Every year, billions of personal and corporate accounts get hacked. And every year, organizations respond in the same way: Enforcing stricter password policies. The result? A false sense of accomplishment and a short-lived boost to security, followed by a return to the usual: insecure passwords and, of course, more compromised accounts.
In this post, we will examine why password policies are a band-aid approach that will not solve the security woes of organizations, and why a more fundamental solution is needed to prevent corporate account breaches.
The recurring theme of password breaches
The statistics on data breaches and account takeovers speak to the ineffectiveness of password policies. Account-related security incidents are seeing no drop in frequency or scale, as reports compiled by different cybersecurity firms show.
According to Risk Based Security’s 2019-Q3 Data Breach QuickView Report, a total of 7.9 billion user records were exposed in 5,183 breaches. This is an alarming figure, especially when one considers that it includes firms such as Capital One (100 million breached records) and Quest Diagnostics (11.9 million records), both of which handle sensitive financial and health-related information. It also represents a substantial increase over the 2018-Q3 report: the number of breaches went up 33.3 percent, and the number of records exposed more than doubled, up 112 percent. The data becomes even more concerning in light of the Verizon 2019 Data Breach Investigations Report, which the post cites as attributing around 70 percent of data breaches to stolen credentials.
The ineffectiveness of password policies
By banking on password policies, organizations are putting the burden of securing accounts on the shoulders of the users. The costs, however, are incurred not only by the users but by their organizations as well. Here are some of the key pain points of password policies.
The rotating forgotten password
When an organization mandates periodic password changes, the practical result is that many users lock themselves out of their accounts, which drains helpdesk resources and increases support costs. And when a password change is only recommended rather than enforced, it is usually ignored.
A recent survey by Carnegie Mellon and Indiana universities found that only 33 percent of users change their passwords when they learn their service provider has been breached, and only 13 percent do so within the first three months of the breach. Unfortunately, most of those who do change their passwords pick a replacement that is no stronger than the old one.
Complexity makes it easier to fail
Meanwhile, raising complexity requirements (longer passwords, more character classes, etc.) puts a cognitive strain on users, who come up with passwords they then forget, which leads to even more helpdesk costs. The alternative, writing the password on a piece of paper or, worse, storing it in a plain file on the computer, undermines the very idea of a secret password in the first place.
In this regard, the findings of “2020 State of Password,” a recent Ponemon Institute survey, are damning: “Forty-nine percent of IT security respondents and 51 percent of Individuals share passwords with colleagues to access business accounts. Fifty-nine percent of IT security respondents report that their organization relies on human memory to manage passwords, while 42 percent say sticky notes are used.”
And let’s not forget that password complexity is a moving target. As computers grow stronger, brute-force password hacking methods become more efficient, and organizations are forced to make their passwords even more complex to stay ahead of the attackers. But the human brain, the hardware users have at their disposal to memorize passwords, isn’t growing in complexity and computation power.
How many passwords can you memorize?
Password policies require users to have a unique password for each account and never reuse passwords across accounts. But given that each user has dozens of corporate and personal accounts, how likely is it that they will abide by this rule? Very unlikely. In practice, most users reuse passwords across accounts, and when they don’t, they fall back on very simple or very similar passwords so that they can remember them. Alternatively, they keep all their passwords in a single file or on a piece of paper, which makes things even worse.
The two-factor authentication nightmare
Another go-to control that usually accompanies a password policy is mandatory two-factor authentication on employee accounts. It adds friction and frustration to the user experience, to say nothing of accidentally uninstalled authenticator apps, lost hardware keys, and the other headaches it entails (which further increase support and helpdesk costs). When 2FA is merely recommended rather than enforced, employees often skip it or disable it for the sake of convenience.
The endless teaching cycle
Password policies also incur education costs, including teaching staff members how to recognize phishing and social engineering and keeping them up to date with the latest threats. For instance, attackers have been exploiting the coronavirus lockdown to prey on employees and students and trick them into revealing their credentials.
And to be honest, keeping up with password policies becomes so hard that even security teams often neglect them. From the Ponemon survey: “Contrary to popular belief, IT security professionals— who we’d expect to take the utmost precaution when it comes to security—aren’t much better than the individual users represented in this study. In fact, both groups are engaging in risky practices, including reusing and sharing passwords in the workplace and accessing workplace apps from their personal mobile devices without using two-factor authentication (2FA).”
The hated stash of secrets
Finally, even if you enforce the most stringent password policy, your security woes won’t go away. You still hold a large store of password hashes that, in the wrong hands, can wreak havoc. Organizations must go to great lengths to protect that store against attackers, and to prove to regulators that they have done so.
Protecting the password store incurs additional network and access-control overhead, and it requires that passwords are never stored in the clear: each one must be hashed with a unique random salt using a deliberately slow, iterated function, so that a leaked database cannot be cracked wholesale with precomputed tables and identical passwords do not produce identical records.
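The following is an added example, not code from the original post, contrasting the weak "before" (one fast, unsalted SHA-256) with a salted, iterated "after" (PBKDF2-HMAC-SHA256 from Python's standard library). The iteration count, the record format and the sample usernames and passwords are assumptions made for the illustration; a memory-hard function such as scrypt or Argon2 would be a stronger choice where available.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional

# Assumed work factor for the example; tune so one hash costs ~100 ms on your hardware.
PBKDF2_ITERATIONS = 600_000


def weak_hash(password: str) -> str:
    """The 'before': one fast, unsalted SHA-256.

    Equal passwords give equal hashes, so an attacker who steals the table can
    spot shared passwords at a glance and crack them with precomputed tables.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The 'after': per-user random salt plus PBKDF2-HMAC-SHA256.

    Returns a self-describing record 'pbkdf2_sha256$iterations$salt$hash' so the
    work factor can be raised later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(16)  # 128-bit salt, unique per stored password
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )
    return "$".join([
        "pbkdf2_sha256",
        str(PBKDF2_ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, int(iterations), dklen=len(expected)
    )
    # hmac.compare_digest avoids leaking the matching prefix length through timing.
    return hmac.compare_digest(candidate, expected)


def shared_password_visible(stored: List[str]) -> bool:
    """Does the stored form reveal that two users picked the same password?"""
    return len(set(stored)) < len(stored)


if __name__ == "__main__":
    # Constructed sample: two employees who picked the same password.
    users = {"alice": "Summer2020!", "bob": "Summer2020!"}
    weak = [weak_hash(p) for p in users.values()]
    strong = [hash_password(p) for p in users.values()]
    print("unsalted hashes collide:", shared_password_visible(weak))    # True
    print("salted hashes collide:  ", shared_password_visible(strong))  # False
    print("verify correct password:", verify_password("Summer2020!", strong[0]))  # True
    print("verify wrong password:  ", verify_password("Winter2020!", strong[0]))  # False
```

Because the salt and iteration count travel inside the record, the verifier needs no side table, and raising `PBKDF2_ITERATIONS` later only affects newly written records; old ones keep verifying with their own embedded count and can be rehashed on the user's next successful login.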
Organizations must also make sure their storage and handling of account passwords are in conformance with the constantly changing regulations, which also happen to vary across different jurisdictions. And falling afoul of those regulations can be very costly, to say the least.
So what is the best password policy?
Decades of password-based security have proven that users choose convenience over security—unless they have both. And the struggle to find the right password policy that finds the right balance between the two conflicting goals is increasingly proving to be a lost cause.
So, what is the best password policy? Odd as it may sound, it’s one that includes no passwords. Passwordless authentication addresses the problems listed above by replacing the old memorize-a-secret scheme with technology that is both secure and pleasant to use. From a convenience standpoint, it obviates the need for:
- Creating and remembering long and complex passwords
- Changing passwords every once in a while
- Having many unique passwords
From an administration standpoint, it removes much of the overhead organizations incur for having to respond to password-related problems such as account lockouts, forgotten passwords, etc.
And from a security standpoint, it solves many problems including the following:
- Phishing can no longer yield a reusable password, because there is no password to capture
- No password database to secure, since the server no longer stores a secret that unlocks every account
- Protection against man-in-the-middle and credential-stuffing attacks, which depend on intercepting or replaying passwords