Passwords are meant to protect sensitive information from the bad guys who want to steal or exploit it. They’re supposed to keep our identities and data safe. And they’re supposed to help keep our companies out of the mounting data breach headlines.
But here’s the thing: they don’t. Relying only on password-based protection isn’t just risky; it’s stupid. It’s time to stop fooling ourselves into a false sense of security. Ask any security professional and they’ll tell you that passwords on their own are ineffective. I’d go a step further and say that passwords are the weakest link in the security chain. Here’s why:
We are our own worst enemy
Let’s face it: we humans suck at creating passwords. We can’t remember what we had for lunch yesterday, let alone complex, gobbledygook passwords. And because we have such poor memories, we default to really dumb password choices, including the gems in the latest list of worst passwords. (The Star Wars-themed passwords caught my eye. I’m sure the folks who chose those thought they were being clever. To me it’s just another example of how lame we are at choosing passwords.)
If you are one of the rare people who actually uses a complex string of random characters that is at least 8 characters long, with upper and lower case letters, numbers and special characters, I’ll bet those passwords are written down somewhere (perhaps on a sticky note stuck to your monitor?). Or even better, they’re typed into a Word or Excel file called “Pa$$w0rds” and uploaded to a cloud storage app so you can access it whenever you need it. Why? So you can remember them!
Sharing is caring — but not when it comes to passwords
Not only are we bad at creating passwords, but we also have really bad password habits, including password sharing. While social media has made sharing almost second nature, there are some things that just shouldn’t be shared. It may seem like common sense, but we’ve all shared passwords with someone: a family member, a boss or a co-worker. In fact, nearly 60% of us admit to sharing a password with another employee. While it may not seem like a big deal at the time, a shared password means nothing done with it can be traced back to one person, and it only takes one mistake to put the entire organization at risk.
Reduce, reuse and recycle — except your passwords
I’m all for being green. And while reducing, reusing and recycling are good for the Earth, they’re not good for passwords. Did you know that almost 75% of us use the exact same password for multiple accounts? It’s not surprising considering how many websites and cloud applications we rely on. Using the same or a similar password is just easier to remember. But it also makes it a lot easier for attackers to break into your accounts: the username and password pairs dumped in a breach at one site get replayed against every other site (the technique is called credential stuffing), and every account that uses that very same password falls.
Kill the Password
Passwords suck. They suck at protecting us. They suck to create and maintain. We do all kinds of sucky things to make them less sucky, but we’re just fooling ourselves. Let’s just admit that passwords don’t work. Let’s admit that relying only on passwords is a stupid way to protect our data and identities. Let’s admit that it’s time to kill the password.
We should consolidate passwords with SAML-based single sign-on (SSO) anytime we can, so that each user has one credential at the identity provider instead of dozens scattered across applications. And we should ALWAYS put two-factor authentication (2FA) or multi-factor authentication (MFA) in front of everything, starting with that identity provider, so that when a password is stolen (which it probably already has been), it doesn’t give the attacker easy access to our applications, data, networks and more.
I can already hear the naysayers. Two-factor authentication? That’s a pain. It’s too hard to implement and manage. It’s too costly. Users will hate it. Well, I’d agree if we were talking about legacy two-factor authentication. But we’ve come a long way, baby. Today, we can leverage cloud-based solutions to simplify implementation. Mobile and biometric technology, no longer something we only see in sci-fi or spy movies, can make two-factor authentication easier for users too. What’s more, two-factor authentication buys us time to implement more advanced forms of authentication that involve big data analytics and user behavior.
Let’s stop making it easy for attackers to steal our stuff. We need to start using tools like SAML, SSO and modern two-factor authentication to cut the passwords we carry down to one and then guard that one properly. It’s time to kill the password.