World Password Day: I Hate My PA$SW*RD

Why do companies still insist upon using passwords?

I’d be very surprised if anyone reading this would say they love passwords. In fact, the weakest links in a cybersecurity defense are usernames and their passwords.

Unfortunately, password issues stem from business policies, governance, technology and products that don’t enforce strong password principles but actually push users toward weak passwords. We require passwords for services that shouldn’t need them. We force users to create passwords with obscure characters. And we tell users to change passwords every 60 to 90 days. These requirements cause users to establish new passwords without careful thought.

Nobody likes passwords. Consumers don’t like having to create and remember them. The effort required blemishes the quality of their online experience. Businesses don’t appreciate the cost and complexity required in developing, deploying and managing a repository to protect user passwords.

Most of the flaws in password authentication come from the human element. When a user has the same password for social media, logging into a device, online banking, shopping, health care and other websites and one of them is breached, all of their accounts are at risk. Cyberattacks using credential-stuffing steal account credentials to access multiple user accounts. User passwords, software vulnerabilities, security flaws and exploits, when combined as multi-component attacks, can breach virtually any organization.

Users have become the hacker’s path of least resistance. A case in point: the “2017 Verizon Data Breach Investigations Report” found that 81% of hacking-related breaches leveraged stolen or weak passwords. Password fatigue is widespread, with many studies showing that users welcome different authentication methods.

To gauge the perceived threats organizations face, and the risks of privileged attack vectors, BeyondTrust published its 2019 “Privileged Access Threat Report.” The results have produced some striking information relating to breaches and inadequate cybersecurity practices:

  • 64% of respondents think it likely they have suffered a breach due to employee access, and 58% cite a likely breach due to vendor access.
  • 62% of respondents are worried about the unintentional mishandling of sensitive data by employees, based on the following poor security practices:
    • Writing down passwords (60%)
    • Sending files to personal email accounts (60%)
    • Telling colleagues their passwords (58%)
    • Logging in over unsecured WiFi (57%)
    • Staying logged on (56%)

Password Alternatives

For the near future, the use of passwords continues, even with the increasing consensus among security experts that they should be replaced. All of this leads to the question: Are passwords going away? And if so, replace them with what?

Passphrase authentication: The National Institute of Standards and Technology (NIST) has guidelines that suggest using a passphrase rather than a password. This can be up to 16 characters long, with spaces between words. The randomness of a phrase of several words, separated by spaces, can make a passphrase impervious to hacking. However, the applications and products that support passphrases are not yet available.

Password-less authentication: Password-less authentication verifies user identity without requiring a password. Rather than a password, proof of identity can be based on something that uniquely identifies the user, such as a mobile phone, app, OTP SMS, hardware token or biometric signature via fingerprint, face or retina.

Web browser authentication: Web browsers that implement the FIDO key-based protocols, a web authentication API (WebAuthn) together with the Client to Authenticator Protocol (CTAP), can avoid the need for passwords. The user does nothing extra, as the authentication is handled automatically in the background by the browser.

Operating system authentication: Software vendors are beginning to offer password-less authentication in their operating systems with business software suites that replace passwords with multi-factor authentication. This includes a new type of user credential that is associated with a PC or mobile device and uses a biometric or PIN that authenticates the user to a directory service account.

The Need for Authentication Standard Bodies

Authentication is an important area that needs much greater focus and attention from standards consortia. A good example of an organization trying to get its arms around authentication is the FIDO Alliance, which addresses authentication usability problems.

With a focus on authentication standards that help reduce the over-reliance upon passwords, the FIDO Alliance has set out to fundamentally change authentication. They are working on open standards that provide greater security than passwords. Critical to successfully addressing password issues is making authentication pain-free for consumers and easier for businesses to deploy and maintain.

The FIDO Alliance creates technical specifications that define an open, scalable and interoperable set of mechanisms to reduce reliance upon passwords to authenticate users. They organize industry certification programs that help safeguard the successful adoption of the specifications. And they present technical specifications to leading standards organizations to help formalize standardization.

Passwords Are a Major Point of Failure

Beyond the security risks, today’s user authentication methods are becoming archaic and impractical for both consumers and businesses. New password-less technologies are beginning to appear, as well as industry-wide consortiums such as the FIDO Alliance. These efforts are at the beginning stages of helping to increase focus upon the potential solutions that will help ease the management of authentication and access while ensuring greater protection of personal and corporate data.

James Quick

James Quick is Director, Solutions & Advisory at Simeio Solutions. He has a proven track record managing programs that holistically integrate identity and access management with data security and with information security strategy and initiatives. James has delivered cutting edge technology solutions to many of the Fortune Global 500 with proven results.