By Michael Daniel, CTA President and CEO
Today is World More Than a Password Day. Not exactly the best-known day on the global calendar, especially since the Nonprofit Cyber Coalition created it this year. Still, it’s an important concept and many organizations are devoting an entire day to promoting the idea. So, what do we mean by “more” than a password and why does it matter?
Conceptually, a password is simply a means of verification or authentication: a way to prove that you are who you say you are for purposes of online activity. The problem is that passwords are a very weak means of verification. It’s possible that they worked fine for a few weeks or so in the mid-1980s (although some security experts would probably debate this point), but they unquestionably have been insufficient to prevent malicious activity for a long time.
By themselves passwords are too vulnerable, for both psychological and technological reasons. In general, unless they put a lot of work into it, people are usually bad at developing effective passwords. The way human brains work limits how long and complex most people can make passwords, which means that other people can often guess or deduce the ones we create. Further, the cognitive load generated by having many different accounts and services that need securing tempts us to reuse passwords. Yet, this repetition means that if a bad actor gains access to a password, they can also reuse it to get access to multiple accounts. From a technological perspective, passwords can be stolen if they are improperly stored or just plain old cracked by computers rapidly trying enough combinations.
Thus, to make authentication effective, we need other mechanisms. Fortunately, over the past few decades, technologies have emerged to provide alternative mechanisms. Some of these mechanisms operate alongside passwords (like codes received through text messages), while others can replace passwords entirely (like passkeys). That’s why we are calling it “More Than a Password Day” – you can add another step to a username / password combination or employ another mechanism altogether. What all these mechanisms have in common is that they greatly strengthen the authentication process.
Strengthening the authentication process is very important because it closes off one of the main avenues malicious actors use to improperly access accounts, services, and data. While not impossible to overcome, strong authentication mechanisms pose a formidable challenge even to sophisticated actors. As a result, using more than a password dramatically reduces the risk that a bad actor can compromise an account and radically increases cybersecurity. Further, using more than just a password for authentication has become much easier as providers have worked to improve processes and technologies. In fact, some of the emerging technologies, like passkeys, are even easier to use than passwords. While the process can add some “friction” to online activities, the benefits almost always far outweigh the cost. It may not be very glitzy, but using more than a password is one of the cheapest, easiest, and most effective security measures out there.
On World More Than a Password Day, the Cyber Threat Alliance urges everyone to use some mechanism other than just a username and password to secure their accounts. You have many options available to fit your needs. It will irritate the bad guys, make you much safer online, and raise the level of cybersecurity across the entire digital ecosystem. What’s not to like about that outcome?