Don’t worry, you’re not alone. According to an Intel Security poll, “37% of people forget a password at least once a week”. 4 There is no debating that the use of passwords is a necessity in both work and personal lives. The premise is that credential-based authorization is used to provide appropriate access to systems/data and protect information. But somewhere along the way, password management became overwhelming. Perhaps it was when the experts said that we need to change our 8-character, complex passwords every 90 days. Oh, and by the way, you can’t reuse the password…for a long time. A 2017 report from LastPass estimates that the average business user must keep track of 191 passwords. The report also states that most people who use a password manager like LastPass for personal accounts start with 20 and double that number within three months. 8 Personally, I have over 70 unique passwords for personal and business-related accounts.
Similar to using keys or PIN codes to access our homes, vehicles and offices, passwords are supposed to help secure data. A 1994 Washington Post article explained that “Computer passwords are a modern-day adaptation of techniques soldiers have used since ancient times to verify who is approaching in the dark.” This concept was introduced to the computer age back in the 1960s when MIT used credentials to allow access to a multi-user time-sharing system. 7
Password policies have been a bone of contention between IT departments and the end-user community for years. Password character length, complexity, history and periodic changes have been requirements that frustrate users and burn through hours of IT time. However, much debate has surfaced around these policies over the past few years. A 2016 document posted by Microsoft and NIST’s Special Publication 800-63B, posted in June of 2017, both state that longer passwords are not necessarily more secure. The reports go on to suggest that complex passwords and periodic password changes have a counterproductive result because they are a burden to remember. 1 & 6 This results in simplistic passwords that meet the complexity and length requirements (e.g. P@55w0rd).
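To show why a composition rule by itself gives a false sense of security, here is an added example (not from the article or from Microsoft/NIST) that contrasts a classic “8 characters, three of four character classes” rule with a check that normalizes common substitutions and compares against a blocklist of common words. The blocklist and the substitution table are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed blocklist: a real deployment would use a large list of
// breached or common passwords, not these few words.
var blocklist = []string{"password", "qwerty", "letmein", "welcome"}

// Constructed substitution table for the usual "leetspeak" swaps.
var leet = strings.NewReplacer("@", "a", "4", "a", "3", "e", "1", "i",
	"!", "i", "0", "o", "5", "s", "$", "s", "7", "t")

// MeetsComplexityRule implements the traditional policy: at least 8
// characters and at least three of the four character classes.
func MeetsComplexityRule(pw string) bool {
	if len([]rune(pw)) < 8 {
		return false
	}
	var upper, lower, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			symbol = true
		}
	}
	classes := 0
	for _, b := range []bool{upper, lower, digit, symbol} {
		if b {
			classes++
		}
	}
	return classes >= 3
}

// normalize lowercases the password and undoes common substitutions so
// that "P@55w0rd" is compared as "password".
func normalize(pw string) string {
	return leet.Replace(strings.ToLower(pw))
}

// MeetsBlocklistPolicy requires a minimum length and rejects anything
// whose normalized form contains a blocklisted word; no composition rules.
func MeetsBlocklistPolicy(pw string) bool {
	if len([]rune(pw)) < 8 {
		return false
	}
	n := normalize(pw)
	for _, bad := range blocklist {
		if strings.Contains(n, bad) {
			return false
		}
	}
	return true
}

func main() {
	for _, pw := range []string{"P@55w0rd", "correct horse battery staple"} {
		fmt.Printf("%-30q complexity=%v blocklist=%v\n",
			pw, MeetsComplexityRule(pw), MeetsBlocklistPolicy(pw))
	}
}
```

Run as written, “P@55w0rd” passes the complexity rule and fails the blocklist check, while a long passphrase of plain words does the opposite, which is the mismatch the article is describing.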
It has been reported in Verizon’s annual security report that password compromise is responsible for 81% of confirmed data breaches. 9 This is a significant number that should concern everyone. Fortunately, some very smart people have been trying to resolve this growing challenge. Let’s begin with Multi-factor Authentication (MFA). This concept has been around for many years, generally enforced by larger companies that deployed RSA-type tokens that generate a random number every few minutes. The password was a combination of a word known by the user plus the random number. It was not critical for the known word to be overly complex due to the random number component. Over time, this concept has evolved, and some online websites have now enabled a form of MFA. These sites require a challenge question or send you a code via text or email to validate your credentials after you enter your password. While this approach is effective, it can be a little annoying when you log into multiple sites periodically throughout the day. Surprisingly, it is estimated that only 50% of popular websites and 26% of companies have implemented MFA capabilities. 5
At some point in the 2000s, fingerprint readers began to show up on laptops. Since we are all unique, the use of biometric recognition made logical sense. Biometric recognition allows us to use our face, fingerprints, iris, etc. as a replacement for complicated and numerous passwords. Used as a form of MFA or password-less authentication, the concept was exciting. However, this form of authentication has not been the answer that many thought it would be. While technology gives us the ability to use biometric recognition, technology advancements are also creating problems. For example, a recent report noted that someone used a 3D printer to duplicate a face in order to fool the new iPhone X. Furthermore, if an account is breached, we cannot simply change our physical attribute the way we change a password. Finally, there are still widespread concerns around privacy.
Please consider that complex passwords, MFA and biometrics are tools for securing individual accounts, an area in which we have some control. IT leaders and organizations have a larger challenge in protecting the databases which house our personal information and passwords. We are relying on the owners of these databases to properly secure these very large targets. Within reach is a ‘new concept’ called Decentralized Authentication, where passwords are held on your personal devices rather than in a central database. This solution uses an encrypted public/private key combination to authorize credentials and allow access. 2 However, this is not a stand-alone solution and must be used in conjunction with biometric recognition. Biometrics are used to authorize the user to the device. The device then sends a token to the target hosted application to negotiate access, eliminating the storage of personal information on central databases. This technology is still in the infancy stage. Companies like Hypr Corp are leading the charge with a viable solution for organizations with a large customer base that access personal information on the web. We will have to wait and see how decentralized authentication integrates into the corporate environment.
So, what should you be doing about passwords? Ideally, everyone should be using biometric recognition to access their device(s) and MFA to access websites. However, since not all websites provide MFA, the alternative option is to use a password manager application such as LastPass or Dashlane to manage unique and complex passwords. IT leaders should be reviewing their password policies and deploying devices with biometric recognition and MFA to better secure their environments and provide a better user experience.
- Verizon 2017 Security Report