Password practice among many users is... not ideal, to say the least.
Insecure behaviours like writing passwords down, sharing them with family and friends and using obvious information like the pet dog or cat's name are still rampant among users young and old.
To the point that in 2020, amid a massive spike in cyber crime due to the pandemic, ‘123456’ still topped lists of the most common password used online.
With password practice that dire, why don’t we just say goodbye to them completely?
It seems Microsoft reached a similar conclusion. This is why they are now allowing all their users to create passwordless accounts.
Instead of needing to key in your password, you are the key to your account. You log in via Microsoft's authentication app, which allows you to use fingerprint authentication on your phone to unlock your account. You can also log in via a PIN, or use Windows Hello facial recognition, which requires a compatible laptop and camera.
For additional security, you can enable two-step verification and add a password to your account.
Passwordless accounts are another addition to Microsoft's recent drive to introduce innovative and convenient access options to their systems. For example, in Windows 10 they introduced dynamic lock, a feature allowing users to 'lock' their desktop via their phone whilst away from their device.
Microsoft argues these passwordless accounts, previously only available to business users of their products, are significantly safer and more secure than passwords.
Passwords can be easily cracked, stolen and forgotten, posing one of the biggest security issues and headaches for users since the dawn of the web.
With this in mind, Microsoft has heavily capitalised on security when promoting their passwordless accounts.
The company has publicised the fact that almost all their employees have made the switch due to the added security. And users logging in to their Microsoft account will be greeted with a box saying: "A passwordless account reduces the risk of phishing and password attacks."
While passwords are unlikely to leave us for quite some time, here we see the development of arguably more secure alternatives that may in the distant future make them obsolete.
But we shouldn't be too hasty to make this a reality.
The issue with passwords isn't so much that they are insecure as a form of access, but rather that poor password habits are so rampant that they don't provide the protection they should.
Moving to other authentication methods like a fingerprint scan can be seen as both a secure and an insecure access method: secure in the sense that this information can't be as easily stolen or emulated, and insecure in the sense that the sheer convenience and ease of this access method could make us less vigilant about our security in the long term.
There is also the question of how authentication fits into broader debates on biometric data, specifically the ethics of its use, harvesting and societal impact. Do we want to be in a future position where cyber criminals are seeking to steal our biometric data in order to access our accounts?
So while many users' password habits leave much to be desired, we should also be mindful of the implications of scrapping passwords entirely.
In order to make using passwords more secure, for both individuals and organisations, we all need to make a concerted effort to practise healthy password habits.
This means using a secure method (like a password manager) to create, store and remember complicated, difficult-to-crack passwords. It means not sharing passwords and updating them on a regular basis.
More than anything, this means being mindful of security risks and not growing complacent with your habits.