Imagine Alibaba and his band of forty thieves at the portals to the legendary treasure cave. ‘Open Sesame!’ he says, expecting the door to permit him entry. To his surprise, a voice booms: ‘Access denied! We have upgraded our access system. Sesame is no longer valid. Please speak clearly so we can identify you.’
Far-fetched? Maybe. But then again, considering the relative distress most of us have experienced in the world of passwords, maybe not so.
The advent of the digital age has made the use of passwords universal. A password is needed several times a day, whether a user is simply logging in to a device, performing a task, or using an application or a system. It is estimated that in 2019 an individual spent, on average, almost 11 hours every year resetting passwords [1], or roughly 12 minutes of every workweek. Multiple work areas compel users to create, maintain, repeatedly re-enter, change and remember several passwords during a workday. Nordpass, a password management service, estimates in a 2020 report that a normal computer user could have almost 70 to 80 passwords to remember [2].
Enter password fatigue.
Password overload
Looking back, it seems password fatigue was just waiting to happen. Tasked with embedding a safety mindset, Information Security Management Systems (ISMS) teams have been serving up guidelines for fool-proof password creation, recommending specific lengths, special characters, numbers and letters in both lower and upper case. 123456, the most-used password globally (UK’s National Cyber Security Centre study [3]), was declared unusable. Family names and dates are strongly advised against. Locking unattended keyboards was made mandatory, with users required to log in again on their return.
Betterbuys in its article on Estimating Password Cracking-Times [4] reckons that a 7-character password would take a skilled hacker just 0.29 milliseconds to crack, yet a 12-character password offers greater security with an estimated ‘crack-time’ of 2 centuries!
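The figures above depend on two things the article does not state: the size of the character set and the attacker’s guess rate. The following added example (not from the article or from Betterbuys) makes those assumptions explicit so that the exponential effect of length on brute-force time can be seen directly; the 10 billion guesses per second rate and the character-set sizes are constructed assumptions for illustration.

```python
import math

# Character-set sizes used for the estimate (constructed assumptions; the
# charset and guess rate behind the Betterbuys figures are not given).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed_case": 52,
    "mixed_case_digits": 62,
    "printable_ascii": 95,
}

# Assumed offline guess rate: 10 billion guesses/second (hypothetical figure).
GUESSES_PER_SECOND = 10_000_000_000


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password in the keyspace at `rate`."""
    return keyspace(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds * 1000:.2f} milliseconds"


def added_bits(charset_size: int, extra_chars: int) -> float:
    """Entropy (bits) gained by appending `extra_chars` random characters."""
    return extra_chars * math.log2(charset_size)


if __name__ == "__main__":
    # Compare the two lengths from the article under each charset assumption.
    for length in (7, 12):
        for name, size in CHARSETS.items():
            print(f"{length:2d} chars, {name:18s}: "
                  f"{human_time(seconds_to_exhaust(size, length))}")
    print(f"7 -> 12 mixed-case+digit chars adds {added_bits(62, 5):.1f} bits")
```

Whatever rate is assumed, each extra character multiplies the search space by the charset size, which is why length dominates the estimate.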
While the case for these safety measures is very strong – Javelin Strategy and Research estimated that in 2016 alone there were 13 million recorded cases of identity theft in the USA [5], and Verizon’s Data Breach Report of a year earlier said that 81% of data breaches were caused by compromised, weak or reused passwords [6] – the fact remains that they have resulted in a high degree of password fatigue.
Fighting fatigue
As organizations stressed the use of robust passwords to employees, occasionally imposing fines for non-compliance because of the phishing attempts that weak passwords encouraged, a contrary response was noticed in users. Users started simplifying, repeating, reusing and rotating passwords across applications, adding a different digit or letter to the original one when prompted to change the password, and even sharing passwords! Some bucked the trend of password maintenance altogether: when presented with two-factor authentication, they simply invoked the ‘Forgot Password’ option. The self-belief was palpable. LoginRadius says that as many as 80% of computer users did not believe weak passwords posed a security risk, and 63% of users have no security and privacy concerns [7]. Even the approach to storing passwords is suggestive of password fatigue. Pew Research Center says in a 2017 report [8] that 49% of Americans feel comfortable storing passwords on a piece of paper, 24% record their password on a computer, and 18% store it in a browser, all of which are potentially unsafe.
Beating the stress
Password managers like LastPass, 1Password, Dashlane and Keeper were quick to offer users solutions to take the ‘stress’ out of password management. Nordpass introduced its single-password application, in which one password unlocks access to all the other passwords stored in it.
But the apathy and discontent were tangible, and the stage seemed set for the death of the password.
The Road Ahead
In October last year, Microsoft released its Windows 11 version, which uses a PIN to log in instead of the traditional password. Apple’s iOS 15 and macOS Monterey operating systems incorporate a new option called Passkeys in iCloud Keychain, and Google continues its efforts to steer customers away from passwords. Bill Gates, Microsoft’s Chairman, said at the company’s IT Forum in Copenhagen that he was pleased at the advent of 64-bit computing, and yes, he foresaw the death of the password and a complete shift in the use of passwords, even for internal access.
Rohan Pinto, a member of the Forbes Technology Council, an elite, by-invite-only community of CISOs and CTOs writes [9] in the Council’s online journal: “Using emerging technologies like internet of things (IoT) devices, advanced biometric authentication and blockchain technology, we can streamline user identity verification with passwordless login. This will create a secure, cost-effective, and efficient identity management ecosystem.”
Blockchain identity management solutions are organized around a distributed, decentralized ledger, with the identity of the individual being stored in multiple places by algorithms, making it impossible to breach or circumvent and hence rendering it hack-proof. Verification is done without disclosing the actual data to anyone, a concept known as zero-knowledge proofs.
Behavioural biometrics would rely on access using the face, voice, fingerprint, identity cards, heartbeat, IoT devices, etc.
Multifactor authentication, where multiple devices belonging to the user are used to validate a received code, is being touted as a strong contender for the throne of identity management. Blockchain identity management and biometrics, however, seem to be ahead of the pack and may soon become the new normal.
Until then, however, the severely battered password-based identity security system appears to be taking its curtain call. There is a growing push for a superior identity management system that will eliminate, once and for all, the use of passwords.
The tide is changing, and time will tell us where we are headed.
Even Alibaba would have been happy!
Sources:
[1] Article in N-Business (thenationalnews.com): Up to 11 hours spent every year resetting passwords
[2] Nordpass report (npass.app): New_research_an_average_person_has_more_passwords_than_an_average_pop_song_has_words.pdf
[3] NCSC study, reported by BBC News: Millions using 123456 as password, security study finds
[4] Betterbuys (betterbuys.com): Estimating Password Cracking Times
[5] Javelin Strategy & Research: 13 million cases of identity theft (via a bing.com search result)
[6] Verizon (verizon.com): 2017_dbir.pdf
[7] Deepak Gupta, LoginRadius Blog: The Death of Passwords [Infographic]
[8] Pew Research Center: Americans, password management and mobile security
[9] Rohan Pinto, forbes.com: The Inevitable Death Of Passwords