The Problem with Passwords
Most of us use passwords daily to log into everything from online banking to social media accounts. However, it has become increasingly clear that passwords are a significant cybersecurity risk—not only for individuals but also for businesses, government agencies and other organizations. Just one compromised password can jeopardize an entire organization, giving cyber attackers inside access to sensitive data, systems and applications. In fact, a study of confirmed data breaches by LastPass estimates that more than 80% can be attributed to weak, reused or stolen passwords.
Passwords can be compromised in several ways.
- Guessing: Complex passwords are hard to remember and type, so many people still use passwords that are too short, too common and too easy to guess. The most commonly used passwords globally are 12345, 123456, 123456789, qwerty and password. Other common passwords include birthdates, pet names, children’s names, and street names—information that is easily found or guessed.
- Brute force attacks: Short passwords based on variations of common words and phrases are also highly vulnerable to hacking and brute force attacks. These attacks use software (easily available on the dark web) to test possible user name and password combinations by trial and error. Using brute force methods, most human-generated passwords can be cracked in seconds or minutes.
- Malware: Malware such as keyloggers, spyware and credential harvesters can capture passwords as they are entered or find stored or cached passwords on the device. Malware typically exploits security vulnerabilities or tricks users into installing it. Once active, it can operate in the background without the user’s knowledge, capturing and sending password data to cybercriminals.
- Password purchasing: An increasingly popular way for cybercriminals to acquire passwords is to simply buy them online. In 2022, researchers for SpyCloud found more than 721.5 million exposed credentials available online, many of them harvested via malware or exposed during large data breaches.
- Credential stuffing: Because most people reuse passwords across multiple applications, exposed passwords also leave individuals and organizations vulnerable to credential stuffing attacks, in which criminals test stolen credentials against other sites and applications to see if they work.
- Phishing: Phishing attacks have gotten increasingly sophisticated, with many attacks targeting specific organizations or even individuals within an organization (a technique known as “spear phishing”). Phishing remains one of the most common forms of cyberattack, tricking people into entering their credentials on fake login screens or otherwise providing them to hackers. Attackers may use social engineering tactics to manipulate individuals into disclosing their passwords, often by posing as trustworthy entities.
In addition to these security concerns, passwords are difficult and time-consuming to manage for both users and IT departments. Users following good security practices must remember and manage multiple complex passwords throughout the day, leading to “password fatigue” and forgotten passwords. It is also time-consuming for employees to enter passwords on various devices. Password managers can help, but do not address all the security issues outlined above. Resetting systems, helping users with lost passwords, and responding to potential or actual password breaches can require significant time from the IT department, too.
Strengthening Authentication Security with RFID and Mobile Credentialing
The best way to solve the password problem may be to get rid of passwords completely. Organizations now have better alternatives for user authentication and single sign-on (SSO) to business systems, including RFID cards and smartphone credentialing systems using BLE or NFC.
With RFID or mobile credentialing, users no longer have to remember or type in a password to log into a system, device or application. Instead, they simply wave their card, token or smartphone near a connected or integrated RFID reader for fast, contactless and password-less authentication. These user authentication methods are easier for both users and IT—there are no passwords to remember or reset, and the access credential can be easily managed via a centralized system if a card or phone is lost or stolen or access levels need to be changed. Usually, users can use the same card or mobile credential they use for facility access to log on to digital devices and applications.
User authentication via mobile credentialing or RFID card is highly secure and reliable, solving the most common security issues with passwords. Users aren’t entering or storing a password on the system, so phishing and malware attacks are ineffective. Encrypted RFID or mobile credentials are also highly difficult to hack or clone. For even higher levels of security, RFID or mobile credentials can be combined with a password or biometric system for multifactor authentication.
Password-less authentication systems can help organizations meet emerging cybersecurity standards and guidelines, such as the NIS2 Directive in Europe and the NIST Cybersecurity Framework 2.0 in the US. Organizations are under increasing regulatory pressure to shore up cybersecurity to protect sensitive data and prevent system breaches that could interrupt operations. This is especially critical for government agencies and other organizations involved in defense, public safety, and critical industries such as energy and utilities, transportation, financial services, agriculture and food distribution, healthcare, telecommunications, manufacturing, and others. User authentication standards are an essential component of all cybersecurity regulatory frameworks.
By strengthening user authentication, organizations increase security levels for the entire enterprise and protect people, assets and data. A secure, reliable authentication system based on RFID or mobile credentialing will help companies and agencies comply with emerging regulatory requirements and prepare for the future of cybersecurity.