To mark World Password Day, Google has declared that passwords are the single biggest threat to your online security, reminding us once again just how much passwords suck. It announced plans to automatically add multi-step authentication to its users’ accounts.
It has only been eight years since Intel began promoting World Password Day as an awareness campaign of sorts to tell people about passwords, and Google is already trying to wipe passwords from memory. At the 2004 RSA Conference, Bill Gates predicted that passwords would lose importance in the years to come.
Passwords endure
The Windows business has done everything to make that happen. It has supported FIDO2 security keys for authentication and switched to token-based authentication to approve Git operations on GitHub, among other projects. Yet the password, like email, has so far defied predictions of its obsolescence.
Google’s product management director, Mark Risher, said in a blog post this week that 66% of Americans admit they use the same password for everything, which is the worst way to secure anything. With one password, an attacker can run a bot-driven credential stuffing campaign against popular sites to see what else the password unlocks. In this case, it would be everything you used it on.
The case for two-step verification
In 2017, a Google software engineer said that less than 10% of active Google accounts were using two-step authentication by choice. Today, the Google two-step verification program has kicked things up a notch. However, this still involves entering passwords.
The second authentication step involves a time-limited authentication code or token that is sent to a mobile device or generated by a mobile app, a hardware device or a dedicated security key. Sometimes, it is even a backup code printed out long ago in case the second-factor device is not available.
What happens to passwords now is up for debate, but with time, we’ll know.