Weak passwords mean weak security


Passwords are the most common form of authentication used to control access to information because they are simple, inexpensive and convenient to use and implement. At the same time, passwords are also recognised as an extremely poor form of protection: there are over 10 million username/password pair attacks every day. Using strong passwords lowers the overall risk of a security breach, but strong passwords do not remove the need for other effective security controls or for adopting alternative technologies.

Why do we still use passwords?

Many businesses advise their users, often in response to a data breach, to create so-called ‘strong passwords’ consisting of complicated alphanumeric and special-character sequences. However, there is increasing evidence that passwords alone are not enough to protect users from attack. An attacker running a brute-force attack relies on being able to make tens of billions of password guesses per second.

Users now have so many online accounts, both personal and work related, that it has become impossible for them to remember all their username and password combinations. For a password to be effective it needs to be unique, have enough complexity (entropy) and be refreshed after a certain period of time. This is close to impossible for the large number of accounts a regular user relies on in daily life, from email to financial applications, office applications, social media and so on.

Why do people choose a weak password when they know better?

There are three reasons people gravitate toward easy-to-remember but weak passwords: convenience and speed, perceived insignificance, and memorability. Hackers use a variety of techniques to discover passwords, including social engineering, manual password guessing, man-in-the-middle attacks (intercepting a password as it is transmitted over a network) and brute-force attacks (the automated guessing of large numbers of passwords until the correct one is found).

Risk of data breaches

Under the new GDPR regulations, businesses face fines when they suffer a data breach involving consumers’ personal information. Many of the biggest data breaches have involved hackers stealing users’ passwords, first because it allows the hackers to access the breached account, but also because passwords tend to be re-used across multiple accounts. Legislation such as the NIS Directive has been introduced for critical infrastructure services and cloud services in order to mandate policies that protect access to systems beyond a simple username and password.

How can we protect ourselves?

Passwords alone are a single authentication factor, commonly described as something you know. Additional factors can be something you have and something you are. Some high-value websites and systems, like banking websites and email providers, are starting to use multi-factor authentication to improve the security of your personal information. Two-factor authentication (2FA) should be considered the minimum acceptable level of access control. It requires an extra step when logging into a website to prove you are who you say you are.
Two-factor authentication is much more secure than using passwords on their own and provides a considerable amount of protection against both brute force attacks and poor password hygiene. There is a small cost in convenience, but compared to the potential losses of trust, data, and business continuity that a security breach can incur, the inconvenience is trivial.

Alternatives to using passwords

It is time to give up on old-style password-only protection and use the mobile phone to provide a simple and effective extra layer of security. It is time to embrace alternative solutions for strong customer authentication, such as ConsentID. ConsentID operates from any device: mobile, tablet or desktop. AET brings more than 15 years of experience to the ConsentID authentication and signing service, a flexible, easily adaptable and integrated solution for any business application.