"Passwordless" – A step in a more secure future?
As organizations increasingly adopt cloud strategies, traditional methods of authentication may not provide the security needed. Threat actors already know that a lot of people reuse passwords, and security teams need to consistently fight the uphill battle of password hygiene.
While passwords have a long history of use, best practices have evolved along the way. Keep reading as we break down the history of password strategies, and what has come from each milestone.
The birth of the password
In the early days of computing, passwords were primarily used to provide access to internally networked systems. Computers were often located behind closed, locked doors because they took up an entire room. There, the passwords were used to track the amount of time someone spent using the mainframe, but the key to the room was the authentication process itself.
The evolution of the authentication process
As desktop computers became the norm for business processes, passwords and authentication needed to evolve. At this point in time, passwords provided access to both a physical device and the organization’s internal networks. This is due to the fact that computers were still physically connected to the local area network (LAN) using an ethernet cable. Without wireless connectivity or the ability to access the LAN from offsite, authenticating into the device using the password operated as a secure connection.
The internet (and the cloud) changes everything
In more recent years, wireless connectivity and cloud adoption has changed everything about passwords. Passwords and authentication created new attack vectors for threat actors. With a password, they could access corporate resources from anywhere in the world.
Password strategies became increasingly complex. Now, organizations needed to establish and enforce policies including:
- Password length
- A combination of uppercase and lowercase letters
- Special characters
- Password rotation periods
With these new requirements, many people used passwords that were easy to remember, often reusing the same password across multiple locations. In doing this, they undermined the password policies’ purpose, giving threat actors a way to steal credentials or engage in dictionary attacks.
In an attempt to mitigate these new risks, organizations started to adopt multi-factor authentication (MFA), which means that users will need to use a combination of two or more of the following:
- Something they know (password)
- Something they have (token, smartphone)
- Something they are (biometrics)
Unfortunately, malicious actors are still able to find ways around these controls. For example, malicious actors often use social engineering attacks to intercept, phish, and spoof text messages. In the end, even security best practices become problematic and inherently risky.