January 2, 2019 By Mike Elgan 4 min read

These are exciting times for authentication technologies. We’ve only just begun to explore a new world beyond passwords. Emerging alternatives abound, from biometrics to multifactor authentication (MFA) to behavioral analysis and many other innovative ideas.

Unfortunately, headlines can also lead us to believe a plethora of myths about passwords and the future of authentication. Verizon's "2017 Data Breach Investigations Report" found that 81 percent of hacking-related breaches leveraged stolen and/or weak passwords; in other words, most account compromises are enabled by a credential that was weak, poorly managed, easily guessed or simply taken from somewhere else. The solution may lie in alternative authentication methods, improved end user practices or somewhere in between.

6 Prevalent Password Security Misconceptions

Before we can pick a path to follow into the future of authentication, we must first overcome some myths and misconceptions around passwords that are still widely held, even by security professionals.

Myth #1: Passwords Are Nearly Done For

Many IT security professionals believe we’re on the brink of eliminating the password. Although it’s true that over the next few years we’ll begin to rely more on better authentication technologies, including biometrics, it will be many years before we’re living in an alternative authentication utopia.

The problem is stubborn for a litany of reasons. For one thing, it requires everybody to buy into the innovations meant to replace passwords: hardware, software and website vendors need to reach consensus on industry-standard solutions.

Users also need to accept biometrics, which feel to some like an invasion of privacy. Cyberattacks in the news have boosted public enthusiasm for biometrics, but a double-digit percentage of people say they won't accept them now or in the future, according to IBM's 2018 "Future of Identity" study.

Myth #2: Passwords Will Never Be Replaced

It’s true that passwords can and should be replaced with better alternatives, especially with so much data and so many applications that are highly sensitive and interconnected today. It’s also true that someday, even if it’s not in the immediate future, we’ll probably eliminate them altogether. The only questions are “when,” “where” and “with what?”

Web Authentication, or WebAuthn, is a new standard application programming interface (API) from the World Wide Web Consortium (W3C), developed together with the FIDO Alliance, that is intended to improve authentication by taking advantage of security hardware the user already has, such as a smartphone, a laptop's fingerprint reader or camera, or a roaming security key. Under the hood it is challenge-response with public-key cryptography: at registration the authenticator generates a key pair for that one site and hands only the public key to the server; at login the server sends a random challenge, the user unlocks the authenticator with a touch, PIN or biometric, and the authenticator signs the challenge together with the origin the browser actually loaded. Because the private key never leaves the device and the signature is bound to the origin, a lookalike phishing site cannot obtain a signature it can use against the real one. Logging in by tapping a prompt on a phone or entering a one-time code isn't new; many existing websites use such methods to good effect. What's new about WebAuthn is the promise of baking a phishing-resistant method right into browsers as a common standard.

Microsoft is working on alternatives, too. The company's Authenticator app enables users to log into their Microsoft accounts using a smartphone. Microsoft is also building support for security keys based on the Fast IDentity Online (FIDO) Alliance's FIDO2 standard into Windows Hello, the company's biometric identification platform in Windows 10. Windows Hello FIDO2 security key support was in a kind of beta for most of 2018 and is slated to support most major security key formats.

Likewise, Google's Chrome browser gained a host of powerful security features in 2018. On one hand, the company has been working on face recognition for Chrome OS devices, specifically future devices that have special hardware to enable reliable face recognition. On the other, Google also added a built-in password generator to Chrome, demonstrating that the company is looking to the future without rushing.

Myth #3: Password Managers Have Solved the Problem

Password managers are a good start: because the user no longer has to memorize every credential, they make it practical to generate a long, random, unique password for every site and to replace one quickly when it is exposed in a breach.

Unfortunately, password manager use is surprisingly rare. While a whopping 86 percent of Americans rely on memorization to keep track of at least some of their passwords and 49 percent write them down on paper, only 12 percent use password management software, according to the Pew Research Center.

Myth #4: Users Will Get the Password Right

Left to their own devices, many users continue to create weak passwords, reuse them on multiple websites (both personal and professional), share them with others, store them on insecure media (such as wetware or paper) and generally put company data and security at risk.

New research from SailPoint revealed a generational difference in password savviness, with younger employees exhibiting the most dangerous password practices. These findings are consistent with the IBM “Future of Identity” study and suggest that users’ password decision-making will likely get worse, not better. It’s a statistical certainty that a significant number of end users will continue to engage in poor password practices — to the detriment of many.

Myth #5: The Problem Is User Ignorance

A recent LastPass survey of users in the U.S., Australia, France, Germany, and the U.K. revealed that 59 percent of people reused passwords on multiple sites, according to a press release. But it’s not the result of ignorance; 91 percent of those surveyed said they know that reusing a password is a security risk. So why do users reuse credentials? The top two reasons are the fear of forgetting (61 percent) and the desire to be in control of their security (50 percent).

Enterprises and IT departments make mistakes, too, sometimes storing passwords in plaintext, or as fast unsalted hashes that are cracked almost as easily, rather than behind a salted and deliberately slow password hash, or otherwise mishandling them.

Myth #6: A Long, Complex Password Is Always Secure

We all know the conventional difference between a good password and a bad one: A good password is longer than eight characters, contains both upper- and lower-case letters and includes symbols. Yet the password Password12345! meets every one of these criteria and is still a bad password. It's easy to create a terribly insecure password while following the rules, by building it from dictionary words, birthdays, pet names, keyboard sequences or a password that has already appeared in a breach, which is why NIST SP 800-63B now recommends screening candidates against a list of common and compromised passwords rather than enforcing composition rules. Even the best password is dangerous if shared, old, reused or previously compromised.
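The point above in working code, as an added example that is not from the original article: a checker that applies the traditional composition rules and then the guessability screens (length, breach list, dictionary words behind leetspeak, personal data, sequences, years). Password12345! passes the first and fails the second. The word list and breached-password set are constructed stand-ins; in production the breach check would query a real corpus such as a k-anonymity range API.

```javascript
// Added example, not from the original article: why "meets the complexity rules"
// is not the same as "hard to guess". Word and breach lists are constructed stand-ins.
const COMMON_WORDS = ['password', 'welcome', 'admin', 'qwerty', 'letmein', 'company'];
const BREACHED = new Set(['Password12345!', 'Summer2018!', 'P@ssw0rd']);

// The traditional rule set: more than eight characters, mixed case, a symbol.
function meetsCompositionRules(pw) {
  return pw.length > 8 && /[a-z]/.test(pw) && /[A-Z]/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

// Fold common leetspeak so "P@ssw0rd" still matches "password".
function deLeet(s) {
  return s.toLowerCase().replace(/@/g, 'a').replace(/\$/g, 's').replace(/0/g, 'o')
    .replace(/1|!|\|/g, 'i').replace(/3/g, 'e');
}

// Ascending or descending runs of consecutive characters: 12345, abcd, 9876.
function isSequential(s, minLen = 4) {
  let run = 1;
  for (let i = 1; i < s.length; i++) {
    const d = s.charCodeAt(i) - s.charCodeAt(i - 1);
    run = (d === 1 || d === -1) ? run + 1 : 1;
    if (run >= minLen) return true;
  }
  return false;
}

// userContext: things an attacker could learn about this user (name, pet, employer).
function assessPassword(pw, userContext = []) {
  const problems = [];
  if (pw.length < 12) problems.push('shorter than 12 characters');
  if (BREACHED.has(pw)) problems.push('appears in a breach corpus');
  const folded = deLeet(pw);
  for (const w of COMMON_WORDS) if (folded.includes(w)) problems.push(`contains common word "${w}"`);
  for (const c of userContext) if (c && folded.includes(deLeet(c))) problems.push(`contains personal data "${c}"`);
  if (isSequential(pw)) problems.push('contains a keyboard/numeric sequence');
  if (/(.)\1{2,}/.test(pw)) problems.push('repeats a character 3+ times');
  if (/(19|20)\d\d/.test(pw)) problems.push('contains a year');
  return { compliant: meetsCompositionRules(pw), acceptable: problems.length === 0, problems };
}

// Constructed inputs: the article's example, a passphrase, and a pet-name password.
console.log(assessPassword('Password12345!'));                 // compliant: true, acceptable: false
console.log(assessPassword('correct-horse-battery-staple'));   // compliant: false, acceptable: true
console.log(assessPassword('Fluffy2018!', ['Fluffy']));         // personal data + year + too short
```

Note the inversion on the second input: a four-word passphrase fails the composition rules (no upper-case letter) but passes every guessability screen, which is exactly the case the composition rules get wrong.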

In other words, the quality of the password is only one factor in improving password security. It’s important to explore and embrace better authentication alternatives as they become available and determine where they can be implemented. Still, passwords are here to stay indefinitely.

Embrace a Policy-Based Approach to Password Management

Both users and IT staff will make mistakes, even when they know better. It’s important to take a policy-based approach and not leave password management up to users, no matter how effective your security training.

Even once the post-password era arrives, the greatest threats will remain phishing and social engineering, which prey on the same poor credential habits. So embrace the password alternatives, but do better with passwords, too.

To learn more about trends and challenges in password security, listen to the latest episode of the ongoing X-Force Red in Action podcast series, “Spotlight on Password Security With Dustin ‘Evil Mog’ Heywood.”

