Passwords are at the foundation of security and access control ever since humans felt the need of securing resources and access to it. Passwords have been used and abused since millennium and the best documented example of this is “Open Sesame”.
The surprising fact is even after millennium passwords are ubiquitous, and mean anything but security. The World Password Day is coming up on 7th of May 2020, let us see what we have learned in the last decade about passwords.
Passwords are Pain
Passwords are pain for an enterprise, right from its users to administrators.
Pain to Manage
A 2016 survey conducted by Intel Security concluded that an average person uses 27 discrete online services. For security reasons it is a must to have different passwords for enterprise applications, social networking sites and online banking but at the same time, very painful to remember all of them. People often reuse their enterprise passwords at external sites and vice versa.
Pain to Comply & Govern
Compliance & Governance mandate passwords to be complex and securely stored. Time and again we have seen from the incidents at Robinhood, GitHub, Facebook, Instagram and Citrix that even world class enterprises fail to comply. Another big governance failure is to restrict unwarranted sharing of credentials and OTP within an organisation.
Enterprise measures for compliance & governance are defeated due to users’ and administrator’s common but insecure practices.
Pain to Secure
Enterprises spend a significant sum to secure passwords by layering them with additional factors. This increases more things to manage and support but still leaves passwords insecure.
Enterprises are insecure as long as they have passwords in their system
Passwords are Risk
2018 Verizon Data Breach Investigation Report stated that 81% of the breaches that year involved Passwords. Phishing, credential stuffing and stealing passwords from processes or dumps being the top vectors.
2019 Verizon Data Breach Investigation Report stated Stolen Credentials as a top most risk for an enterprise, along with web-application vulnerabilities and ransomware.
2020 First quarter is over and things have not changed much. So far we have seen several security incidents involving Passwords.
Cognizant breached by Maze ransomware
SFO Airport breached with stolen credentials
Compromised Zoom credentials swapped in underground
Passwords are Outdated
The universal availability of mobile devices and newer ways of authentication it offers, has inspired the world to think Beyond Passwords.
Gartner suggests “Eliminate centrally managed passwords for better security, fewer breaches, lower support costs and enhanced user experience.” in its report Passwordless Approach to improve security
Conclusion
This new decade is a time to go passwordless.