by Finn Jensen, CEO of FastPassCorp
The humble password must have read its own obituary many times in recent years, given the number of “Passwords are dead” articles that have been published. At a Gartner conference, I recently saw the headline “Walking dead – the password.” But is it really dead? A recent article posted by SecurityWeek stated that the number of passwords will grow to 300 billion by 2020. This seems to contradict the reports of the password’s demise. So, as the number of passwords seemingly continues to increase, why don’t we recognize this and do our best to help the password survive into the future as a strong companion for guarding the doors to our online presence?
Password – you’re OK! Not OK as in perfect. Sure, you have your deficiencies and challenges, but you certainly have strengths and benefits too, which should kick that obituary out to a far-away future!
But why do so many experts want the use of passwords to die and disappear? Is it because of the risk that users are unaware of how to protect their passwords and then share them too freely with others? Or is it because other alternatives exist? Though these alternatives may be handy and convenient, even they carry a cost and could potentially be misused by determined high-tech criminals. Some security experts even claim that regardless of the credentials used by any system, it is only a question of time before it is breached.
On the other hand, it’s also worth remembering that passwords don’t cost anything, they are instantly available, they can easily be replaced if forgotten, and all types of systems accept them as credentials.
As stated above, all credentials carry risks. For the “more important” systems, users, and situations, multi-factor authentication should always be used. But here, the password is the perfect companion to the other credentials held by each user. The traditional categorization for creating good authentication credentials still makes good sense:
With multi-factor authentication, we combine credentials from these different categories. It is extremely difficult for any criminal hacker to breach them all. It is hard to understand why the first category, “Something only I know” (that is, passwords), should be excluded from the authentication process.
So clearly, passwords are not dead yet. The question is whether it will ever be a good idea to kill them off. Those who want to kill the use of passwords should first present a viable alternative and justify that the alternative is better than the use of passwords.
Meanwhile, password guardians must take extra steps to secure them better. This means improving the processes while reducing the cost of password systems (such as assistance to users with forgotten or locked passwords). This is easier and cheaper than throwing passwords away and embarking on new methods that might be a bad choice in the long term. One great example of such a method is the SMS one-time password (OTP), which a few years ago was seen as the natural replacement for passwords. Today, however, this method is considered riskier than passwords.
Here are some tips on how to address password risks and turn them into strengths.
(For Windows/AD passwords and other corporate applications, like SAP, Oracle, and IBM)
To reduce the password-related costs to your business
It is true that we all can create as many passwords as we need. We don’t need to buy anything to create a password! Any PC or smartphone will accept a password without the need to buy an extra device or to deploy special software.
The fact is, however, that users often forget their passwords, or their accounts get locked, and the users need assistance, and this assistance carries a cost.
The mitigation against this cost is to give users a self-service portal to reset passwords—even from their locked PC! This will minimize the password retrieval or resetting costs.
Hackers may guess passwords
Have you ever heard some of the most popular passwords? Hackers try many different popular passwords to see if they can open an account. Unfortunately, some users even reuse their corporate passwords for private web applications. When that other system is hacked, it helps the hackers if the breached password is identical to the one the end-user uses in the corporate world.
The mitigation against this problem is a password policy that prevents the use of “popular passwords.” A list of restricted passwords that users can’t use will remedy this problem. Combining it with password expiration that forces users to make new passwords will make it impossible for hackers to guess passwords.
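As an added example (not code from the original article or from FastPassCorp’s products), here is a restricted-password policy check of the kind described above. It rejects passwords that match a restricted list even after common substitutions such as “P@ssw0rd!”, and also rejects passwords containing user-specific words (username, company name). The restricted list is a small constructed sample; a real deployment would load a full breached/common-password list.

```python
import re
from typing import Optional

# Constructed sample of a restricted-password list (hypothetical). A real
# deployment would load thousands of entries from a common-password file.
RESTRICTED_PASSWORDS = {
    "password", "welcome", "letmein", "qwerty", "summer", "monkey",
    "football", "iloveyou", "admin", "changeme",
}

# Substitutions users apply to slip a banned word past an exact-match check
# ("P@ssw0rd!" is still "password" once these are undone).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "|": "l"})

MIN_LENGTH = 8  # minimum length enforced before any list lookup


def normalize(password: str) -> str:
    """Lower-case, strip leading/trailing digits and punctuation, then undo
    leet substitutions, so 'Welcome2024!' and 'W3lc0me' both become 'welcome'."""
    lowered = password.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return core.translate(LEET_MAP)


def check_password(password: str, context_words=()) -> Optional[str]:
    """Return None if the password passes the policy, otherwise the reason
    it fails. context_words are user-specific strings (username, company
    name) that must not appear in the password."""
    if len(password) < MIN_LENGTH:
        return "too short"
    norm = normalize(password)
    if not norm:
        return "contains no letters"
    if norm in RESTRICTED_PASSWORDS:
        return f"matches restricted password '{norm}'"
    # Substring match catches 'MyPassword2024' built around a banned word;
    # short banned words are skipped here to avoid excessive false rejects.
    for word in sorted(RESTRICTED_PASSWORDS):
        if len(word) >= 6 and word in norm:
            return f"contains restricted word '{word}'"
    for word in context_words:
        w = word.lower()
        if len(w) >= 4 and w in norm:
            return f"contains context word '{w}'"
    return None
```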
Users give passwords away: victims of phishing
Hackers often try to get users to give them their passwords through phishing attacks, often successfully.
There are software solutions to help you fight phishing attacks. Their use should be combined with end-user awareness training. Password expiration prevents hackers from continuing to use a password they share with the real end-user (i.e., the original password owner).
Hackers use social engineering
As the well-known white-hat hacker Kevin Mitnick says: “Why spend hours trying to guess a password, when you can get it by using your phone!” Hackers will call the service desk, impersonate a real user, and try to get the service desk to reset the password and hand it over. They will often be successful.
The mitigation is to implement clear processes for assisted password resets by the service desk, with qualified verification of the user. This should involve a high-quality IT workflow using dynamic and contextual data, including manager approval for the more important users.
Other credentials to consider
For multi-factor authentication, many alternative systems exist. The table below summarizes the benefits and costs of some of the most popular credential types:
Sending a PIN code or a one-time password (OTP) to the user’s smartphone means that the smartphone acts as a token. Transmitting SMS messages carries a cost. Depending on the model, this might or might not be important. In some territories, the receiver (i.e., the user) has to carry the cost. This is an obvious problem.
The security issue is that many hackers know how to obtain copies of the SMS message or to make themselves its sole recipient. As a consequence, NIST recommends that SMS is only used for non-sensitive systems.
Smart cards are a huge security improvement from magnetic cards! They are practically impossible to copy.
Each card, however, carries a cost. They need readers too. It might be difficult or impossible to read them when the user is on a smart device. And how can we help a user who has lost or forgotten his smart card?
Physical tokens (like the YubiKey) have the same characteristics as smart cards. They are secure, but also carry a cost. The use of such tokens also has limitations in many use cases.
Fingerprint, voice-recognition, iris recognition, and facial recognition are some advancements that have the clear advantage that we carry them with us, so there are no immediate costs. “Reading” devices are, however, necessary and though they might be free in some smart devices, they usually carry a separate cost when used with PCs.
Security-wise, it is claimed that it is possible to steal or copy the necessary image or bit-map.
Fingerprints can be copied from a glass or other surface. Voices can be emulated by deepfake programs. Facial recognition has been fooled by videos of the real person.
Perhaps even more important: what happens if the centrally stored bit-maps of our biometric credentials are hacked? Would all users then have lost their digital identity? A password can easily be changed if someone steals it, but it is very hard for a user to replace their fingerprints!
With all the amazing benefits we can get out of the password when it is partnered with advanced credentials, the password is freer than ever to move forward and ignore the naysayers. Password, you are not dead yet! With the right support from us, your human friends, you can be secure and efficient, and enjoy a long future yet!