Passwords Are The Problem (Not Your People)

In the past year, it seems there were more and more articles and surveys that place most of the blame for data breaches on people. Here’s a recent example from Harvard Business Review. While it is true that decisions and actions by end users play a vital role in security risk, blaming people seems unfair, especially when most security tools increase the friction they must endure just to get their jobs done. I would argue that passwords are the problem, not your people.

A Brief Look at History

The use of passwords as a security control in computing is nearly 60 years old. The first use of a password in computing was likely at the Massachusetts Institute of Technology where researchers built a time-sharing computer. The concept started simple enough — a secret word or string of characters used to identify and grant access to a valid user of a computing resource.

For a long time passwords worked just fine as a security control, especially in the personal computer era when applications and data were confined to the local disk & storage on a PC. They were even ok in early networked environments because those networks were private, self-contained and protected by traditional network security controls.

The internet era and more recently cloud and mobile computing, characterized by broad network access and data accessible over the public internet, highlight the limits of the humble password. More and more of our personal and professional work is conducted online in SaaS applications, involving valuable data that is attractive to determined attackers. The 2017 Data Breach Incident Report from Verizon found that 81% of hacking-related breaches leveraged weak, default and/or stolen passwords, underscoring the value of passwords to the bad guys.

We’re long past the useful life of passwords — we just haven’t decommissioned them yet.

Password-Related Security Risk

Passwords alone are not an adequate security control for a number of reasons. They are susceptible to attack through low tech methods like shoulder surfing (exactly what it sounds like) to more sophisticated techniques like keylogging. For many years, phishing has remained one of the most common attack methods. Phishing is typically carried out by sending an email using a deceptive sender address (usually something familiar or trusted) directing the recipient to enter their user credentials into a fake website that looks identical to a valid site. An interesting threat analysis brief published by SecureWorks highlights how threat groups can use URL-shortening services to effectively hide malicious URLs. It’s common to blame users when they fall for phishing attempts but the truth is that most technology generally does a bad job of helping people make good choices.

Password reuse is another practice that creates security risk. In nearly every study of password habits, more than half of the respondents indicate they reuse passwords for at least some of their accounts. This means that even if your internal password databases haven’t been breached, your organization is at risk whenever passwords from an external service are compromised and dumped onto the internet. This hardly seems fair…you’ve done a good job protecting your data and yet you’re still at risk. The incident history bears this out. Ross Kinder recently wrote about how to respond when this happens.

Addressing the Risk

As an industry, we’ve recognized the risks that accrue with passwords and made attempts to address the problem. Typically, one of the first steps is to establish standards for password hygiene in security policies. Most of us have probably worked somewhere with a policy that required unique passwords for every application account and complexity requirements that include some combination of password length, upper and lowercase letters, numbers and special characters. The problem with this is that while passwords that meet the complexity requirements are harder for attackers to crack, they are also effectively impossible for humans to remember. For a funny but sad look into this problem, spend a few minutes with the @PWTooStrong twitter account. It’s no wonder users resort to keeping lists of passwords on sticky notes, or password reuse (a worthy read on the latter from Troy Hunt can be found here) as coping mechanisms.

Another attempt to shore up security involves multi factor authentication (MFA), a method of access control that requires users to present something they know (typically a password) and something they have (usually a rotating or time-based one time passcode) or something they are (ie. a biometric like a fingerprint). MFA has been around since at least the 1990s and in 2001 the Federal Financial Institutions Examination Council (FFIEC) released guidance for banks offering internet-based services to use “enhanced authentication” and advocated for multi factor authentication. In the last 5 years MFA has become more prevalent in consumer services.

The problem with traditional MFA is the negative impact it has on user experience and productivity. MFA is typically a binary proposition — it’s either enabled and on all the time, or it’s off. If it’s turned on, users have an extra hurdle to clear in every sign in attempt - usually entering a one time code from a hardware or software token. This exceeds the frustration budget of most users and many enterprises are conservative in applying MFA as a result.

Therein lies the problem…most of our efforts to address the risk have placed more burden on our users. Asking people to remember passwords that are essentially cryptographic keys is completely unrealistic. Multi factor authentication is a big step in the right direction for security, but it can’t be at maximum friction at all times or users will revolt. The primary motivation of end users is getting their work done and being as productive as possible. Blaming and shaming users when they make mistakes related to security isn’t going to get us anywhere. Instead, security technology needs to do a much better job making it easier for people to keep themselves and your company secure.

It’s Time To Decommission The Password

At Groove.id, we’re on a mission to make the world more secure and confident online by eliminating passwords. Modern technology gives us viable alternatives that can be stacked together in the right order to both eliminate the need for them and make things a whole lot easier and productive for end users.