Passwords continue to be a security problem

CISOs say advanced authentication methods must be used in tandem with traditional passwords.

Ten CISOs from across industries have predicted that the days are numbered for the password as the sole authentication method. They see enterprises moving to augment or supplant the traditional password with advanced technologies, such as biometrics.

Security Current, an information and collaboration company, talked with various CISOs and found that they agree passwords are inherently flawed because they depend on users to create and remember complex sequences of letters, numbers and characters. In practice, users tend to take the path of least resistance, selecting sequences that are easy to remember – and often easy to crack.

"Despite industry-wide efforts to reinforce this method of authentication and the number of methods available to encrypt and store passwords, the fact that remains is that creating good passwords – and safeguarding them – is as difficult as rocket science," said Nikk Gilbert, ConocoPhillips director of global information protection and assurance.

Passwords are as useful as floppy disks just before their extinction, but to date, we have yet to find a viable solution to replace them, he said.

Despite industry-wide efforts to reinforce this method of authentication and the number of methods available to encrypt and store passwords, it still remains difficult to create and safeguard good passwords. Until an innovative solution is created, we must focus on educating and motivating users to adopt solid security practices.

Aaron's, Inc. CISO Chris Bullock isn't as quick to dismiss the password, and suggests it is a necessary layer in a multi-faceted authentication schema.

"Just like the locks on our front doors can't stop a determined burglar or home invader 100% of the time, we continue to invest in door locks and alarms to protect our property," said Bullock. "When used correctly, passwords can still be an effective layer of defense, yet we should continue to innovate in the area of authentication."

Passwords are about as sexy as locking the front door of your house before you leave for work; that being said, both are still a rudimentary and necessary instrument of security.

Will the password technology improve and simplify? Of course. Will door locks become better with enhanced doorframes and overall improved door architecture? Certainly.

Just as we look to improve securing our physical world, personal safety and valuables we must look to improve our cyber security, privacy and peace of mind. This doesn’t mean that we discount and eliminate current methods. It simply means we use them as part of the defense layer while we enhance and fortify them, he said.

When used correctly and fortified with other technology (two-factor, biometrics, etc.), passwords can still be an effective layer of defense, yet we should continue to innovate in the area of authentication.

Aetna CISO Jim Routh agrees that no single method of authentication by itself is sufficient, and although technologies like multi-factor authentication and smart cards have been available for years, they do not have the frictionless ease of use that is required for large-scale consumer adoption.

Despite each newly announced data breach, most enterprises have done little to eliminate passwords as the primary method of authenticating individuals.

Next-generation technologies, capabilities that can truly eliminate the use of passwords, can and will reduce risk and improve the user experience. Adaptive cognitive and behavioral techniques combined with a risk engine represent the future of authentication for all industries, he said.

Real-time data points, such as finger swipe speed and pressure on a mobile device screen or typing cadence on a keyboard, can uniquely identify individuals without interruption. Observations of past interactions, such as geolocation or repeated transaction types, build a pattern of your typical behavior.

A robust authentication system has many layers of such inputs that all feed into a risk analysis engine informing applications on how much functionality to provide. Any single authentication attribute by itself is not sufficient to permit access. Applying risk analytics to all of the attributes in combination is the real solution to eliminating passwords.
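As an added illustration (not code from the article or from Aetna), the following sketch shows how a risk engine of the kind Routh describes might combine several behavioral and contextual attributes into one score and an access level, so that no single matching attribute is enough for full access. The attribute names, weights and thresholds are assumptions.

```python
# Constructed illustration of a risk-based authentication engine: several
# attributes feed one score, and one attribute alone never unlocks full access.
# Attribute names, weights and thresholds are assumptions, not a real product's.
from dataclasses import dataclass
from typing import Dict, Optional

# Each attribute is a similarity to the user's stored profile, in [0.0, 1.0]
# (1.0 = matches the known pattern exactly, 0.0 = no match or never observed).
WEIGHTS: Dict[str, float] = {
    "typing_cadence": 0.25,
    "swipe_pressure": 0.20,
    "geolocation": 0.25,
    "transaction_type": 0.15,
    "known_device": 0.15,
}

@dataclass
class Decision:
    risk: float           # 0.0 (looks like the user) .. 1.0 (nothing matches)
    access: str           # "full", "limited" or "deny"
    strong_signals: int   # attributes that individually matched well

def score(attributes: Dict[str, Optional[float]]) -> Decision:
    """Combine every attribute into one risk score and map it to an access level."""
    risk, total_w, strong = 0.0, 0.0, 0
    for name, w in WEIGHTS.items():
        sim = attributes.get(name)
        sim = 0.0 if sim is None else max(0.0, min(1.0, sim))  # missing = no evidence
        risk += w * (1.0 - sim)
        total_w += w
        if sim >= 0.8:
            strong += 1
    risk /= total_w
    # Assumed policy: full access needs low aggregate risk AND at least two
    # independently strong attributes; a middle band gets reduced functionality
    # (the application would ask for step-up authentication); the rest is denied.
    if risk <= 0.25 and strong >= 2:
        access = "full"
    elif risk <= 0.6:
        access = "limited"
    else:
        access = "deny"
    return Decision(round(risk, 3), access, strong)

if __name__ == "__main__":
    # Constructed sessions: a typical one, and one where only typing cadence matches.
    print(score({"typing_cadence": 0.95, "swipe_pressure": 0.9, "geolocation": 1.0,
                 "transaction_type": 1.0, "known_device": 1.0}))
    print(score({"typing_cadence": 1.0}))
```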

According to Valley Health CISO Frank Bradshaw, the days of the password serving as a viable method of identification are behind us. Two-factor authentication adds a layer of validation based on something the user has or knows, but these also can be compromised easily.

With technology advancing at such a rapid pace, we must create a frictionless world where we can move about and authenticate without a password that anyone can steal and use, or a token that could be lost or stolen, he said.

Biometric technology is becoming the authentication tool of choice for many enterprises because the focus is on “something you are” versus something you have or know. Biometric credentials are frictionless. You don’t leave them at home, they can’t get lost and it takes a considerable amount of effort to replicate them, he said.

Technology has advanced so that the infrastructure to support multi-factor biometric scanning (you must present a matching fingerprint and retina scan for example) has become a reasonable expense and we will see adoption of this technology increase in the near future.

"Biometrics or multi-leveled, behavioral-based techniques will improve the future of authentication," said Molson Coors CISO Christine Vanderpool. "But managing appropriate levels of access is also critical to data protection because at the end of the day, the bad actors will continue to find ways to steal the information you are protecting if they want it badly enough."

Standard multi-use passwords, the ones we use on a daily basis for almost everything in our lives, are archaic and ineffective at achieving their goal of proving one’s identity.

Passwords are penetrable because they are derived from human nature and most humans take the path of least resistance. Selecting whatever is easiest to create and remember makes for weak, easy-to-crack passwords, which leaves information vulnerable, she said.

One-time passwords or two-factor authentication make passwords more effective; however, the more secure methods of authentication require something that cannot be duplicated, guessed or stolen.


Jonathan Chow, CISO at Live Nation Entertainment, says the death of passwords as we know them today is probably overstating it. However, what can’t be disputed is the steady decline in how effective the traditional password is for securing systems.

The problem is that we as an industry haven’t come up with anything better. For the past 15 years, “next-gen” authentication mechanisms have basically taken on some variant of a one-time code (via token, app or SMS) to supplement “something you know,” or biometrics, or something more obscure. These might be OK for tactical, specific use, but as a paradigm-changing fundamental way to access systems, it’s not there yet, he said.
