If you follow along with the Authlogics blog, you will probably expect us to have a hard stance on this topic. We are not in favour of the password, as you will have noticed, but if you ask us if they’re worth fixing… The answer is a very vague, yes… and no.
Let us explain.
Should we have long term continued reliance on passwords? Absolutely not. They are, without a doubt, weak, breachable, and the number one reason for most hacks.
But, sadly, they still exist. Many companies still use them. So, should they be fixed? Most definitely. But not so that they can be leant on for the long-term; but so that they can be gradually phased out in a way that respects the complexities of large businesses today.
Fall from glory
Passwords have served a useful purpose for computers and software since the early ’60s. Initially designed for non-Internet connected devices to allow multiple users to share access to the same computer, as the Internet took our world by storm and the platforms we use went from a single item to some innumerable figure, the password stuck as the favourite means for authentication.
Just a decade ago, we could count on one hand the number of systems we needed passwords for. This meant that we could keep them relatively safe and easily remember what they were.
In today’s ‘always-online’ mode we have hundreds of accounts and access points. And humans, unfortunately, are not great code keepers. With the Internet came hackers and with hackers came regulations and guidelines to increase the complexity of passwords. The challenge with this, however, is that, as we mentioned, humans are not great code keepers. These increased complexities created three kinds of users:
- Those that re-use the same password for every platform
- Those that use a similar password for every platform
- Those who re-set their password on most occasions
Eighty per cent of people, above the age of 18, repeat the same password for all systems, and in just the past 60 days, 60 per cent of people will have had to re-set their password.
Even if consumers and users were miraculously able to remember all their passwords without storing them somewhere, they are still able to be breached.
If a hacker wants to get into an account that is protected only by password authentication, given enough time, they can. Just search in Google for password breach and you’ll be inundated with articles about password breaches. Hackers are more intelligent, more automated and multiple-use passwords just don’t provide protection.
What worked for a non-Internet connected device went on to be the star of authentication for the next 50 years. But much has changed in those 50 years, the technology of hackers in particular, and the password cannot be the one solution any longer.
Passwords need an upgrade and eventual phase-out plan — a little fix, with a long term goal of decommissioning.
How can we fix and phase out the password?
We have the technology we need to move into a password-free future, which can be achieved in three easy steps.
With the password still in place, the first step is to ensure that password protection is in line with the latest compliance; checked against the Authlogics Password Breach Database to meet the new password policy guidelines set by NIST SP 800-63B. Businesses must also establish real-time password breach protection so that no hacks or attempts can go unnoticed.
Multi-factor authentication is the next step to go beyond the knowledge-only solution of passwords and add an extra layer of security, making it harder for hackers to breach. 1.5-factor and 2-factor authentication can be applied to achieve this and move your business away from complete reliance on passwords. However, an MFA solution which does not rely on a password must be chosen.
Removal of passwords is the ultimate goal. While they are in the picture, there is a vulnerability, so the final step is to introduce a password-less solution to enable authentication flexibility and scalability.
So, are passwords worth fixing?
Coming back to the original question and our vague yes/no answer, we have to fall down strongly on the side of Yes, and should be fixed by removing the password completely; any short-term fix, as we outlined, is literally that, a short term fix. If you want to remain compliant and secure, the only option is to replace the archaic and unsafe password management systems. Technology has moved on in leaps and bounds over the last 50 years and it’s time business moved with it to embrace security and compliance as key goals for underpinning business success through resilience. Remember, all publicity is not good publicity for your company when it contains the word ‘hacked’.
Are passwords worth fixing? – Where to find out more
To learn more about multi-factor authentication solutions to improve the efficacy of passwords, or how you can begin to phase them out, please get in touch with us.