The password: one of the most talked-about things in information security since information security was a ‘thing’ itself. Passwords are pretty much what the notion of encryption was born of and have, for many years, served as unique keys that allow entry to that which is otherwise inaccessible and, therefore, safe and secure.
However, in the past, connection speeds were slower, each person only had a small handful of passwords to remember and access to a computer was typically only verified if an individual was physically on the network where the system was located. We live in a time where things are quite different.
What’s more, the evolution of cyber-threats has definitely seen the efficiency of the password tested like never before; hackers have found new (and leveraged old) ways to not only bypass them but also crack, abuse and sell them, leading many to question their effectiveness.
Despite this, passwords, whether alone or part of multi-factor authentication, do still play a big role in securing much of our data. Even in an age where biometrics and other forms of more advanced authentication are (rightly so) gaining popularity, for a variety of reasons these are some way off replacing passwords altogether in the mainstream and there are many examples where passwords are still the main authentication credential used.
Yet, we are often subjected to claims that the ‘password is dead’. Well, there’s definitely some truth in that, but what did you use to log in to your company workstation this morning? I’d argue that if indeed the password is dying, it’s one slow death. In the meantime, passwords continue to be used, abused and to open doors to attackers.
I’d also add that rather than there being anything inherently wrong with passwords as a means of authentication, a lot of the password-related security problems we suffer from are actually caused by a churn of outdated, unrealistic and unworkable password advice bandied about which, in all honesty, achieves little other than poor behavior and unwanted, insecure choices.
“I think people’s behavior with their passwords has degraded to reflect the number of unworkable and implausible rules they are given”, agrees Raef Meeuwisse, author of Cybersecurity for Beginners.
For so long now we have been telling users to make sure that every password they use is unique but never written down. Alternative advice suggests ensuring that passwords are so complex that they contain upper case and lower case letters, numbers, special characters and spaces. Lastly, many advise forcing users in corporate environments to change their passwords to something different every 30 to 120 days.
These are steps that can ensure better password security, but people clearly struggle to adhere to them in the desired way, so they often don’t. A need for complex passwords encourages people to keep them as short as possible. Manual password rotation can result in people needing to use a traceable pattern, or even writing their credentials down to keep track. All of this is, to say the least, undesirable from a security standpoint.
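To make the two failure modes above concrete, here is an added example (not code from the article or its author) that compares a classic complexity rule with a length-based rule and estimates how much brute-force work each compliant password represents, and that flags a password change which only bumps the trailing digits of the old password. The policy thresholds (8 characters and 3 character classes for the legacy rule, 15 characters for the length rule) and the sample passwords are constructed for illustration.

```python
import math
import re
import string

# Character classes that a typical "complexity" policy counts (assumed policy, not from the article).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation + " "),
}


def classes_used(password: str) -> set:
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def passes_legacy_policy(password: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Classic 'complexity' rule: at least min_len characters drawn from min_classes classes."""
    return len(password) >= min_len and len(classes_used(password)) >= min_classes


def passes_length_policy(password: str, min_len: int = 15) -> bool:
    """Length-first rule: no class requirements, just a longer minimum."""
    return len(password) >= min_len


def brute_force_bits(password: str) -> float:
    """
    Upper-bound search-space size in bits, assuming each character was drawn uniformly
    from the alphabet formed by the classes actually used. This is a generous estimate
    (real guessing attacks do far better against dictionary-based passwords), but it is
    enough to show that length dominates class variety.
    """
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet)


def shares_stem(old: str, new: str, min_stem: int = 5) -> bool:
    """
    Flag a 'rotation' that only changes trailing digits/symbols (e.g. Spring19! -> Spring20!),
    the traceable pattern that forced rotation tends to produce. A change validator can reject
    such a change instead of accepting it as a new credential.
    """
    strip = lambda p: re.sub(r"[\d\W_]+$", "", p).lower()
    old_stem, new_stem = strip(old), strip(new)
    return len(old_stem) >= min_stem and old_stem == new_stem


def compare(short_complex: str, long_simple: str) -> dict:
    """Evaluate a short complexity-compliant password against a longer, simpler passphrase."""
    return {
        "short_legacy_ok": passes_legacy_policy(short_complex),
        "short_length_ok": passes_length_policy(short_complex),
        "long_legacy_ok": passes_legacy_policy(long_simple),
        "long_length_ok": passes_length_policy(long_simple),
        "short_bits": round(brute_force_bits(short_complex)),
        "long_bits": round(brute_force_bits(long_simple)),
    }


if __name__ == "__main__":
    # Constructed sample values.
    result = compare("P@ssw0rd", "correcthorsebatterystaple")
    print(result)
    print("Spring19! -> Spring20! is a trivial rotation:", shares_stem("Spring19!", "Spring20!"))
```

The 8-character password satisfies the complexity rule while the 25-character passphrase fails it, yet the passphrase has more than twice the estimated search space; the length-based rule ranks them the other way round. The stem check is the kind of server-side test that catches the predictable increment pattern the paragraph above describes.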
"If indeed the password is dying, it's one slow death"
That’s not to say that users haven’t grasped the fact that reusing the same password over multiple services is a really bad idea, or that writing passwords down in plain text for anyone to read is a big no-no. On the contrary, people are more privacy aware now than they ever have been, but they are yet to find workable alternatives they are comfortable with – this is something the industry needs to address on a wider scale.
Therefore, I think it’s time we take a new approach when it comes to passwords and, instead of reading them the last rites, focus efforts on establishing practical ways to make them secure and workable once again. We should, of course, be exploring other means of authentication too, but we can expect passwords to be used to verify identity for some time to come, even if they will no longer be used as the only form of authentication. We cannot afford to keep suffering the consequences of poor password management. Instead of simply bombarding users with the same old ‘rules’, they should be given the support and means to actually understand and apply good password logic, ideally through a combination of better education and awareness training and reliable password storage applications.
No doubt it’s going to be a challenge, but if there’s one thing I know about the information security community, it really does love a challenge.