Timo Poppinga
07.02.2022

The misery of passwords:

No medal of honor for the IT industry

The question of whether a password is “weak” or “strong” is beside the point, because every password-based authentication is easy to attack. Yet the responsibility does not lie with the user: the entire IT industry slept through the topic for years.

Phishing, malware, social engineering and leaked password databases: hardly any cyber criminal still bothers to “try out” passwords, since there are far more efficient ways of gaining access to other people's accounts. Users are powerless against the theft of their passwords from a breached database, even if they are smart and attentive enough not to fall for fake emails and to keep malware off their devices.

Social engineering: The human is the weak spot

And even if maximum protection is guaranteed at the technical level, there is still the "human" security risk: How can you really prevent an unsuspecting employee from being fooled by a supposed "network administrator" of the company? If this person on the phone credibly pretends to act on “instructions from the boss” and to deal with an “urgent emergency”, passwords and other sensitive access data can quickly fall into the wrong hands.

Threats from phishing: The distinction between “real” and “fake” is becoming more and more difficult

While a few years ago many phishing attacks could still be spotted easily by spelling mistakes or poor design, phishing has since increased not only in quantity but also in quality. As the BSI reports, attackers have recently exploited the uncertainty triggered by the Covid-19 pandemic: well-written fake pages that look deceptively real, imitating not only bank branches but also supposed government services such as short-time work benefit applications or Corona emergency aid, are particularly alarming.

The nonsense of "strong" passwords

Of course there are different qualities of passwords. But the more complex a password becomes, the harder it is for users to remember it. Consequently, they build workarounds such as a password list, which in turn can easily be attacked. Another experience from real life: with a "strong password" stuck under the keyboard in a doctor's room at the beginning of the year, even as a layperson I might easily have gained access to all of the hospital's patient files... A better solution is the currently much-vaunted “password manager”. However, since it is also built on the “password” authentication method, it is ultimately only a crutch: it treats the symptoms rather than the cause and brings its own problems in both security and usability.

Where is the genius of the developers?

Innovation drivers are sometimes the protagonists of the modern world, while at the same time they look down disparagingly at the PEBCAK (problem exists between chair and keyboard). Despite some really ingenious developments in IT, authentication processes have long been neglected, with the result that the security level of a bicycle lock with a numeric code is hardly exceeded to this day. The good news:

There is room for hope, because the future is here:

Built on asymmetric cryptography with public/private key pairs and on single sign-on, FIDO-2 / WebAuthn is a technology that combines the highest level of security with practicality and user-friendliness!

The 2-factor or multi-factor authentication (2FA / MFA)

The basis for higher security is multi-factor authentication. It offers an important way of improving the antiquated proof of identity by username and password. At least two of three fundamentally different factors are combined to secure a login:

  1. Knowledge
    e.g. password or PIN
  2. Ownership
    e.g. security token or integrated crypto chip
  3. Properties
    e.g. fingerprint or face recognition

The basis for modern authentication procedures and higher security:

Asymmetric procedures with public-private-key cryptography

With classic authentication methods, both the user and the "remote station" (the server) must hold the secret (PIN, password, fingerprint data), so there are two points of attack (user and website operator). In asymmetric cryptography, a public key and a private key complement each other to form a pair of two different keys; access is granted only when they are used together.

This principle is the basis for authentication procedures that are used, for example, for "Single Sign-On" or "FIDO-2" and WebAuthn.

Single Sign-On - a way to combine convenience and security

The basic idea of single sign-on (SSO) is the authentication of a user via a central service. After a one-time login on such a platform, that platform in turn grants access to other platforms. Providers such as Google, Facebook and Twitter already offer this service. The advantage: instead of having to remember a separate password for each login, the user can log in to a wide variety of services with a single, secure (!) password. The disadvantage: the basic password dilemma remains. If the central account is hacked, all downstream accounts are open to attackers. The process only becomes more secure if a second factor is used for authentication.

The best solution so far: FIDO-2 / WebAuthn - a future-proof technology for secure authentication

In the "FIDO Alliance" ("Fast Identity Online"), manufacturers of operating systems (Apple, Google, Microsoft), numerous commercial providers (e.g. Amazon, Mastercard or PayPal) and, last but not least, the German Federal Office for Information Security (BSI) have joined forces to raise the security standard on the web. WebAuthn is an official W3C standard that is already supported by all relevant browsers and operating systems.

In addition, most modern end devices have a built-in crypto chip that enables authentication via the WebAuthn standard. The principle: the chip generates a private key, which remains secret on the chip, and a public key, which is sent to the service. When you log in later, you only need the user name and the device with which you registered: the server sends a random challenge to the device, and the device answers it by signing the challenge with the private key; the server checks the signature against the stored public key. The WebAuthn programming interface is the basis for this exchange. It is also possible to log in to a WebAuthn-enabled service with a separate crypto chip (e.g. a security token), independently of the end device (PC, smartphone).

An invaluable advantage of WebAuthn: the private key never leaves the crypto chip and cannot be copied, which makes the process extremely secure. And because the browser only releases a credential to the website it was registered for, a fake page on a look-alike domain cannot obtain a usable signature.

Is your device WebAuthn capable? Test it now on webauthn.io!

By the way, on the webauthn.io website you can test directly whether your device or browser already supports WebAuthn!

We are responsible: let's make the world a little better!

An IT industry that has shown far too little interest in alternatives bears much of the responsibility for the security risks and serious material damage caused by password authentication. In short: the technology for a significant increase in IT security exists, and there is no reason not to use it. It is our duty as web developers to offer our customers secure, simple and user-oriented solutions. In this way we can (and must!) do our part so that users and website operators have the chance to navigate the web with considerably less risk in future!

“It's still all too complicated!” - isn't it?

"If I lose the security token, all access options are gone!", "A secure and at the same time conveniently practicable authentication method for the user? That's impossible!"

What do you think? Message me!

- About the author -

Timo Poppinga

Timo Poppinga is a founding partner of zdreicom AG and has been working with new technologies and clean code for more than 12 years. He is a certified TYPO3 consultant and developer.
