To Ensure Security, Do Passwords Need to Go Away?

Employees at companies juggle a lot of passwords, both for the applications they need to do their jobs (e.g., corporate email and enterprise apps) and the services in their personal lives that they access at work (e.g., online banking and personal email).

And yet, as companies and users focus more on cybersecurity — especially with data breaches in the headlines — there is a debate about how passwords can be strengthened, or whether they need to be scrapped altogether.

Password security and basic cybersecurity hygiene are key elements, and sometimes the first line of defense for companies. The Department of Homeland Security and the National Cyber Security Alliance (NCSA), a public-private partnership, have for the past 13 years been using October to annually mark National Cyber Security Awareness Month. The first week is focused on basic cybersecurity steps companies and individuals can take to protect themselves.

As part of NCSAM, the White House is promoting an NCSA initiative, “Lock Down Your Login,” a public-private campaign designed to get Americans to use stronger methods of authentication, such as a fingerprint or a one-time code, for their online accounts. The White House estimates that such authentication technology could have prevented about 62 percent of successful data breaches last year.

The Need for Stronger Passwords

For users whose accounts are hacked or exposed, changing passwords is a paramount concern. Last month, Yahoo reported that a 2014 data breach affected at least 500 million user accounts, and the company said users’ names, email addresses, telephone numbers, dates of birth and other information were compromised, the Wall Street Journal noted.

However, according to a report in the New York Times, Yahoo CEO Marissa Mayer “rejected the most basic security measure of all: an automatic reset of all user passwords, a step security experts consider standard after a breach.”

The Times reported that “the stolen passwords were encrypted” and that “Yahoo concluded the risk of misuse was low so it notified users and encouraged them to reset their passwords themselves.”

Most people, however, do not change their passwords for security purposes. Working with market research firm Lab42, security vendor LastPass surveyed 2,000 adults from the U.S., Germany, France, New Zealand, Australia, and the United Kingdom about their password habits. As reported by Dark Reading, 91 percent of those surveyed know it’s risky to reuse passwords, but 61 percent do it anyway. Further, the top reason users change passwords is because they’ve forgotten them; only 29 percent do so for security reasons.

Replacing Passwords with Other Authentication Methods

How can passwords and authentication be strengthened? Some cybersecurity experts say that security questions that are often used to help users reset passwords need to be done away with.

“From their dangerous guessability to the difficulty of changing them after a major breach like Yahoo’s, security questions have proven to be deeply inadequate as contingency mechanisms for passwords,” Wired reports.

“I would like to see this practice go away,” Jim Fenton, an identity privacy and security consultant who runs the blog Insecurity Questions, told Wired regarding security questions. “If passwords are vulnerable, why are security questions somehow so special that they live on forever?”

Fenton notes that data breaches can reveal more personal information that can make guessing security questions easier, thus leading to further breaches if a user’s answers to security questions are reused across different services. “Attackers are getting broader and broader information all of the time about users by aggregating all these different leaks,” he said.

Some companies are trying to move away from passwords entirely, employing different and stronger forms of authentication. Google, for example, has developed what it calls the Trust API, which is aimed at replacing passwords by “mixing together multiple weaker indicators into one solid piece of evidence that you are who you say you are,” the Guardian reports.

The newspaper reports: “Among the pieces of evidence that Google suggests the Trust API could use are some obvious biometric indicators, such as your face shape and voice pattern, as well as some less obvious ones: how you move, how you type and how you swipe on the screen. With the service continually running in the background of the phone, it can keep track of whether those indicators match how it knows you use your phone.”

Meanwhile, Microsoft wants to kill off passwords via its Windows Hello technology, which is designed to let users unlock their Windows 10 devices via biometric methods like fingerprint or iris scans, and facial recognition.