A: First, let us review the problems with traditional passwords.
- The overwhelming majority (perhaps up to 90%) of users use the same password(s) for everything. Although this is great for remembering your passwords (you only have one or two passwords you have to remember), it is terrible for security. In the event one of your sites becomes compromised and your credentials stolen, all the criminal need do is launch a script that will try the same credentials on thousands of other sites. Within a few minutes all of your data – and often savings and credit cards – are owned by someone else.
- For the minority of users that actually do use a variety of passwords, they will almost always use weak passwords which can be cracked in just a few minutes. Although the “weak password” definition will vary among system admins, as a broad generality any password with fewer than 15 characters is weak.
- Most users do not use a password manager, making for very insecure storage of passwords. This forces them to write their passwords down. As I’ve been in the industry for over 30 years, I’ve seen it all – including passwords taped to the bottom of keyboards, the password to the server posted above the receptionist station, and even a 3-ring binder with 72 point type on the cover saying “Office Passwords” left out in the open in the waiting room.
So, back to the question of what is more secure than traditional passwords?
- Strong passwords, unique to every site and service, stored encrypted within a password manager. I’m very fond of Bitwarden and use it as my own password manager. Bitwarden encrypts each password on the device, with an option to synchronize the encrypted database with your other devices. It also serves as a One Time Use Password generator (authenticator). More on that next.
- Use One Time Use Passwords along with your strong password. Most people know these as authenticator codes. When you enter your credentials to a site, you will be prompted for an authenticator code. These are random numeric codes generated every 30 seconds by an authenticator application. Although not all sites yet make use of these, all of the major ones do.
- FIDO key. A FIDO key is a device that looks like a thumb drive that you carry on your person. To access a site you must first attach (via USB or Bluetooth) the key to your device. It will provide strong credentials. FIDO keys work great, but haven’t taken the industry by storm and few users are willing to deal with one more piece of equipment they have to carry.
- Biometrics. You’ve used these. Fingerprint scanners, retina scanners, facial scanners, voice recognition scanners. I even watched a presentation to the military for the implementation of a body odor scanner! And while these work great to provide credentials to access your device, they haven’t been integrated for use with many websites to date.
So, what’s a conscious technology user to do? My recommendation is to stick with strong passwords, using a different one for every site and service. Use your credentials along with a quality password manager and one-time-use passwords.