A seed was planted in 1960 that is causing major problems with our lives today. That year, the Compatible Time-Sharing System (CTSS) was introduced at MIT. It was the first computer system to implement a password login, primarily to restrict usage to certain users at specific hours of the day. Rather than guarding sensitive information, passwords guarded a time share.
There is no single issue with passwords in a modern world. There are many. In 1960, MIT users only had to remember one password for one system. Today, every system, app or website requires a login, creating an exponential problem that most users solve by re-using passwords. That bad habit, along with doing whatever we can to make passwords memorable, has created the largest security hole possible in most systems.
The concept of a password is woefully out of date because passwords and humans do not mix. We are not wired to develop passwords with a level of security that will protect everything from medical records to banking transactions. Passwords themselves imply security, when in fact the only security they provide is false. They are a paper tiger.
Put simply, it is past time for passwords to die a swift and painful death.
The fundamental misunderstanding shared by most people is that cybersecurity issues are the result of hackers breaking into a system to perform a cybercrime such as dropping malware into a system. The reality is that cybersecurity criminals don’t break in — they log in. They find username and password combinations from exposed systems and start pounding other systems with that combination. And because humans are predictable and use the same passwords from system to system, these bad actors are able to get into systems because we are lazy.
Passwords have become the weakest link in the chain of security. According to Verizon’s Data Breach Investigations Report, 81% of data breaches are caused by some form of weak, compromised or reused passwords. It is past time for passwords to “pass” into obscurity and be seen for the breach factory they are.
The world is racing toward a passwordless society, with Microsoft recently giving many of its clients the ability to use a passwordless option. Will system administrators embrace it? Users should demand it. When we have the ability to use biometrics and blockchain technology, why would we continue to live in a modern connected world with a security apparatus that is the equivalent of taking a water gun into World War III?
The next wave of security will include a passwordless world and a zero-trust environment. What is next? We are already somewhat familiar with options such as facial recognition and fingerprints. We can even utilize voiceprint or heartbeat. While facial recognition has been dealt a blow with mask mandates, eventually more biometrics will be used; and we should all be happy about that change.
Until that time, everyone needs to take this outer ring of security seriously. Most people opt for memorable, re-used passwords, or simply add a number to the end of their existing password; instead, active measures to improve the current situation should be put in place immediately. Here are the freebies – things every responsible digital citizen should do to enhance their personal and corporate security:
Forget the password — use passphrases.
The investment in a password manager is cheap compared to the risk — spend a few bucks and set a unique password that is at least 20 characters long, system by system.
If using a password manager is not your gig, then at least turn that old “password123!” you have been using into something like “1nt0$0m3th1ngTh4t!$H4rd3r2Gu3$$”.
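To put numbers behind the passphrase and 20-character advice above, here is an added example (not from the article or its author) that generates a random passphrase and estimates the guessing entropy of a passphrase versus a random character password. The word list embedded below is a constructed stand-in; the 7776-word size used in the estimates is that of the EFF long diceware list, and the 94-symbol alphabet is printable ASCII.

```python
import math
import secrets

# Constructed stand-in word list for the demo; a real generator would load a
# large published list (the EFF long list has 7776 words).
WORDS = [
    "anchor", "basket", "candle", "dragon", "ember", "falcon", "garden",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pepper",
]
EFF_LONG_LIST_SIZE = 7776   # 6^5 words, one per five-dice roll
PRINTABLE_ASCII = 94        # symbols a random-character password can draw from


def generate_passphrase(n_words, wordlist=WORDS, sep="-"):
    """Pick n_words uniformly at random with a CSPRNG (never random.choice)."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of a uniformly chosen passphrase: n_words * log2(list size)."""
    return n_words * math.log2(wordlist_size)


def random_password_entropy_bits(length, alphabet_size=PRINTABLE_ASCII):
    """Entropy of a uniformly chosen character password of the given length."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size=EFF_LONG_LIST_SIZE):
    """Smallest passphrase word count reaching target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def meets_length_policy(secret, min_length=20):
    """The article's minimum: at least 20 characters per system."""
    return len(secret) >= min_length


if __name__ == "__main__":
    phrase = generate_passphrase(5)
    print(phrase, meets_length_policy(phrase))
    print("5 EFF words:", round(passphrase_entropy_bits(5, EFF_LONG_LIST_SIZE), 1), "bits")
    print("20 random chars:", round(random_password_entropy_bits(20), 1), "bits")
    print("words for 80 bits:", words_needed(80))
```

The entropy figures hold only for secrets chosen uniformly at random; a dictionary word with character substitutions is drawn from a far smaller space than its length suggests, which is why a manager-generated 20-character secret or a multi-word random passphrase is the stronger choice.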
We have a gap between the current situation and a passwordless society, so join the fight for the common good. Harden your passwords, and be ready to bid them a fond farewell in the future.
Mark Hodges is vice president of sales and client management of Arkansas IT services firm Edafio Technology Partners. The opinions expressed are those of the author.