Passwords as we know them are dying, here's what will take their place

Weak passwords offer many hackers an entry point into enterprises. Here's what the future of security will look like.

As employees remain the no. 1 cause of company data breaches, it's key for security leaders to look to a common digital entry point for hackers: Passwords.

When examining organizations that had been compromised, 100% of the time a password was leveraged at some point in the malicious campaign, according to Chad Holmes, chief technology, innovation and strategy officer for EY's cybersecurity practice.

"Whether in the initial compromise or down the stream of the killchain, there was always some use of a password in the attack landscape," Holmes said.

Passwords represent a critical vulnerability to most organizations today, Holmes said. "Unfortunately, most of the breaches we see in the news come down to basic security hygiene," he added. "We want to talk about nation states and major threat campaigns, but a lot of it comes down to tackling Security 101 that we're seeing companies still missing."

With this being the case, it's likely that passwords as we currently know them—a string of letters, numbers and special characters—will fall by the wayside in the next three to five years, Holmes said.

Long term, "the terminology around 'password' may not disappear, but the tools and techniques organizations leverage will go away from the concept of a user creating some static password that changes in 30 days, because it's honestly not effective," he added.

We're already seeing the shift in action with the use of biometrics and facial recognition on smartphones and other devices, Holmes said. Users also use those credentials for accessing bank accounts and making payments via mobile devices.

"Passwords become a huge authentication source—we're seeing them become the cornerstone of how organizations are functioning tracking identities," Holmes said. "The identity is the new perimeter for most organizations—not firewalls or clouds. The identity is what they have to track."

Many startups have sprung up in the authentication realm, offering solutions based on both newer and older security techniques.

Hardware authentication devices were in vogue for some time, but often became challenging because employees lost the hardware tokens needed, Holmes said. Most companies moved to software authentication in a variety of different forms, including biometrics and facial recognition scanners.

"Now we're seeing it come full circle back to some level of hardware for a true authentication source, because software is easier to compromise," Holmes said. For example, some companies are building a core piece of the authentication cycle into a chip in different types of devices.

"Especially in the day of IoT when everyone has four devices, authentication needs to be more seamless from the end user perspective," Holmes said. "At the end of the day it needs to be something individual, something a person has on them, and something unique to make sure they can authenticate that the corporate environment knows about."

Market adoption rates will determine how quickly static passwords go out of style, Holmes said. "What will keep the password around is legacy organizations, and those whose maturity level is not where it should be to adopt emerging technology," he added. "So full market replacement of passwords will take a good long time."

And as TechRepublic's Jack Wallen noted, end users tend to be resistant to change, and to desire simplicity when accessing systems and data. Perhaps that's why in 2015, the most popular passwords were "123456" and "password," he wrote.

Best practices

In the meantime, several traditional password best practices have recently been changed. Bill Burr, who originally published password standards as we know them, recently said that many of the password rules he came up with were actually not that helpful. For example, the requirement of using a letter, a number, an uppercase, and a special character isn't useful, and neither is the recommendation of changing your password every 90 days.

Instead, long, easy-to-remember phrases make the best passwords, Burr said. It is also recommended that users only be required to change their password if a breach has been suspected or confirmed.

Holmes also recommends using multi-authentication techniques. "Most of the compromises I work on, if they were using multi-authentication sign-in processes, they wouldn't have gotten breached as widespread as they did," he said.

Businesses should also implement stronger password requirements depending on the criticality of the system, Holmes said. "Don't let users use a standard login to login to critical systems," he added. "There should be passwords that are checked out and checked back in and constantly changed."

Finally, ongoing employee training around cyber hygiene and best practices is also key, Holmes said.