Every day, passwords are used to access a wide variety of services and platforms, for personal and professional use alike. But how many of those passwords are truly secure?
The average internet user today has at least 90 online accounts, and that number keeps rising. Text-based passwords remain the most common form of authentication, but their very design is flawed. A password must be both easy to remember and hard to guess, while also meeting requirements such as a minimum length and a mix of upper- and lower-case letters, numbers and special characters. This makes passwords harder to remember and pushes users toward potentially insecure strategies.
To cope with remembering many arbitrary, random-looking strings, users commonly adopt strategies that are themselves cybersecurity risks: reusing passwords, writing them down, sharing them between users, or choosing simple, easy-to-guess combinations. Even where password requirements differ between platforms, passwords are frequently reused with only minor changes, such as turning “abc123” into “abc1234”, which does little to improve security.
A password is only useful if the user can remember it. To aid memorization, some researchers suggest mnemonic phrase-based passwords, built from the first letter of each word in a sentence. Another suggestion is chunking: breaking a password into several more meaningful sections (e.g. MySecureP@ssword2025!). Although these methods may improve recall, they can reduce the randomness of passwords (for example by drawing on a smaller set of characters), making them easier to crack.
A more effective approach is to use a password manager, which removes the burden of memorization almost entirely. Ironically, the password manager itself usually still requires a password to protect the other passwords, although more care may be taken over that one. While this largely removes the weakest element of text-based authentication, it still does not fully protect against phishing attacks or breaches of stored credentials. For instance, Forbes recently reported that the Google Chrome password manager had been breached using AI. Passwords and password managers, then, are not reliable enough on their own. This highlights a deeper issue: even when strengthened with additional techniques, passwords remain an imperfect security measure.
If passwords are unreliable, is it possible to strengthen them with additional security layers?
Multi-factor authentication (MFA) adds an extra step, such as a one-time code or a phone approval, and is an important improvement. Unfortunately, many popular second factors are both inconvenient and, as NIST has stated, phishable. SMS-based one-time codes, for instance, can be intercepted by effectively transferring a victim’s phone number to a SIM card controlled by the attacker. In addition, relying on a secondary device for part of the authentication adds friction to the user experience, making it more cumbersome. Even with MFA, the fundamental problem remains: passwords are still required as the first line of defense, and they are still vulnerable.
The solution lies in eliminating passwords altogether. Passwordless authentication relies on what you have (e.g. an OFFPAD) and who you are (biometrics), instead of what you know (a password). FIDO-based authentication solutions such as the OFFPAD provide a more secure and more user-friendly alternative. Built on public key cryptography, they are resistant to phishing and credential theft. Unlike traditional passwords, they cannot be copied, guessed or stolen through traditional attacks, and they remove the frustration of remembering or managing passwords, improving the user experience.
As technology evolves, so must our authentication methods. Passwordless authentication offers a way forward with no passwords to forget, no codes to enter and no risk of being phished. FIDO adoption is growing across major platforms, and the future of authentication is shifting. Perhaps it’s time to embrace a more secure and user-friendly approach.
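To make the phishing-resistance claim concrete, here is an added illustrative model, written for this article and not OFFPAD's or the FIDO Alliance's code, of the challenge-response at the heart of FIDO: the authenticator holds a private key scoped to the relying party's origin, signs a server-issued challenge together with that origin, and the server verifies the signature with the public key it stored at registration. The origins https://bank.example and https://bank-example.com, the user name alice, the single-hash message format and the Ed25519 key type are assumptions chosen for the example; real WebAuthn assertions carry more structure (authenticator data, client data hash, signature counters) than this model shows.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a FIDO-style device: one key pair per relying-party (RP) origin,
// private keys never leave it. Illustrative model, not a WebAuthn implementation.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // keyed by RP origin
}

// Register creates a key pair scoped to rpOrigin and returns only the public half.
func (a *Authenticator) Register(rpOrigin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpOrigin] = priv
	return pub, nil
}

// signedMessage binds the challenge to the origin (a simplified stand-in for WebAuthn's rpIdHash
// and clientDataHash), so a signature made for one origin is useless at any other.
func signedMessage(rpOrigin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpOrigin))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs a challenge for the origin the browser reports. A look-alike phishing
// site has a different origin, so no credential exists for it and nothing is signed.
func (a *Authenticator) Assert(browserOrigin string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[browserOrigin]
	if !ok {
		return nil, fmt.Errorf("no credential registered for origin %s", browserOrigin)
	}
	return ed25519.Sign(priv, signedMessage(browserOrigin, challenge)), nil
}

// RelyingParty stores public keys only: a breach of this store yields nothing usable for login.
type RelyingParty struct {
	Origin     string
	publicKeys map[string]ed25519.PublicKey // keyed by user name
	pending    map[string][]byte            // one outstanding challenge per user
}

// Challenge issues a fresh random nonce; Verify consumes it on first use, so a captured assertion cannot be replayed.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.pending[user] = c
	return c, nil
}

// Verify checks the signature against the RP's *own* origin and the outstanding challenge.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, hasKey := rp.publicKeys[user]
	challenge, hasChallenge := rp.pending[user]
	if !hasKey || !hasChallenge {
		return false
	}
	delete(rp.pending, user) // single use, whether or not the signature checks out
	return ed25519.Verify(pub, signedMessage(rp.Origin, challenge), sig)
}

// Outcome records whether each constructed login attempt in Scenarios was accepted.
type Outcome struct{ Legit, Phished, Relayed, Replayed bool }

// Scenarios runs four attempts against a constructed RP at https://bank.example (assumed origin).
func Scenarios() Outcome {
	var o Outcome
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	rp := &RelyingParty{Origin: "https://bank.example", publicKeys: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
	pub, _ := auth.Register(rp.Origin)
	rp.publicKeys["alice"] = pub // enrolment: the RP keeps the public key only
	// 1. Genuine login from the real origin.
	c1, _ := rp.Challenge("alice")
	sig1, _ := auth.Assert(rp.Origin, c1)
	o.Legit = rp.Verify("alice", sig1)
	// 2. Phishing relay of the real challenge via a look-alike origin: the authenticator refuses.
	c2, _ := rp.Challenge("alice")
	sig2, err := auth.Assert("https://bank-example.com", c2)
	o.Phished = err == nil && rp.Verify("alice", sig2)
	// 3. Even a signature forced over the wrong origin fails: the RP hashes its own origin.
	forced := ed25519.Sign(auth.keys[rp.Origin], signedMessage("https://bank-example.com", c2))
	o.Relayed = rp.Verify("alice", forced)
	// 4. Replaying the genuine signature against a fresh challenge.
	rp.Challenge("alice")
	o.Replayed = rp.Verify("alice", sig1)
	return o
}

func main() { fmt.Printf("%+v\n", Scenarios()) }
```

Run it with `go run`; `Scenarios` reports which attempts were accepted. Only the genuine login verifies: the phishing origin has no credential, a signature over the wrong origin never matches what the server recomputes, and a reused signature fails against the fresh challenge. Note also that the server-side store holds public keys only, which is why a breach of stored credentials, unlike a leaked password database or password-manager vault, gives an attacker nothing to log in with.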
NIST SP 800-63 Digital Identity Guidelines. (n.d.). Pages.nist.gov. https://pages.nist.gov/800-63-4/
Ogbanufe, O. (2023). Securing online accounts and assets: An examination of personal investments and protection motivation. International Journal of Information Management, 68, 102590. https://doi.org/10.1016/j.ijinfomgt.2022.102590
Passkeys (Passkey Authentication). (n.d.). FIDO Alliance. https://fidoalliance.org/passkeys/
Woods, N., & Siponen, M. (2018). Too many passwords? How understanding our memory can increase password memorability. International Journal of Human-Computer Studies, 111, 36–48. https://doi.org/10.1016/j.ijhcs.2017.11.002
Woods, N., & Siponen, M. T. (2024). How Memory Anxiety Can Influence Password Security Behavior. Computers & Security, 137, 103589. https://doi.org/10.1016/j.cose.2023.103589
Winder, D. (2025, March 21). New AI Attack Compromises Google Chrome’s Password Manager. Forbes. https://www.forbes.com/sites/daveywinder/2025/03/21/google-chrome-passwords-alert-beware-the-rise-of-the-ai-infostealers/
Yıldırım, M., & Mackie, I. (2019). Encouraging users to improve password security and memorability. International Journal of Information Security, 18(6), 741–759. https://doi.org/10.1007/s10207-019-00429-y