Password Obituary: But is the Humble Password Really Dead?
This article was originally published by LOGON’s partner FastPassCorp.
The humble password must have read its own obituary many times in recent years, given the number of “Passwords are dead” articles that have been published. At a Gartner conference I recently saw the headline “Walking dead – the password.” But is it really dead? A recent SecurityWeek article stated that the number of passwords will grow to 300 billion by 2020, which seems to contradict the reports of the password’s demise. So, as the number of passwords continues to increase, why don’t we recognize this and do our best to help the password survive as a strong companion for guarding the doors to our online presence?
Password, you’re OK! Not OK as in perfect: you have your deficiencies and challenges, but you certainly have strengths and benefits too, which should push that obituary far into the future.
But why do so many experts want passwords to die and disappear? Is it because users are unaware of how to protect their passwords and share them too freely with others? Or because alternatives exist? Those alternatives may be handy and convenient, but they also carry a cost and can be misused by determined, well-equipped criminals. Some security experts even claim that, regardless of the credentials a system uses, it is only a question of time before it is breached.
On the other hand, it is worth remembering that passwords cost nothing to create, are instantly available, can easily be replaced if forgotten, and are accepted as credentials by every type of system.
As stated above, all credentials carry risk. For the “more important” systems, users and situations, multi-factor authentication should always be used, and there the password is the perfect companion to the other credentials of each user. The traditional categorization of authentication credentials still makes good sense:
Something only I know (a password or PIN)
Something only I have (a phone, smart card or hardware token)
Something I am (a fingerprint or other biometric)
With multi-factor authentication we combine credentials from these different categories, and it is much harder for a criminal to compromise all of them than to compromise any one of them. It is hard to see why the first category, “Something only I know” (the password), should be excluded from the authentication process.
So passwords are clearly not dead yet. The question is whether it will ever be a good idea to kill them off. Those who want to retire passwords should first present a viable alternative and show that it is actually better than the password.
Meanwhile, password guardians must take extra steps to secure them. That means improving the processes around passwords while reducing their cost (for example, the assistance given to users with forgotten or locked passwords). This is easier and cheaper than throwing passwords away and embarking on new methods that may turn out to be a bad choice in the long term. One example is the SMS one-time password (OTP), which a few years ago was seen as the natural replacement for passwords. Today, because the code can be intercepted or redirected (for example through SIM swapping), SMS OTP on its own is considered riskier than passwords.
Here are some tips on how to address password risks and turn them into strengths.
(For Windows/AD passwords and other corporate applications, like SAP, Oracle, and IBM)
The challenge: To reduce the password-related costs to your business
Anyone can create as many passwords as they need, and nothing has to be bought: any PC or smartphone accepts a password without an extra device or special software.
Users do, however, forget passwords or lock their accounts, and then they need assistance, and that assistance carries a cost.
The comeback:
The mitigation is to give users a self-service portal for resetting their own passwords, even from a locked PC, which minimizes the cost of password retrieval and resets.
The challenge: Users give passwords away— victims to phishing
Attackers often try to trick users into handing over their passwords through phishing, and they often succeed.
The comeback:
There are software solutions that help you fight phishing attacks; their use should be combined with end-user awareness training. Once a password has been phished, the attacker holds the same credential as the real user, so it should be changed as soon as the phishing is suspected. Periodic password expiration limits how long a stolen password remains usable, but it does not stop the attacker using it in the meantime.
The challenge: Hackers may guess passwords
Some passwords are extremely popular, and attackers try lists of the most common ones against many accounts to see which open. Worse, some users reuse their corporate passwords for private web applications; when one of those sites is breached, the leaked password also unlocks the corporate account if the two are identical.
The comeback:
Reject passwords that appear on lists of commonly used or previously breached passwords at the moment they are set, and limit the rate at which one account can be tried so that running through a list of guesses becomes impractical. Telling users never to reuse their corporate password on private sites belongs in the same awareness training as phishing.
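As an added example (not code from FastPassCorp or from the original post), the following Python screens a candidate password against a constructed list of common passwords and against a constructed stand-in for a k-anonymity breached-password lookup. The lookup mirrors the public Pwned Passwords range API, where only the first five hex characters of the password’s SHA-1 hash leave the client and the service answers with “SUFFIX:COUNT” lines; the sample response, the denylist, the 12-character minimum and the function names are assumptions made for this example.

```python
import hashlib

# Constructed denylist of commonly guessed passwords. Assumption: a real
# deployment loads a much larger published list of the most common passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein", "summer2023"}

# Constructed stand-in for the response of a k-anonymity range lookup.
# The key is the first five hex characters of the SHA-1 hash; each line is
# "<remaining 35 hex characters>:<times seen in breaches>". The first entry is
# the real SHA-1 suffix of "password"; the second is made up for the example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0043BDEC12E99D1D62B0D9B8C0D9C0F1A2B:2\n",
}

MIN_LENGTH = 12  # assumption for the example; set this from your own policy


def lookup_range(prefix):
    """Offline stand-in for GET /range/<prefix>; swap in an HTTPS call in production.

    Only the five-character prefix is ever sent, so the password (and even its
    full hash) never leaves the client.
    """
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password):
    """Return how many times the password appears in the breach corpus (0 if never)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(prefix).splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0


def screen_password(password, username=""):
    """Return the list of reasons a new password is rejected; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    count = breach_count(password)
    if count:
        problems.append(f"seen {count} times in breach corpora")
    return problems


if __name__ == "__main__":
    for candidate, user in [("password", "jsmith"),
                            ("Fluffy-cat-2024!", "fluffy"),
                            ("correct horse battery staple vineyard", "jsmith")]:
        verdict = screen_password(candidate, user) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Run the screening at the point where the password is set (self-service portal, service-desk reset, or directory password filter), not only at login: a password that is already in a breach corpus is guessed in the first few attempts of any credential-stuffing run, however strong it looks.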
The challenge: Hackers use social engineering
As the well-known white-hat hacker Kevin Mitnick says: “Why spend hours trying to guess a password, when you can get it by using your phone!” Attackers call the service desk, impersonate a real user and try to get the desk to reset the password and hand over the new one. They are often successful.
The comeback:
The mitigation is to implement clear processes for assisted password resets, with proper verification of the user’s identity before the service desk performs the reset. This should be a well-defined IT workflow that uses dynamic and contextual data (information an impersonator is unlikely to have), with manager approval required for the more important users.
FastPass V4 with Identity Verification Manager (IVM) will protect the users, the service desk supporters and the company against such “vishing” (voice-phishing!) attacks.