A password manager program going “passwordless?” Yup. Passwords are the bane of everyone’s existence, and the internet industry is looking to get rid of them. Open-source password manager Bitwarden is making their customers’ vaults accessible without a password.

Passwords haven’t been safe for a long time. They are hard to remember and easy to misplace. They are also the number one target of cybercriminals. So much so that 81 percent of breaches involve weak or stolen passwords.

But if you’re not ready for a passwordless step, there’s still a lot you can do for online security.

First, get good, strong passwords. It seems so obvious, but many people still haven’t gotten the message. NordPass, another password manager, recently listed its 20 most commonly hacked passwords. As you can imagine, password is No. 1, and others include 123456789, qwerty, and other lazy combinations. The company says 18 of the top (or bottom) 20 were hacked in less than a second.

A good password should be long. While the minimum password length for most websites is eight characters, many suggest 12 to 20 characters. All should have at least one upper case letter, a number and a special character. But one good password is not enough. Bitwarden found more than eight of 10 Americans surveyed reuse passwords across websites, and nearly half of them rely on memory to manage their passwords.

If you fit either of those categories, we suggest you get a password manager. There are many on the market, and any one is better than your memory or recycled passwords to access websites. (Click here to see one client’s experience.) Going beyond just using a password, two-factor authentication (2FA) tied to your mobile phone adds an extra layer of protection. When you combine a password manager with 2FA, you have strong protection. But it takes more work to manage this combination than many are ready to do.

If you’re ready to go beyond passwords, you have choices.

Bitwarden says its new mechanism, “uses a public and private key exchange between the web vault and a recognized, authorized mobile device,” allowing users to approve a login from their mobile device. In broad terms, the technology uses more secure alternatives like possession factors (one-time passwords [OTP], registered smartphones), or biometrics (fingerprint, retina scans).

In some passwordless systems, such as biometrics, a user’s distinctive characteristics are compared to an image in a database – instead of comparing a password, you enter to one stored in a database. The system captures a user’s face, extracts numerical data from it, and then compares it with verified data present in the database.

In another method, the website system sends a one-time passcode to a user’s mobile, via an SMS. The user receives it and enters it into the login box. The system then compares the user-entered passcode to the one it had sent.

Some methods use AI to match access requirements to a specific device (computer or mobile phone, for example) with access times (such as early in the morning) and geographical locations. If the website’s system notices a deviation from the normal pattern, it can contact the user to implement a verification process.

Don’t confuse passwordless authentication with 2FA. It simply replaces the password authentication, and it may use some of the techniques used for 2FA. And while it may be safer now, there are no guarantees it will be the silver bullet for online security.

If you have a business that requires customers or clients to use passwords to access your website, you’ll need to choose your authentication method and likely buy appropriate hardware and software. You’ll also need to make sure your customers and clients can use your passwordless system.

We can help you look into systems that might be appropriate for you now or help you develop a plan to design and implement one that meets your budget and timeframe needs. Call us – 973-433-6676 – or email us to talk about it. If you’re a consumer who can take advantage of passwordless website access, we can help you, too.