The “death of the password” has been announced for years now, but passwords are still around. Why? Passwords are convenient and make sense to people. With the growing use of the Internet for storing and processing sensitive information, data security has become increasingly important, and passwords are a simple way to help achieve it.
Alternatives to passwords exist, like biometric authentication and other schemes, but they’re often either buggy (there’s at least one news story a year about someone breaking facial or fingerprint recognition on a smartphone) or they don’t “make sense” to the average person, so we don’t use them. We’re trying to move away from passwords to the “next level” of account security, but we’re just not there yet.
The State of the Password
Password usage is already massive and still growing. Pretty much everyone uses the Internet, and most places that you want to visit on the Internet want you to register an account with them so that they can track your usage and have your email address on file for sending “useful deals” and other spam. Most of these sites use passwords for security because passwords simply work. Setting up a password verification system is pretty simple and doesn’t require the level of fine-tuning and management that biometric and other systems need.
The issue with passwords is that they’re not very secure. For starters, there’s the issue of password reuse. You’ve probably registered dozens of different accounts across the Internet, but how many unique passwords do you really have? According to a survey by LogMeIn, about 95% of people know that password reuse is a bad idea but 59% do it anyway.
And that’s not even considering the dangers associated with weak passwords. Every year, numerous organizations publish a top ten list of the most commonly used passwords included in data breaches, and at the top of the list are always passwords like 123456 and qwerty. Many hackers don’t bother with finding and exploiting zero-day vulnerabilities anymore when it’s so easy to guess passwords or get users to click on a phishing link.
How Hackers Break Your Password
Password cracking has been around for a while now. In the beginning, the password system itself was one of the weak points in password security, especially on Windows systems. The design of the password management system allowed hackers to break passwords into smaller chunks and either attack them in real time or build dictionaries that matched passwords to their encoded representations stored on a computer. If a match was found, the hacker was in.
Since then, things have improved. Password systems are now designed well enough that we, the humans, are the weakest link. A well-designed and well-managed password (i.e. not taped to the underside of your keyboard or stored in a note on your computer or smartphone) can take years to crack, and many hackers don’t have the time or the patience for that. As a result, hackers primarily target the low-hanging fruit: the passwords that can be guessed.
The massive number of password breaches in recent years has given hackers a lot of data to work with. These datasets are often for sale very cheaply, letting hackers easily build up massive dictionaries of commonly used passwords. Odds are, you’ve been involved in at least one known data breach, which may or may not have included leaked password information. If you’re lucky, it’s the encoded version, which means that the hacker has to crack it first (how confident are you that it can’t be guessed?). If not, it’s out in plaintext for anyone to see.
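The last three paragraphs turn on how the “encoded representation” is built: if a site stores one fast, unsalted hash per password, a single precomputed dictionary of hash-to-password pairs matches every leaked database at once, which is why leaked hashes are only a speed bump. The example below is added here and is not code from the article; it shows the weak design next to the one a defender should ship, a per-user random salt and a slow key derivation (PBKDF2-HMAC-SHA256 via Python’s standard library), with constant-time verification. The iteration count is an assumption (a commonly cited 2023 OWASP figure) and should be tuned to the server’s hardware.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: PBKDF2-HMAC-SHA256 with a 16-byte random salt per record.
# 600_000 iterations is a commonly cited 2023 OWASP figure, not a value
# from the article; raise it as hardware allows.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """The weak design: one fast, unsalted hash of the password.

    Every user with the same password gets the same digest, so one
    precomputed dictionary of digest -> password covers all of them.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Build a storable record of the form algorithm$iterations$salt$key."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every record
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_b64, key_b64 = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record never verifies
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def same_password_same_digest(password: str) -> Tuple[bool, bool]:
    """Return (unsalted digests collide, salted records collide).

    The first is always True, which is what makes a leaked unsalted
    database dictionary-friendly; the second is False because each
    record carries its own salt, so a guess has to be recomputed per user.
    """
    unsalted_collide = unsalted_digest(password) == unsalted_digest(password)
    salted_collide = hash_password(password) == hash_password(password)
    return unsalted_collide, salted_collide


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("collisions (unsalted, salted):", same_password_same_digest("123456"))
```

The salt does nothing to stop a guess against one specific user whose password is “123456”; it only removes the shortcut of attacking every leaked record with one shared dictionary, and the iteration count is what makes each guess expensive. Both measures are invisible to the user, which is why they belong on the server rather than in user-facing password rules.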
Once a hacker has a list of common passwords (or “dictionary”), they take advantage of the fact that 59% (or more) of the population has that bad habit of reusing passwords. They might try your email address (the most common type of username) with all of your breached passwords against a list of common websites (Amazon, Netflix, large banks, etc.), or they’ll try a bunch of common passwords with your email address in the hope of a match (those passwords are called “common” for a reason). This “credential stuffing” attack may be simple, but it works.
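Credential stuffing leaves a recognisable footprint in authentication logs: one source trying many different usernames in a short window, almost all of them failing, with the occasional success when a reused password lands. The detection below is an added example, not code from the article; the log format (`timestamp src=... user=... result=OK|FAIL`), the sample lines and the thresholds are all constructed for illustration, and the source addresses come from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample of authentication log lines (not from the article).
# 198.51.100.20 is a user who mistypes once; 203.0.113.7 walks a list of
# leaked accounts and gets one hit.
SAMPLE_LOG: List[str] = """
2024-03-01T10:00:01Z src=198.51.100.20 user=alice@example.com result=FAIL
2024-03-01T10:00:09Z src=198.51.100.20 user=alice@example.com result=OK
2024-03-01T10:00:12Z src=203.0.113.7 user=alice@example.com result=FAIL
2024-03-01T10:00:13Z src=203.0.113.7 user=bob@example.com result=FAIL
2024-03-01T10:00:14Z src=203.0.113.7 user=carol@example.com result=FAIL
2024-03-01T10:00:15Z src=203.0.113.7 user=dave@example.com result=OK
2024-03-01T10:00:16Z src=203.0.113.7 user=erin@example.com result=FAIL
2024-03-01T10:00:17Z src=203.0.113.7 user=frank@example.com result=FAIL
2024-03-01T10:00:40Z src=198.51.100.21 user=bob@example.com result=OK
""".strip().splitlines()

# Assumed line format; a real log shipper would use its own parser.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_auth_line(line: str) -> Optional[dict]:
    """Return a parsed event, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_stuffing_sources(lines: List[str],
                          window: timedelta = timedelta(minutes=5),
                          min_distinct_users: int = 5,
                          min_fail_ratio: float = 0.8) -> Dict[str, dict]:
    """Flag sources that hit many distinct accounts with mostly failures.

    For each source, a window slides over its events in time order; the
    window with the most distinct usernames that also meets the failure
    ratio is reported. Thresholds are illustrative assumptions.
    """
    by_src: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        event = parse_auth_line(line)
        if event is not None:
            by_src[event["src"]].append(event)

    flagged: Dict[str, dict] = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best: Optional[dict] = None
        for i, start in enumerate(events):
            j = i
            while j < len(events) and events[j]["ts"] - start["ts"] <= window:
                j += 1
            win = events[i:j]
            users = {e["user"] for e in win}
            failures = sum(1 for e in win if e["result"] == "FAIL")
            if len(users) >= min_distinct_users and failures / len(win) >= min_fail_ratio:
                summary = {
                    "attempts": len(win),
                    "failures": failures,
                    "successes": len(win) - failures,
                    "distinct_users": len(users),
                    "window_start": start["ts"].isoformat(),
                }
                if best is None or summary["distinct_users"] > best["distinct_users"]:
                    best = summary
        if best is not None:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, summary in find_stuffing_sources(SAMPLE_LOG).items():
        print(src, summary)
```

Two caveats a practitioner will want: a per-source threshold only catches the clumsy version, since stuffing spread across many addresses at a low rate stays under it, so the same logic should also be run per account and per password-hash-independent signal such as user agent; and the success inside a flagged window (dave’s login above) is the event worth paging on, because it is the account that was just taken over.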
To make things worse, hackers are innovating to streamline the process of breaking into your online account. A new tool called Forge is designed to automate most of the work of password cracking, including organizing dictionaries and managing computational resources. This frees up the hacker to focus their efforts on spending your money or setting up a spambot using your social media accounts.
Keeping Your Accounts Secure
Despite all of the advances in how account security can be managed, it looks like passwords are going to stick around for a while. From a personal perspective, it’s important to take the basic security steps of using a password manager (with unique passwords for all accounts) and enabling multi-factor authentication wherever it is offered.
The issues around password security also affect businesses, making a data security solution an important part of an organization’s cybersecurity plan. If you can’t trust that only legitimate employees have passwords to your critical systems, you need tools capable of monitoring user behaviour and identifying the anomalies that differentiate between an intruder on your system and an employee performing authorized actions for their job.