The problem with passwords

Sticky notes on a monitor displaying assorted passwords
(Image credit: Shutterstock)

Authentication is the act of confirming the veracity or credentials of an entity, and it is a critical component of eBusiness. In an online world where privacy and security are paramount, the authentication technology has to be complex, individual and virtually flawless.

Online security and authentication is growing as an industry and is no longer just product focused. According to research companies such as Gartner, SaaS (Security as a Service) is expected to grow exponentially with many companies emerging. IDG News reports that cloud services have a bright future with Gartner valuing the industry in 2013 at $2.1bn and expecting to grow to $3.1bn by 2015.

However, this billion-dollar industry is still being based upon a humble idea: only the right user should be able to access that user’s information. Still, as with most things in life, the most simple ideas are made complex by humans. Internet security and authentication is no different, and on top of being complex, it’s old.

The World Wide Web turned 25 on 12 March 2014, and password security is just as old online (and much older in real life). Passwords do offer a minor level of security, and 20 years ago it was a good alternative. Times may have changed, but with only one update worth mentioning to solve the problem (the launch of hardware tokens in 1995), the main way of authenticating and securing a user is still a password.

So why are not more online services using the tokens? Probably several reasons: cost (no one would invest $100m to mitigate a security flaw with on-going costs of only $20m); logistics (if you don’t know who the user is, you can’t send them a token); administration (you need to teach users how to use the new technology) and user experience (non flexible and initiative).

So why can’t we just use passwords? First of all they have limitations in dealing with technology threats such as man-in-the-middle etc, but the largest problem is human behaviour. People don’t do as they are taught, and when people reuse usernames and passwords it is an open door to their online identity. Using the same password on several sites could result in problems – sites may hold different levels of security and if passwords are leaked can be used on sites with a higher security level.

Seven out of ten online users are careless with their passwords reports PC for all. According to a study in January 2014, 60 percent of respondents said they change their passwords less than once a year and alarmingly 68.7 percent reuse passwords on several online services. Adobe, twitter, Ubisoft and a Chinese mega bank’s mobile banking service were hacked because of this behaviour.

We can’t place the entire responsibility on users. Companies whose services are effective as the above mentioned bank, which lost approximately $8 million from victim’s accounts, need to address the issue. This is more urgent now when technology and authentication has evolved along with human behaviour to span over more platforms than ever before. This is especially true of mobile platforms, which due to quick development and focus on intuitive user experience, has left security lagging behind.

“Mobile fraud is very much like internet banking fraud 10 years ago” - SecurityWeek, 24 July 2013.

This statement describes the problem very well. The technology has rushed ahead but securing this platform is dated and has known flaws. We need to find a way to secure BYOD (Bring Your Own Device) since mobile platforms are now more popular than desktop platforms.

One attempt is the FIDO Alliance, which is trying to find a secure way to reuse passwords, but the focus is still on holding the user responsible, possessing knowledge of the problem and actively seeking a way to handle it. Most users will probably never give this the time and energy needed, and therefore the problem of reusing will continue to be an issue.

The problems with established security solutions such as passwords and tokens, along with the complexity of new technology has, however, been a great foundation for innovation and creativity, offering a totally new playground for IT security vendors. From 2FA token products with cryptology to today's intuitive multi-factor solutions, biometrics with fingerprint-based biological cryptography technology to image recognition, geological fencing and device identification are examples of how far the idea has taken us.

Two years ago hardware tokens had a greater grip of the market; this year, software, flexibility and cost effectiveness are the main focus. One observation is the need for the industry to grow – as new platforms and eBusiness gain momentum, so too will fraud.

In 2013, 1,400 financial institutes were targeted, and millions of computers were compromised and used in fraudulent behaviour according to Hacker News (5 Dec 2013). The main targets were US banks with 71.5 percent of all analysed Trojans.

Financial institutes have been fighting the fight against malware for more than 10 years so they know very well the hurt that fraud brings. During these 10 years, the threats have evolved along with the attempts to mitigate them, but they are unfortunately often a step ahead of the good guys. JP Morgan Chase, for example, had the data of 465 000 users stolen when it was hacked according to Hacker News.

The conclusion is that we need something more than passwords to handle technology needs, but that will be a smaller investment than tokens, while still intuitive enough to satisfy human behaviour.

Anna Zetterholm is marketing associate at Keypasco


ITPro is a global business technology website providing the latest news, analysis, and business insight for IT decision-makers. Whether it's cyber security, cloud computing, IT infrastructure, or business strategy, we aim to equip leaders with the data they need to make informed IT investments.

For regular updates delivered to your inbox and social feeds, be sure to sign up to our daily newsletter and follow on us LinkedIn and Twitter.