Passwords are dead. There’s a better way to log into your accounts.
With cybercrime on the rise, passwords are not safe anymore. Say hello to passkeys, a better way to protect your account security Plus, tech companies are rapidly adopting the passkey technology.
«The 2-minute version»
Let’s say you have diligently set your passwords across your devices that tick all the criteria for a “strong password”. Now, you have to either memorize it by heart or store it somewhere safe, only to repeat the whole process a few months later if you want to follow the protocol of actively updating your passwords every few months. Sounds like a nightmare, doesn’t it?
Did you know? You may think passwords are safe. But turns out, 25% of us use the name of our pets, or the name of a loved one or our birthdays to create our passwords. Not so random. Plus, 67% of us either memorize our passwords or jot it down using pen and paper and 57% of us reuse passwords across devices and services such as Netflix, Spotify, email, social accounts, etc.
The cost is enormous: You may already be familiar with Phishing attacks where online thieves send you an email or a text message impersonating your preferred bank, mobile company, or even Costco or Amazon. Plus, many of these individuals are also employees of companies, and the scale of these attacks, especially with the proliferation of AI has pronouncedly pushed up the estimated cost of global cybercrime, creating a +trillion-dollar headache for individuals and corporations in the world.
Say hello to passkeys: Passkeys are the new account access protocols that are winning hearts in the technology and cybersecurity worlds at the moment, which uses blockchain encryption to cryptographically secures access to your favorite apps and devices. Today, Apple, Amazon, Uber, Google, TikTok, Coinbase, the U.K.’s National Health Service (NHS), and over 100 websites have also started supporting passkeys.
But if you want to wait on the passkeys: You can also fortify your account security with Multi-Factor Authentication. We all know the story of how the SEC’s X (previously, Twitter) account fell prey to a cyberattack as it did not have a MFA layer to protect itself.
Before you go: Please make sure that your answers to your security questions are updated. You don’t want to end up like the unfortunate individual who lost £1.8M in Bitcoin, because he forgot the answers to his security questions.
I have always prided myself on my mastery of weaving crafty passwords for my applications and devices. I am usually diligent about where I use my passwords, how long I have been using them for, and the number of devices they are used on. For example, when I reset my wifi’s password as meAs!es-h0Neyy^likes38Kong last year, I set the laptop down and beamed at myself for a few moments. Such a piece of work! It ticked most of the boxes for a strong password after all.
But it would be a nightmare to share the passwords with guests who would visit us. That still wasn't the most painful part. What if I told you I had a unique password for every app that I used—Netflix, Spotify, Google accounts, bank apps, and devices? Isn’t that a nightmare? Even if I did have a unique password for each app, what if I told you I followed protocol and changed my passwords every 3 months? Creating and memorizing passwords over and over again.
Therein lies the biggest problem with passwords.
What is the problem with our passwords?
Passwords have been around for generations. Their prominence became particularly important as technology penetrated deeper into our lives. Access to technology was authenticated with the help of passwords, a secret word or code used to serve as a security measure against unauthorized access to the technology application that was meant just for you. Hence, it became critical for every human to create their own passwords and then memorize them.
I remember when I set up my Facebook account for the first time. I was excited, and I wanted to have a memorable password. So I took inspiration from a music CD on the desk in front of me and set my first Facebook password as acesHigh@2007. (calling all Iron Maiden fans🤘). By doing so, I would probably fall within the 7% of people below who used a favorite band or song name to create and memorize their password, as per a study conducted last year.
The same study also noted that 67% of the respondents either memorized their passwords or jotted them down using pen and paper, while 13% of the respondents stored them on their devices. Additionally, 57% of the respondents also indicated that they were either reusing their passwords across other services such as Netflix and Spotify, email accounts, social media accounts, or critical apps such as banking services.
Unfortunately, such password management mechanisms introduce severe vulnerability by relying on our personal memories and traits. Worse, reusing passwords across apps adds a layer of redundancy to the vulnerability by using the same passwords for other accounts and devices. Cybersecurity experts advocate for using randomness when creating passwords, but humans are generally bad at being random.
The perceived cost of using passwords
The implicit vulnerability entrenched in the predictability of human behavior makes it easier for cybercriminals to gain unauthorized access to your apps and devices. Having personal information somehow makes it easier for online adversaries to take over the accounts of unsuspecting users, especially if they get their hands on written pieces of records—files, diaries, and documents that store combinations of user ids and passwords. Cyberthieves have an array of attack strategies at their disposal.
First, there are the typical Phishing/Smishing attacks, where online thieves will send you an email or a text message impersonating your preferred bank, mobile company, or even Costco or Amazon. Most of these methods rely on social engineering to trick users into sharing any information that may help hackers learn about their login information.
Research compiled by Exploding Topics estimates that 9 out of every 10 cybersecurity incidents are phishing attacks. Over time, hackers became smarter and used bots to spread malicious software or malware that embedded themselves discreetly in your device and sent your personal data, including passwords, to the hackers. In some cases, perpetrators may also physically gain access to your device or accounts.
Watch this convict coldly explain how he takes advantage of gullible victims to steal iPhones.
