In 2017, analyst firm Cybersecurity Ventures predicted that the total universe of passwords would surpass 300 billion by 2020, noting that hacked or compromised user and privileged accounts would expose organizations to enormous security risks. It’s impossible to know how many active passwords there are today – it’s likely we’ve far exceeded that estimate – but there is no question they are a security nightmare.
Estimates of how many user accounts the average person juggles range from 20-30 to 70-100. That number grows by 25% each year and will keep growing as working environments become increasingly virtual. More accounts mean more passwords to remember, which we all know is more than anyone can realistically manage.
To adapt, a majority of people choose simple passwords or reuse old favorites across services. This seemingly innocuous habit has been exploited relentlessly by cybercriminals. According to Verizon, 61% of breaches involved credentials, and the use of stolen credentials was present in 25% of breaches last year.
That raises the question: Why, in 2021, do we still depend on passwords? Billionaires are floating in space, and we’re still using 1960s-era authentication?
Passwordless Advocates, Slow Your Roll
Security vendors have responded to the password problem in a number of ways, from developing new authentication methods (tokens and biometrics) to multi-factor authentication (your password or PIN plus a biometric or your smartphone). At first glance, those technologies point to a promising alternative to passwords. But there are bigger, more systemic obstacles that block us from a passwordless future:
- It’s still too soon for most users
- The password system is embedded everywhere you go online
This puts us, as users, at an awkward intersection: we all hate passwords and know a better solution is possible, but we’re human. We’re interested in other options, but not interested enough. And just because the tech-savvy among us are gung-ho on passwordless doesn’t mean the rest of the world is ready – let alone able – to embrace it. Passwords are here to stay, at least for now, and despite their flaws, they do have redeeming qualities.
Passwords Are Adaptable
As authenticators, the password’s greatest quality is that it can be changed at any time — in fact, a simple password reset is one of the surest ways to prevent the wrong people from accessing your account. Your fingerprint, face, voice, or pulse, however, cannot easily be reset or replaced. Once criminals have your real biometric identity, not much can stop them from using it for eternity. Just because your biometrics are uniquely yours doesn’t mean they are off-limits; any authentication data is subject to compromise. For example, a major breach in a biometrics system used by banks, UK police, and defense firms resulted in the exposure of fingerprints of over 1 million people, as well as facial recognition information and other personal information.
Furthermore, researchers have demonstrated flaws in existing biometric systems that allowed artificial fingerprints to pass authentication. This opens the door for manipulation and segmentation of our biometric data similar to the synthetic identities criminals have been creating for fraud schemes for years.
Passwords Are Device-Agnostic
Netflix always requires a password because they know you’ll want to access their programming anywhere, on any device, even if that device doesn’t technically belong to you. Biometrics, on the other hand, are tied to specific devices and app instances on those devices. In our professional lives, most of us have at least one mobile phone, a computer for work, and a separate one for private use, and may need to jump on a desktop at a regional office or use a colleague’s device to access an app prior to a sales pitch. The flip side of that convenience is that a password, once compromised, can be used by criminals from any device, anywhere, with exactly the same ease.
Passwords Are A Learned Behavior
According to a survey by LastPass, 72% of IT and security professionals think that end-users in their organization would prefer to continue using passwords, as it is what they are used to. Furthermore, from an organization’s perspective, there is a significant cost associated with training users on a new system and having the proper resources to ensure successful adoption. Any new process is likely to create user friction and irritation, especially as IT resolves initial problems. Passwords remain prevalent because they are convenient and offer ease of use for both developers and users.
Passwordless Isn’t A Panacea
Like any authentication mechanism, passwordless solutions must have contingencies. For example, what happens if the user’s device is lost or stolen? In cases like these, most passwordless solutions default to passwords as a backup, which means passwordless authentication isn’t passwordless after all – and is ultimately no stronger than a password, as it is still vulnerable to all the risks and threats associated with them.
Gartner analysts stated that “passwordless” doesn’t solve every authentication need. In fact, it’s bad practice in nearly every scenario for biometrics to be the sole authenticator. In the highest-security environments such as hospitals, government offices, and financial institutions, users will likely be asked to authenticate their identity multiple times per day with multiple factors, such as biometrics and passwords or PINs.
Passwords Are Problematic, But Not the Problem
It’s not always easy or possible to completely eliminate passwords from legacy implementations. Organizations need a solution to help dig themselves out of the credential security hole they’re in right now. This means accepting the fact that, for a number of practical reasons, passwords are here for the foreseeable future, and maybe aren’t as much to blame as we’d like to believe.
For organizations, monitoring for exposed credentials can mitigate the risk that poor password hygiene creates. So much of our lives exist online, and overall security can be strengthened considerably if we focus not on getting rid of the humble password, but on stripping it of its value to criminals.
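One concrete form of the exposure monitoring described above, added here as an illustration and not code from the article: a k-anonymity range lookup over a constructed breach corpus, in which the client transmits only the first five characters of a password hash, matches the suffix locally, and forces a reset (the reset being the recoverability that a leaked fingerprint lacks) once the password is known to be exposed. The corpus contents, counts and function names are all assumptions made for this example.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for a breach corpus: a few leaked passwords and the number of
# times each appeared in dumps. These passwords and counts are invented for this example.
LEAKED_PASSWORD_COUNTS: Dict[str, int] = {
    "password": 3_800_000,
    "qwerty123": 920_000,
    "Summer2021!": 1_200,
}

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form used by range-query breach lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Index the corpus by the first five hex characters of each hash. The prefix is the
# only thing a client ever transmits, so the server learns at most a 20-bit bucket,
# never the password or its full hash.
CORPUS_BY_PREFIX: Dict[str, Dict[str, int]] = {}
for _pw, _count in LEAKED_PASSWORD_COUNTS.items():
    _h = sha1_hex(_pw)
    CORPUS_BY_PREFIX.setdefault(_h[:5], {})[_h[5:]] = _count

def range_lookup(prefix: str) -> List[str]:
    """Server side: every 'SUFFIX:COUNT' whose full hash starts with prefix."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    bucket = CORPUS_BY_PREFIX.get(prefix, {})
    return [f"{suffix}:{count}" for suffix, count in bucket.items()]

def exposure_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how often the password was seen in breaches (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0

def reset_required(password: str, threshold: int = 1) -> bool:
    """Policy hook for login or password-change handlers: force a reset once the
    password is known to be exposed at least `threshold` times."""
    return exposure_count(password) >= threshold
```

The same check belongs at password-change time so that an already-exposed value is never accepted in the first place.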