The end of passwords: Industry experts explore the possibilities and challenges

Passwords have been an industry standard and industry headache for decades. Learn some best practice tips for password administration from tech security insiders.

Password management. Laptop with memo sticks on the screen.

Image: designer491, Getty Images/iStockPhoto

Password management is the bane of end users and IT administrators, but there are options to get the most out of the experience and reduce the headaches. Several industry experts discussed the challenges of and solutions to passwords. 

We talked with Matt Davey, COO at 1Password, an online password management provider; Daniel Smith, head of security research at Radware, a security solutions provider; Rick McElroy, principal security strategist at VMware Carbon Black, a virtual security platform; Matt Wilson, chief information security advisor at BTB Security, a security solutions provider; and Ben Goodman, CISSP and senior vice president of global business and corporate development at identity platform provider ForgeRock.

SEE: Cybersecurity: Let's get tactical (free PDF) (TechRepublic)
 
Scott Matteson: What are the current challenges with passwords?

Matt Davey: For many years we've relied on passwords to securely access the apps and services we use daily, both at home and at work. Today, as many of these services move to the cloud and breaches become bigger and more frequent, password authentication is even more critical, particularly for enterprises. 

That's not likely to change. Despite the rise of passwordless authentication like biometrics and Single Sign-On (SSO), passwords continue to provide a vital base layer of security across any application or service. Passwordless forms of authentication all come with their own issues or vulnerabilities, so passwords are your final line of defense should other methods fail. Cybersecurity Ventures estimates that by 2020 there will be at least 100 billion human passwords.

The biggest challenge is getting workers to adhere to modern password requirements—using strong, unique passwords for every account or service they access. This is in part down to education, but primarily the issue is password overload; having too many long, complex, and unique passwords to remember. To overcome this, workers often fall into using the same password for multiple sites, which leaves businesses open to attacks. If one seemingly unimportant platform is breached, it can leave them vulnerable everywhere those login details are used.

Another challenge plaguing enterprise password security is shadow IT, where employees use third-party apps and services in order to more efficiently do their jobs, without letting their IT department know. For example, Carlos in marketing opens an Airtable account, or Anita in legal uses Grammarly to check for grammatical errors. As employees continue to find their own "productivity hacks," they inadvertently create vulnerabilities, like unseen passwords, that their IT department has no knowledge of or control over. 

Matt Wilson: The frustration with managing numerous accounts across a growing number of devices is real, and when humans get frustrated we sometimes look to resolve the issue by making poor tradeoffs without recognizing we're doing so. For some time we've known there's only a handful of categories for "authenticators": something you have (e.g., a debit card), something you know (e.g., a PIN/password), something you are (e.g., fingerprint), and something you do (e.g., use the same ATM every Friday). Memorizing a password has been the easiest way for most people to prove their identity as online services have exploded over the past 25 years.

Since the dawn of the first password we've struggled with largely the same issues; selecting strong, unique, passwords, remembering and storing them, and changing them periodically.

People pick bad passwords and share them across multiple accounts for a very simple reason: It's easier to remember. As attackers have developed and refined their toolsets, they've increased their capabilities to attack our accounts. Their speed of attack, volume of guesses, ability to mask their location/identity, and the "intelligence" they've developed to make better guesses makes protecting our accounts more difficult than ever before.

Rick McElroy: Data gathered over the last 20 years shows that the more you require password complexity and rotation, the more likely users are to write passwords down and increase the number of help desk tickets in the organization. This will affect employee productivity. Using a password is as antiquated as using a standard key on your front door. Sure it's locked but someone can copy the key or pick the lock and still get access. In a world where mobile applications and websites "remember passwords" authentication can become a frustrating experience for users. NIST came out and changed its password guidance a few years back, basically reversing their stance on recommended password strengths and time between rotations.

