These are exciting times for authentication technologies. We’ve only just begun to explore a new world beyond passwords. Emerging alternatives abound, from biometrics to multifactor authentication (MFA) to behavioral analysis and many other innovative ideas.

Unfortunately, headlines can also lead us to believe a plethora of myths about passwords and the future of authentication. Verizon’s “2017 Data Breach Investigations Report” revealed that most account infiltrations are enabled by a weak, poorly managed or easily guessed password. The solution may lie in alternative authentication methods, improved end user practices or somewhere in between.

6 Prevalent Password Security Misconceptions

Before we can pick a path to follow into the future of authentication, we must first overcome some myths and misconceptions around passwords that are still widely held, even by security professionals.

Myth #1: Passwords Are Nearly Done For

Many IT security professionals believe we’re on the brink of eliminating the password. Although it’s true that over the next few years we’ll begin to rely more on better authentication technologies, including biometrics, it will be many years before we’re living in an alternative authentication utopia.

The problem is hard for a litany of reasons. For one thing, it requires everybody to buy into the innovations that should replace passwords: hardware, software and website vendors need to reach consensus on industry-standardized solutions.

Users also need to accept biometrics, which feel to some like an invasion of privacy. Cyberattacks in the news have boosted public enthusiasm for biometrics, but a double-digit percentage of people say they won’t accept them now or in the future, according to IBM’s 2018 “Future of Identity” study.

Myth #2: Passwords Will Never Be Replaced

It’s true that passwords can and should be replaced with better alternatives, especially with so much data and so many applications that are highly sensitive and interconnected today. It’s also true that someday, even if it’s not in the immediate future, we’ll probably eliminate them altogether. The only questions are “when,” “where” and “with what?”

Web Authentication, or WebAuthn, is a new standard application programming interface (API) from the World Wide Web Consortium (W3C), developed with the FIDO Alliance, that lets a website authenticate the user with something he or she already has, such as a smartphone, a webcam or fingerprint reader behind a platform authenticator, or a hardware security key. The user visits a website, enters a username and then approves the login on the device, by touching the key, using the fingerprint reader or tapping a prompt on the phone. Under the hood the site sends a one-time challenge, the authenticator signs it with a private key that never leaves the device, and the signed data includes the site’s origin, so a credential registered at one site cannot be replayed to a look-alike phishing page. Device-based logins themselves aren’t new; many websites already use similar methods to great effect. What’s new about WebAuthn is the promise of baking these methods into browsers as a common standard.

Microsoft is working on alternatives, too. The company’s Authenticator app lets users sign in to their Microsoft accounts from a smartphone. Microsoft is also adding support for security keys based on the Fast IDentity Online (FIDO) Alliance’s FIDO2 standard to Windows Hello, its biometric sign-in platform in Windows 10. FIDO2 security key support for Windows Hello has been available in preview for most of this year and will support most major security key formats.

Likewise, Google’s Chrome browser gained a host of powerful security features this year. On one hand, the company has been working on face recognition features for Chrome OS devices — specifically, future devices that have special hardware to enable reliable face recognition. On the other, Google also added a built-in password generator, demonstrating that the company is looking to the future without rushing.

Myth #3: Password Managers Have Solved the Problem

Password managers are a good start: by removing the need to memorize every credential, they make it practical to use a long, random and unique password for every site. Their value lies in that uniqueness and randomness rather than in frequent rotation; NIST SP 800-63B has advised since 2017 that passwords should not be changed on a schedule, only when there is evidence of compromise.

Unfortunately, password manager use is surprisingly rare. According to the Pew Research Center, 86 percent of Americans keep track of their passwords by memorizing them and 49 percent by writing them down on paper, while only 12 percent use a password manager.

Myth #4: Users Will Get the Password Right

Left to their own devices, many users continue to create weak passwords, reuse them across multiple websites (both personal and professional), share them with others, store them insecurely (in memory or on paper) and generally put company data and security at risk.

New research from SailPoint found a generational difference in password savviness, with younger employees exhibiting the riskiest password practices. These findings are consistent with the IBM “Future of Identity” study and suggest that users’ password decision-making is more likely to get worse than better. It is safe to assume that a significant share of end users will continue to engage in poor password practices, to the detriment of everyone who shares a system with them.

Myth #5: The Problem Is User Ignorance

A recent LastPass survey of users in the U.S., Australia, France, Germany, and the U.K. revealed that 59 percent of people reused passwords on multiple sites, according to a press release. But it’s not the result of ignorance; 91 percent of those surveyed said they know that reusing a password is a security risk. So why do users reuse credentials? The top two reasons are the fear of forgetting (61 percent) and the desire to be in control of their security (50 percent).

Enterprises and IT departments make mistakes, too, for example storing passwords in plaintext or in reversibly encrypted form instead of as salted, deliberately slow hashes (bcrypt, scrypt, Argon2 or PBKDF2), leaving an exposed database readable by whoever steals it, or otherwise mishandling credential data.

Myth #6: A Long, Complex Password Is Always Secure

We all know the conventional rule for a good password: longer than eight characters, both upper- and lower-case letters, and at least one symbol. Password12345! satisfies every one of these criteria and is still a bad password, because it is a dictionary word followed by a digit run and a symbol, exactly the mutation that cracking tools’ rule files try first. It is easy to create a terribly insecure password while following the rules, by building it from dictionary words, birthdays, pet names and other sequences that are easy to guess. Even the best password is dangerous if it is shared, old, reused or previously compromised.

In other words, the quality of the password is only one factor in password security. It’s important to explore and embrace better authentication alternatives as they become available and to determine where they can be deployed. Still, passwords will be with us for the foreseeable future.
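As an added example (not code from the original article), here is a server-side acceptance check that enforces the point of Myth #6: it rejects Password12345! despite its textbook composition, and accepts a long all-lowercase passphrase that the composition rule would refuse. The breached-password set, the dictionary and the keyboard rows are small constructed stand-ins; a real deployment screens against a large breach corpus such as Have I Been Pwned’s Pwned Passwords and a full wordlist.

```python
"""Policy check for new passwords: composition rules vs. a real screen.

Added example; not code from the original article. The breach list, the
dictionary and the keyboard rows are small constructed stand-ins for the
large datasets a real deployment would use.
"""
import re

MIN_LENGTH = 12

# Constructed stand-in for a breach corpus (real ones hold hundreds of millions).
BREACHED = {"password", "password1", "password12345!", "qwerty123", "letmein"}

# Constructed stand-in for a wordlist of dictionary words, names and pet names.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "fluffy"}

# Common leetspeak substitutions; attackers' rule files undo them the same way.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def has_composition(pw):
    """The classic rule set: more than 8 chars, upper, lower and a symbol."""
    return (len(pw) > 8
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def _core_word(pw):
    """Lowercase, strip leading/trailing digits and symbols, undo leetspeak.

    Simple heuristic: 'P@ssw0rd!' and 'Password12345!' both reduce to 'password'.
    """
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return stripped.translate(LEET)


def _has_sequence(pw, run=4):
    """Detect runs like abcd, 4321 or qwer/1234 taken from a keyboard row."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw, user_context=()):
    """Return the reasons a password is rejected; an empty list means accepted.

    user_context: strings tied to the account (username, company name) that
    must not appear inside the password.
    """
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if pw.lower() in BREACHED:
        reasons.append("appears in a known breach")
    if _core_word(pw) in DICTIONARY:
        reasons.append("dictionary word with trivial padding or substitutions")
    if _has_sequence(pw):
        reasons.append("contains a sequential or keyboard pattern")
    for token in user_context:
        if token and token.lower() in pw.lower():
            reasons.append("contains account-specific value %r" % token)
    return reasons


if __name__ == "__main__":
    for candidate in ("Password12345!", "P@ssw0rd!", "correcthorsebatterystaple"):
        print(candidate, "| composition rule:", has_composition(candidate),
              "| rejected for:", check_password(candidate) or "nothing")
```

Note that the two checks disagree in both directions: the composition rule passes the breached, predictable Password12345! and fails the 25-character passphrase, while the screen does the opposite. That is why length plus breach screening, not character-class rules, is what a password policy should enforce.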

Embrace a Policy-Based Approach to Password Management

Both users and IT staff will make mistakes, even when they know better. Take a policy-based approach that the systems themselves enforce (a minimum length, screening of new passwords against known-breached lists, MFA wherever it is available, no shared accounts) rather than leaving password management up to users, no matter how effective your security training.

Even in the coming post-password era, the greatest threats will still come from phishing and social engineering, which exploit the same habits that produce poor password management. So embrace the password alternatives, but do better with passwords, too.

To learn more about trends and challenges in password security, listen to the latest episode of the ongoing X-Force Red in Action podcast series, “Spotlight on Password Security With Dustin ‘Evil Mog’ Heywood.”
