"Inconvenient, insecure, and expensive." Is your company ready for a world without passwords? - ISH Technology

When the world's largest software company decides to support a new technological approach, it's time to pay attention. Microsoft has described passwords as "inconvenient, insecure, and expensive" and is now moving quickly to consolidate new authentication methods. The era of password-less authentication has finally arrived.

In fact, our online lives revolve around passwords. They are the gateway to our social networks, email, and Netflix, to shopping on e-commerce sites, checking bank balances, paying bills, and other digital services. Today, we securely access our valuables on the Internet using random combinations of letters, numbers, and special characters.

At least, it should be that way.

As of September 2021, Microsoft users no longer need to rely on passwords when logging into their accounts. Instead, users can use their authenticator app, such as Windows Hello, a physical security key, or a verification code sent by SMS text message to log into solutions such as Outlook, OneDrive, and other Microsoft services.

With this change, password-less authentication is gaining popularity and becoming a trend among other technology solution providers.

But what's wrong with the password?

Part of the problem is related to the use of passwords themselves. Every day, users need to remember a large number of passwords. That is, if they adopt good security practices and set a different password for each account.

According to research by Tech.co, digital users managed an average of 100 passwords each in 2020. This represents a 25% increase from the 70-80 access codes they tracked in 2019. This increase may reflect users' reliance on digital services in response to the events of 2020.

If users need to remember so many passwords, they want to make it as simple as possible for themselves, which often hurts security. A survey by Specops Software found that 29.03% of respondents said they used no more than one password for their accounts, meaning they reused the same password throughout their digital presence.

The survey also shows that only 22.58% of users said they use completely different access codes. The rest revealed that they adopt small variations of the same password for their accounts.

But this is only one of the problems related to the use of passwords.

Eliminating passwords can help prevent ransomware attacks

In the initial stage of a ransomware attack, attackers investigate systems in the same way that a burglar would investigate a home or business. The main difference is that these operations are done on a large scale. Adversaries use a wide range of resources to scour the Internet and find weak points in a company's network.

The most common vulnerability that attackers exploit is the password. After scanning the network and finding network ports that are commonly used by various remote access tools, adversaries attempt a brute-force attack. These attacks are highly automated and use tools that try to log in with millions of common passwords until they find one that works.

Once the attacker finds a working password, they either use it themselves to gain access and initiate the second stage of the attack or, more commonly, sell access to the compromised network to other attackers on the dark web or even in open web forums.
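From the defender's side, the pattern described above (a burst of failed logins from one source, followed by a success) is visible in authentication logs. The following is an added example, not part of the original article; the log format, field names, threshold and time window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not from any real product):
# one source fails six times in a few seconds and then succeeds; another
# source mistypes a password once before logging in normally.
SAMPLE_LOG = "\n".join(
    [f"2024-01-10T03:00:{s:02d} src=203.0.113.7 user=admin result=FAIL"
     for s in range(1, 7)]
    + ["2024-01-10T03:00:09 src=203.0.113.7 user=admin result=OK",
       "2024-01-10T08:59:40 src=198.51.100.20 user=alice result=FAIL",
       "2024-01-10T09:00:05 src=198.51.100.20 user=alice result=OK"]
)

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|OK)$")


def find_bruteforce_successes(log_text, threshold=5,
                              window=timedelta(minutes=10)):
    """Return (src, user, timestamp) for every successful login that was
    preceded by at least `threshold` failures from the same source
    within `window`. Lines must be in chronological order."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue               # ignore lines that do not parse
        stamp, src, user, result = m.groups()
        ts = datetime.fromisoformat(stamp)
        # Keep only failures that still fall inside the sliding window.
        recent = [t for t in failures[src] if ts - t <= window]
        failures[src] = recent
        if result == "FAIL":
            recent.append(ts)
        elif len(recent) >= threshold:
            # A success right after a burst of failures: likely a guessed
            # password, so the account and session need review.
            alerts.append((src, user, stamp))
            failures[src] = []
    return alerts


if __name__ == "__main__":
    for src, user, stamp in find_bruteforce_successes(SAMPLE_LOG):
        print(f"ALERT {stamp}: {src} logged in as {user} after repeated failures")
```

The threshold and window are starting points to tune against normal login behaviour on the system being monitored.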

How can eliminating passwords help prevent ransomware?

There are a few strategies for mitigating ransomware attacks that companies can employ. At the top of the list is the implementation of multi-factor authentication (MFA) or two-factor authentication (2FA), especially for systems that provide remote access to IT systems.

The main strategy is passwordless MFA. It removes the use of the password entirely from the authentication transaction and does not rely on other factors considered weak in the authentication process.

Given today's enhanced ransomware threat landscape, relying solely on passwords is unwise. Adding an extra factor, such as a token, to enable multi-factor authentication (MFA) is at least a good practice, but the main practice is to migrate to password-less authentication.

Bill Gates predicted the end of passwords almost 15 years ago

He made the prediction while speaking at the RSA Security Conference in San Francisco, stating that passwords cannot "meet the challenge" of keeping critical information secure. Since then, many companies have heeded the Microsoft founder's words and developed other ways of performing online authentication.

In fact, it is hard not to conclude that password systems will soon become obsolete. In practice, many solutions are still being developed and will take some time to be perfected and popularized, so passwords will remain for some time to come. 

But the bottom line is that the future of passwords comes down to how long companies are willing to put up with security breaches and endless lists of passwords, combined with how quickly cybercriminals perfect new methods to break encryption, gain unauthorized access, and carry out their crimes.
