Pardon the spelling, but it fits. It has been 35 years since passwords were deemed inadequate for reasonable security. Yet here we are, still using them – and 12345678 is still the world’s favorite. Too bad AI doesn’t exist. We could really use some help on the intelligence side of things.
Of course I’m mocking, and we deserve it. It’s quite unbelievable. So much talk, so little action. And it’s not like we haven’t had alternatives.
Actually, the more we look at it, the weirder it becomes. Here’s the reality:
- Users hate good (i.e. complicated) passwords, and for good reasons. Most users actually hate passwords in general: easy to forget, hard to type correctly, slow to reset – and most users need a reset at least weekly, in many companies daily, according to a recent study.
- IT hates passwords. They know passwords are bad security, but their primary reason is the support load. Many, possibly most, help desk operations attribute 30-50% of their load to lost passwords and/or locked accounts.
- Alternatives have been there for ages – and this is 2022: They’re in our pockets or on our keychains – easily available, easily accessible, familiar to the users, I could go on.
- The alternatives are cheap – and provide good security.
Surprising? It is – because we have to ask: Given this reality, why are we here? It’s not the users; they’d welcome a passwordless world. That’s why they love their password managers, whether hidden inside a browser or explicit products like 1Password. And they are very comfortable with fingerprint scanners, retina scanners and facial recognition on cell phones.
It’s not IT either. IT – not all, but many – and most security departments – have made attempts to leave the ancient password-world for at least 10, maybe 20 years. Whether they have been pushing hard enough is a different story. They have not. So I’m not exonerating IT. As a matter of fact, I have another ax to grind with IT: They have been and still are too lenient about legacy systems that should have been eliminated or replaced years ago. Such systems are notoriously difficult (but not impossible) to secure beyond passwords. IT’s ‘relationship’ with passwords was effectively summarized in a recent TechRepublic article:
“Due to the challenges faced by users, password-related issues chew up a lot of time and resources for IT and help desk staffers. A third of the support tickets fielded by the IT department are related to passwords, according to those surveyed. For some organizations, more than half of their support tickets are password related. Support incidents involving passwords have risen on average by 30%, leading many of the IT leaders to cite help desk costs as a concern in this area.” (TechRepublic)
Still – the main problem was – and is – the vendors. Software vendors, solution vendors (ERP et al), hardware vendors, even security specialists. Some have just resisted – saying ‘yes’, acting ‘no’ – and silently ignored reality and customer demands. Others have objected to standards they didn’t invent themselves – and so on. Citing costs, complexities or even (nonexistent) customer resistance, many have claimed the challenge is not theirs to fix.
It is, but here’s the thing: They get away with it – which is our fault. The market’s fault. We accept – and in return we get waves of ransomware, theft, break-ins, etc. that cost a fortune, sometimes lives.
So we keep fixing symptoms and ignoring root causes. Not unusual, quite the opposite, but think about it – what’s your preference: Move on to security and customer conscious partners and vendors, or remain exposed to ransomware attacks and many other cyber threats? Easy choice, isn’t it?
Then comes the hard work. Eliminating passwords is a great start. And overdue.