These are exciting times for authentication technologies. We’ve only just begun to explore a new world beyond passwords. Emerging alternatives abound, from biometrics to multifactor authentication (MFA) to behavioral analysis and many other innovative ideas.
Unfortunately, headlines can also lead us to believe a plethora of myths about passwords and the future of authentication. Verizon’s “2017 Data Breach Investigations Report” revealed that most account infiltrations are enabled by a weak, poorly managed or easily guessed password. The solution may lie in alternative authentication methods, improved end user practices or somewhere in between.
6 Prevalent Password Security Misconceptions
Before we can pick a path to follow into the future of authentication, we must first overcome some myths and misconceptions around passwords that are still widely held, even by security professionals.
Myth #1: Passwords Are Nearly Done For
Many IT security professionals believe we’re on the brink of eliminating the password. Although it’s true that over the next few years we’ll begin to rely more on better authentication technologies, including biometrics, it will be many years before we’re living in an alternative authentication utopia.
The problem is intractable for a litany of reasons. For one thing, it requires everybody to buy into the innovations that should replace passwords. Hardware, software and website vendors need to reach consensuses on industry-standardized solutions.
Users often need to accept biometrics, which feel to some like an invasion of privacy. Cyberattacks in the news have boosted public enthusiasm for biometrics, but a two-digit percentage of people say they won’t accept it now or in the future, according to IBM’s 2018 “Future of Identity” study.
Myth #2: Passwords Will Never Be Replaced
It’s true that passwords can and should be replaced with better alternatives, especially with so much data and so many applications that are highly sensitive and interconnected today. It’s also true that someday, even if it’s not in the immediate future, we’ll probably eliminate them altogether. The only questions are “when,” “where” and “with what?”
Web Authentication, or WebAuthn, is a new standard application programming interface (API) by the World Wide Web Consortium (W3C), which some say will improve authentication by taking advantage of security resources the user already has, such as a smartphone, webcam, fingerprint scanner or security key. The user might visit a website, enter a username, then get a pop-up alert on his or her phone. Tapping on the alert completes the login. These methods aren’t new; many existing websites use WebAuthn-like methods to great effect. What’s new about WebAuthn is the promise of baking these methods right into the internet as a common standard.
Microsoft is working on alternatives, too. The company’s Authenticator app enables users to log into their Microsoft accounts using a smartphone. Microsoft is also building security keys based on the Fast IDentity Online (FIDO) Alliance’s FIDO2 standard into Windows Hello, the company’s biometric identification platform in Windows 10. Windows Hello FIDO2 Security Key support has been in a kind of beta for most of this year and will support most major security key formats.
Likewise, Google’s Chrome browser gained a host of powerful security features this year. On one hand, the company has been working on face recognition features for Chrome OS devices — specifically, future devices that have special hardware to enable reliable face recognition. On the other, Google also added a built-in password generator, demonstrating that the company is looking to the future without rushing.
Myth #3: Password Managers Have Solved the Problem
Password managers are a good start; they enable better construction and more frequent changing of passwords because they remove the requirement for the user to memorize every credential.
Unfortunately, password manager use is surprisingly rare. While a whopping 86 percent of Americans rely on memorization to keep each password and 49 percent rely on writing them down on paper, only 12 percent use password managers, according to the Pew Research Center.
Myth #4: Users Will Get the Password Right
Left to their own devices, many users continue to create weak passwords, reuse them on multiple websites (both personal and professional), share them with others, store them on insecure media (such as wetware or paper) and generally put company data and security at risk.
New research from SailPoint revealed a generational difference in password savviness, with younger employees exhibiting the most dangerous password practices. These findings are consistent with the IBM “Future of Identity” study and suggest that users’ password decision-making will likely get worse, not better. It’s a statistical certainty that a significant number of end users will continue to engage in poor password practices — to the detriment of many.
Myth #5: The Problem Is User Ignorance
A recent LastPass survey of users in the U.S., Australia, France, Germany, and the U.K. revealed that 59 percent of people reused passwords on multiple sites, according to a press release. But it’s not the result of ignorance; 91 percent of those surveyed said they know that reusing a password is a security risk. So why do users reuse credentials? The top two reasons are the fear of forgetting (61 percent) and the desire to be in control of their security (50 percent).
Enterprises and IT departments make mistakes, too, sometimes leaving password data in an unencrypted database or otherwise mishandling it.
Myth #6: A Long, Complex Password Is Always Secure
We all know the difference between a good password and a bad one: A good password is longer than eight characters, contains both upper- and lower-case letters and includes symbols. Although the password Password12345! meets this criteria, however, it is still a bad password. It’s possible to create a terribly insecure password while following the rules, such as by using dictionary words, birthdays, pet names and other sequences that are easy to guess. Even the best password is dangerous if shared, old, reused or previously compromised.
In other words, the quality of the password is only one factor in improving password security. It’s important to explore and embrace better authentication alternatives as they become available and determine where they can be implemented. Still, passwords are here to stay indefinitely.
Embrace a Policy-Based Approach to Password Management
Both users and IT staff will make mistakes, even when they know better. It’s important to take a policy-based approach and not leave password management up to users, no matter how effective your security training.
Even in the coming post-password era, the greatest threats will come from phishing attacks and social engineering resulting from poor password management. So embrace the password alternatives, but do better with passwords, too.
To learn more about trends and challenges in password security, listen to the latest episode of the ongoing X-Force Red in Action podcast series, “Spotlight on Password Security With Dustin ‘Evil Mog’ Heywood.”