We need to do something about passwords
Passwords are a fundamental aspect of access security, but recent password leaks have undermined their ability to protect data
The National Cyber Security Centre (NCSC) recently declared passwords to be fundamentally flawed, so what are the concerns and what can be done about them?
Access and identity management are an essential part of our online lives. They protect our data and ensure sensitive information is only shared with the appropriate people. However, following recent password leaks, billions of access credentials have been exposed, thereby fundamentally weakening the systems relying on them.
Passwords have been used to confirm identity for thousands of years, for example, by guards and sentries to identify friends and official visitors. However, even then, passwords were prone to interception and being used by enemies to falsify identity.
The problem with passwords
The key problem with passwords is that they do not confirm identity, only that someone knows the correct response. The recent leaks have been compounded by the poor password hygiene followed by many users, who use the same password credentials for multiple platforms and services.
Furthermore, recent advances in high-performance computing (HPC) and quantum computing mean that attackers can crack passwords in a far shorter time than was previously possible.
In 2024, China announced it was able to decrypt 50-bit RSA encryption using quantum computing. Although RSA keys in current use are a minimum of 2048 bits, the research is a fascinating proof of concept, showing where the technology is heading and the implications for the future of cybersecurity.
As the processing capabilities of modern computers continue to grow rapidly, the recommended minimum length and complexity of passwords keep rising. Passwords are now recommended to be at least ten characters long, with a mix of letters, numbers, and symbols, and not to be a name or a word found in a dictionary.
Compounding the issue is that not everyone follows appropriate password hygiene, such as avoiding the same password credentials across multiple accounts or words/phrases that have a personal connection. Furthermore, the most common passwords are still “123456”, “admin” and “12345678”. At this point, we may as well just give the bad actors our keys.
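A check that enforces the rules described above (minimum length, mixed character classes, no dictionary words, nothing on the common-password list, nothing personal such as the username), written here as an added example; it is not code from the article or from the NCSC. The word lists are small constructed stand-ins, and the function name checkPassword and its options are assumptions; a real deployment would check against a full breached-password list rather than a handful of entries.

```javascript
// Added example (not from the article): a password-policy check for a sign-up
// or password-change form. Word lists are constructed stand-ins; a real
// deployment checks against a full breached-password list.
const COMMON_PASSWORDS = new Set(['123456', 'admin', '12345678', 'password', 'qwerty']);
const DICTIONARY_WORDS = new Set(['welcome', 'summer', 'dragon', 'monkey', 'football']);

// Returns { ok, problems } so the caller can tell the user exactly what to fix.
function checkPassword(password, { username = '', minLength = 10 } = {}) {
  const problems = [];
  const lower = password.toLowerCase();

  if (password.length < minLength) problems.push(`shorter than ${minLength} characters`);
  if (!/[a-z]/i.test(password)) problems.push('contains no letters');
  if (!/[0-9]/.test(password)) problems.push('contains no digits');
  if (!/[^a-z0-9]/i.test(password)) problems.push('contains no symbols');

  if (COMMON_PASSWORDS.has(lower)) problems.push('is on the common-password list');

  // Strip digits and symbols so a decorated dictionary word such as
  // "Welcome2024!" is still recognised as the word "welcome".
  const core = lower.replace(/[^a-z]/g, '');
  if (DICTIONARY_WORDS.has(core)) problems.push('is a dictionary word with digits/symbols added');

  // The "personal connection" rule, applied to the one personal value a
  // sign-up form always has: the username.
  if (username && lower.includes(username.toLowerCase())) problems.push('contains the username');

  return { ok: problems.length === 0, problems };
}
```

The dictionary check strips decoration before the lookup because the usual workaround for a "no dictionary words" rule is to append a year and an exclamation mark, which leaves the password just as guessable.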
“The VIPs are the worst security users in the company – they don't want to type even eight characters. I saw in the past some CEOs who are asking their IT people to have only three characters as a password,” says Jean-François Aliotti, co-founder of Almond.
“Now, because of all the leaks that we have seen, there are passwords leaked everywhere. Some of my passwords have been leaked. I use a unique password for each access I have. It's a rule that I follow strictly, and I use password managers for that. But most people don't do that – they have an Excel file with all their passwords, or they have the same password everywhere.”
Regular changes of passwords are commonly enforced, especially for business account login details. The recommended duration varies depending on the sensitivity of the data, but a password change every three to six months is the most common requirement. However, the NCSC has argued against changing passwords due to the potential vulnerabilities it causes, as users can be tempted to rely on passwords that are easier to remember.
It is no longer recommended that access security and identity management be solely reliant upon a password. Instead, there needs to be a layered approach to security, with multiple levels of authentication before granting access.
Alternative solutions
The most common form of additional confirmation is Multi-Factor Authentication (MFA), whereby short-lived, single-use codes are tied to a personal device held by the user. Codes are typically delivered by text or email, generated by an authenticator app, or produced by a hardware 2FA token. However, if someone has already gained access to the secondary device or token, they will be able to complete the additional verification.
Emails are potentially the most vulnerable form of MFA, as they are equally reliant on passwords, and many personal email accounts are not as strongly protected as they could be.
Biometrics (fingerprints, facial recognition, and voice recognition) are unique to each person, but are not as strong as many believe. Fingerprints can be forged, and voice recognition can be fooled using high-definition recording. Facial recognition can easily be bypassed if a user is caught off guard, as anyone with teenagers will know when friends ‘borrow’ their phones.
“Biometrics are a good thing, but not alone. If someone stole your fingerprint, it's over. You can change your password, but you cannot change your fingerprints,” says Aliotti.
“Biometrics alone are quite dangerous, because if they are stolen, then it's over.”
Passkeys instead of passwords
An alternative authentication system is passkeys. Although the technology is comparatively new, the NCSC has recommended that people use passkeys instead of passwords.
“Adopting passkeys wherever you can is a strong step towards a safer, simpler login experience, and I am pleased that we can now support uptake,” according to Jonathon Ellison, Director for National Resilience, NCSC.
“The headaches that remembering passwords have caused us for decades no longer need to be a part of logging in where users migrate to passkeys – they are a user-friendly alternative which provide stronger overall resilience.
“As we aim to accelerate the UK’s cyber defences at scale, moving to passkeys is something all of us can do to improve the security of everyday digital services and be prepared for modern and future cyber threats.”
When a user seeks to confirm their identity, a push notification is sent to their smartphone. Once the device has been unlocked, a unique passkey is created and sent to the platform, website or service they wish to access, confirming their identity.
Unlike MFA, which relies on traditional methods of user verification, this method does not rely on login information or biometric data being transmitted, thus mitigating interception and key-logging attacks.
“MFAs will continue to be deployed, but what we are seeing right now is that passkeys are the best way, but it will take a lot of time to deploy them at a large scale right now,” says Aliotti.
“Passkeys will be more and more used, and we hope that it will be the dominant way for credentials, as we don't have any other system right now that we are seeing as a brand-new thing.”
The decreasing effectiveness of passwords means they are no longer viable as a sole form of access management. Instead, a layered authentication process, where users need to prove their identity through two or more methods, is strongly recommended.
Furthermore, given the inherent weakness of passwords, the robustness of passkey technology is why passkeys are the NCSC’s recommended access management protocol.