Word up: Why passwords aren’t enough to protect your data

Published 24 June 2022 (last modified 3 October 2023). Source: https://dev.cryptoloc.au/?p=900
Passwords have long been the first line of defence against cyber intruders. They’re one of the oldest software security tools, and they’ve been used offline since ancient times – but the reality is that in today’s environment, relying solely on a password to protect your data just won’t cut it.

Here’s how passwords are being exposed by cybercriminals, and what you can do to protect your data in a world where your magic word has lost its meaning.

When it comes to cybersecurity, most people and organisations are only as good as their word – and that’s proving to be a problem. Inadequate password management has become a gift for cybercriminals, with 80 per cent of data breaches now resulting from weak and easy-to-crack passwords.

That’s partly because we keep choosing the same ones. An analysis of over five million leaked passwords revealed that 10 per cent of people are using one of the 25 worst passwords. And we’re not just talking about your old Hotmail account here – high-ranking executives and business owners still struggle with password security, with a recent study revealing that ‘123456’, ‘qwerty’, and yes, ‘password’, all rank among the five most popular passwords for CEOs and C-level executives.

The same study revealed that many high-ranking executives use their own names as passwords, with Tiffany, Charlie, Michael and Jordan among the most popular name-themed passwords.

[Image caption: Think your data’s safe behind a password? Think again…]

It’s no surprise that our passwords are so predictable. Passwords are meant to be remembered, after all, which leads us to rely on familiar or significant phrases. But this means that while cybercriminals are becoming increasingly sophisticated, our passwords continue to be limited by the constraints of human memory and sentimentality.

And no, replacing ‘password’ with ‘pa$$w0rd’ won’t fool anyone. Enough people have swapped the same letters for the same digits and symbols in the same words by now that doing so won’t make your password any less hackable.

It’s also human nature to reuse the same passwords across multiple accounts. Again, we’re talking about phrases that you’re supposed to be able to remember. But this becomes more and more of a problem with every increasingly common data leak, as cybercriminals now have access to billions of old passwords.

This has led to a cybercrime tactic called ‘credential stuffing’, in which hackers take usernames and passwords acquired from past breaches and try them out on other accounts. These credential stuffing attacks now make up nine in every 10 login attempts on major retail sites. Essentially, if a cybercriminal can get hold of a single password, it puts every business and personal account using that same password at risk.

Of course, even if a user comes up with a truly unique password for each of their accounts, human error can still come into play through phishing scams. This is a type of social engineering scam in which a cybercriminal uses a fraudulent, but convincing, email message or website to trick a user into giving up their password – and if one of these scammers targets your business, it can lead to an incredibly costly data breach.

With all of these attack vectors taking advantage of passwords, it’s clear that additional security measures need to be put in place.

Countermeasures to the inherent weaknesses of passwords have included password managers (software applications that store passwords in an encrypted database), and multi-factor authentication, a security measure that requires two or more proofs of identity for a user to be granted access.

Multi-factor authentication usually requires a combination of at least two of the following: something the user knows (such as a password), something they have (such as a card or token), and something they are (a biometric method, such as scanning a fingerprint), so that simply knowing a user’s password alone isn’t enough to gain access to their account.

On 5 May 2022 – World Password Day, no less – we may have come closer to a world without passwords, with Apple, Google and Microsoft joining forces to announce their support for a passwordless sign-in standard across all of the mobile, desktop and browser platforms they control.

The sign-in protocols, called FIDO, work by creating a cryptographic key pair when you create an account. This is a matched pair of keys – a private key, which stays with you, and a public key, which can be shared – in which messages are encrypted with one key and can only be decrypted with the other key.

Under Apple, Google and Microsoft’s plan, your private key would be held on your smartphone, which would become the authentication device that enabled you to unlock your online accounts.

[Image caption: Apple, Google and Microsoft have joined forces to announce their support for a passwordless sign-in standard.]

You’d take the same action you take multiple times every day to unlock your phone – whether that’s a PIN, a fingerprint, or a face scan – and you could then use your private key to sign into any participating account on that device (or any other nearby device, via Bluetooth) without entering a password.

So, for instance, you could unlock your Apple device and then use your private key to sign into an account on a Google Chrome browser that’s running on Microsoft Windows.

The announcement has been greeted with some scepticism – predictions about the demise of the password have been circulating for at least a decade, and developers will still have to implement passkeys into their websites and applications before they can think about ditching passwords.

A world without passwords?