
Beyond Passwords




Passwords have been at the foundation of security and access control ever since humans felt the need to secure resources and access to them. Passwords have been used and abused for millennia, and the best documented example of this is “Open Sesame”.


The surprising fact is that even after millennia passwords are ubiquitous, and mean anything but security. World Password Day is coming up on 7th of May 2020; let us see what we have learned in the last decade about passwords.


Passwords are Pain


Passwords are a pain for an enterprise, right from its users to its administrators.

Pain to Manage

A 2016 survey conducted by Intel Security concluded that an average person uses 27 discrete online services. For security reasons it is a must to have different passwords for enterprise applications, social networking sites and online banking, but at the same time it is very painful to remember all of them.
People often reuse their enterprise passwords at external sites and vice versa.


Pain to Comply & Govern

Passwords in plain text
Compliance and governance need passwords to be complex and securely stored. Time and again we have seen from the incidents at Robinhood, GitHub, Facebook, Instagram and Citrix that even world-class enterprises fail to comply.
Another big governance failure is failing to restrict unwarranted sharing of credentials and OTPs within an organisation.
Enterprise measures for compliance and governance are defeated by users' and administrators' common but insecure practices.



Credential sharing

Pain to Secure

Enterprises spend a significant amount to secure passwords by layering them with additional factors. This adds more things to manage and support but still leaves passwords insecure.
Enterprises are insecure as long as they have passwords in their systems.


Passwords are Risk


The 2018 Verizon Data Breach Investigation Report stated that 81% of the breaches that year involved passwords, with phishing, credential stuffing and stealing passwords from processes or dumps being the top vectors.
Phishing

The 2019 Verizon Data Breach Investigation Report stated that stolen credentials are a topmost risk for an enterprise, along with web-application vulnerabilities and ransomware.

The first quarter of 2020 is over and things have not changed much. So far we have seen several security incidents involving passwords.



Passwords are Outdated


The universal availability of mobile devices, and the newer ways of authentication they offer, has inspired the world to think Beyond Passwords.

Gartner suggests “Eliminate centrally managed passwords for better security, fewer breaches, lower support costs and enhanced user experience” in its report Passwordless Approach to improve security.

Conclusion


This new decade is a time to go passwordless.