Arizona Tribune - Passwords under threat as tech giants seek tougher security

"The password era is ending," two senior figures at Microsoft wrote in a July blog post.

The tech giant has been building "more secure" alternatives to log in for years -- and has since May been offering them by default to new users.

Many other online services -- such as artificial intelligence giant OpenAI's ChatGPT chatbot -- require steps like entering a numerical code emailed to a user's known address before granting access to potentially sensitive data.

"Passwords are often weak and people re-use them" across different online services, said Benoit Grunemwald, a cybersecurity expert with Eset.

Sophisticated attackers can crack a word of eight characters or fewer within minutes or even seconds, he pointed out.

And passwords are often the prize booty in data leaks from online platforms, in cases where "they are improperly stored by the people supposed to protect them and keep them safe," Grunemwald said.

One massive database of around 16 billion login credentials amassed from hacked files was discovered in June by researchers from media outlet Cybernews.

The pressure on passwords has tech giants rushing to find safter alternatives.

- Tricky switchover -

One group, the Fast Identity Online Alliance (FIDO) brings together heavyweights including Google, Microsoft, Apple, Amazon and TikTok.

The companies have been working on creating and popularising password-free login methods, especially promoting the use of so-called access keys.

These use a separate device like a smartphone to authorise logins, relying on a pin code or biometric input such as a fingerprint reader or face recognition instead of a password.

Troy Hunt, whose website Have I Been Pwned allows people to check whether their login details have been leaked online, says the new systems have big advantages.

"With passkeys, you cannot accidentally give your passkey to a phishing site" -- a page that mimics the appearance of a provider such as an employer or bank to dupe people into entering their login details -- he said.

But the Australian cybersecurity expert recalled that the last rites have been read for passwords many times before.

"Ten years ago we had the same question... the reality is that we have more passwords now than we ever did before," Hunt said.

Although many large platforms are stepping up login security, large numbers of sites still use simple usernames and passwords as credentials.

The transition to an unfamiliar system can also be confusing for users.

Passkeys have to be set up on a device before they can be used to log in.

Restoring them if a PIN code is forgotten or trusted smartphone lost or stolen is also more complicated than a familiar password reset procedure.

"The thing that passwords have going for them, and the reason that we still have them, is that everybody knows how to use them," Hunt said.

Ultimately the human factor will remain at the heart of computer security, Eset's Grunemwald said.

"People will have to take good care of security on their smartphone and devices, because they'll be the things most targeted" in future, he warned.

A.O.Scott--AT