Countless studies have shown that the majority of users choose weak or flat-out dumb passwords. The solution, according to some IT security experts and tech companies: Abandon passwords completely.
One recent study examined a set of more than six million passwords and found that 91% of them were drawn from the same 1,000 passwords. In addition:
- The 10 most common passwords accounted for 14% of all passwords in use
- 4.7% were simply “password”
- 8.5% were either “password” or “123456,” and
- 9.8% were “password,” “123456” or “12345678.”
Even studies of passwords used for business accounts have found an alarming rate of credentials using “password,” “password1,” “p@ssw0rd,” “welcome” and other common passwords.
To protect those accounts, many businesses have attempted to create and enforce strict password policies to make sure passwords are complex, uncommon and frequently changed.
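A policy that requires passwords to be "uncommon" only works if the check catches the trivial variants people actually type ("password1", "p@ssw0rd", "Welcome123"). The following is an added example, not code from the article or from any company it names: it canonicalises a candidate password before comparing it with a blocklist, so that a substitution of "@" for "a" or a trailing "1" does not evade the rule. The blocklist, the leet-substitution map and the 12-character minimum are constructed assumptions; a deployment would load a far larger list from a file.

```python
"""Blocklist check for common passwords and their trivial variants.

Added example (not from the original article). COMMON_PASSWORDS is a
small constructed sample built from the passwords the article names; the
leet map and MIN_LENGTH are assumptions chosen for illustration.
"""
import re

# Constructed sample blocklist (lowercase). A real list would be far larger.
COMMON_PASSWORDS = {
    "password",
    "123456",
    "12345678",
    "welcome",
}

# Assumed substitutions users apply to dodge naive blocklists.
LEET_MAP = str.maketrans({
    "@": "a",
    "$": "s",
    "0": "o",
    "1": "i",
    "3": "e",
    "4": "a",
    "5": "s",
    "7": "t",
    "!": "i",
})

MIN_LENGTH = 12  # assumed policy minimum; the article gives no figure


def normalize(password: str) -> str:
    """Collapse trivial variants onto their base word.

    Steps: lowercase; strip any trailing run of digits or punctuation
    ("password1", "password!" -> "password"); then undo common leet
    substitutions ("p@ssw0rd" -> "password"). Stripping happens before the
    leet mapping so a trailing "1234" is removed rather than turned into
    letters that would hide the match.
    """
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    if not stripped:  # entirely digits/punctuation: keep the original form
        stripped = lowered
    return stripped.translate(LEET_MAP)


def check_password(password: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a candidate password.

    Order matters: the cheap length test runs first, then an exact
    blocklist match, then the variant match via normalize().
    """
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return False, "exact match on common-password blocklist"
    if normalize(password) in COMMON_PASSWORDS:
        return False, "trivial variant of a common password"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample candidates.
    for candidate in ["password", "P@ssw0rd2013!", "Welcome12345",
                      "correct horse battery staple"]:
        accepted, reason = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```

The variant check is deliberately limited to trailing digits and punctuation plus single-character substitutions; it does not try to detect a common word embedded in a longer string, which tends to produce false rejections. Rejections should be logged as policy events, not as security incidents, since they indicate a user choosing a weak credential rather than an attack.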
Time to replace passwords with hardware?
However, there’s another approach some IT security experts recommend instead: Ditch reliance on passwords altogether and switch to two-factor authentication utilizing personal key cards, USB tokens or other physical items.
That’s the approach recommended by Google’s security team in a recent article in the engineering journal IEEE Security & Privacy. The company is currently investigating several new ways to skip passwords when authenticating accounts for Gmail and other products, Wired reports.
Potential options include a small USB stick, a ring with an embedded smartcard, or transmissions from a smartphone that unlock the account wirelessly.
Two years ago, Google unveiled an optional two-step authentication method in which users trying to log into Gmail could choose to have a code sent to their phone via text message to prove it was them logging in and not someone who’d stolen the password. However, experts have pointed out that such a code can also be stolen via a phishing scam.
As Google continues working out the best ways to implement new controls for its users, many experts say it’s time for businesses to start considering two-factor authentication to protect their sensitive data, if they aren’t already doing so.