Writings from the intersection of law enforcement and the Internet


I currently have 181 passwords in my password manager. Sadly, that's not even all of the passwords I keep as I have some systems and equipment that don't require stringent security so they don't get entered into the Bitwarden application. I maintain one Windows computer where the password is simply “Q”. Passwords for my virtual machines use a common alphanumeric scheme based on the operating system so I always know the password based on the machine. All in all, I probably maintain at least 200 passwords.

My password numbers may be a bit excessive as most people don’t have multiple sock-puppet accounts or feel the need to register their name with every new email service. A 2020 study conducted by NordPass found the average Internet user maintains one hundred passwords. And that's the problem.

Passwords are inherently insecure. While some users take password security seriously, most choose weak passwords for their logins out of habit. We value quick access and convenience more than security. We want to reach our resources with the least friction possible. Our need for passwords that are easy to use and remember translates into simple passwords and password reuse: for most people, one password unlocks many sites.

According to the 2021 Verizon Data Breach Investigations Report, 81% of all data breaches resulted from a compromised password. Advanced computing power has made cracking weak passwords extremely easy, and sophisticated phishing campaigns have become more refined and harder to identify.

A 2020 survey conducted by Security.org found that 76% of people between the ages of 25 and 40 reuse their passwords across multiple accounts. Attacks such as password spraying (trying a few common passwords against many accounts) and credential stuffing (replaying username and password pairs leaked from one breach against other sites) rely on this password reuse.

Are we moving beyond the password? The big three of computer technology, Apple, Google, and Microsoft, have announced their agreement to move toward a passwordless Internet. In a joint statement, the group said they will expand their support for the FIDO infrastructure.

FIDO (Fast Identity Online) is a set of open-source protocols that eliminate the need for user passwords. Once a user authenticates within the FIDO Alliance network, they can sign in to any FIDO-enabled website or service using biometrics such as a fingerprint, voice, iris scan, or facial recognition. Sites will also have the option to allow authentication with a security token such as an RSA token or a YubiKey.

If this is the first time you've heard of FIDO, get ready: it's the future. Of course, there are still 100 million computers out there running Windows 7.

Read the statement issued by Apple.