Back in 2004 at the RSA Security Conference, Bill Gates was campaigning for the replacement of the password by two-factor authentication or some other secure mechanism.
In 2012, the Trustwave 2012 Global Security Report indicated that 80% (four out of five) of security incidents were linked to the use of weak administrative passwords. In 2016, the aftermath of the breach of 500 million Yahoo accounts in 2014 was still being felt, as stolen access credentials were used to compromise other accounts for which the Yahoo account holders were using the same passwords and credentials. Why do passwords still exist?
In a word, it’s about convenience – passwords are easy (too easy) to handle and use. Even the more complicated ways of constructing passwords can be made relatively easy to use for the password owner.
For example, [email protected] is a strong (relatively secure) password that would be difficult for anyone or anything to guess. It also happens to stand for “I love to read the OpsCentre blog at midday”, if you take the first letter of each word and change “to” to 2 and “at” to @. This is easy enough to remember, if you are the person who defined it this way (don’t use this password for yourself – but keep reading the blog!).
However, if hackers can’t crack your password, they may be able to phish it out of you, or use other social engineering tricks.
Two-factor authentication takes more effort. Besides “what you know”, another factor such as “what you have” needs to be added. Key fobs and smart cards with code generators are options, but users must remember to carry them around.
On the other hand, mobile phones are widespread enough to be a standard “what you have” factor, and a secret identification code sent to one mobile phone will not normally end up on another phone. Maybe, just maybe, the mobile phone will now be enough to send the simple password into well-earned retirement.
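As an added illustration of the "what you have" code generators mentioned above (this is example code written for this page, not code from the OpsCentre blog or any product it names): the scheme most key fobs and authenticator apps use is HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238). The block below implements the generator and the server-side check a verifier needs: a small window to tolerate clock drift, a constant-time comparison, and rejection of a code that was already accepted. The key is the published RFC 4226 test-vector secret; the 30-second step, six digits and one-step window are the common defaults and are assumptions for the demo.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the
    8-byte big-endian counter, dynamic truncation, then mod 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of
    'step'-second intervals elapsed since the Unix epoch."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, candidate: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1,
                last_used: int = -1) -> Optional[int]:
    """Server-side check. Returns the counter that matched (the caller
    stores it and passes it back as last_used next time) or None.

    - accepts the current interval plus 'window' intervals either side,
      so a fob or phone whose clock drifts slightly still works;
    - compares in constant time so timing leaks nothing about the digits;
    - refuses any counter <= last_used, so a code that was intercepted
      and already submitted once cannot be replayed inside the window.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    counter = now // step
    for delta in range(-window, window + 1):
        c = counter + delta
        if c <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c
    return None


if __name__ == "__main__":
    # Assumed shared secret: the RFC 4226 test-vector key, used here only
    # so the output can be checked against the published vectors.
    secret = b"12345678901234567890"
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    first = verify_totp(secret, code, now)
    print("first submission accepted, counter", first)
    # Submitting the same code again is rejected once last_used is stored.
    print("replay accepted?", verify_totp(secret, code, now, last_used=first))
```

Note that the replay guard only works if the verifier persists the accepted counter per user; a stateless check still passes the same code for the whole window.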