Too many people are lazy when it comes to password management — this should be no surprise to most of us. Since the dawn of digital authentication, users have been known to recycle passwords across accounts without a second thought. As more accounts requiring passwords have come about, and as password requirements became more stringent, it was too difficult to remember them all. So, we stuck with what we knew and changed them only when required.

This system of password management may have sufficed two decades ago, but today, passwords are a major commodity on the Dark Web. Passwords are stolen in data breaches and sold; combined with your username or email, stolen passwords can give cybercriminals the key to massive stores of both corporate and personal data. And breaches conducted with legitimate credentials are difficult to detect — so it’s no wonder password theft is so popular.

Patching Password Management Mistakes

Today we have a relatively sophisticated understanding of how vulnerable our passwords are and the need to adopt better password management. Yet according to research by OpenVPN, a quarter of employees use the same password for all access points, 17 percent admit they use the same password for at least six different accounts and just under half of respondents use the same password for three accounts.

Clearly, old habits die hard, but this particular bad habit could result in identity theft or financial theft for an individual or cost an enterprise millions of dollars in fines, reparations and lost business. It’s also why an increasing number of IT and security decision-makers are searching for new, password-free identity and authentication management systems. But are we ready for a password-free world?

Pushing for Password-Free Authentication

There is a growing push to move away from password-based authentication and use other methods to establish digital identity. The Fast Identity Online (FIDO) Alliance, for example, is creating standards designed to supplant the need for passwords. In theory, it’s a good idea; in practice, it can be complicated. If you eliminate passwords, what do you replace them with? And with what will you bind the authentication factor — the device or the user? Then, how do you re-establish the digital identity of users already within the organization? Finally, what happens if that authentication method fails? What’s the backup plan?

Passwords authenticate access to networks, software and databases, but they also provide a level of security, even if that security layer is increasingly poor and inefficient. This is why speakers and panelists at the Identiverse 2018 conference stated the need for security in any authentication method considered for a password alternative.

They stressed, however, that users will balk at any method that requires too many steps. After all, users fail at password management because they want the process to be as simple as possible. Remembering dozens of unique passwords is too inconvenient; it’s easier to use the same one over and over again, even when we know the risks involved. Nor is there going to be a one-size-fits-all solution. Different users will make different choices depending on the device and the situation. That’s why there’s a need for more differentiators in each use case.

Applying New Methods to Old Habits

There is evidence that we choose the familiar over the safer methods. Biometric authentication seems like an obvious choice to replace passwords. According to the OpenVPN study, “Seventy-seven percent of employees trust biometric passwords, and 62 percent believe they are stronger than traditional alphanumeric codes.” But barely more than half will use biometrics as their availability increases.

And we aren’t just eschewing biometrics. IBM’s recent Future of Identity Study showed that only 28% of the general population would enable factor authentication on their accounts in the wake of a data breach.

Companies are offering password-free authentication options, such as the Universal Second Factor (U2F) security key or smartphone applications that use dynamic authentication options. While IT and security professionals embrace these password-free options, it remains to be seen when — and whether — the average user will make the switch.

Despite the more secure authentication methods available, passwords aren’t going anywhere anytime soon. Users are familiar with them, so they trust passwords more than other options. And as long as they are using passwords, they are going to continue to practice poor password management. Getting users out of old password habits will take time. Instead, slowly introduce new authentication methods and give users a chance to make new security best practices their new routine.

Read the 2018 IBM Study on The Future of Identity

More from Identity & Access

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments

4 min read - Overprivileged plaintext credentials left on display in 33% of X-Force adversary simulations Adversaries are constantly seeking to improve their productivity margins, but new data from IBM X-Force suggests they aren’t exclusively leaning on sophistication to do so. Simple yet reliable tactics that offer ease of use and often direct access to privileged environments are still heavily relied upon. Today X-Force released the 2023 Cloud Threat Landscape Report, detailing common trends and top threats observed against cloud environments over the past…

Artificial intelligence threats in identity management

4 min read - The 2023 Identity Security Threat Landscape Report from CyberArk identified some valuable insights. 2,300 security professionals surveyed responded with some sobering figures: 68% are concerned about insider threats from employee layoffs and churn 99% expect some type of identity compromise driven by financial cutbacks, geopolitical factors, cloud applications and hybrid work environments 74% are concerned about confidential data loss through employees, ex-employees and third-party vendors. Additionally, many feel digital identity proliferation is on the rise and the attack surface is…

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today