There’s a lot to hate about passwords. Good ones can be hard to remember. They’re often a pain to reset. And even when we do everything right, they can still be cracked by cybercriminals.
The use of passwords dates back to antiquity, but cybersecurity experts have long pushed for their elimination. In the days of ancient Rome, that might have been an impossible task, but with the help of modern technology, they say, humanity has the potential to move beyond passwords and into a world of easier, more secure authentication methods.
That may be more easily said than done, but what better occasion to push for the elimination of the password than World Password Day, which falls on May 2. It’s a totally made-up celebration created by Intel back in 2013. Traditionally, it’s intended as a reminder to take a close look at your logins and make sure they check the required security boxes.
Passwords have long endured because on the surface, they seem simple and everyone online today knows how to use them. On top of that, there just hasn’t been a scalable alternative to them.
But that’s changing. Both businesses and consumers now usually have the option of logging into their devices with biometric indicators, physical keys, authentication apps and now passkeys.
Passkeys, which replace passwords with cryptographic keys, are built on protocols and standards created by the FIDO Alliance. Apple rolled them out as part of iOS 16 in 2022, and Google introduced support for them on all major platforms last year. Proponents say passkeys offer a better user experience than passwords, while eliminating the risks of weak, reused and compromised passwords, not to mention phishing attacks.
Most importantly, passkeys take on the security burden that was previously shouldered by users, said Anna Pobletts, head of “Passwordless” operations for 1Password, a leading password-manager provider that supports passkeys.
With traditional passwords, it’s usually on the user to create them and remember them, she said. Conversely, with passkeys, those requirements are directly built into the technology.
“There’s no burden on the user to say, ‘Did I make a good passkey? Did I make the right one? Did I use it in the right place?’ It all just happens automatically,” Pobletts said.
And while cybercriminals will undoubtedly try to target passkeys with attacks, just as they have with passwords, they won’t be able to do it on the same massive scale, she said.
In a Thursday blog post, Google said improving authentication technology continues to be a key part of its efforts to boost overall security, adding that passkeys have so far been used to authenticate users more than one billion times over 400 million Google accounts.
“This work is more important than ever amid a global election year, growing cyber threats and the rise of technology like AI,” Google said in its blog post.
The tech giant also said that it has launched broad support for passkeys in Chrome and Android in order to help developers bake the technology into their apps. Companies including Amazon, Dashlane, Docusign, Kayak, Mercari and Shopify have all added support for passkeys over the past 12 months, Google said.
But that’s not yet true for every app or website, so passkeys aren’t the answer to all of your password woes, at least not yet. In the meantime, password managers can help by remembering long strings of characters for you while keeping them safe.
And a little effort can go a long way toward making your passwords great ones and keeping your data safe. Here are some tips for doing just that.
Tips for good passwords
Longer is better. At least 16 characters is best. At that point, you don’t have to worry so much about password-cracking software. Random sequences of characters are best, but passphrases, such as a combination of three unrelated words, will be OK in most circumstances. Throwing in a special character, such as symbols or punctuation marks, in the middle won’t hurt.
Remember: If you use a passphrase, make sure the words only have meaning to you and don’t signify anything important. “Red Sox Rule” might be a great way to show your loyalty to the team, but it isn’t a terribly secure passphrase. Don’t use your birthday or another significant personal date because cybercriminals can find them easily. Song titles and famous quotations are also bad ideas. Avoid cliche substitutions, such as using @ for “at” or “a,” and $ for the “s.”
Resist the temptation to recycle. Even the best passwords can be stolen and compromised. So limit the fallout by making sure you set unique passwords for all of your accounts. Sure, that could be a lot to handle since we’re recommending 16-character or longer pass phrases.
As mentioned before, if you need help, sign up for a password manager. Both free and paid options are available. Many internet browsers can also help you out with this task, though they don’t always work across your various devices.
Change can be good. Most experts now say that you don’t actually need to change your passwords on a regular basis. But they all agree that you should change them right away at any hint of compromise.
Keep your details off social media. The more personal details you post, the more cybercriminals know about you. Those little, seemingly unimportant, bits of data could be used to crack your passwords.
While you’re at it, stay away from quizzes you see posted on Facebook that ask a series of seemingly harmless questions in order to tell you what city you should live in or what your ideal vacation spot would be. Sure, they’re fun, but they might be collecting personal information that could be used to crack your passwords down the road.
Always, always use 2FA. If your password does get compromised, a second layer of protection will go a long way toward protecting you. Two-factor authentication, also called multifactor authentication, is being used by a growing number of sites and requires someone trying to access your account to also enter a second form of ID.
It could be a code generated by an app, a biometric like a fingerprint or facial scan, or a physical security key that you insert into your device. Yes, that will slow you down as you access the account. But it’s worth it to keep your account safe. If 2FA is available, use it.
One word of warning: If you can, avoid 2FA systems that text a code to your smartphone. SIM swapping, a scam in which a cybercriminal takes over your phone number, is on the rise. If a criminal takes over your phone number, they’ll get your 2FA text message, too.