SEE: The benefits of a password management policy (TechRepublic)

Ben Goodman: Password and username have been the primary method for authenticating users for years. However, as users create more accounts for social media profiles, email addresses, financial services portals, online gaming profiles, corporate applications and more, users opt to reuse the same password and username combination across all or most logins to save the pain of having to remember multiple sets of credentials. Even with a password manager, there is still a password and username combination being used to log in to applications which means it can still be attacked by a bad actor.

On top of this, even when organizations choose to undergo frequent password resets for their customers and employees, users can still opt to choose a password that is in use on a different profile. This practice is also expensive, as large organizations can spend $1 million annually to facilitate complete password resets. Continuous password resets also make for a horrible user experience.

Finally, even if a user is forced to create or change their current password to include diversified types of characters, millions still choose to use weak passwords such as "123456" as well as "password1" or even "qwerty."

Password reuse creates significant risk for all users and their employers. This is because threat actors with access to one user's set of pilfered login credentials can reuse that password and username to infiltrate accounts with much more sensitive data, including financial, healthcare or professional accounts. As a result, it is not surprising that four out of five global data breaches are caused by weak or stolen passwords.

Scott Matteson: What are the remedies?

Matt Davey: To address the situation, enterprises must address the issue of password overload. The best solution is to implement a management system, like a password manager. That way, employees no longer need to remember many strong, unique passwords — the system remembers them all for them.

Security needs to be convenient. Humans naturally take the path of least resistance, so make the process of creating and using strong passwords easy for employees. When it becomes part of their workflow, eventually good security habits will become second nature. Otherwise, employees will fall back into unsecure workarounds like reusing passwords.

Education and creating an environment where employees feel comfortable asking questions about enterprise security is important, too. Don't villainize people for slipping up—people make mistakes. If you know about security issues as they arise, you can act quickly to address the initial threat and take steps to prevent it happening in the future.

Daniel Smith: Password hygiene is one of the biggest problems that both organizations and individual users face today. 

One of the easiest ways to combat and remedy the issue with password hygiene is through the use of a password manager and the use of multi-factor authentication. Using a password manager naturally encourages users to not reuse passwords, and there are plenty of user friendly options available to both consumers and the enterprise. Multi-factor authentication simply creates an extra step for accessing any account, and can be the barrier needed to stopping unwanted access.

SEE: Top 5 password alternatives (TechRepublic)

Companies, even schools, could be doing more to help educate and provide training for their users. When it comes to password security, users are your first line of defense. If their credentials are compromised, your company is going to have a bad time. When it comes to your users' credentials, security and training processes need to be proactive, encouraging strong password hygiene at the onset.

Matt Wilson: For years, information security professionals have counseled users on good password habits and encouraged their adoption, with limited success. The industry has been on a path of more accessible solutions that make things easier to use, and better habits are forming, but it takes time for the good habits to pay-off. Most users should pick a password generation approach that's effective, but most importantly, works for them. The popular comic XKCD perfectly captures the right mindset.

Ideally, each account would utilize a unique and strong password. Many attackers leverage password guessing lists that include passwords harvested from the numerous breaches over the past few years. However, grouping accounts by risk level is a reasonable trade-off. For example, users might have a unique, strong password for their online banking account, but share a reasonably strong password among multiple individual accounts on hobbyist forums.

Rick McElroy: Behavioral and continual authentication are key. Also, move away from a central store of identities, which can be hacked. The blockchain holds some promise in regards to identification and authentication but projects are still ongoing and being built. Multiple factors must be included in any future secure authentication project. Any authentication system that is static (meaning it relies on one factor) is inherently insecure and doesn't solve the problem fully. Multi-factor authentication goes a long way.

SEE: Infographic: The death of passwords (TechRepublic)

Scott Matteson: What else should we be doing?

Matt Davey: We need to find ways to win back our time and that of IT through automated password solutions. IT professionals spend 20% of their time on passwords, and it's one of the least-efficient uses of their time. Freeing up IT from monitoring and managing password security allows them to become enablers, rather than administrators. 

