Passwords are like Plastic; Lets get rid of ’em

Passwords are at the foundation of security and access control ever since humans felt the need of securing resources and access to it. Passwords have been used and abused since millennium and the best documented example of this is “Open Sesame”. 

The surprising fact is even after millennium passwords are ubiquitous, and mean anything but security. The World Password Day is coming up on 7th of May 2020,  let us see what we have learned in the last decade about passwords.

Passwords are Pain

Passwords are pain for an enterprise, right from its users to administrators.

Pain to Manage

A 2016 survey conducted by Intel Security concluded that an average person uses 27 discrete online services. For security reasons it is a must to have different passwords for enterprise applications, social networking sites and online banking but at the same time, very painful to remember all of them. People often reuse their enterprise passwords at external sites and vice versa.

Pain to Comply & Govern

Compliance & Governance mandate passwords to be complex and securely stored. Time and again we have seen from the incidents at  Robinhood, GitHub, Facebook, Instagram and Citrix that even world class enterprises fail to comply. Another big governance failure is to restrict unwarranted sharing of credentials and OTP within an organisation.

Enterprise measures for compliance & governance are defeated due to users’ and administrator’s common but insecure practices.

Passwords in plain text
Passwords in plain text

Pain to Secure

Enterprises spend a significant sum to secure passwords by layering them with additional factors. This increases more things to manage and support but still leaves passwords insecure.

Enterprises are insecure as long as they have passwords in their system

Credential sharing
Credential sharing

Passwords are Risk

2018  Verizon Data Breach Investigation Report stated that 81% of the breaches that year involved Passwords. Phishing, credential stuffing and stealing passwords from processes or dumps being the top vectors.

2019  Verizon Data Breach Investigation Report stated Stolen Credentials as a top most risk for an enterprise, along with web-application vulnerabilities and ransomware.

2020 First quarter is over and things have not changed much. So far we have seen several security incidents involving Passwords.

Cognizant breached by Maze ransomware
SFO Airport breached with stolen credentials
Compromised Zoom credentials swapped in underground

Phishing
Phishing

Passwords are Outdated

The universal availability of mobile devices and newer ways  of authentication it offers, has inspired the world to think Beyond Passwords.

Gartner suggests “Eliminate centrally managed passwords for better security, fewer breaches, lower support costs and enhanced user experience.” in its report Passwordless Approach to improve security

Conclusion

This new decade is a time to go passwordless.