Too many people are lazy when it comes to password management — this should be no surprise to most of us. Since the dawn of digital authentication, users have been known to recycle passwords across accounts without a second thought. As more accounts requiring passwords have come about, and as password requirements became more stringent, it was too difficult to remember them all. So, we stuck with what we knew and changed them only when required.

This system of password management may have sufficed two decades ago, but today, passwords are a major commodity on the Dark Web. Passwords are stolen in data breaches and sold; combined with your username or email, stolen passwords can give cybercriminals the key to massive stores of both corporate and personal data. And breaches conducted with legitimate credentials are difficult to detect — so it’s no wonder password theft is so popular.

Patching Password Management Mistakes

Today we have a relatively sophisticated understanding of how vulnerable our passwords are and the need to adopt better password management. Yet according to research by OpenVPN, a quarter of employees use the same password for all access points, 17 percent admit they use the same password for at least six different accounts and just under half of respondents use the same password for three accounts.

Clearly, old habits die hard, but this particular bad habit could result in identity theft or financial theft for an individual or cost an enterprise millions of dollars in fines, reparations and lost business. It’s also why an increasing number of IT and security decision-makers are searching for new, password-free identity and authentication management systems. But are we ready for a password-free world?

Pushing for Password-Free Authentication

There is a growing push to move away from password-based authentication and use other methods to establish digital identity. The Fast Identity Online (FIDO) Alliance, for example, is creating standards designed to supplant the need for passwords. In theory, it’s a good idea; in practice, it can be complicated. If you eliminate passwords, what do you replace them with? And with what will you bind the authentication factor — the device or the user? Then, how do you re-establish the digital identity of users already within the organization? Finally, what happens if that authentication method fails? What’s the backup plan?

Passwords authenticate access to networks, software and databases, but they also provide a level of security, even if that security layer is increasingly poor and inefficient. This is why speakers and panelists at the Identiverse 2018 conference stated the need for security in any authentication method considered for a password alternative.

They stressed, however, that users will balk at any method that requires too many steps. After all, users fail at password management because they want the process to be as simple as possible. Remembering dozens of unique passwords is too inconvenient; it’s easier to use the same one over and over again, even when we know the risks involved. Nor is there going to be a one-size-fits-all solution. Different users will make different choices depending on the device and the situation. That’s why there’s a need for more differentiators in each use case.

Applying New Methods to Old Habits

There is evidence that we choose the familiar over the safer methods. Biometric authentication seems like an obvious choice to replace passwords. According to the OpenVPN study, “Seventy-seven percent of employees trust biometric passwords, and 62 percent believe they are stronger than traditional alphanumeric codes.” But barely more than half will use biometrics as their availability increases.

And we aren’t just eschewing biometrics. IBM’s recent Future of Identity Study showed that only 28% of the general population would enable factor authentication on their accounts in the wake of a data breach.

Companies are offering password-free authentication options, such as the Universal Second Factor (U2F) security key or smartphone applications that use dynamic authentication options. While IT and security professionals embrace these password-free options, it remains to be seen when — and whether — the average user will make the switch.

Despite the more secure authentication methods available, passwords aren’t going anywhere anytime soon. Users are familiar with them, so they trust passwords more than other options. And as long as they are using passwords, they are going to continue to practice poor password management. Getting users out of old password habits will take time. Instead, slowly introduce new authentication methods and give users a chance to make new security best practices their new routine.

Read the 2018 IBM Study on The Future of Identity

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today