The Antipathy Problem: Why Passwords Will Always Fail
We’ve been hearing about data breaches for so long, and in such dire terms, that we’ve all become pretty numb to them. Much like hearing that you’ll get cancer from basically everything, we’ve heard so much about data breaches that no one really bats an eye these days when news of another one comes up - even when it’s a breach that exposes biometric information.
I mean, did you change all your passwords after the Equifax breach?
According to Privacy Rights Clearinghouse, there has been an average of just over 600 data breaches a year since 2005. That means that while the general public hasn’t necessarily heard about every single breach, there have been almost 2 per day, every day, for fifteen years.
There’s plenty of outrage in the moment, and plenty of Strong Words To Be Said about companies not protecting their data, but the end user is still not driven to take basic security actions themselves.
While stolen identities and data breaches are problems that have happened to thousands of people, it’s important to remember that there are over 372 million people in the US. In 2017, only 6.64% of people were the victims of identity fraud. Overall, “33% of US adults have experienced identity theft,” which, while high, still may not be due to something like a compromised password - it’s more often due to information gleaned from a data breach.
When you don’t feel like the problem is anything you’ve personally done, and you haven’t been personally affected by it (yet), you’re less likely to take action - even when not taking action makes you a massive security risk. 66% of people in the US haven’t experienced the effects of a data breach in the form of identity theft. The result of this is that 66% of people probably view it as something that happens To Other People. They don’t change their passwords, or enable 2FA, or do anything that’s generally a good idea for security, and as a result, they’re their own biggest security risk.
It’s bad enough that the average person is simply not going to take the level of security precautions they really should to protect their data, but this problem grows dramatically when you look at it in an enterprise environment, where there may be hundreds, thousands, or even tens of thousands of employees or end users with varying levels of access to data (often, with more access than they should really have).
Compound the problem with the level of antipathy users have about password security, access security, and data breach protection in general. Passwords have been around forever; you always use a password, and the solution for data breaches is, of course, to simply use a better password. The whole Equifax problem was just a terrible, terrible password, right?
The solution isn’t to just keep coming up with better passwords. It’s to get rid of them altogether.