Why there’s no such thing as a strong password

In this article, we explain how the escalation of password complexity has become its very weakness.
‍

From the watchwords used by Roman soldiers to the complex ciphers we rely on today, humans have been using passwords for thousands of years. In the early years of computer technology, they seemed ideal for account security – easy to set up, universal across different platforms, and not asking too much from the user.
‍

Yet nowadays, setting up a new password is notoriously painful. Each time we sign up for a new service, we’re required to memorise a new random string of characters – and to be really secure, we then back that up with multi-factor or two-factor authentication (MFA or 2FA).
‍

Shouldn’t developments in technology be making lives easier? The trouble is that passwords rely on our brainpower, but attackers can use the power of computers. And, as Bill Gates predicted nearly 20 years ago, that’s not a war we can win. As IDlayr CEO Paul McGuire explains in a podcast with Cybercrime Magazine, the weakest link in security is us – humans.
‍

Read on to find out how password reliance got to this painful point, the problems it causes for both user experience and security, and what kind of passwordless alternative is already possible.

‍

The relentless push for complexity 

The early password was likely to be something simple, like your child’s or pet’s name. But with such predictability of human behaviour, identity crime was inevitable.

With the massive growth of the Internet, targeted criminal hacking became not only more desirable, it became easy. Such weak passwords didn’t stand up to a bit of guessing or basic research. Soon, attackers no longer even needed to guess or know their target – bots could attempt every dictionary word (and its permutations) imaginable.

Online services had to step up their security in response, locking users out after too many incorrect attempts, leading to inevitable user experience problems. They also started asking for complex elements such as numbers, capital letters, and symbols, in order to make it harder for computers to ‘guess’ (and thereby keep malicious actors out). But in the process, passwords slipped away from their original appeal as something we can remember easily.

The human memory problem

Nowadays, almost every website or app requires a password, all of which should be different from each other if we don’t want one set of breached credentials to lead to many. The average person has a staggering 100 passwords or more – but ‘strong’ passwords are hard for humans to memorise.

There are password management tools to help us keep on top of it all, but they have an accessibility barrier and often don’t work across different devices. IDlayr asked Twitter users how they manage passwords, and the majority (40%) said they use a mental system to keep on top of passwords rather than such a tool – with 21% of respondents even admitting they just reuse the same password.

‍

 

The human mind simply makes mistakes in ways a computer doesn’t: research by IBM found that 95% of cybersecurity breaches are due to human error. That’s not surprising when the majority of users are incredibly lax: the two most commonly found in breaches are still ‘123456’ and ‘password’, both of which have been at the top of the list since SplashData began compiling it a decade ago. It’s clear that a lot of people will always choose the easiest option, and attackers know this.

The cost of passwords

All this human error adds up. Research by the Gartner Group found that 40% of all help desk calls are for password resets, and Forrester Research found the average cost for a single enterprise password reset is about $70, which adds up to the millions for large organisations.

According to Verizon, in a single month, Microsoft had to reset 686,000 passwords for employees, racking up over $12 million in support costs. It’s no wonder Microsoft’s Director of Identity Security, Alex Weinert, has written repeatedly on the vulnerability of passwords.

The bad news: ‘strong’ passwords don’t matter

‍

For all the effort we put in to create and memorise secure passwords, it’s dishearteningly true that attackers can get past them anyway. Passwords are simply based on knowledge, and there’s nothing to stop knowledge from being stolen and shared.

With cybercriminals constantly refining their techniques, even computer-savvy users can be tricked into sharing this information via phishing scams (convincing fake messages that trick users into entering credentials onto false websites) or targeted account takeover attacks. But the user doesn’t even need to slip up for a password to be stolen.

In order to verify that a password is correct, a service has to store it on a database. Naturally, these databases themselves became targets. In the 1970s, ‘hashing’ and ‘salting’ were invented to boost password security, adding encryption and random characters to make passwords indecipherable. However, encryption keys are regularly leaked as well, and this means the hashes of most passwords are also available online for criminals to reverse-engineer.

So what’s the alternative to passwords?

‍

The good news is that your business can improve security and user experience, decreasing support costs, by moving away from passwords. There’s now a passwordless verification method which is mobile-native, universal, and cryptographically secure. We call it SIM-based authentication.
‍

How it works is simple: the user enters their mobile phone number into your app or website, which communicates instantly with the MNO (mobile network operator) to verify that this number is indeed the one linked to the SIM card on the mobile device. This can be used either as a second factor to back up other security checks, or to go fully passwordless. Meanwhile, no user data is either processed or persisted, so nothing can be leaked or stolen.
‍

Because there’s no password or code involved, it’s a powerful and present possession-based check, which can’t be compromised by bad actors or infiltrated remotely. IDlayr can also actively check for SIM swap activity to mitigate the risk of SIM swap fraud.
‍

The verification check happens silently in the background, and the security risk of being human is thereby greatly reduced. The result is an invisible, effortless authentication experience, with stronger security that feels like magic.

How to get started

‍

IDlayr products easily integrate into any client-server application architecture using restful APIs and iOS, Android, React Native and Mobile Web SDKs.
‍

Developers can find all they need to get started in our documentation, including integration guides for all our products. Simply sign up to start integration, and test for free, today – or contact Sales to find out how IDlayr can help your business.