Let’s face it, none of us love passwords. How many times have you tried logging in to an account only to be faced with the message: that password is incorrect. Research suggests that consumers spend on average 12 days of their lifetime trying to remember and reset passwords.
But passwords aren’t just time-consuming and frustrating. They also pose several security issues. It’s widely acknowledged among security experts that we need more secure ways of protecting our digital identities and online accounts. We’ll examine what this might involve. But first, let’s take a look at why it’s time to ditch passwords for good.
Passwords are out-of-date
The first password is thought to date back to 1961 at the Massachusetts Institute of Technology (MIT). As part of MIT's Compatible Time-Sharing System, all students were given a secure password to log on to the computer, to ensure that everyone had an equal chance of using it. But students quickly figured out they could hog more computer time by hacking the system and printing out the passwords. It became clear quite quickly that the password approach wasn’t foolproof.
Yet today, we’re still using pretty much the same system that was invented back in the 1960s. We’ve seen a huge amount of digital innovation and transformation over the last 50 odd years. But passwords have hardly changed. What other digital method has stuck around for so long?
Passwords are easy to hack because....
Most passwords are bad
The majority of passwords are embarrassingly simple, and this makes them easy to guess. A report into over 1.4 billion stolen passwords saw that some of the worst included “password”, “qwerty”, “111111” and “123456”. They are easy to remember, but also easy to crack.
Many people reuse passwords
According to a recent report, 61% of people use the same or similar password across different accounts, despite knowing it’s not secure. This means that if a criminal cracks the password once, they can use these credentials to break into other online accounts that use the same, or similar, passwords. It only takes seconds for hacking software to test thousands of credentials against popular retail sites and online banks.
We have so many online accounts
There’s one key reason people choose bad passwords, or reuse passwords: they just have too many to remember. If you stop and think about how many online accounts you have, it can quickly add up into the hundreds. Unless you keep a record (which in itself is bad practice—weren’t we always told, don’t write your passwords down) it’s impossible to remember a unique password for every single account.
Technology makes a hacker’s life easier
Technology benefits everyone, and that includes the bad guys. There are many ways criminals can leverage technology to gain access to people’s passwords, but one of the most common is malware viruses. Millions of computers are infected with viruses that capture keystrokes and log passwords. Even if you use strong, unique passwords that you change regularly, if your computer is infected, you can’t prevent a hacker from accessing your passwords.
Passwords are the main cause of data breaches
This is a big problem for business. Weak, stolen or reused passwords are estimated to be the cause of 81% of breaches. If your business has gaps in its password management, your customers’ data could be compromised.
Compromised passwords affect both consumers and businesses
Consumers take a financial hit
The after-effects of an account hack or identity theft can be detrimental. 14 million US citizens fell victim to identity fraud online in 2018. And stolen credentials can be used to fund online purchases, secure a line of fake credit, or even open up the opportunity for synthetic identity fraud. This can all damage a victim’s credit rating. Not to mention, victims can lose a lot of money.
Businesses have to deal with account takeovers
Your customers won’t be happy in the event of an account takeover. If their account is compromised, and a criminal makes fraudulent purchases, your business must deal with the consequences. The process of giving your customer access to their account again can be difficult. You have to guarantee it’s really them trying to regain access to their account. And this process is likely to be slow and cumbersome for them—they might need to change a range of log in details.
Businesses can face chargebacks
Disgruntled customers want compensation. If their account is compromised, you’ll likely have to pay out in the form of a chargeback. In the retail industry alone, chargeback costs reach an astronomical $40 billion per year.
Password management is a headache for businesses
The cost of supporting password systems can be significant for your business. Staffing and infrastructure are both expensive and time-consuming. The true cost of account recovery might be more than you think. Up to 50% of all help-desk calls are about password resets, and costs can climb to up to $70 per incident.
Is going passwordless easier said than done?
IT research firm Gartner predicts that 60% of businesses will halve their dependency on passwords by 2022. But if we aren’t using passwords, what will we use?
Steps have already been taken to improve security around passwords. For example, two-factor authentication (2FA) can help add another layer of security to a log in credential and password. However, 2FA has its own flaws. Some methods are more secure than others, but criminals continue to find their way around them.
One key step businesses can take is to seek assurance in their customers’ identities. By leveraging identity verification in the form of identity document checks and biometrics, your business can remove the need for passwords altogether, while increasing security.
At Onfido, we’re supporters of a passwordless future. And we believe that identity will play a key role in this future. Take a look at some of the recent ways we’ve been supporting the move to passwordless.