The Death of the Password

The Future is Bright, the Future is Passwordless

The Death of the Password

Is it just me or do you cringe at how Cyber Security has turned from being a respectable profession, into a fashion trend?

I mean it used to be that if you wanted to be in with the IT security crowd, all that you needed was to watch The Office on TV, wear blue Primark shirts, smell of stale nicotine and have an unshaven beard.

But now if you want to be in the red team, blue team or maybe even the A-team, you must show up with Burberry's latest trench coat or handbag, wearing a Rolex.

Jokes aside though, hasn’t Cyber Security just turned into a snob profession, and isn’t that why so many organisations are getting hacked?

Maybe, but what has that got to do with passwords?

To answer that, let’s look back to the past.

My first experience of an exploit was CVE-1999-0146, way back in 1997.

I came across a sample script called httpd-campass that could list the password file of any UNIX server running the NCSA web server. All you needed was telnet.

You could list the password file on a web server with a simple command like:

GET /cgi-bin/campas?%0acat%0a/etc/passwd%0a

No need for rocker scientist tools like Metasploit, Python coding skills or a diploma in hackerology.

Easy enough to fix though.

In the 25 years since we have constantly been told the same thing.

  • Use strong complex passwords.
  • Treat passwords like your toothbrush, don’t share them with anyone, and change them every 90 days.

But what if you are a typical user like me, and you have more than 100 passwords?

You could just use the same password on every site, right?

Nope.

If you do that then what if your password is found in a database of stolen passwords like https://haveibeenpwned.com/Passwords

Here’s an example.

One of my passwords 20 years ago was p1nkp1nk

According to the Haveibeenpwned password database, it has appeared in 430 data breaches.

Oh no — pwned! This password has been seen 430 times before

So, what’s the solution?

  • Use strong passwords
  • Use a different password for every service
  • And use a secure MFA method

But Michael, how the hell do you remember 100 different complex passwords?

You don't. You use a trusted password safe like BitWarden.

Well, at least that’s the short-term solution.

In the longer term, companies like Microsoft are working towards a concept they like to call passwordless, which aims to solve this challenge using a combination of biometrics, trusted mobile devices and modern authentication methods like SAML and OIDC.

So if you happen to work in the Tyrell Corporation, and you want to get started on your journey towards passwordless today, you can start with the Duo Security Passwordless offerings here.

But if you are just an ordinary home user, then use a different strong password for every app, a trusted password manager like Bitwarden, and use MFA. That's all you need