Dear Password, It’s Not Me, It’s You

“Dear password, we’ve been together for over 28 years now. As a matter of fact, you were my first authentication mode. You made sense at one point in my life when I needed something that simply just worked. Now, you aren’t enough for me; I need more — something you can’t offer. It’s time for me to move on and leave you in my past. We grew up together since telnet; we worked perfectly together with Secure Shell (SSH), even though at the time there were better alternatives, such as keys. But now, I’ve sat back for too long and watched others abuse you, and I love you too much to watch people treat you like you’re nothing but password123 or letmein.”

- Love always, Alissa Knight

Indeed, passwords are beginning to see their life come to an eventual end as organizations retire them in favor of alternatives to single-factor authentication. This is especially true as companies move to the cloud, where employees don’t want to memorize a separate password for every app, despite the availability of password vaults such as LastPass. The fact of the matter is that passwords are only as secure as the security awareness of the people setting them, and humans will forever be the weakest link in security.

The vulnerability created by passwords as a single form of authentication couldn’t have been better emphasized than in previous worm outbreaks, such as the SQL Slammer worm, which propagated using commonly used passwords. Solutions such as CyberArk have been created to address the problem of the same “domain admin” password being reused across multiple servers in an Active Directory domain. CyberArk enables users to temporarily use a one-time password that expires and can’t be used again. This renders any malware that propagates using common passwords unable to pivot across all servers in the network with the same password. But what about end-user passwords?

As cloud apps replace legacy on-premises software, organizations are looking to tie all of their enterprise on-premises and cloud apps together into a single sign-on experience for their users using tools such as Duo (recently acquired by Cisco for US$2.35 billion) and Okta. The sad state of affairs in password authentication has degraded further as statistics become more widely published on how often passwords are reused across different sites, how many poorly written web apps don’t enforce strong password security, and how many users never change their password because the app or website doesn’t require it. Scammers are even using recent password dumps made public to email victims with their own password, informing them that they hacked their computer and found they were visiting pornography sites, which they would make public if not paid off in bitcoin.

The fact of the matter is that single-factor authentication that just relies on passwords needs to be rendered obsolete as a trusted form of authentication. All web apps should require multifactor authentication and no longer allow just a password. Multifactor authentication doesn’t require costly fobs anymore and can easily support code-generator apps installed on a mobile phone, such as Microsoft Authenticator or Google Authenticator, or at the very least, use email for a one-time code.

Stories such as the Ashley Madison breach (in which hackers made off with 40 million passwords), the 150 million passwords compromised at MyFitnessPal, and the growing number of password leaks over the past decade should further underscore the importance of a global move away from passwords.

In an upcoming Aite Group report, I will be examining alternative enterprise solutions to passwords—especially in the context of financial technology and financial services companies—interviewing users to get firsthand experiences with alternative solutions covering enterprise rollouts, and reviewing lessons learned to help you decide whether or not these solutions are truly “enterprise-ready.”