Does Setting Stronger Passwords Make a Difference?
Passwords are part of our everyday lives. From unlocking phones to accessing bank accounts, passwords are virtually a prerequisite to any private activity. However, this security system is highly flawed and even the strongest passwords have many drawbacks, which are thoroughly exploited by attackers.
Take, for instance, the Equifax breach in 2017, which exposed the personal information of 148 million customers. Through a vulnerability in their servers, hackers obtained an unencrypted file of passwords, giving them access to the company’s systems. By exploiting the permissions granted by those passwords, the hackers had full access to millions of records - a breach that could cost Equifax up to $3.5 billion.
Issues with Passwords
Theoretically, passwords work. You just need to create a unique and random 12-digit combination of numbers, characters, and symbols for each account you own and record all those passwords in your mind. The problem is that nobody does that. People use the same passwords for multiple accounts, write them down, use their personal information as passwords (e.g. birthdays), and so on. Passwords are just not meant to be used by humans!
According to the CyLab Usable Privacy and Security Laboratory of Carnegie Mellon University, the effectiveness of a password policy is hard to judge because humans tend to be predictable. The research shows that users unknowingly create a pattern when changing their passwords.
Another human element is not being able to remember all the passwords. Complex passwords, which require at least a mix of lower- and upper-case letters, numbers, characters, and an eight-digit minimum length, make remembering multiple passwords nearly impossible. To solve that, people end up writing passwords down, visible to any bypasser.
“Memorizing complex, unique passwords for every online account isn’t natural and can result in users cutting corners at the expense of their own security,” says Steve Schult, Senior Director of Product Management at LastPass.
Research supports the notion that humans compromise their own security in terms of passwords. A survey conducted by Panda Security that examined over 28 million users and their 61 million passwords found that:
- 85% of users have reused a password
- 52% of respondents use the same password for different services
- 21% only slightly modify their old passwords when registering for a new service
A notorious example of re-using passwords is Facebook’s CEO, Mark Zuckerberg. Hackers obtained Zuckerberg’s password from the 2012 LinkedIn breach and tried it on other websites, successfully accessing his LinkedIn and Pinterest. The password Zuckerberg used was “dadada.”
All in all, the inherent risk of passwords does not significantly decrease by a stronger password. A 2014 Microsoft study supports the argument that making your password stronger is a wasted effort.
An Extra Layer of Protection
Setting up two-factor authentication (2FA) may be helpful, though not infallible. Since 2016 the National Institute of Standards and Technology (NIST) started discouraging SMS-based authentication, such as 2FA, since it can be easily breached.
That is why many IT professionals and cybersecurity companies recommend using multi-factor authentication (MFA) instead. MFA is a security mechanism that uses more than one security and validation procedure to grant access or permissions.
MFA combines knowledge, physical, and biometric validation techniques. Knowledge-based authentication consists of using something you know, such as passwords, PINs, and answers to pre-determined questions. Physical authentication can be achieved through the use of a smartphone, token, or ID card. Biometric authentication uses human physical characteristics that are specific to an individual, such as face images, fingerprints, or retina. As biometrics are unique and impossible to be duplicated, authentication systems that incorporate biometrics are the most secure form of identity authentication.
Additionally, advanced biometric solutions can authenticate the user without adding friction to the system. Biometric solutions must be easy to use; otherwise, low adoption rates and high abandonment rates will hinder the success of the system. Solutions that require special movements (e.g. turning your head, smiling, blinking) or subject the user to flashing lights will not be as successful as those that do not require additional steps.
Since passwords are insecure and 2FA is obsolete, MFA with biometrics is the standalone choice for truly secure identity authentication.
Contact the biometric security experts at ImageWare Systems today to learn more!