These are exciting times for authentication technologies. We’ve only just begun to explore a new world beyond passwords. Emerging alternatives abound, from biometrics to multifactor authentication (MFA) to behavioral analysis and many other innovative ideas.

Unfortunately, headlines can also lead us to believe a plethora of myths about passwords and the future of authentication. Verizon’s “2017 Data Breach Investigations Report” found that 81 percent of hacking-related breaches leveraged stolen or weak passwords; in other words, most account compromises are enabled by a weak, poorly managed or easily guessed password. The solution may lie in alternative authentication methods, improved end user practices or somewhere in between.

6 Prevalent Password Security Misconceptions

Before we can pick a path to follow into the future of authentication, we must first overcome some myths and misconceptions around passwords that are still widely held, even by security professionals.

Myth #1: Passwords Are Nearly Done For

Many IT security professionals believe we’re on the brink of eliminating the password. Although it’s true that over the next few years we’ll begin to rely more on better authentication technologies, including biometrics, it will be many years before we’re living in an alternative authentication utopia.

The problem is hard for a litany of reasons. For one thing, it requires everybody to buy into the innovations that should replace passwords. Hardware, software and website vendors need to reach consensus on industry-standardized solutions.

Users also need to accept biometrics, which feel to some like an invasion of privacy. Cyberattacks in the news have boosted public enthusiasm for biometrics, but a double-digit percentage of people say they won’t accept them now or in the future, according to IBM’s 2018 “Future of Identity” study.

Myth #2: Passwords Will Never Be Replaced

It’s true that passwords can and should be replaced with better alternatives, especially with so much data and so many applications that are highly sensitive and interconnected today. It’s also true that someday, even if it’s not in the immediate future, we’ll probably eliminate them altogether. The only questions are “when,” “where” and “with what?”

Web Authentication, or WebAuthn, is a new standard application programming interface (API) from the World Wide Web Consortium (W3C), developed with the FIDO Alliance, that lets a website authenticate a user with security resources he or she already has, such as a smartphone, a laptop’s fingerprint reader or camera, or a security key. Instead of a shared secret, the authenticator holds a private key tied to the site that registered it. At login the site sends a random challenge, the user confirms presence with a tap, fingerprint or PIN, and the authenticator signs the challenge together with the site’s origin; the server checks that signature against the stored public key. Nothing reusable sits on the server, and a credential created for one site cannot be handed to a look-alike site by phishing. The flow itself isn’t new; many existing websites use app- or key-based logins to great effect. What’s new about WebAuthn is the promise of baking this method right into the browser as a common standard.

Microsoft is working on alternatives, too. The company’s Authenticator app enables users to sign in to their Microsoft accounts from a smartphone instead of with a password. Microsoft is also adding support for security keys based on the Fast IDentity Online (FIDO) Alliance’s FIDO2 standard to Windows Hello, its biometric sign-in platform in Windows 10. Windows Hello FIDO2 security key support has been in a kind of beta for most of this year and will support most major security key formats.

Likewise, Google has added a host of security features to Chrome and Chrome OS this year. On one hand, the company has been working on face recognition for Chrome OS devices, specifically future devices with dedicated hardware to make face recognition reliable. On the other, it added a built-in password generator to Chrome, a sign that the company is looking to the future without rushing.

Myth #3: Password Managers Have Solved the Problem

Password managers are a good start: they let users keep a long, random, unique password for every site, and change it when a breach demands, because nobody has to memorize each credential.

Unfortunately, password manager use is surprisingly rare. While a whopping 86 percent of Americans rely on memorization to keep track of their passwords and 49 percent write them down on paper, only 12 percent use password managers, according to the Pew Research Center.

Myth #4: Users Will Get the Password Right

Left to their own devices, many users continue to create weak passwords, reuse them on multiple websites (both personal and professional), share them with others, store them on insecure media (such as wetware or paper) and generally put company data and security at risk.

New research from SailPoint revealed a generational difference in password savviness, with younger employees exhibiting the most dangerous password practices. These findings are consistent with the IBM “Future of Identity” study and suggest that users’ password decision-making will likely get worse, not better. It is safe to assume that a significant share of end users will continue to engage in poor password practices, to the detriment of many.

Myth #5: The Problem Is User Ignorance

A recent LastPass survey of users in the U.S., Australia, France, Germany, and the U.K. revealed that 59 percent of people reused passwords on multiple sites, according to a press release. But it’s not the result of ignorance; 91 percent of those surveyed said they know that reusing a password is a security risk. So why do users reuse credentials? The top two reasons are the fear of forgetting (61 percent) and the desire to be in control of their security (50 percent).

Enterprises and IT departments make mistakes, too: storing passwords in plaintext or protected only by a fast, unsalted hash, leaving a password database exposed or otherwise mishandling credential data.

Myth #6: A Long, Complex Password Is Always Secure

We all think we know the difference between a good password and a bad one: A good password is longer than eight characters, contains both upper- and lower-case letters and includes symbols. The password Password12345! meets these criteria, yet it is still a bad password. Cracking tools try dictionary words with exactly these mutations first: capitalize the first letter, append a run of digits, tack on a symbol. It’s possible to create a terribly insecure password while following the rules, such as by using dictionary words, birthdays, pet names and other sequences that are easy to guess. Even the best password is dangerous if shared, old, reused or previously compromised.

In other words, the quality of the password is only one factor in improving password security. It’s important to explore and embrace better authentication alternatives as they become available and determine where they can be implemented. Still, passwords are here to stay for the foreseeable future.

Embrace a Policy-Based Approach to Password Management

Both users and IT staff will make mistakes, even when they know better. It’s important to take a policy-based approach and not leave password management up to users, no matter how effective your security training.

Even in the coming post-password era, the greatest threats will still come from phishing and social engineering, which prey on whatever the user can be talked into handing over. So embrace the password alternatives, but do better with passwords, too.

To learn more about trends and challenges in password security, listen to the latest episode of the ongoing X-Force Red in Action podcast series, “Spotlight on Password Security With Dustin ‘Evil Mog’ Heywood.”

