Jasson Casey at Beyond Identity argues that passwordless security will soon be taken for granted
With the ever-increasing volume of cyber-threats, it’s becoming clear that the traditional reliance on password-based security is now more of a hindrance than a help in the fight against cyber-crime.
Despite the obvious vulnerabilities and rising user frustrations associated with passwords, many organisations continue to rely on them as a core component of their security strategy.
Part of the reason is our almost innate resistance to change. From the 19th-century Luddites who rioted against the introduction of new machinery to modern-day weariness at the sheer pace of innovation, convincing people to put time and effort into adopting something new is not always easy.
In contrast, there are also many examples of technological innovation that emerged from a crisis, or that we mistrusted or largely ignored at first, but that we now take for granted.
Take Edison’s commercialisation of the lightbulb, for example – now a ubiquitous piece of technology but one which was invented over 40 years previously. More recently, innovations such as Netflix, Skype and video meeting technologies saw huge surges in use during the pandemic.
In the case of digital collaboration tools, these have been major contributors to seismic shifts in working practices and culture, which seem set to remain in place for the long term.
Passwords are part of the problem
More specifically still, recent research has revealed that a majority of cloud professionals continue to place an undue amount of confidence in the use and security of passwords. What’s more, an overwhelming 83% of them expressed confidence in the security effectiveness of passwords, with over a third declaring their confidence as “very high”.
However, these figures sit uncomfortably alongside the grim reality that 80% of all breaches are the result of compromised identities, predominantly due to insecure password practices.
The repetitive and demanding routine of password management also has a serious impact on security. Many cloud professionals manage multiple passwords daily, while organisations continue to insist on frequent password changes with the result that password security becomes more of a chore than an effective line of defence.
Specifically, over half of the respondents (60%) said they find it frustrating to remember multiple passwords, 52% are frustrated by having to regularly change their passwords, and another 52% are frustrated by the requirement to choose long passwords containing numbers and symbols.
The number of passwords used daily by cloud professionals further underlines these challenges: a quarter of respondents (26%) use 4-5 passwords, with 10% using 10 or more passwords on a daily basis.
Adding to the difficulties password users face, many organisations require frequent password changes, with 38% suggesting quarterly updates, 27% monthly changes, and 6% recommending daily or weekly changes. This can be an arduous task that delivers minimal security benefits.
Security risks remain
Adding to the complexity, passwords have proven to be an attractive target for threat actors. Phishing attacks remain common, with a significant portion of respondents admitting to having flagged or accidentally clicked on phishing emails.
With such a high potential for user error, reliance on passwords may inadvertently expose organisations to cyber-attacks, further compromising their security.
When asked if they’ve ever received a phishing email which they’ve flagged to their security team, over a third of cloud professionals claimed they’d flagged 1-3, 18% flagged 4-6, and nearly a quarter (23%) flagged 7 or more.
More worryingly, 11% have received but not flagged a phishing email, and one-fifth (20%) of respondents simply aren’t sure if they’ve ever accidentally clicked on a phishing link. Nearly one-fifth (19%) said colleagues have clicked on a phishing email, and over a quarter admit to doing it themselves - 11% say they’ve done it more than once, and 5% said they do it regularly.
Our collective dependence on passwords also takes a toll on user experience, with over half of the same research respondents expressing frustration with remembering multiple passwords and having to regularly change them. Moreover, the trend towards enforcing long passwords containing numbers and symbols contributes further to the user’s woes.
The road ahead
This familiar sense of user frustration combined with misplaced confidence in password security creates a precarious situation for organisations relying on passwords to protect their data.
A further cause for concern is that despite the frustrations and vulnerabilities associated with password-based security, 74% of cloud professionals still believe in the efficacy of regular password changes as a cyber-security practice.
While the popularity of Multi-Factor Authentication (MFA) as an added layer of security is a positive trend, there has been an alarming increase in successful MFA bypass attacks, as seen in high-profile cases for the likes of Coinbase, Twilio, Reddit and Uber.
Part of the challenge is that the risks faced by organisations have grown considerably since passwords were first introduced more than half a century ago. In today’s cyber-security context, organisations that are focused on addressing the risks that passwords create should begin shifting their focus towards next-generation ‘phishing-resistant’ MFA to provide a more robust defence against cyber-threats.
Recognising the vulnerability posed by passwords, the Fast Identity Online (FIDO) Alliance has developed standards to guide the transition towards more secure, passwordless authentication systems. Adopting such solutions is now recommended at the highest levels of government.
Increasingly, organisations understand the growing urgency to move away from legacy password systems and weak MFA, towards authentication designed to accelerate the journey to zero trust security paradigms — continuous authentication that eliminates all shared secrets (passwords, codes, links, etc.) criminals harvest to plant ransomware crops.
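To make concrete why eliminating shared secrets matters, the following added example (written for this article, not code from Beyond Identity or the FIDO Alliance) contrasts a TOTP-style code, which verifies no matter where the victim typed it, with a challenge-response bound to the origin the browser actually saw. It is a simplified model of the FIDO principle rather than the WebAuthn protocol: HMAC with per-origin keys stands in for the asymmetric signatures real authenticators use so that it runs on the standard library alone, and the origins, user name and seeds are constructed placeholders.

```python
"""Shared-secret OTP versus origin-bound challenge-response (constructed model)."""
import hashlib
import hmac
import os
import time

REAL_ORIGIN = "https://login.example.com"              # constructed relying party
PHISH_ORIGIN = "https://login.example.com.evil.test"   # constructed look-alike site


# --- Shared-secret second factor (TOTP-style code) -------------------------
def otp_code(shared_seed: bytes, t_step: int) -> str:
    """6-digit code derived from a seed that both user and server hold (RFC 4226 style)."""
    mac = hmac.new(shared_seed, t_step.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{val % 1_000_000:06d}"


def phish_shared_secret_factor(shared_seed: bytes, t_step: int) -> bool:
    """Victim types the code into the look-alike page; the attacker relays it.
    The real server only sees a correct code and has no way to tell where it was typed."""
    harvested = otp_code(shared_seed, t_step)          # what the phishing page captured
    return hmac.compare_digest(harvested, otp_code(shared_seed, t_step))


# --- Origin-bound challenge-response (FIDO principle, simplified) -----------
class Authenticator:
    """Holds one device seed, derives a distinct key per origin, and signs
    (origin, challenge) so a response is scoped to the site that requested it.
    HMAC is a stand-in for the asymmetric signature a real authenticator makes."""

    def __init__(self) -> None:
        self._seed = os.urandom(32)

    def _key(self, origin: str) -> bytes:
        return hmac.new(self._seed, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Real FIDO hands the server a public key; here the server learns a verification key.
        return self._key(origin)

    def assert_(self, origin_seen_by_browser: str, challenge: bytes):
        payload = origin_seen_by_browser.encode() + b"|" + challenge
        sig = hmac.new(self._key(origin_seen_by_browser), payload, hashlib.sha256).digest()
        return origin_seen_by_browser, sig


class RelyingParty:
    def __init__(self, origin: str) -> None:
        self.origin = origin
        self.creds: dict[str, bytes] = {}

    def register(self, user: str, verification_key: bytes) -> None:
        self.creds[user] = verification_key

    def new_challenge(self) -> bytes:
        return os.urandom(32)

    def verify(self, user: str, challenge: bytes, response) -> bool:
        signed_origin, sig = response
        if signed_origin != self.origin:                 # produced on another site: reject
            return False
        payload = signed_origin.encode() + b"|" + challenge
        expected = hmac.new(self.creds[user], payload, hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def demo_shared_secret_phished() -> bool:
    """A relayed OTP is accepted by the real server: returns True."""
    seed = os.urandom(20)                                # constructed seed shared with server
    return phish_shared_secret_factor(seed, int(time.time()) // 30)


def demo_origin_bound() -> tuple:
    """Returns (genuine_login_ok, relayed_assertion_ok, origin_rewritten_ok)."""
    auth, rp = Authenticator(), RelyingParty(REAL_ORIGIN)
    rp.register("alice", auth.register(REAL_ORIGIN))    # "alice" is a constructed user

    ch = rp.new_challenge()                              # 1. genuine login from the real origin
    genuine = rp.verify("alice", ch, auth.assert_(REAL_ORIGIN, ch))

    ch2 = rp.new_challenge()                             # 2. attacker relays the real challenge
    phished = auth.assert_(PHISH_ORIGIN, ch2)            #    victim's browser reports the phish origin
    relayed = rp.verify("alice", ch2, phished)

    forged = (REAL_ORIGIN, phished[1])                   # 3. attacker rewrites the origin field
    rewritten = rp.verify("alice", ch2, forged)          #    but the per-origin key does not match
    return genuine, relayed, rewritten


if __name__ == "__main__":
    print("relayed OTP accepted:", demo_shared_secret_phished())
    print("(genuine, relayed, rewritten):", demo_origin_bound())
```

The two checks in `RelyingParty.verify` mirror what makes FIDO phishing-resistant: the origin is part of what gets signed, so an assertion minted on a look-alike site is rejected outright, and the credential is scoped to the origin, so tampering with that field only produces a signature the server cannot verify. The OTP path has neither property, which is why harvested codes remain usable by whoever relays them first.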
This approach is not only beneficial for security but also enhances the user experience by eliminating the frustrating aspects of password management – a win-win for every stakeholder committed to maximising cyber-security.
Jasson Casey is CTO at Beyond Identity
© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543