However, you mustn't prevent people from using the tools they need at work. Enterprises need to find a compromise between employees' needs and security, otherwise, they risk stifling productivity.

Matt Wilson: Anyone can use a password manager. Password managers are pretty simple to use, some are even free and can encourage good password creation habits by generating and then storing strong and unique passwords. Increasingly, web-browsers have included this functionality, and major operating systems like iOS, Android, MacOS, and Windows have the same capability. Finally, multi-factor authentication (MFA) can provide another layer of authentication. There are known issues for some MFA implementations, and attackers have found workarounds in some instances, but using MFA remains a strong practice.

Scott Matteson: What will replace the password problem in the future?

Matt Davey: Even with the increased adoption of passwordless authentication, individuals and enterprises are still likely to need passwords in the future. 

The most popular methods like using an app, website, or email account to authenticate all require a password to log in initially. And these methods carry similar risks to reusing passwords; if your app or email is compromised, then an attacker can access all of your accounts.

SEE: The 5 most hacked passwords (TechRepublic)

The future will bring more security features like single sign-on (SSO) and wider adoption of biometrics, however, those bring additional challenges. SSO provides a secure solution--but it only supports a fraction of the services available.

There are 30,000+ business apps with more coming online every day. For instance, today just 6,000 are integrated with the leading SSO company.

Biometric authentication used in isolation carries a significant flaw. If your facial recognition or fingerprint data is stolen, again, you'll have the same issues as with password reuse; an attacker can use that data to access other accounts that use biometrics to authenticate. Except, even more concerning, is that you can't just reset your biometric features like you would a password—they're permanent. 

Biometrics, email, and third-party applications are effective when used as a second factor to verify identity, but not as the primary means of authentication. The most secure approach is for enterprises to layer passwordless authentication atop passwords, so if one defense fails, there's always a backup.

Matt Wilson: A number of improvements to the simple password already exist, but adoption of password managers that are built in to popular operating systems needs to increase.
Federated authentication services like those from Apple, Facebook, Microsoft, and Google (to name a few) are another tool that can reduce the amount of password clutter that frustrates end-users.

To some extent Biometrics are in use for transactions and privileged actions (e.g., Apple's TouchID for both phones and laptops). Biometrics have long been proposed as the outright, complete replacement for passwords, but there are downsides and privacy considerations yet to be resolved.

User behavioral analysis is already in place as a scoring factor for many authentication systems, and as the data set on each user grows, so will its usefulness in detecting potentially malicious anomalies.

Rick McElroy: Short term, it looks like hand and fingerprint biomarkers, two-factor authentication with a mobile device and, in a post-COVID-19 world, facial recognition will be rolled out faster than ever. At some point in the future, DNA will probably be used to verify identity in the medical field but may not be applied to say a laptop and windows login currently. Long term, I could see a future where a combination of measurements like a heartbeat and brain waves could be used. These types of identification systems are already being beta tested on battlefields to ensure the right criminals and insurgents are being arrested and to protect innocent lives. I would not be shocked to see that deployed at some point in the future.

SEE: Hackers target World Health Organization in attempt to steal passwords (TechRepublic) 

Ben Goodman: Passwords should become a thing of the past. Today, organizations can solve the challenges that come with passwords by leveraging technology that can provide a passwordless user journey. By adopting a passwordless approach, organizations provide users with frictionless, secure digital experiences. With the use of biometrics or push notifications, organizations can bring the same effortless authentications users have experienced on their smartphones, with technologies like FaceID from Apple or Samsung's Ultrasonic Fingerprint scanner, to every digital touchpoint while ensuring security.

As part of an intelligent authentication strategy, passwordless authentication enables future-proof access that improves the customer experience and ensures security by pushing suspicious users to additional verification.

Gartner predicts 60% of large and global enterprises, as well as 90% of midsize enterprises, will implement passwordless methods in over 50% of use cases by 2022. However, organizations don't need to wait to solve password issues: If you choose the right solution, passwordless authentication is possible today.

Also see