homepage logo

Tech Matters: The evolution of good passwords may be no passwords at all

By Leslie Meredith - Special to the Standard-Examiner | May 11, 2022

Photo supplied

Leslie Meredith

Did you celebrate World Password Day last week? While this holiday may have crossed under your radar, 2022 brings some real news about passwords. In fact, next year we may celebrate the fall of passwords altogether.

Apple, Google and Microsoft announced on World Password Day that they are in the process of turning to passwordless sign-ins for accessing websites and apps across their devices and platforms. The companies announced their joint support for a system created by the FIDO Alliance and the World Wide Web Consortium in a press release last Thursday and said that the new sign-in mechanism will allow for “faster, easier, and more secure sign-ins.”

How will it work? Google outlined the solution in its Safety & Security blog. When you sign into a website or app on your phone, you will simply unlock your phone; your account won’t need a password anymore. Instead, your phone will store a FIDO credential called a passkey which is used to unlock your online account. The passkey is only shown to your online account when you unlock your phone. This system adds an additional level of security by linking logins directly to devices instead of sending data and authenticating identity through remote servers, eliminating the risk of a data breach on those servers.

To sign into a website on your computer, you will need your phone nearby and you’ll be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again. Even if you lose your phone, your passkeys will sync to your new phone from cloud backup, allowing you to pick up where your old device left off. The new sign-in should start rolling out next year. Of course, those without a smartphone will still have to use a password, so don’t expect passwords to disappear overnight.

In the meantime, it is interesting to take a look at how password safety has evolved in parallel with advances in technology. “Ten years ago, a six-character password like ‘Be4r$1’ would have taken a hacker’s tool about 93 years to break,” security firm Trustwave said. “However, now that same password can be figured out in about five seconds due to the availability of faster and more advanced processing speeds and the switch from utilizing central processing units (CPU) to graphics processing units (GPUs) to decipher passwords.”

The strength of today’s passwords relies on a balance of password length and complexity. Organizations and individuals struggle with getting the balance right. As we all know, a long and nonsensical password can be extremely difficult to remember, causing frustration every time a user is locked out of an account. (And that’s why we have so many people using and reusing passwords that are both easy to remember and easy for hackers to crack.)

But you can come up with a password that is long and not found in common hacking programs. For instance, ‘iHatemyc0mpanyspasswords*’ is easy to remember. To create something similar for yourself, think of a phrase and then capitalize a letter or two, substitute a number for a letter like zero for “o” or 3 for “e” and add a special character. To test the strength of your new password, you can test it with Security.org’s password strength tool at https://www.security.org/how-secure-is-my-password/. Because the standards for password strength change over time, it’s a good idea to bookmark this tool and periodically retest your passwords.

Here are general tips to keep in mind when thinking up a new password:

  • Aim for at least 10 characters and add complexity by using symbols, numbers and mixing uppercase and lowercase.
  • Use passphrases, which can be easy to remember as described in the example above.
  • Change passwords about every two to three months to help stay ahead of hackers’ advances.
  • Don’t repeat the same password for different accounts, and don’t use tiny variations of the same password. Why? Because if one gets hacked, the others will be far easier to crack. This can be tough if you are active online, but you can keep track of your passwords on a note on your computer, your phone or on a simple piece of paper.
  • For organizations, IT personnel should incorporate a technique called salt and hash that uses randoms bits of data in stored passwords.
  • IT should also audit employee passwords to make sure they meet security standards.

Leslie Meredith has been writing about technology for more than a decade. As a mom of four, value, usefulness, and online safety take priority. Have a question? Email Leslie at asklesliemeredith@gmail.com.


Join thousands already receiving our daily newsletter.

I'm interested in (please check all that apply)