Logo

Passwords then, now and in the future: 'Admin123 just doesn’t cut it anymore'

In the Cracked by Jordens series, we look at the cyber security of consumers and businesses in the Netherlands. Today we cover the evolution of passwords.

Published on October 31, 2024

data-1590455_1280.jpg

Everything new is wildly interesting! That's the motto of our DATA+ expert, Elcke Vels. She writes stories about AI and how it affects our society, has a series on cyber security, and interviews Dutch innovation maestros. In her “What if...” column, she also explores intriguing scenarios that deviate from the status quo.

You probably know it: you create an account for an online clothing store and have to come up with a password. Ideally, you'd like to choose the simplest possible combination, but that's no longer allowed these days. The requirements are getting stricter: it must include a special character, at least three digits, and sometimes even a capital letter or extra-long string. What is the state of the world of passwords? And do passwords still fit into the future of digital security? We talked about it with expert Patrick Jordens. He is the director of Trusted Third Party (TT3P): a Dutch company specializing in cybersecurity.

People prefer simple passwords. What are the risks of that?

“If you look at how passwords started in the 1990s, initially they were simple combinations like 'admin,' '1234,' or 'qwerty.' People were less aware of the risks, and the technology around passwords was still in its infancy. Back then, weak passwords were less of a problem because cybercrime was less prevalent. Today, that is very different. However, many people still use their own or their children's names as passwords - passwords that are far too easy to crack.

The increase in cybercrime and the sophisticated methods hackers use, such as attacks and phishing, make strong passwords and additional security measures necessary. Some hackers want to extort consumers or businesses. Countries like China are looking for intellectual property. Russia hacks governments for espionage purposes. In addition, cybercrime can also be aimed at disruption, such as hacking government agencies. Cybercrime has become a profitable business model.”

How are technologies evolving to crack passwords?

“The technology to crack passwords has increased tremendously in recent years. Recent developments in AI, among other things, have led to gaming algorithms capable of cracking 87 million passwords in less than a minute. This kind of technology is also becoming increasingly accessible to a wider audience, giving even young people in attic rooms access to sophisticated hacker tools. However, cyber gangs from the Eastern Bloc should also be considered, for example. They are a bigger concern; you can't catch them easily.”

How can we better defend ourselves against this?

“Nowadays we are required to create stronger and stronger passwords. A password phrase can help; a phrase such as '1kW1lN3tfl1xKeek3n!!!, where you replace the letter e with a 3 and the letter i with a 1 and where you add special punctuation. That's a strong password that you can also remember. It's best to come up with a different password for each platform.

Strong passwords alone are not enough. Phishing and brute-force attacks lurk. That's why multi-factor authentication is important; this is one of the best ways to keep hackers out.

Finally, I would say use a password manager. You can install those on all your devices. When you want to log in, you can easily open the password vault and get the password from there. You can use it to generate strong passwords. It also allows you to check if they have ever been involved in a data breach. Personally, I use Dashlane on my desktop, laptop and phone.”

Do passwords belong to the future?

“I don't think so. Biometrics, such as facial recognition and fingerprints, will become increasingly important. Still, there are snags with these technologies. Organizations must then store biometric data, such as faces, fingerprints, and iris scans. This is complicated because ensuring privacy is complicated but crucial in this regard. Companies must then take extra precautions.

We are increasingly turning to Zero Trust security models. This is a practice where the principle applies: never trust, always verify. Multifactor authentication is part of Zero Trust. It also considers, for example, whether it makes sense to log in from a particular location.”

We will also increasingly use AI to control access. For example, based on AI and real-time information, you can see from which locations most attacks come and whether it is logical for a user to log in from a particular location. This is already happening, but it's going to play an even bigger role.”