Passwords set to become obsolete as companies take security out of our hands

As stolen passwords are the reason behind most hacks, is now the time to wave goodbye?

Of the billions of data hacks in 2018 a huge 81% were down to stolen or leaked passwords. Why? Because while technology is becoming more advanced, our ability to create effective passwords and therefore protect our data and money online is not progressing anywhere near as fast.

'123456'

In 2018, the average cost to a company for a data breach was $3.92 million (£3.39m), while the average cost per individual record was $141 (£122), according to IBM research, and yet the most common password remains the faithful stalwart ‘123456’.

In fact, analysis by the UK National Cyber Security Centre in April 2019 found that a staggering 23.2 million victims worldwide had used the simple numerical combination and come undone.

Other easily hacked passwords included the name ‘ashley’, band ‘blink182’, and Premier League football team ‘liverpool’. The classic ‘password’ had seen 3.6 million breaches.

Killing off passwords

It seems we can’t be trusted to protect ourselves online, and several tech companies are taking action to get rid of passwords altogether. After three years of talks The FIDO Alliance launched in 2012, which is an initiative by PayPal, Lenovo, Validity Sensors, Nok Nok Labs, Infineon and Agnitio to kill off the password.  

Google joined in 2013, and two years later announced its intention to remove passwords entirely from Android phones to rely on something far more personal: biometric indicators such as facial recognition and fingerprints.

Four years later, and passwords are still present on Android phone applications, but in August 2019 Google announced that Android users will be able to log into certain web services through Chrome with just their fingerprint.

Google isn’t the only one starting to do away with the humble password. In late 2018 using FIDO technology Microsoft created Windows Hello, a biometric log-in system for the Microsoft Edge browser, so that users could log into Microsoft products such as Outlook and Skype without using a password.

It makes sense: most of us have been using a touch entry to our iPhones since 2013, and modern-day passports have chips that enable you to be identified by facial biometric authentication as another level of security. But this is the first time that fingerprints will be able to unlock accounts in a web browser, without any password at all.

How to protect your accounts

Despite these developments it’s not quite there yet. The fingerprint unlocking only works for certain, selected programmes, and it will be years before biometrics replace every instance of a password. 

With the average person having 200 internet accounts that need passwords, according to research by ESET, it’s not surprising we try to keep things simple and memorable. In fact, despite 91% of people knowing they shouldn’t use the same password for multiple accounts, 59% still do, at both home and at work.

So in the meantime the advice from experts is to use a password manager such as 1Password or LastPass, where a system creates complex, unique passwords for you, and you don’t even have to remember them. This doesn’t ensure complete protection – at work someone else’s weak password could put the whole database at risk – but it’s the best way to protect yourself.

If you’re worried you might have been hacked for your basic password, check your email and passwords at haveibeenpwned.com, a site set up by Microsoft regional director Troy Hunt to index email addresses and passwords that have been seen in breaches.