With the proliferation of AI, hackers have been able to significantly ramp up their malicious productivity by deploying sophisticated cyberattack contraptions such as Ransomware, Distributed Denial of Service (DDOS) and IoT attacks. The pace of these attacks is rising exponentially because it is not just individuals who are falling for them. Many of these individuals are also employees of companies, and the scale of these attacks has pronouncedly pushed up the estimated cost of global cybercrime, creating a +trillion-dollar headache for individuals and corporations in the world.
Tech companies want you to ditch passwords for passkeys.
Passkeys are the new account access protocols that are winning hearts in the technology and cybersecurity worlds at the moment. I first came across Passkeys when Google started prompting me to change my access method from passwords to passkeys earlier this year.
Google had enabled passkeys as the default access settings for users late last year. Other technology firms are also jumping onto the passkey bandwagon. Apple, Amazon, Uber, TikTok, Coinbase, the U.K.’s National Health Service (NHS), and over 100 websites have started supporting passkeys.
At the heart of the passkey’s technology is a sophisticated setup that borrows a fair bit of cryptographic wizardry from the blockchain encryption world to work on your device and cryptographically secure access to your favorite apps and devices. Cybersecurity experts prefer passkeys over other access methods because the underlying software code is split up into two parts — some of the software code lives on the user’s personal device, acting like the key (private key), while the other part of the code is provided by the app, or the keyhole, that the user is trying to access (public key). The combination of the private key and public key unlocks access for the user to their app. All access across apps is automatically managed by the cryptographic nature of passkeys.
If you are really interested in diving one level deeper into how passkeys will work, folks at technically.dev have a deeper dive into the subtleties of passkeys. For others, Google has a ready reckoner on how passkeys will simplify access to its suite of products.
Sadly, though, banks are still not part of the passkey revolution just yet, at least in the US, but not for security reasons, you might think. According to research conducted by Hypr, a passwordless authentication vendor that works primarily in financial services, banks largely buy into this passkey revolution. But they face numerous challenges in implementing them — with 75% of financial institutions facing challenges primarily related to managing passkey’s cryptographic frameworks with their legacy IT systems.
Not ready for passkeys yet? Beef up your account security
For those who want to sit this one out, all is not rotten in the state of Denmark. While passkey technology itself is not new, the widespread attention it is receiving will certainly pique the interest of some endeavoring hackers who want to take a stab at breaking passkey technology. Then, there are users who may also be in wait-n-watch mode to figure out just how this may impact the daily lives of our beloved technology apps and gadgets.
A few researchers from Germany and the U.S. wrote a paper on passkey adoption and think that while there is general enthusiasm about the technology, the adoption is not going to be a big-bang style but rather a slow process.
At the very least, experts urge online users to fortify their account security with an additional layer of authentication, such as Multi-factor Authentication (MFA). Last month, the U.S. SEC was a victim of a cybersecurity lapse because hackers were able to take advantage of the SEC’s embarrassing vulnerability — the vulnerability being no MFA security in the SEC’s X account. This allowed hackers to post some false news via the SEC's handle on X.
Additionally, some tech platforms are trying to replicate the passkey mechanism to some vague extent by offering users the default option of sending pre-authorized access links to their email. For example, the Substack platform’s default login setting sends pre-authorized links to the email rather than having the user type the password. That way, there is no need to memorize the password or create one.
Many users lean on password managers to manage their galaxy of passwords. Third-party password managers like 1Password, Dashlane, and Bitwarden are popular services that sync your passwords across all devices and other access points at once. Most password managers nowadays also support passkeys too. But there is an inherent risk in putting all your eggs in one basket. Since, password managers end up being the single source of truth containing all your passwords, they are also continuously targeted by hackers, and these services are not completely immune either. LastPass, a password manager that used to be quite popular, was hacked during the pandemic in an embarrassing way, demonstrating the need for robust security mechanisms here as well.
Finally, if you want to have nothing to do with any of the new-world passkey mumbo-jumbo and trust your memory more than anything else, at least make sure the answers to those cursed security questions remain updated. Otherwise, you may end up like this unfortunate individual who lost out on £1.8M in Bitcoin because he could not remember the answers to his security questions.
How do you manage your passwords for all your apps and devices? Did you ever fall prey to some of the phishing incidents online, or locked out of your account because you forgot your answer to your security question(s)?
Let us know in the comments section below…
Uttam & Amrita 👋🏼👋🏼
 | A guest post by
|
I haven't gotten into passkeys yet, but I've had a lot of success using a combination of Bitwarden and Google Authenticator. I use different methods, different password lengths, a couple different phone numbers for two-factor and some other things so I don't have a single point of access.
And no, I'm not paranoid, or even overly cautious. I just sort of stumbled into the jumble over time. 😉
The security questions are easy for me as they’re associated to life events from childhood. Unless I get dementia, I’m ok. The struggle is keeping up with passwords. I make such crazy ones there’s no way I can remember them so they’re written down and kept in a hidden home safe since I don’t trust password managers.
I do change everything associated with WiFi regularly. Bad experiences forced me to do that.