Light Dark
August 27, 2018 By Sue Poremba 3 min read
Identity & Access
Data Protection
Fraud Protection

Too many people are lazy when it comes to password management — this should be no surprise to most of us. Since the dawn of digital authentication, users have been known to recycle passwords across accounts without a second thought. As more accounts requiring passwords have come about, and as password requirements became more stringent, it was too difficult to remember them all. So, we stuck with what we knew and changed them only when required.

This system of password management may have sufficed two decades ago, but today, passwords are a major commodity on the Dark Web. Passwords are stolen in data breaches and sold; combined with your username or email, stolen passwords can give cybercriminals the key to massive stores of both corporate and personal data. And breaches conducted with legitimate credentials are difficult to detect — so it’s no wonder password theft is so popular.

Patching Password Management Mistakes

Today we have a relatively sophisticated understanding of how vulnerable our passwords are and the need to adopt better password management. Yet according to research by OpenVPN, a quarter of employees use the same password for all access points, 17 percent admit they use the same password for at least six different accounts and just under half of respondents use the same password for three accounts.

Clearly, old habits die hard, but this particular bad habit could result in identity theft or financial theft for an individual or cost an enterprise millions of dollars in fines, reparations and lost business. It’s also why an increasing number of IT and security decision-makers are searching for new, password-free identity and authentication management systems. But are we ready for a password-free world?

Pushing for Password-Free Authentication

There is a growing push to move away from password-based authentication and use other methods to establish digital identity. The Fast Identity Online (FIDO) Alliance, for example, is creating standards designed to supplant the need for passwords. In theory, it’s a good idea; in practice, it can be complicated. If you eliminate passwords, what do you replace them with? And with what will you bind the authentication factor — the device or the user? Then, how do you re-establish the digital identity of users already within the organization? Finally, what happens if that authentication method fails? What’s the backup plan?

Passwords authenticate access to networks, software and databases, but they also provide a level of security, even if that security layer is increasingly poor and inefficient. This is why speakers and panelists at the Identiverse 2018 conference stated the need for security in any authentication method considered for a password alternative.

They stressed, however, that users will balk at any method that requires too many steps. After all, users fail at password management because they want the process to be as simple as possible. Remembering dozens of unique passwords is too inconvenient; it’s easier to use the same one over and over again, even when we know the risks involved. Nor is there going to be a one-size-fits-all solution. Different users will make different choices depending on the device and the situation. That’s why there’s a need for more differentiators in each use case.

Applying New Methods to Old Habits

There is evidence that we choose the familiar over the safer methods. Biometric authentication seems like an obvious choice to replace passwords. According to the OpenVPN study, “Seventy-seven percent of employees trust biometric passwords, and 62 percent believe they are stronger than traditional alphanumeric codes.” But barely more than half will use biometrics as their availability increases.

Related: IBM Study: Consumers Weigh in on Biometrics, Authentication and the Future of Identity

And we aren’t just eschewing biometrics. IBM’s recent Future of Identity Study showed that only 28% of the general population would enable factor authentication on their accounts in the wake of a data breach.

Companies are offering password-free authentication options, such as the Universal Second Factor (U2F) security key or smartphone applications that use dynamic authentication options. While IT and security professionals embrace these password-free options, it remains to be seen when — and whether — the average user will make the switch.

Despite the more secure authentication methods available, passwords aren’t going anywhere anytime soon. Users are familiar with them, so they trust passwords more than other options. And as long as they are using passwords, they are going to continue to practice poor password management. Getting users out of old password habits will take time. Instead, slowly introduce new authentication methods and give users a chance to make new security best practices their new routine.

Read the 2018 IBM Study on The Future of Identity

 |  |  |  | 
Sue Poremba

More from Identity & Access
April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature