And So Can't You
So far today, I've logged into my laptop, checked my email, edited documents and sync'd them to the cloud, joined online meetings, accessed email on my phone, and never once had to type in my password. In fact, I haven't typed it in months. It's around here somewhere, but I couldn't tell you what it is off the top of my head because I almost never need it.
How is this possible? I'll tell you after a brief history of passwords.
The Good Old Days
Depending on how old you are, you might remember a password something like this:
rockies
Hoo-boy, those were the days! Password length? Who cares! Complexity and special characters? What's that? Hacking? That's a bad cough! And in the evenings, Pa would turn on the wireless and we'd all listen to one of FDR's Fireside Chats.
But then Hacking, Inc. got serious, developed a growth strategy, had an internal re-org, issued some Class C(riminal) bonds, expanded to overseas greenfield locations, developed something called The Dark Web, buried that inside The Deep Web, so IT got scared and started making passwords longer, more complex, and new every 90 days, ushering in:
The #%$^*?@! Era
Once IT learned that nasty people were out there hacking passwords and then using them to steal money, data, and generally cause havoc, they did what humans always do: they made things more complex. Complexity for passwords meant a length of at least 8, forcing users to change passwords every 60 or 90 days, and requiring special characters like #%$^*?@!, which conveniently matched the swear words employees muttered every time they had to pick a new password.
Problem solved! Now all the passwords human beings chose would be nearly impossible to crack! There was only one small problem:
Human beings.
We told people to make a really complex password that wasn't in the dictionary, had crazy characters in it, and that was something they could remember. So, they did exactly what Zipf's Law and the Principle of Least Effort predicted we (they, you, me) would do: created clever shortcuts to comply with the new complex rules. But we all created the same clever shortcuts.
Let me prove it to you with a little game: think of your current work password and compare it to the table below. Give yourself one point for each statement in the table that is true of your password:
Contains part or all of this year ("22" or "2022") | Starts with a capital letter | Ends with "!" | Ends with the number 1 |
Uses @ or 4 for a | Uses 1 (one) for l | Uses $ or 5 for s | Uses 0 (zero) for o |
Uses 5 for s | Is <= 8 characters long | Contains "123", "asd", "jkl", "1qa", "zxc', or "qwe" | Contains >= 4 of the same characters as your previous password |
Do you have more than two or three points? If so, that's because, despite our glorious uniqueness as individual human beings, as a species we all fall into the same incredibly predictable patterns. And the pattern in this case is that we all use the same shortcuts to make complex passwords easier to remember and the bad guys and their password-guessing computers figured this out so we're r3311y n0t f00l1ng @ny0n3.
"Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember but easy for computers to guess"
A famous infographic called correct horse battery staple proved this mathematically by comparing a cryptic, complex password with a series of random common words with all lower-case letters, but that's also easy for a person to remember. (Don't get hung up on entropy calculations in the infographic, just know that a higher number of entropy bits means the password is harder to crack.):
Those complex passwords, it turns out, were hard for people to remember but easy for computers to guess. Somewhere along the way, some really smart IT people realized that all this increasing complexity actually makes your company's information less secure because humans kept un-complexifying passwords. Groups like the FBI, the Department of Homeland Security, and Microsoft slowly started to revise their guidance on what makes a strong password, which led, briefly, to...
The Passphrase Era
The passphrase era was short and boring, so I'll summarize it this way: it turns out that password length is more important than password complexity. Which is why correct horse battery staple is harder for hacking computers to guess* than Tr0ub4dor&3. I know - I struggled to believe this at first too.
But it's not just length. "Take me out to the ballgame" is great lengthwise (27 characters), but it's in no way random. It's an actual phrase that now "phrase guessers" could use as well. Length + randomness + easy to remember are the keys to password success in the passphrase era.
But my guess is, your IT department or Managed Service Provider may not have even let you into the passphrase era yet. They probably still require complexity and changing your password every few months. Old habits die hard, even when they've been proven to not work anymore. If you show this blog to them and they think I'm crazy, have them click on this link to see it in Microsoft's own words.
But I'm not living in The Good Old Days or The Swear Word Era and I waved at The Passphrase Era as I sped right past it. I'm writing this from the future, also known as:
The Passwordless Era
BTW, in the future, we still don't have flying cars which is a bummer. But Beyoncé's first act as President was year-round Daylight Savings Time, so that's nice.
If all you've ever known is passwords, it's hard to even grasp how not having one would even work. I'll show you how I've configured my business login:
When I log in to my laptop, I don't type in a password. It's not even an option. I use one of these three methods:
Touch my finger on the fingerprint reader
Let the built-in laptop camera scan my face, or
Type in a 4-digit PIN
Since my laptop has a dedicated fingerprint key like the one shown in the photo, I use that option most of the time. But typing in a 4-digit PIN is almost as easy.
All three of these login methods have one thing in common: they work only on my local machine, so my password isn't being transmitted over the internet to a server or the cloud when I log in. Smart.
The other thing that makes passwordless login possible is an authenticator app on my phone. Facial recognition, fingerprint scan, or a PIN is great for computer logins, but you still need a way to log on to browser-based company applications like email or your document sharing site, without a password.
If I were to log in to my browser-based email from either a new computer, or a new location, a signal would be sent to the authenticator app on my phone and I would be required to approve the login from that app. This video shows how this works in real life:
Now to be completely honest, I do technically have a password; I just almost never need it. And two interesting things happen when you don't need your password for daily work:
1) Since you don't use your password, you don't need to memorize it. And since you don't need to memorize it, you can make it as long and as complex as you'd like without any of the "0=o, $=s" shenanigans. Or a passphrase of a few random words. Who cares, really, as long as it's stronger than "Password01!"
2) You can write your password down (I did).
All the experts said never to do this, to which I respectfully respond, "Phooey." There's probably no safer place in the world to store a password than on a piece of paper in my house.**
The nice thing about IT these days is that capabilities like passwordless aren't just for big companies anymore. A company of any size could move to a passwordless strategy to increase their security with some planning, technology, and a dash of change management. In fact, it's actually easier for smaller businesses to make moves like this. And they should.
I've seen the future and it's great because passwords and Standard Time are a thing of the past. And also because President Beyoncé's State of The Union concerts are must-see TV.
Fill out the contact form if you'd like to learn more about how we can help you move to the future, or with any of your cyber security or IT needs.
Technologies used:
- Windows 10 Pro (included with laptop)
- Microsoft Authenticator Mobile App (free)
- Microsoft Azure Active Directory (subscription required)
Zipf's Law finds patterns in human behaviors, specifically word usage in writing, because people will generally exert the least effort possible to complete a task. If you like YouTube rabbit holes, here's a deep one on Zipf's Law. Warning: It gets math-y and contains the phrase "hapax legomena." Goodbye forever or return.
* Not anymore it isn't. correct horse battery staple is now one of the most famous passwords in the world. Don't use this as your password. (return)
** If someone breaks into my house, steals the journal that has my password in it, figures out which email address it goes with, and tries to log in, the authenticator app on my phone will ask me to confirm the login. I'll get that prompt and think, "Really? They flipped through my journal and found it?" Then I'll reject the login request and do that several times just to mess with them as payback for breaking into my house before I get around to changing my password and writing it down in my new journal. (return)