”

The end of passwords: A future-proof successor

While there are multiple alternatives to passwords, passkeys are the only successor that “has the same availability and ubiquity”, says Shikiar. Therefore, they are the only currently available means to fully replace passwords, he says.

“Passkeys are built on open standards created within the FIDO Alliance and based on tried and tested cryptographic protocols,” says Shikiar. In addition, the technology is supported by all big tech and is device and operating system-agnostic, he says.

Passkeys are “far and away the best password alternative for online authentication”, agrees Stockley. “They are secure, easy to use and the cost of implementation is likely to get lower as they become more widely supported.”

But it’s important to realize that as we approach the end of passwords, replacements will have to compete with passwords which are themselves universally understood and very cheap to implement. “That's really hard,” says Stockley. “They're an authentication standard that dates from an era when managing low computing resources was the priority. Users understand them, support teams know how to support them and developers know how to implement them.”

Taking this into account, while some organizations may eventually go passwordless altogether, for now, many are supplementing passwords with MFA, says Steven Furnell, IEEE senior member and professor of cyber security at the University of Nottingham.

In the future, he predicts a mixed authentication setup will be the main choice for many businesses. “Some systems and services could use traditional passwords, some MFA, and some passwordless.”

Shikiar says there is “no need for any company to hang onto passwords”, but he does concede they will need to be “phased out over time”. Initially, companies may keep them to help with account recovery until other possession-based factors are established. For those moving further away from passwords, the transition will depend on the organization, he says. “Many will have disparate legacy systems to grapple with, while for others it is more straightforward.”

When taking the plunge, Shikiar recommends a prioritization exercise. “Discover those systems that can migrate most easily and are most urgently in need of higher security.”

Transitioning from a password-centric security model requires a systematic approach, says Parkin. Organizations should begin with a comprehensive assessment for risk management, followed by pilot implementations in less critical areas, he says. “The integration of multi-factor authentication as an interim step can pave the way for a more seamless transition.”

Businesses can also take a “privileged user” approach by identifying employees with access to sensitive applications, and examining who is the most vulnerable to attacks, says Shikiar. “Migrate these users to phishing-resistant authentication as soon as possible and from there, you can start to work your way across the wider employee base.” 

#password #Passkey Dec 08, 2023
If you're using a password on this list, change it now – hackers could break into your account in seconds

Passwords protect some of our most personal information from prying eyes, but despite their critical role, millions are still relying on lacklustre combinations to keep their data safe. And when we say "lacklustre", we really mean it.

A list of the most common passwords of 2023 has been published and shockingly "123456" is in first place. The uncreative password was used over 4.5 million times by users online, researchers say, with the word "admin" a close second with 4 million uses worldwide.

Cybersecurity researchers worked with the team at NordPass – the password management software developed by the same minds as NordVPN – to put together the definitive list of the most common passwords of the year.

To do this, they scoured a database of 4.3TB (that's a whopping 4,300,000MB) extracted from a number of high-profile password leaks on the Dark Web to find the passwords that people relied on more than any others. NordPass only received statistical information from the researchers; no personal data was included in the findings sent to the password management team.

Passwords like "123456" and "admin" can be cracked in under a second, researchers at NordPass confirmed; they sit at the top of every guessing list, so an attacker needs only a handful of attempts whether cracking a leaked hash offline or guessing at a login form. If any of your online accounts is protected with one of these passwords, it's time to change it to something new, and much more secure.

Numerical sequences crop up throughout the list, with "123456", "12345678", "123456789" and "1234" all making the top five. In fact, seven of the top 10 consist of digits alone.

Find the complete list of the 10 most common passwords at the bottom of this article. 

According to the research, people tend to rely on the weakest passwords for their streaming services, like Netflix, Disney+, and Prime Video, reserving their strongest passwords for online banking.

Commonly used passwords for streamers included the cringe-inducing "Netflix", "netflix123", "disney123", and "disney2020". While researchers found people typically reserved their best passwords for financial accounts, weaker options like "visavisa1" and "paypal123" still crop up in the list.

This is a pattern that comes up time and time again. NordPass found that different platforms influence password habits, with the fourth most common password used to secure accounts on Amazon being (surprise, surprise) "amazon".

Some websites enforce composition rules, requiring at least one letter, one number and one special character. These rules have pushed passwords like "P@ssw0rd" into the top 30 worldwide, but they have done little to make users' data safer: "P@ssw0rd" is just "password" with the substitutions every cracking wordlist already tries, and according to NordPass it can be cracked in under one second.

A troubling 70% of the list of most commonly used passwords can be hacked in seconds, researchers say.

Tomas Smalakys, NordPass Chief Technology Officer said: "With the terrifying risks password users encounter, alternative methods in online authentication are now essential.

"Passkey technology, considered the most promising innovation to replace passwords, is successfully paving its way, gaining trust among individuals and progressive companies worldwide. Being among the first password managers to offer this technology, we see people are curious to test new things, as long as this helps eliminate the hassle of passwords."

So, what should you do? NordPass recommends creating a strong password with at least 20 characters and a mixture of upper- and lower-case characters, numbers, and special characters. Personal information that could be easily guessed by those who know you – like birthdays, pet names, and hometowns – should be avoided. Always create a unique password for every online account, NordPass says.

If you're struggling to think of something, using the first letter from each word in a line of poetry, a saying, or a song lyric that you're unlikely to forget can be a great way to quickly generate what appears to be a completely random jumble of characters. 
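The "P@ssw0rd" paragraph above and NordPass's recommendations describe a policy without showing one. The Go program below is an added example written for this page, not code from NordPass or any password manager: it normalises a candidate password (lower-case, undo the common leet substitutions, strip digit and symbol padding from both ends, collapse a doubled word) before comparing it with a blocklist, and only then enforces a minimum length. The blocklist is a constructed excerpt of the page's top 10 plus the service names it mentions; the `deleet` table and the `candidates` and `checkPassword` names are this example's own.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed excerpt of a common-password blocklist: the page's top 10 plus the
// service names users build passwords around ("netflix123", "paypal123"). A real
// deployment loads a breach-derived list of millions of entries; the logic is the same.
var blocklist = map[string]bool{}

func init() {
	for _, p := range []string{
		"123456", "admin", "12345678", "123456789", "1234", "12345", "password",
		"123", "aa123456", "1234567890", "netflix", "disney", "amazon", "visa", "paypal",
	} {
		blocklist[p] = true
	}
}

// deleet undoes the substitutions that composition rules push people towards,
// so "P@ssw0rd" is compared as "password". Cracking wordlists apply the same table.
func deleet(r rune) rune {
	switch r {
	case '@', '4':
		return 'a'
	case '3':
		return 'e'
	case '1', '!', '|':
		return 'i'
	case '0':
		return 'o'
	case '$', '5':
		return 's'
	case '7':
		return 't'
	}
	return r
}

// candidates returns every form of pw that is looked up in the blocklist: as typed
// (lower-cased), de-leeted, with non-letter padding stripped from both ends
// ("disney2020" -> "disney"), and the half of a doubled word ("visavisa1" -> "visa").
func candidates(pw string) []string {
	notLetter := func(r rune) bool { return !unicode.IsLetter(r) }
	lower := strings.ToLower(pw)
	leet := strings.Map(deleet, lower)
	base := []string{lower, leet, strings.TrimFunc(lower, notLetter), strings.TrimFunc(leet, notLetter)}
	out := append([]string{}, base...)
	for _, c := range base {
		if n := len(c); n > 0 && n%2 == 0 && c[:n/2] == c[n/2:] {
			out = append(out, c[:n/2])
		}
	}
	return out
}

// Verdict carries the decision and the reason a user or an audit log would see.
type Verdict struct {
	OK     bool
	Reason string
}

// checkPassword runs the blocklist first, so length cannot rescue
// "password1234567890!!!!", and only then enforces the minimum length.
func checkPassword(pw string, minLen int) Verdict {
	for _, c := range candidates(pw) {
		if blocklist[c] {
			return Verdict{false, fmt.Sprintf("normalises to blocklisted %q", c)}
		}
	}
	if n := len([]rune(pw)); n < minLen {
		return Verdict{false, fmt.Sprintf("%d characters, minimum is %d", n, minLen)}
	}
	return Verdict{true, "ok"}
}

func main() {
	for _, pw := range []string{"P@ssw0rd", "disney2020", "visavisa1", "Aa123456",
		"Tr0ub4dor&3", "password1234567890!!!!", "correct-horse-battery-staple-2024"} {
		v := checkPassword(pw, 20)
		fmt.Printf("%-36q accepted=%-5t %s\n", pw, v.OK, v.Reason)
	}
}
```

Run with `go run`: "P@ssw0rd", "disney2020" and "visavisa1" are rejected as the blocklisted "password", "disney" and "visa", and "password1234567890!!!!" is rejected despite being 22 characters long, which is the point of checking the blocklist before the length. A real deployment swaps the map for a breach-derived list; checking new passwords against such a list of commonly used and compromised values is what NIST SP 800-63B asks for in place of composition rules.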

 

Password managers are also a popular way of securing your online accounts. These applications generate a strong, unique password for every account and store them in an encrypted vault that can be accessed from any of your devices. To log in, most of them only require a quick biometric check: facial recognition on the iPhone, or a fingerprint scan on Windows PCs and Android.

NordPass is one option available alongside the likes of LastPass and 1Password.

Google and Apple both offer built-in password managers with their most popular products, dubbed Google Password Manager and iCloud Keychain respectively, that generate and store passwords.

Online accounts are increasingly turning to passkeys as a way to let users sign in to apps and sites the same way they unlock their devices: with a fingerprint, a face, or an on-screen PIN. Unlike passwords, passkeys are resistant to online attacks like phishing, making them more secure than one-time codes sent via SMS. Microsoft, Google, Apple and the FIDO Alliance are working together to bring passkeys to the web as an industry standard.
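This paragraph, and the first article's point that passkeys are "based on tried and tested cryptographic protocols", are clearer with the protocol in code. The Go program below is an added example written for this page, not code from the FIDO Alliance or any vendor: it models a stripped-down WebAuthn assertion with Ed25519, where the browser derives the relying-party ID from the page's real origin and the server checks ceremony type, live challenge, origin, RP ID hash, user presence and signature. It goes a little beyond the text by also running a replay and a challenge-splicing attack. The one-credential-per-site authenticator, the `bank.example` and `bank.example.evil` names and the `scenarios` function are this example's assumptions; attestation, credential IDs and counter checks are omitted.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
)

// Subset of WebAuthn's CollectedClientData; the browser, not the page, fills in "origin".
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type authenticator struct{ creds map[string]ed25519.PrivateKey } // assumption: one credential per RP ID

type relyingParty struct {
	rpID, origin string
	pub          ed25519.PublicKey
	pending      map[string]bool // issued challenges not yet answered
}

// authData follows the WebAuthn layout: SHA-256(rpID) || flags (0x01 = user present) || 32-bit counter.
func authData(rpID string, n uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(append(h[:], 0x01), byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
}

func signedMessage(ad, cdJSON []byte) []byte { // what the authenticator actually signs
	h := sha256.Sum256(cdJSON)
	return append(append([]byte{}, ad...), h[:]...)
}

// getAssertion models browser plus authenticator: the RP ID is derived from the page's real
// origin, so bank.example.evil can only ask for its own credential, which does not exist.
func (a *authenticator) getAssertion(origin, challenge string, n uint32) (ad, cdJSON, sig []byte, err error) {
	u, err := url.Parse(origin)
	if err != nil {
		return nil, nil, nil, err
	}
	priv, ok := a.creds[u.Hostname()]
	if !ok {
		return nil, nil, nil, fmt.Errorf("no credential for RP ID %q", u.Hostname())
	}
	cdJSON, _ = json.Marshal(clientData{"webauthn.get", challenge, origin})
	ad = authData(u.Hostname(), n)
	return ad, cdJSON, ed25519.Sign(priv, signedMessage(ad, cdJSON)), nil
}

// newChallenge issues a random, single-use nonce that the assertion must echo back.
func (rp *relyingParty) newChallenge() string {
	b := make([]byte, 32)
	rand.Read(b)
	c := fmt.Sprintf("%x", b)
	rp.pending[c] = true
	return c
}

// verify runs the server-side checks in order and consumes the challenge only on success.
func (rp *relyingParty) verify(ad, cdJSON, sig []byte) error {
	var cd clientData
	want := sha256.Sum256([]byte(rp.rpID))
	switch {
	case json.Unmarshal(cdJSON, &cd) != nil:
		return fmt.Errorf("malformed clientDataJSON")
	case cd.Type != "webauthn.get" || !rp.pending[cd.Challenge]:
		return fmt.Errorf("wrong ceremony type or unknown/used challenge")
	case cd.Origin != rp.origin:
		return fmt.Errorf("origin %q is not %q", cd.Origin, rp.origin)
	case len(ad) < 37 || !bytes.Equal(ad[:32], want[:]) || ad[32]&0x01 == 0:
		return fmt.Errorf("rpIdHash mismatch or user not present")
	case !ed25519.Verify(rp.pub, signedMessage(ad, cdJSON), sig):
		return fmt.Errorf("bad signature")
	}
	delete(rp.pending, cd.Challenge)
	return nil
}

// scenarios runs one legitimate login and three attacks; a nil error means "accepted".
func scenarios() map[string]error {
	auth := &authenticator{creds: map[string]ed25519.PrivateKey{}}
	rp := &relyingParty{rpID: "bank.example", origin: "https://bank.example", pending: map[string]bool{}}
	rp.pub, auth.creds[rp.rpID], _ = ed25519.GenerateKey(rand.Reader) // registration, reduced to key generation
	ad, cd, sig, _ := auth.getAssertion(rp.origin, rp.newChallenge(), 1)
	out := map[string]error{"legitimate": rp.verify(ad, cd, sig)}
	out["replay"] = rp.verify(ad, cd, sig) // same assertion again: its challenge has been consumed
	_, _, _, out["phishing"] = auth.getAssertion("https://bank.example.evil", rp.newChallenge(), 2)
	old := rp.newChallenge()
	ad, cd, sig, _ = auth.getAssertion(rp.origin, old, 3) // an assertion the attacker captured earlier
	out["spliced-challenge"] = rp.verify(ad, bytes.Replace(cd, []byte(old), []byte(rp.newChallenge()), 1), sig)
	return out
}

func main() { fmt.Println(scenarios()) }
```

The four scenarios show where each attack fails. The look-alike site never obtains a signature at all, because the browser asks the authenticator for a `bank.example.evil` credential and none exists; that is the property the article calls phishing resistance, and it holds even for a proxy that relays the real site's challenge. Replaying a captured assertion fails on the consumed challenge, and splicing a live challenge into a captured assertion fails on the signature, which covers the SHA-256 of the original clientDataJSON. A real server would additionally look the public key up by credential ID and reject a signature counter that has not increased.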

Although there are high hopes for passkeys, with Google even calling its rollout "the beginning of the end of the password", they're unlikely to eliminate old-fashioned passwords for some time. For now we're still stuck with passwords for a huge number of our online accounts, so it's time to ditch "password123" and think of something a little stronger.

Top 10 Most Common Passwords

  1. 123456 (used 4,524,867 times)
  2. admin (used 4,008,850 times)
  3. 12345678 (used 1,371,152 times)
  4. 123456789 (used 1,213,047 times)
  5. 1234 (used 969,811 times)
  6. 12345 (used 728,414 times)
  7. password (used 710,321 times)
  8. 123 (used 528,086 times)
  9. Aa123456 (used 319,725 times)
  10. 1234567890 (used 302,709 times)

TrustKey Co.,Ltd./Address : (06236) 2F, 14, Teheran-ro 22-gil, Gangnam-gu, Seoul, Republic of Korea
Tel : +82-2-556-7878 Sales : sales@trustkey.kr / Technical : support@trustkey.kr / Fax : +82-2-558-7876

Copyright © 2020 TrustKey. All Rights Reserved.