Dark Reading
Vulnerabilities / Threats
Commentary
5/5/2021 10:00 AM
Jake Madders

Will 2021 Mark the End of World Password Day?

We might be leaving the world of mandatory asterisks and interrobangs behind for good.

More than a quarter of us have used the words "password" or "qwerty" as our primary password at some point in our lives, according to Google. Even more alarming, six in 10 of us admit to using the same password across multiple online accounts, from email to online banking, and only a third of us bother to change passwords more than once a year. That's why World Password Day was created. In 2005, security expert Mark Burnett wrote a book called Perfect Passwords, in which he floated the idea of dedicating one day in the calendar each year when everybody should change their passwords.  


By 2013, the idea had really caught on and Intel ran with it, making the first Thursday in May the official World Password Day. In 2021, World Password Day falls on May 6, but is it still relevant in its current form?

From phishing scams to distributed denial-of-service attacks, malware to spyware, the security landscape is a lot more complex than it was back in 2005, or even 2013. Most individuals today have so many different online accounts that to devise and remember a unique and complex password for each one is near impossible. It's why so many of us now rely on authenticator apps and digital "vaults" in which to store our passwords, allowing us to simply remember one to unlock them all. This kind of innovation is good; however, it also leads to a creeping realization that the humble password may no longer be fit for purpose. So, what's next?

Has the Password Outlived Its Usefulness?
Bill Gates famously quipped that the password was dead back in 2004. His forecast might have been a little premature, but he was right when he said the traditional password cannot "meet the challenge" of keeping critical information secure. That's as true for businesses as it is for each and every one of you reading this article. As recently as 2018, more than 80% of all data breaches could be attributed to poor passwords. Businesses know this, which is why they're constantly encouraging employees to create ever more complex passwords, layering up password security with things like two-step and certificate-based authentication. But while these technologies might help to mitigate password vulnerability, they can't eradicate it. 

Password-Strengthening Technologies
Technology hasn't yet evolved to a point where we can do away with passwords altogether. Instead, we keep inventing ways of making passwords more secure, propping them up as a viable way in which to secure our data. Two-step authentication does exactly what it sounds like, requiring an additional step in the login process beyond simply entering a password. Once a user has entered the password, that person will be sent a text message with a unique code or be asked to generate one via an authenticator app, which is needed to gain access to their account.

This kind of multifactor authentication certainly offers an additional layer of security. It means that even if hackers crack your password, they aren't going to get very far without your mobile phone or access to your code generator. However, it's not entirely without flaws. For one, it makes the login process extremely tedious for the user, requiring additional hoops to jump through. It also creates an unwanted dependency on third parties, such as mobile service providers. What happens when a user is unable to receive their authenticator code via SMS because they're out of signal range or their operator's network goes down?

Risk-based authentication (RBA), which asks users to jump through additional hoops when they exhibit unusual login patterns, such as logging in from a foreign country or from a new IP address, has similar issues: it frustrates users and increases login times.

Certificate-based authentication recognizes humans as fallible guardians of their passwords and does away with them entirely, instead shifting the onus onto the network itself. A user or device can be granted network access for a set period until that access expires, and it's as simple as that. However, this is only useful in very specific circumstances and limits how and where employees can work.

What's Next?
As a society, we've invested a lot of resources into coming up with ways to patch over the password problem. Two-step authentication and RBA ease the symptoms of password vulnerability but don't fix the underlying issue. We've come to depend on these stopgap solutions because there has never been a viable alternative to passwords. That is, until now. We're beginning to see biometric technologies like fingerprint and facial recognition go mainstream, and they might eventually replace passwords entirely.

Right now, I can pull my smartphone out from my pocket, unlock it by merely looking at it, and then access my banking app via my thumbprint to pay a bill or transfer someone some money. A decade ago, this user journey would have involved entering several passwords, and World Password Day would recommend I update those passwords frequently.

The thing is, no matter how convenient our technology becomes, passwords will always drag down the user experience to a degree, and it's for that reason we might soon be leaving the world of mandatory asterisks and interrobangs behind for good. 

Jake Madders, along with his business partner Jon Lucas, founded Hyve Managed Hosting in 2001. Since then, in his role as Director, Jake has facilitated the growth of Hyve from a small start-up to a hugely successful managed cloud hosting company with a global customer base.
