Since the invention of the qwerty keyboard in the 1870s and the first use of usernames and passwords by employers in the 1960s, cybersecurity professionals have been behind the eight ball in the fight to protect organizations’ proprietary and personnel data. For decades, security leaders have offered clear training for employees regarding password strength, strong protocols for the frequency of password changes, and consistent coaching in spotting, avoiding, and reporting phishing attempts. Still, when it comes to organizations’ vulnerability to online hacks, the data clearly indicates that the call is coming from inside the house.
Indeed, statistics show that a successful online hack occurs every 39 seconds, and human error—including insecure usernames and passwords—accounts for about 90% of the blame for breaches. This can hardly be surprising, given that the most common passwords in the world are 123456, qwerty, and—you guessed it—password.
To address the electronic elephant in the room, a growing number of employers are starting to dismantle password protection as the primary means of safeguarding data. Research from Gartner projected that, as early as 2022, most employers (60% of large organizations and 90% of midsize organizations) would shift to password-less security strategies.
I say bravo, and the sooner the better. In today’s environment, passwords are obsolete and ineffective, for three key reasons:
1. Hackers have gotten smarter—and so have their methods.
By conservative estimates, more than 500 million passwords have been stolen in data breaches in the last several years—including high-profile breaches at Yahoo!, Facebook, and LinkedIn. The list grows daily, and hackers barely have to try to obtain stolen information. They can easily buy lists of not only stolen passwords, but usernames as well; some lists are even available for free. These easy-access password “dictionaries” allow hackers to cast a wide net of guesses across multiple organizations in a matter of seconds. That high level of accessibility, combined with the low level of security common passwords provide, is difficult for even the best security team to compete with.
2. Security technology has evolved as well.
While cybersecurity professionals have an admittedly more difficult job due to hackers stepping up their game, it isn’t as if the pros have been sitting on their hands. We have used tech evolution to our advantage as well, and data protection methods have leveled up as a result. Biometrics, fingerprints, and facial mapping/recognition are all starting to become more common as replacements for passwords now that they are widely available on smartphones and newer laptops.
3. Humans, however, have not kept up.
Security pros generally agree that for passwords to be really effective, they need to be a random mix of 10+ characters, symbols, and numbers. But how many of us can remember a string of 10 random letters and numbers?
Because of this, users stick to things they know—kids’ names, birthdates, favorite sports players/teams, and holidays—and then simply add a number and/or a character to the end (how many of us use $, %, or !?). Anything more complicated than that, users tend to write down (bad) and keep near the device they log in to (worse).
These perfectly imperfect human tendencies put security teams between a rock and a hard place. Easily guessed or accessed passwords make it easy for bad actors to create an effective attack dictionary with just a few bits of information they may know about their target. Complex and hard-to-remember passwords put an extra burden on IT teams to reset and resend temporary passwords over text or email. Forrester research estimated that about half of IT help desk calls are related to password resets, with each costing about $70.
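The three weak-password habits described above (the world's most common passwords, strings shorter than the 10-character guidance, and a familiar word with a number and a symbol tacked on the end) can be turned into a policy check that runs before a password is accepted. The following is an added example, not code from the article or from Businessolver; the denylist holds only the three passwords the article names, and the 50-bit entropy floor and the suffix symbols checked are assumptions.

```python
import math
import re
from typing import List

# Constructed denylist: the three passwords the article names as the world's most common.
COMMON_PASSWORDS = {"123456", "qwerty", "password"}

# Matches the habit the article describes: a familiar word (a name, team, holiday)
# followed by digits and at most one trailing symbol such as $, % or ! (assumed set).
WORD_SUFFIX_PATTERN = re.compile(r"^[A-Za-z]{3,}\d{0,8}[$%!@#]?$")

# Assumed floor for a "random mix" of characters, in bits of estimated entropy.
MIN_ENTROPY_BITS = 50.0


def estimate_entropy_bits(password: str) -> float:
    """Rough entropy: len * log2(pool), pool built from the character classes used."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"\d", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str) -> List[str]:
    """Return every reason a password fails the policy; an empty list means it passes."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password denylist")
    if len(password) < 10:
        reasons.append("shorter than 10 characters")
    # A word plus suffix can score well on entropy yet sit in every attack dictionary,
    # so the structural check runs independently of the entropy estimate.
    if WORD_SUFFIX_PATTERN.match(password):
        reasons.append("word plus trailing digits/symbol pattern")
    if estimate_entropy_bits(password) < MIN_ENTROPY_BITS:
        reasons.append("estimated entropy below 50 bits")
    return reasons


if __name__ == "__main__":
    for candidate in ("password", "Tigers2021!", "xK9#mQ2$vL7p"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that "Tigers2021!" clears both the length and entropy bars and is rejected only by the pattern check, which is why a class-count or length rule on its own does not capture the habit the article warns about.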
MFA to Save the Day… and the Data
So, if passwords no longer effectively serve their intended purpose, what do we replace them with? The most obvious answer is multifactor authentication (MFA), well-known among security professionals, but a newer concept for employees. Those who are most familiar with MFA generally use it to access the private information in their personal devices, not the devices/systems they access for work.
That said, Accenture found that 60% of consumers say passwords are cumbersome, and 77% are interested in using alternatives to protect their Internet security. Those are numbers that employers can use as a jumping-off point to introduce employees to MFA for professional purposes and gain greater compliance. According to Microsoft, 99% of online attacks can be blocked by some type of MFA, including:
Biometrics. This type of MFA could provide a big security boost in that employees always have their “password” on them, won’t lose it, and won’t need it reset. Authentication by reading a user’s iris or fingerprint, and/or recognizing their face or voice, is already common for accessing personal devices. However, in a business environment—where access needs to be reconfigured when employees leave an organization or receive new hardware—biometric authentication could bring challenges to security teams.
Text message. Acknowledging the challenges with biometric MFA on an organizational level, the most common form of MFA for employers is via text. While it’s one of the best short-term fixes, by my estimation, SIM card spoofing already is a tool hackers use successfully to gain access to data and systems.
The next logical step, of course, is to extend and embed these consumer-based protection methods to business practices and into organizational cultures. While progress toward these methods becoming commonplace has been slow, it has been steady and makes me hopeful for future advancement.
Greg Reynolds is the Chief Technology Officer at Businessolver, a provider of SaaS-based benefits technology and solutions.