Too many people are lazy when it comes to password management, and this should surprise no one. Since the dawn of digital authentication, users have recycled passwords across accounts without a second thought. As the number of accounts requiring passwords grew and password requirements became more stringent, remembering a unique password for each became too difficult. So we stuck with the ones we knew and changed them only when forced to.

That approach may have sufficed two decades ago, but today passwords are a major commodity on the Dark Web. They are stolen in data breaches and sold; paired with a username or email address, a stolen password can hand cybercriminals the key to massive stores of corporate and personal data. And because an intrusion carried out with legitimate credentials looks like a normal login, it is hard to detect, so it is no wonder credential theft is so popular.

Patching Password Management Mistakes

Today we have a relatively sophisticated understanding of how vulnerable our passwords are and the need to adopt better password management. Yet according to research by OpenVPN, a quarter of employees use the same password for all access points, 17 percent admit they use the same password for at least six different accounts and just under half of respondents use the same password for three accounts.

Clearly, old habits die hard, but this particular bad habit could result in identity theft or financial theft for an individual or cost an enterprise millions of dollars in fines, reparations and lost business. It’s also why an increasing number of IT and security decision-makers are searching for new, password-free identity and authentication management systems. But are we ready for a password-free world?

Pushing for Password-Free Authentication

There is a growing push to move away from password-based authentication and use other methods to establish digital identity. The Fast Identity Online (FIDO) Alliance, for example, is creating standards designed to supplant the need for passwords. In theory it is a good idea; in practice it can be complicated. If you eliminate passwords, what do you replace them with? To what do you bind the authentication factor: the device or the user? How do you re-establish the digital identity of users already within the organization? And what happens if that authentication method fails? What is the backup plan?
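To make the device-binding question concrete, here is an added example (not code from the article, the FIDO Alliance or any product) that models in Go how a FIDO-style credential replaces the password with a key pair bound to the device: the relying party stores only a public key and a signature counter, issues a fresh random challenge per login, and checks challenge, origin, RP ID, counter and signature before accepting. The type and function names, the simplified signed-data encoding (a delimited string standing in for WebAuthn's authenticatorData and clientDataJSON), and the example domains are assumptions of this example, not part of the standard or the article.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator: hypothetical, simplified FIDO device. The private key never leaves it.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // monotonically increasing signature counter
}

// Credential: all the relying party (RP) stores. Nothing here is reusable if its DB leaks.
type Credential struct {
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// Assertion: the device's signed answer to one login challenge.
type Assertion struct {
	RPIDHash  [32]byte
	Counter   uint32
	Challenge []byte
	Origin    string
	Sig       []byte
}

// signedData stands in for WebAuthn's authenticatorData || SHA-256(clientDataJSON) (a delimited
// string here, not the real encoding); one signature binds RP ID, counter, challenge and origin.
func signedData(rpIDHash [32]byte, counter uint32, challenge []byte, origin string) []byte {
	return []byte(fmt.Sprintf("%x|%08x|%x|%s", rpIDHash, counter, challenge, origin))
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // CSPRNG failure is treated as fatal
	}
	return b
}

// Sign is the device side: bump the counter and sign for this RP, origin and challenge.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) Assertion {
	a.counter++
	rpIDHash := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(signedData(rpIDHash, a.counter, challenge, origin))
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
	if err != nil {
		panic(err) // only fails if the CSPRNG does
	}
	return Assertion{rpIDHash, a.counter, challenge, origin, sig}
}

// Verify is the RP side: our challenge, our origin and RP ID, a strictly newer counter, then the signature.
func (c *Credential) Verify(rpID, origin string, expected []byte, as Assertion) error {
	switch {
	case string(as.Challenge) != string(expected):
		return errors.New("challenge mismatch")
	case as.Origin != origin:
		return errors.New("origin mismatch (phishing relay?)")
	case as.RPIDHash != sha256.Sum256([]byte(rpID)):
		return errors.New("rpId mismatch")
	case as.Counter <= c.lastCounter:
		return errors.New("counter did not increase (replay or cloned authenticator?)")
	}
	digest := sha256.Sum256(signedData(as.RPIDHash, as.Counter, as.Challenge, as.Origin))
	if !ecdsa.VerifyASN1(c.pub, digest[:], as.Sig) {
		return errors.New("bad signature")
	}
	c.lastCounter = as.Counter
	return nil
}

// Demo: one legitimate login, a replay of that assertion, then one signed for a lookalike origin.
func Demo() (legit, replay, phish bool) {
	const rpID, origin = "example.com", "https://example.com"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	auth := &Authenticator{priv: priv}
	cred := Credential{pub: &priv.PublicKey} // registration: the RP keeps the public key only
	ch1, ch2 := mustRandom(32), mustRandom(32)
	as1 := auth.Sign(rpID, origin, ch1)
	legit = cred.Verify(rpID, origin, ch1, as1) == nil
	replay = cred.Verify(rpID, origin, ch1, as1) == nil // same bytes again: counter check rejects
	as2 := auth.Sign(rpID, "https://examp1e.com", ch2)  // user was lured to a lookalike site
	phish = cred.Verify(rpID, origin, ch2, as2) == nil
	return
}

func main() {
	legit, replay, phish := Demo()
	fmt.Println("legit accepted:", legit, "| replay accepted:", replay, "| phished accepted:", phish)
}
```

Run with `go run`: the legitimate login is accepted, the replayed assertion is rejected by the counter check, and the assertion signed for the lookalike origin is rejected by the origin check (in a real browser the RP ID check would stop it even earlier). Note what the protocol does not answer: the article's "what if it fails" question. A lost or broken device is handled by account recovery policy, not by the cryptography, and that recovery path is where many passwordless deployments quietly reintroduce a weaker factor.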

Passwords gate access to networks, software and databases, but they are also a security control in their own right, even if an increasingly weak and inefficient one. This is why speakers and panelists at the Identiverse 2018 conference stressed that any method considered as a password alternative must itself be secure, not merely more convenient.

They stressed, however, that users will balk at any method that requires too many steps. After all, users fail at password management because they want the process to be as simple as possible. Remembering dozens of unique passwords is inconvenient; it is easier to reuse the same one, even when we know the risks. Nor will there be a one-size-fits-all solution. Different users will make different choices depending on the device and the situation, so authentication options need to be tailored to each use case.

Applying New Methods to Old Habits

There is evidence that we choose the familiar over the safer method. Biometric authentication seems an obvious candidate to replace passwords. According to the OpenVPN study, “Seventy-seven percent of employees trust biometric passwords, and 62 percent believe they are stronger than traditional alphanumeric codes.” Yet barely more than half say they will actually use biometrics as they become more widely available.

And we aren’t just eschewing biometrics. IBM’s recent Future of Identity Study found that only 28% of the general population would enable multifactor authentication on their accounts in the wake of a data breach.

Companies are offering password-free authentication options, such as Universal Second Factor (U2F) security keys or smartphone authenticator apps that issue one-time codes or push approvals. One caveat: U2F, as its name says, was designed as a second factor alongside a password; fully passwordless sign-in is what the later FIDO2/WebAuthn standards target. While IT and security professionals embrace these options, it remains to be seen when, and whether, the average user will make the switch.

Despite the more secure methods available, passwords aren’t going anywhere anytime soon. Users are familiar with them, so they trust them more than the alternatives, and as long as they use passwords they will continue to manage them poorly. Breaking old password habits will take time. Rather than forcing a switch, introduce new authentication methods gradually and give users the chance to make better security practices their new routine.

Read the 2018 IBM Study on The Future of Identity
