There's a massive change coming in the world of IT security. Passwords are likely to be replaced by a simpler, more secure system.
Only here's the kicker: it isn't happening yet. Which means we all need to follow best-practice password security tips for a while longer.
In this post, we're going to give you an overview of what's on the horizon and why. But, because things that will happen tomorrow aren't very good at protecting us today, we'll end this post with password security tips for 2023. This will help to keep you safe until the important changes arrive.
What's Wrong with Passwords?
Too often, they're rubbish. And everyone hates them. As attention-seeking as this may sound, it's true.
A massive 81% of security breaches are caused by compromised, weak or reused passwords. Okay, if people only followed password best practice this wouldn't happen. But they don't, because strong passwords are a hassle to remember. So they use easy-to-remember ones that are relatively simple to crack. They also reuse the same passwords again and again, which makes them, and their employers, vulnerable on many, many fronts.
Even password managers — the approach every password security tips post has recommended since forever — aren't foolproof. They're targets, too, as the LastPass breach in late 2022 showed us.
Meanwhile, there's the hell of resetting passwords. You know the scenario. You've forgotten your details. But you've also forgotten the details for the second account used to verify the first one. So you get stuck in a password feedback loop and fear you're never going to escape.
Summing up, we need something better. For our security and possibly our sanity.
Say Hello to Passkeys: Passwordless Authentication
There's an answer to all of the above.
Passkeys.
Compared to passwords, these password-less logins provide quicker, easier and more secure sign-ins across devices, websites and apps. The tech industry is convinced of the benefits and is keen to swiftly move forward with a transition to this new approach. Apple, Microsoft and Google now all support, or implement their own, passkeys.
Here's how they work. Instead of having a password for an account, you enable an "authenticator", typically your device, to create a secure passkey (a cryptographic key pair for that account). Passkeys require either biometric authentication — think fingerprints or facial recognition — or a PIN or swipe pattern. Here's the crucial point: a scammer can't easily gain access to passkey-protected accounts unless they have the user's device in their hand. And, even then, they aren't getting in without your biometrics or PIN/swipe code.
Passkeys can sync across devices securely using Bluetooth, making them seamless and convenient to use. There's never a weak or "middling" passkey — they are always strong. And, because accounts can't be unlocked remotely and the authenticator needs to be on hand, they are resistant to phishing.
At the centre of this big change is the promisingly named Fast IDentity Online (FIDO) Alliance. It has set the industry standards for passkeys that Microsoft, Google and all of the big players are starting to roll out.
So Passwords are Dead?
Not quite.
Like some tech version of Stockholm syndrome (where victims sympathise with their captors), we continue to hang on to our much-maligned passwords.
The FIDO Alliance has acknowledged that it's not easy to break old habits. Says Andrew Shikiar, executive director, "It's a learned behaviour — the first thing you do is set up a password. So then the problem is we have a dependence on a really poor foundation. What we need to do is to break that dependence."
Easier said than done.
Another tricky problem is that many password-less schemes require a user to have a modern device and at least one other device. That isnโt always going to happen.
Password Security Tips for 2023
So weโve had a glimpse of the promised land of passkeys, but for now we trudge wearily back to the land of passwords.
It's crucial until passkeys become ubiquitous that we follow good password hygiene. So here are Intersys' password security tips for 2023, to help you stay as secure as possible until an easier, phishing-proof method becomes commonplace.
Says Intersys MD Matthew Geyman,
"The objective of a good password is to increase randomness, known in the trade as 'bit entropy'. This makes it harder for brute force cracking, which means guessing all password combinations (usually by deploying automated tools). I recommend a long password made up of three unrelated words. This has the virtue of randomness and, compared to strings of unrelated characters, memorability. Add some extra elements such as capitals and special characters and you'll have an extremely tough nut to crack."
For instance, the password royalsandart (made up from the words royal, sand and art) achieves 56 bits of entropy. This is considered strong enough for some purposes.
However, RoyalSandwichTransport, which uses longer words and capital letters, achieves 125 bits of entropy. This is much stronger.
Use this Password Methodology
- 16 characters or more
- 2 or more capital letters
- 2 or more numbers
- 1 or more special characters
So RoyalS@ndwichTransport72 would be an excellent password choice, with 157 bits of entropy. (But please don't use it!)
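As an added illustration (not Intersys's own tool) of the entropy figures quoted above and of the four-point methodology, this JavaScript reproduces the per-character estimate that yields 56, 125 and 157 bits for the three example passwords and checks each against the four rules. The pool sizes (26 lowercase, 26 uppercase, 10 digits, 32 ASCII punctuation characters) are an assumption, and the comments carry the caveat a practitioner should keep in mind.

```javascript
// Character pools; the sizes are an assumption (26 lower, 26 upper, 10 digits,
// 32 ASCII punctuation characters). With them the post's three figures are reproduced exactly.
const POOLS = [
  { name: 'lower', size: 26, re: /[a-z]/ },
  { name: 'upper', size: 26, re: /[A-Z]/ },
  { name: 'digit', size: 10, re: /[0-9]/ },
  { name: 'special', size: 32, re: /[!-\/:-@\[-`{-~]/ },
];

// length * log2(pool size), truncated to whole bits. Caveat: this assumes every
// character was chosen uniformly and independently. Dictionary words are far
// more guessable than that, so treat this figure as an upper bound on strength,
// not as a measure of resistance to wordlist-based cracking.
function entropyBits(password) {
  const pool = POOLS.filter((p) => p.re.test(password)).reduce((n, p) => n + p.size, 0);
  return pool === 0 ? 0 : Math.floor(password.length * Math.log2(pool));
}

// The post's methodology: 16+ characters, 2+ capitals, 2+ numbers, 1+ special character.
function meetsMethodology(password) {
  const count = (re) => (password.match(re) || []).length;
  return {
    length16: password.length >= 16,
    capitals2: count(/[A-Z]/g) >= 2,
    numbers2: count(/[0-9]/g) >= 2,
    special1: count(/[!-\/:-@\[-`{-~]/g) >= 1,
  };
}

function assess(password) {
  const checks = meetsMethodology(password);
  return { bits: entropyBits(password), ok: Object.values(checks).every(Boolean), checks };
}

// Walkthrough over the post's own three examples.
for (const pw of ['royalsandart', 'RoyalSandwichTransport', 'RoyalS@ndwichTransport72']) {
  const { bits, ok } = assess(pw);
  console.log(`${pw.padEnd(26)} ${bits} bits, methodology ${ok ? 'met' : 'not met'}`);
}
```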
How to Create an Even Tougher Password
If you want to add an extra layer of protection:
- Take the elements above
- Add a number of full stops (........)
- Add a phone number you know but never write down
That's it. This is an excellent approach until passkeys become commonplace. At that point securing accounts will get easier — and your data will be significantly safer.
Intersys is an award-winning IT services company with a dedicated cyber security division. We offer everything from breach response and training to full security operation services. To find out more, call +44 (0)20 3005 4440.