EXPERT PANEL: Is replacing the password realistic and should we even try?

Passwords have always been like Japanese Knotweed – once you have introduced them it is almost impossible to get rid of. But is this still the case? Is trying to replace passwords realistic? Or should we all just get better at managing them? We asked the experts for their opinion…

“While they’re unlikely to disappear anytime soon, passwords have certainly outlived their usefulness as the primary form of online authentication. Indeed, numerous studies attribute password compromise as the root cause for the vast majority of data breaches that have taken place in recent years, due to the way in which user credentials are stored and managed in vulnerable, and easily exposed, central databases. Far more secure methods of authentication, including biometrics, are now readily available at our fingerprints, which can greatly improve security and privacy for consumers accessing online services, while improving the user experience.

“Rather than continuing to place the onus on users to intermittently change their passwords and increase their complexity, which simply tends to lead to the same easy-to-remember details being used across platforms, we should look to adopting a modern, decentralised approach to authentication. What this means is that users authenticate themselves locally using a private key on their device to sign a cryptographic authentication with the service provider’s server – this ensures that biometric and other authentication data never leaves the user’s device to be stored on a database that ultimately could be leveraged by a hacker. This vision is far from unrealistic, as many of the world’s leading businesses have already freed themselves from being dependent on passwords and improved their company security by leveraging authentication mechanisms that are already on their users’ smartphones, tablets, and computers – from fingerprint, iris, face or voice recognition, to portable hardware security keys.”

Author: Andrew Shikiar, CMO of the FIDO Alliance
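The challenge-response flow Shikiar describes, as an added toy example (not FIDO Alliance code, not a FIDO2/WebAuthn implementation, and not part of the original article): the device generates an Ed25519 key pair and only the public key is registered; the server stores public keys, issues a single-use random challenge, and verifies the device's signature over that challenge bound to the relying party ID. The names `Authenticator`, `Server` and the relying party IDs `login.example` and `evil.example` are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Authenticator is a hypothetical model of the user's device. The private key
// is generated here and is never exported; only the public key is sent to the
// server at registration, so the "authentication data" never leaves the device.
type Authenticator struct {
	priv ed25519.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only credential material that leaves the device.
func (a *Authenticator) PublicKey() ed25519.PublicKey {
	return a.priv.Public().(ed25519.PublicKey)
}

// Sign answers a server challenge. The signed message binds the relying party
// ID the device believes it is talking to, so a challenge relayed through a
// phishing site under another origin yields a signature the real server rejects.
func (a *Authenticator) Sign(rpID string, challenge []byte) []byte {
	return ed25519.Sign(a.priv, signedData(rpID, challenge))
}

func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Server keeps public keys only. A dump of the users map gives an attacker
// nothing that lets them log in, unlike a dump of password hashes.
type Server struct {
	rpID    string
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // one outstanding challenge per user
}

func NewServer(rpID string) *Server {
	return &Server{rpID: rpID, users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.users[user] = pub
}

// Challenge issues a fresh random nonce; the signature over it is single-use.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and consumes the
// challenge, so a captured signature cannot be replayed later.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, ok := s.users[user]
	c, pending := s.pending[user]
	if !ok || !pending {
		return false
	}
	delete(s.pending, user)
	return ed25519.Verify(pub, signedData(s.rpID, c), sig)
}

func main() {
	dev, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	srv := NewServer("login.example")
	srv.Register("alice", dev.PublicKey())

	c, _ := srv.Challenge("alice")
	fmt.Println("challenge:", hex.EncodeToString(c))
	fmt.Println("genuine login:", srv.Verify("alice", dev.Sign("login.example", c)))

	c, _ = srv.Challenge("alice")
	fmt.Println("phished challenge, wrong origin:", srv.Verify("alice", dev.Sign("evil.example", c)))
}
```

The two properties worth checking in any real deployment are the ones the toy makes explicit: the challenge is random and consumed on first use (no replay), and the origin is part of what is signed (no relaying of a genuine challenge through a look-alike site).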

“The simple truth is, no matter how complicated they are, there is no such thing as a safe static password. A password that does not change can easily be hacked, should the hacker find this out through methods like social engineering. Any business that handles customer data owes it to their customers to roll out more vigorous authentication procedures such as one-time passwords and two-factor authentication methods. These are basic controls that can be easily implemented to add that extra layer of protection. If businesses continue to rely on the static password, we’ll continue to see regular security breaches occur on a daily basis.”

Author: Jason Hart, CTO, Data Protection, Gemalto

“Passwords are here to stay in the short term, so it’s important that we get them right. It’s easier within a corporate context, where an organisation can set rules around setting these, like length and character type, but harder as a consumer, as we are faced with numerous online providers that might (and do) have their own rules and where there is therefore no consistency. Unique, complex passwords can be created by using a rule and some simple steps to create variability. Another option is to use a password manager for accounts that are less critical and have no financial information (i.e. credit card) linked to the account. In addition, it’s important to see this problem in context. Passwords shouldn’t be the only thing we use to authenticate.

“It’s important to remember that we use a password to confirm our identity. So often today our e-mail address is the identity itself (i.e. our username). Many people have just one e-mail address and it’s often easy to guess, which compounds the problem. This is especially true if we use the same password across multiple sites: if our username and password are stolen in a security breach at an online provider’s site, they can also be recycled by an attacker – who can try them on many different sites in the hope that the same identity and authentication (username and password) have been used across the board. There’s a growing move towards the use of biometrics – fingerprints, iris scans, etc. – as a replacement for passwords, but in my view, they should rather be used to confirm our identity, with a password (or other mechanism – or ideally more than one) used to confirm that identity. If I choose a poor password and it is compromised, I can change it: if my fingerprint is compromised, there’s nothing I can do about it.”

Author: David Emm, Principal Security Researcher, Kaspersky Lab
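The credential reuse Emm describes, where a username and password leaked from one site are tried against many others, leaves a recognisable trace on the receiving side: one source trying many different usernames with a high failure rate, and the occasional success being the account whose owner reused the password. The following detection over constructed login records is an added example, not Kaspersky Lab code and not part of the original article; the log format, the sample lines, the IP addresses (documentation ranges) and the `findStuffing` thresholds are all assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

type loginEvent struct {
	when time.Time
	ip   string
	user string
	ok   bool
}

// finding is one suspected credential-stuffing source together with the
// accounts where a replayed password actually worked, which are the ones to
// lock and reset first.
type finding struct {
	ip        string
	attempted int
	succeeded []string
}

// Constructed sample, not from any real system. Fields: RFC 3339 time, source
// IP, username, OK|FAIL. 203.0.113.7 sprays six accounts in twenty seconds and
// gets into one; 192.0.2.55 hammers a single account (brute force, not
// stuffing); 198.51.100.20 is a user who mistyped once.
const sampleLog = `2019-05-01T10:00:01Z 203.0.113.7 alice FAIL
2019-05-01T10:00:02Z 203.0.113.7 bob FAIL
2019-05-01T10:00:02Z 198.51.100.20 frank FAIL
2019-05-01T10:00:04Z 203.0.113.7 carol OK
2019-05-01T10:00:05Z 203.0.113.7 dave FAIL
2019-05-01T10:00:07Z 203.0.113.7 erin FAIL
2019-05-01T10:00:09Z 198.51.100.20 frank OK
2019-05-01T10:00:10Z 192.0.2.55 grace FAIL
2019-05-01T10:00:12Z 192.0.2.55 grace FAIL
2019-05-01T10:00:14Z 192.0.2.55 grace FAIL
2019-05-01T10:00:16Z 192.0.2.55 grace FAIL
2019-05-01T10:00:18Z 192.0.2.55 grace FAIL
2019-05-01T10:00:21Z 203.0.113.7 heidi FAIL`

func parseLog(s string) ([]loginEvent, error) {
	var events []loginEvent
	sc := bufio.NewScanner(strings.NewReader(s))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line: %q", sc.Text())
		}
		ts, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, loginEvent{when: ts, ip: f[1], user: f[2], ok: f[3] == "OK"})
	}
	return events, sc.Err()
}

// findStuffing flags a source IP when, inside any sliding window, it has tried
// at least minUsers distinct usernames and at least failRate of its attempts
// failed. Many distinct users from one source is the stuffing signature; one
// user failing repeatedly is ordinary brute force and is left to rate limiting.
func findStuffing(events []loginEvent, window time.Duration, minUsers int, failRate float64) []finding {
	byIP := map[string][]loginEvent{}
	for _, e := range events {
		byIP[e.ip] = append(byIP[e.ip], e)
	}
	var out []finding
	for ip, evs := range byIP {
		sort.Slice(evs, func(i, j int) bool { return evs[i].when.Before(evs[j].when) })
		start := 0
		for end := range evs {
			for evs[end].when.Sub(evs[start].when) > window {
				start++
			}
			users := map[string]bool{}
			fails := 0
			var hits []string
			for _, e := range evs[start : end+1] {
				users[e.user] = true
				if e.ok {
					hits = append(hits, e.user)
				} else {
					fails++
				}
			}
			n := end - start + 1
			if len(users) >= minUsers && float64(fails)/float64(n) >= failRate {
				out = append(out, finding{ip: ip, attempted: len(users), succeeded: hits})
				break
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].ip < out[j].ip })
	return out
}

func main() {
	events, err := parseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range findStuffing(events, 5*time.Minute, 5, 0.6) {
		fmt.Printf("%s tried %d accounts, succeeded on %v\n", f.ip, f.attempted, f.succeeded)
	}
}
```

Thresholds need tuning per site (shared NAT egress points legitimately show many users from one address), which is why the distinct-user count and the failure ratio are separate knobs rather than a single score.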

“Passwords are to the digital age what seatbelts were to the auto industry – they’re fundamental to online safety and as such aren’t likely to go anywhere soon. They protect your identity, finances, and other critical personal information now that most of this information resides in the cloud. However, thanks to the advent of password managers, password usage is evolving. Consumers who use password managers do not need to invent, know, type or remember any of their passwords. In a sense, a user of a password manager has digital accounts, not passwords. These tools have already started to kill the password by making the actual passwords irrelevant to users.

“For most people, properly managing passwords verges on impossible, given the exploding number of devices and digital services on which we have all become increasingly reliant. You may not be able to control the security architecture of the digital services you use every day and that hold so much of your data, but you can take measures to make sure you have optimal password hygiene. This is the digital version of the “containment” doctrine. Have different passwords on each service so that if one is compromised the damage does not spread.

“Users should regularly change their passwords as breaches often go undetected for months, and sometimes years, so you never know when your account might have been exposed. Tools called password changers are critical for this process as they can instantly change your passwords for hundreds of sites in a single click. This makes it extremely easy to ensure that your accounts are always being safeguarded against unknown threats.”

Author: Emmanuel Schalit, CEO, Dashlane

“The demise of passwords has been predicted for a number of years, especially with the emergence of biometric authentication going mainstream. However, despite this, passwords are not going away any time soon. Not only are they essential to encrypting data in a way that alternative methods such as biometrics simply cannot achieve, but they are the only method that works in every context, on every device, and are unbiased when it comes to the data subject.

“Furthermore, at present, a complex password is a requirement of many online services, including online stores and banks. The average person has nearly 200 passwords, and that number is growing every year. So the password certainly won’t be disappearing overnight.

“A more realistic option is turning multi-factor authentication on across all accounts. It adds an extra layer of protection that will ensure an attacker won’t be able to access your account, even if they did obtain the password. However, currently, multi-factor authentication isn’t supported widely enough across web services, and isn’t adopted frequently enough by users, to offset the risks that weak passwords pose. While we’re moving in the right direction, change is happening too slowly. Until universal coverage with multi-factor authentication (or even behavioural or contextual authentication) is available, companies and consumers alike need to invest in strengthening password-protected services in use.”

“There’s definitely room for improvement when it comes to consumers managing passwords. We recently conducted a study on the Psychology of Passwords and found that many people are still practicing poor password habits, even though there’s a heightened awareness of what they should and shouldn’t do when it comes to online security. For example, 59 per cent of people are mostly, or always, using the same password, even though 91 per cent know it’s a security risk.

“In order to overcome this, it’s important to take into account human behaviour. Memorising special characters, capitals and numbers across all online accounts isn’t natural; if it was, we wouldn’t be so inclined to use the same passwords in the first place! Thankfully, getting passwords under control can be as simple as using a password manager, which means users only have to remember one, master password. All the work is done for you, and it’s the easiest way to ensure accounts are secure and protected.”

Author: Sandor Palfy, CTO, LastPass

“The data varies, but some surveys have determined that the average person has 100+ online accounts. Those numbers are on track to double in five years. Even with two-step verification, unique passwords for every site, and digital lockers to aggregate login info, the model is unsustainable. Combine that with the fact that many people still value experience over security — the number one password in 2017? 1234567 — and you’re looking at an unmitigated data security disaster. In the future, we will get rid of passwords altogether and leverage blockchain technology, encryption and biometrics to create a much more secure and private system.”

Author: Alastair Johnson, CEO and Founder, Nuggets

“Replacing passwords in today’s environment is not realistic as they are embedded into the structure of many environments that have little incentive to change. We have seen a great deal of progress in not replacing passwords but augmenting them with multifactor authentication, biometrics, and conditional access. Conditional access allows for additional validation to take place if the user is utilizing an unknown device or coming from an unknown location. Biometrics on mobile devices has done a good job of masking the fact that a password is in use and makes it easier for a user to authenticate. Federated login is also gaining traction—allowing users to use their Facebook, LinkedIn, or Google account to authenticate to other properties.”

Author: Tim Brown, VP Security at SolarWinds MSP