360 Million Reasons to Destroy All Passwords


In the last week alone, login credentials for over 500 million online accounts were put up for sale by hackers. This included 360 million Myspace accounts, 117 million LinkedIn accounts, and 65 million Tumblr accounts, according to renowned security researcher Troy Hunt.

Let that sink in for a moment. The private login information for over half a billion real people is now available to the highest bidder on the dark web. And those are just the breaches from the last seven days that we know about.

Passwords are a Major Liability

The Myspace, LinkedIn, and Tumblr incidents underscore a hard truth – passwords are more trouble than they're worth. Not only are passwords a huge inconvenience for users, they actually make us less secure online.

The average internet user has 90 online accounts according to a study by Dashlane. Ideally, each of those accounts would use a unique, randomly generated password. But in reality, 59% of people reuse the same passwords across multiple sites because remembering 90 distinct passwords is nearly impossible.

Password reuse means that when one website gets breached, hackers can use those same login credentials to break into the user's other accounts. The Myspace hacker, for instance, told Motherboard that they intend to "use the data to break into other sites like Facebook."

There have already been numerous cases of hackers "credential stuffing" – trying breached username and password combinations en masse on other popular websites. When Dropbox forced a password reset for 68 million accounts in 2016, the company said "The reset was purely a preventative measure, as we have no indication that your account was improperly accessed. We're doing this purely as a precaution due to other websites being breached."

Even so-called "strong" passwords are vulnerable to brute force attacks. The math here is staggering – a 7-character password using upper and lowercase letters has 3,521,614,606,208 permutations. But a dedicated attacker with an off-the-shelf GPU can check over 500,000,000 passwords per second. At that rate, cracking a 7-character password takes just 7 seconds.

The most common advice is to create long, complex passwords with a mix of character types. Complexity does increase the difficulty of brute forcing – a 12-character password with upper and lowercase letters, numbers, and symbols has 475,920,314,814,253,376,475,136 possible combinations and would take over 30,000 years to crack at 500 million attempts per second.

But no human can memorize a unique 12+ character complex password for 90 different accounts. Password managers like LastPass and 1Password solve this problem by generating and storing complex passwords, protected by a single master password. However, the master password becomes a single point of failure – if it's compromised, so are all the account credentials stored in the password manager.

Passwords Don't Actually Protect Accounts

Here's the painful irony: passwords don't really matter. Even if a hacker doesn't know your password, they can still easily break into your account as long as they have access to your email or phone number.

Whenever you click the "Forgot Password" button on a website, it typically offers to email you a link to reset your password or text you a one-time code. As long as you can access the email inbox or phone number associated with the account, you can log in without knowing the original password.

This account recovery flow is so ubiquitous that it has become the de facto way for hackers to break into accounts. The most high-profile example is the 2014 iCloud hack of celebrity photos. As Wired reported, "Apple's ‘Find My iPhone’ feature and some clever social engineering of Apple tech support by the hackers allowed hackers to brute-force their way into the iCloud backup and access the photos."

In other words, your email and phone number are the skeleton keys that unlock all your online accounts. If a hacker gains access to either of those, they can go to any website you use, click the "Forgot Password" button, and change your password to whatever they want.

The common solution is to enable two-factor authentication (2FA) using SMS. However, this simply shifts the single point of failure from your email to your phone number. Hackers can exploit well-known weaknesses in the SS7 protocol used by cellular networks to intercept text messages, or socially engineer a phone carrier's customer support to transfer your phone number to a SIM card they control.

Websites Already Support Passwordless Login

The ubiquity of "Forgot Password" account recovery reveals an important truth – every major website already supports passwordless authentication. They just force you to set a new password at the end of the process.

But from a security and user experience perspective, the password is unnecessary. The website has already verified your identity by confirming you have access to the email address associated with the account. Forcing users to choose and remember yet another password accomplishes nothing.

It's time for websites to fully embrace passwordless login. Here's how it works:

  1. You enter your email address on the website's login page
  2. The website emails you a "magic link" that automatically logs you in when clicked
  3. You click the link and you're logged in – no password required

This process is more secure than passwords because it's not vulnerable to credential stuffing and reuse. Each magic link is a one-time, account-specific URL that only works for a limited time.

It's also far more convenient for users. No more trying to remember which of your 5 go-to passwords you used on a particular site. No more frustrating password reset flows where you struggle to come up with yet another "secure" password that meets the website's complex requirements.

Many well-known sites have already moved to magic link login, including Slack and Medium. Slack's magic links expire after 30 minutes and can only be used once. Medium's links include a unique token that is validated on the back-end.
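The flow just described, with the 30-minute expiry and single-use behaviour the post attributes to Slack and the back-end token validation it attributes to Medium, as an added Go example that is not code from Slack, Medium or the original post. The base URL and addresses are constructed, and storing only a SHA-256 of each token (so a leaked table of pending links yields no working logins) is this example's own choice.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"time"
)

// LinkTTL matches the 30-minute lifetime the post reports for Slack's links.
const LinkTTL = 30 * time.Minute

type pending struct {
	email     string
	expiresAt time.Time
}

// MagicLinks issues and redeems one-time, account-bound login links. Only the
// SHA-256 of each token is stored, so a leaked table of pending links yields no working logins.
type MagicLinks struct {
	BaseURL string
	Now     func() time.Time // injectable clock so expiry can be tested
	store   map[[32]byte]pending
}

func NewMagicLinks(baseURL string) *MagicLinks {
	return &MagicLinks{BaseURL: baseURL, Now: time.Now, store: map[[32]byte]pending{}}
}

// Issue creates a fresh 256-bit token for the account and returns the link to email; the token itself is never stored.
func (m *MagicLinks) Issue(email string) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token := base64.RawURLEncoding.EncodeToString(raw) // URL-safe alphabet, no escaping needed
	m.store[sha256.Sum256([]byte(token))] = pending{email, m.Now().Add(LinkTTL)}
	return m.BaseURL + "?token=" + token, nil
}

// Redeem returns the account for a valid token. The entry is consumed on every lookup, so a link works exactly once.
func (m *MagicLinks) Redeem(token string) (email string, ok bool) {
	key := sha256.Sum256([]byte(token))
	p, found := m.store[key]
	delete(m.store, key) // consume the entry whether or not it turns out to be valid
	if !found || m.Now().After(p.expiresAt) {
		return "", false
	}
	return p.email, true
}
```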

Hardware Security Keys Offer Even Stronger Passwordless Auth

While email magic links are a big improvement over passwords, they still have a few drawbacks. Users need to have access to their email, and if a user's email account is compromised, so are all their magic link logins. There's also no easy way to sign out of a device remotely if it's lost or stolen.

Hardware security keys offer an even stronger form of passwordless authentication. A security key is a physical device, typically connected via USB or NFC, that stores a private key used for public-key cryptography.

When logging into a website, you plug in the security key and press a button on the device. This signs a cryptographic challenge with the private key, which the website verifies with the corresponding public key. The website knows it's you logging in because you physically possess the security key containing the correct private key.

Security keys provide the strongest level of authentication because they're impossible to phish or intercept, unlike codes sent via email or SMS. They also enable easy device management – if you lose your security key, you can revoke it and register a new one.

Google has been a pioneer in security key authentication. In 2017, the company announced that requiring security keys for employee logins had completely eliminated phishing attacks. In 2018, Google released the Titan Security Key, a hardware key using the FIDO U2F standard, to the public. Other companies like Yubico sell FIDO-compliant keys as well.
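The challenge-response described above (plug in the key, press the button, the site verifies with the stored public key) as an added Go example that is not code from the original post or from Google, Yubico or the FIDO specifications. It goes one step beyond the text by hashing the origin into the signed data, which is how FIDO keys resist phishing; the byte layout and the P-256 ECDSA choice are simplifications, not the U2F or WebAuthn wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator stands in for the security key: the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Register generates the key pair on the device; the website stores only the public half.
func Register() (*Authenticator, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // entropy source failure; nothing sensible to do but abort
	}
	return &Authenticator{priv}, &priv.PublicKey
}

// NewChallenge is the site's first move: 32 fresh random bytes per login attempt.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read does not return an error on Go 1.24+; check it on older toolchains
	return c
}

// signedDigest is what the key signs: the origin the browser saw plus the site's
// challenge. Binding the origin is what defeats a look-alike site relaying the challenge.
func signedDigest(origin string, challenge []byte) []byte {
	originHash := sha256.Sum256([]byte(origin))
	d := sha256.Sum256(append(originHash[:], challenge...))
	return d[:]
}

// Assert is the "press the button" step: sign the challenge for the origin the browser reports.
func (a *Authenticator) Assert(origin string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(origin, challenge))
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify is the website's check: the stored public key, its OWN origin, and the challenge it issued.
func Verify(pub *ecdsa.PublicKey, origin string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, signedDigest(origin, challenge), sig)
}
```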

The Benefits of Going Passwordless

Eliminating passwords has massive benefits for both users and businesses. For users, it means no more remembering complex passwords, no more frustrating resets, and a much lower risk of account breaches.

Passwordless logins are a win for businesses too. The average help desk labor cost for a single password reset is about $70, according to Forrester Research. Large US companies allocate over $1 million per year for password-related support costs.

Businesses also face increased security risks and reputation damage from password breaches. The total cost of cybercrime is expected to exceed $6 trillion by 2021, with 81% of breaches due to weak or reused passwords according to the Verizon Data Breach Investigations Report.

Momentum is Building for a Passwordless Future

The movement to eliminate passwords is quickly gaining steam. Microsoft recently announced that it is banning passwords that appear on breach lists, as it did previously for common passwords like "123456." While a step in the right direction, this highlights the core problem with passwords – new breaches mean new banned password lists and more friction for users.

Apple is taking a more aggressive approach, announcing passwordless login via Face ID or Touch ID as a flagship feature of iOS 14 and macOS 11 in June. "Users will be able to log in to websites and apps using Face ID and Touch ID, without having to enter a password," the company said.

The Web Authentication API, which enables passwordless flows, is now supported by all major browsers including Chrome, Firefox, Edge, and Safari. And major tech companies like Google, Mozilla, Microsoft, and Amazon have formed the FIDO Alliance to collaborate on open standards for passwordless authentication.

Innovative startups are also working to eliminate passwords. Beyond Identity, for example, replaces passwords with asymmetric-key cryptography and X.509 certificates. Their zero-trust solution ensures only authorized users and devices can access applications and resources.

Destroy All Passwords

360 million leaked Myspace credentials is 360 million reasons to destroy all passwords. Websites have a responsibility to their users and to the internet at large to move beyond the outdated and insecure password model.

Eliminating passwords will make the web both more secure and more user-friendly. When a website gets breached, users won't have to worry about changing passwords or hackers accessing their other accounts. Logging in will be as easy as clicking an emailed link or plugging in a security key – no password memorization required.

The average person spends 11 hours per year typing and resetting passwords according to a study by HYPR. In the US alone, that adds up to over 1.3 billion wasted hours annually. Not to mention the billions of dollars in productivity losses and customer support costs for companies.

Passwords are a relic of a bygone era in computing. It's time we relegate them to the dustbin of history and embrace a more secure, convenient passwordless future. The question is not if passwords will become extinct, but when. The sooner the better for the safety and sanity of internet users everywhere.

The good news is that the transition to passwordless is not a heavy lift for most websites. The infrastructure for email magic link logins already exists in the "Forgot Password" flows that every site supports. Passwordless hardware security keys are based on open standards like FIDO U2F and WebAuthn with broad support across operating systems and browsers.

There's no need to wait for a complex identity federation protocol to emerge. Any website can go passwordless today with minimal effort. The first companies to fully embrace passwordless authentication will have a massive competitive advantage in the form of happier users, lower support costs, and a nearly impenetrable security posture.

Passwords had a good 50+ year run. But like all aging technologies, their weaknesses have been exposed by the challenges of the modern world. The future of authentication is passwordless – more secure and more convenient for everyone. It's up to tech leaders to destroy passwords before they destroy us.
