True North Networks Blog
The end of passwords: Industry experts explore the possibilities and challenges
Passwords have been an industry standard and industry headache for decades. Learn some best practice tips for password administration from tech security insiders.
Password management is the bane of end users and IT administrators alike, but there are ways to make the experience more productive and less painful. Several industry experts discussed the challenges passwords pose and the solutions available.
We talked with Matt Davey, COO at 1Password, an online password management provider; Daniel Smith, head of security research at Radware, a security solutions provider; Rick McElroy, principal security strategist at VMware Carbon Black, a virtual security platform; Matt Wilson, chief information security advisor at BTB Security, a security solutions provider; and Ben Goodman, CISSP and senior vice president of global business and corporate development at identity platform provider ForgeRock.
Matt Davey: For many years we've relied on passwords to securely access the apps and services we use daily, both at home and at work. Today, as many of these services move to the cloud and breaches become bigger and more frequent, password authentication is even more critical, particularly for enterprises.
That's not likely to change. Despite the rise of passwordless authentication like biometrics and Single Sign-On (SSO), passwords continue to provide a vital base layer of security across any application or service. Passwordless forms of authentication all come with their own issues or vulnerabilities, so passwords are your final line of defense should other methods fail. Cybersecurity Ventures estimates that by 2020 there will be at least 100 billion human passwords.
The biggest challenge is getting workers to adhere to modern password requirements—using strong, unique passwords for every account or service they access. This is in part down to education, but primarily the issue is password overload: having too many long, complex, and unique passwords to remember. To overcome this, workers often fall into using the same password for multiple sites, which leaves businesses open to attacks. If one seemingly unimportant platform is breached, it can leave them vulnerable everywhere those login details are used.
Another challenge plaguing enterprise password security is shadow IT, where employees use third-party apps and services in order to more efficiently do their jobs, without letting their IT department know. For example, Carlos in marketing opens an Airtable account, or Anita in legal uses Grammarly to check for grammatical errors. As employees continue to find their own "productivity hacks," they inadvertently create vulnerabilities, like unseen passwords, that their IT department has no knowledge of or control over.
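The reuse problem described above is something a practitioner can actually measure rather than just warn about. The following is an added example written for this article, not code from 1Password or any of the vendors quoted: it audits a small, constructed credential vault for passwords that are reused across accounts, and checks each password against a constructed breached-password set using the k-anonymity range-query pattern (send only the first five hex characters of the SHA-1 digest, compare the suffix locally), so the full hash never leaves the client. The vault entries, the breached set, and the function names are all assumptions made for the demonstration.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault of (site, username, password). Not real credentials.
VAULT = [
    ("mail.example.com", "carlos", "Summer2019!"),
    ("airtable.example", "carlos", "Summer2019!"),              # reused across sites
    ("grammarly.example", "anita", "correct horse battery staple"),
    ("hr.example.com", "anita", "Welcome1"),
    ("vpn.example.com", "anita", "Welcome1"),                   # reused, and weak
]

def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the form breach-range services key on (assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breached-password feed, held only as hashes so the
# plaintexts never need to be stored alongside the vault.
BREACHED_SHA1 = {sha1_hex(p) for p in ("Welcome1", "password", "123456", "qwerty")}

def find_reused(vault):
    """Group vault entries by password hash; return {hash: [accounts]} for any
    hash that appears on more than one account."""
    by_hash = defaultdict(list)
    for site, user, pw in vault:
        by_hash[sha1_hex(pw)].append(f"{user}@{site}")
    return {h: accts for h, accts in by_hash.items() if len(accts) > 1}

def breached_range(prefix: str):
    """Emulate the server side of a k-anonymity range query: given a 5-char hash
    prefix, return the suffixes of every breached hash sharing that prefix."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}

def is_breached(password: str) -> bool:
    """Client side: reveal only the prefix, match the suffix locally."""
    h = sha1_hex(password)
    return h[5:] in breached_range(h[:5])

def audit(vault):
    """One finding per account: whether its password is reused elsewhere in the
    vault and whether it appears in the breached set."""
    reused = find_reused(vault)
    return [
        {
            "account": f"{user}@{site}",
            "reused": sha1_hex(pw) in reused,
            "breached": is_breached(pw),
        }
        for site, user, pw in vault
    ]

if __name__ == "__main__":
    for finding in audit(VAULT):
        print(finding)
```

Running the audit flags both of Carlos's accounts as reused but not breached, and both of Anita's "Welcome1" accounts as reused and breached; the passphrase entry is clean. In a real deployment the breached set would be a live feed queried by prefix rather than a local constant, but the client-side logic is the same.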
Matt Wilson: The frustration with managing numerous accounts across a growing number of devices is real, and when humans get frustrated we sometimes look to resolve the issue by making poor tradeoffs without recognizing we're doing so. For some time we've known there's only a handful of categories for "authenticators": something you have (e.g., a debit card), something you know (e.g., a PIN/password), something you are (e.g., fingerprint), and something you do (e.g., use the same ATM every Friday). Memorizing a password has been the easiest way for most people to prove their identity as online services have exploded over the past 25 years.
Since the dawn of the first password we've struggled with largely the same issues: selecting strong, unique passwords, remembering and storing them, and changing them periodically.