Why passwords are here to stay

The death of passwords has been in discussion for over a decade now. In 2004, former Microsoft Chairman Bill Gates predicted the death of passwords; in 2006, he said that the end to passwords was at sight. Not just Bill Gates, but many other luminaries and industry analysts have been predicting the disappearance of passwords.

Key arguments for password alternatives relate to better security and convenience – with the proliferation of online applications, passwords now occupy so many aspects of our lives. Remembering a dozen passwords is impossible, storing passwords invites trouble, and managing them manually is a pain. But with high profile security breaches involving stolen identities; attacks on financial institutions, among others, it’s no wonder talk of password replacement captures interest.

Biometric authentication, iris authentication, facial authentication, various forms of multi-factor authentications, and even authentication through items like watches, jewellery, and electronic tattoos are all being discussed, and active research continues to formulate better alternatives. Touch ID became reality to consumer devices when unveiled as a key feature on the iPhone 5s.

Some of these alternative authentication methods however, have been cracked even before they could be adopted widely.  A few years ago, a group of researchers hacked faces in biometric facial authentication systems by using phony photos of legitimate users.

So while we still may get a viable replacement for traditional passwords in the future, in reality, the predictions largely haven’t yet materialised. Passwords are still the most prominent method of authentication to date, and this is largely due to the viability of alternate approaches, which are mostly expensive, require additional hardware components, are difficult to integrate within the existing environment, or are not easy to use.

Passwords however, are very easy to create and are absolutely free. Traditional passwords are not going to die any time soon.

Passwords are not the problem; their management is

While raising our voices against passwords, we overlook the actual problem, which is poor password management. Due to the inability to remember passwords, users tend to use and reuse simple passwords everywhere.

They store passwords in text files and post-it notes; share credentials among the team members; and pass them over emails or by word of mouth. Passwords of enterprise IT resources are often stored in spreadsheets, text files, home grown tools, or even in physical vaults. Passwords are further compromised in IT divisions that deal with thousands of privileged passwords, which are used in a ‘shared’ environment. Real access controls do not exist and passwords of sensitive resources and applications remain unchanged for long periods of time. Poor password management practices like these invite security issues and other problems.

To draw a case-in-point example, banking and financial institutions are a top target for hackers. During the past few years, renowned banking organisations across the globe have fallen prey to criminal hacks. Beyond huge financial losses, the victims suffer irreparable damage to their trust and credibility, the hallmarks of financial institutions.

Cybercriminals use a raft of techniques, and their attack patterns continue to evolve, one of which is siphoning off login credentials of employees and administrative passwords of IT resources, using techniques that include spam and phishing emails, keystroke loggers and Remote Access Trojans (RAT). 

Once the login credential of an employee or an administrative password of a sensitive IT resource is compromised, the institution is vulnerable. The criminal can initiate unauthorised wire transfers, view the transactions of customers, download customer information and/or carry out sabotage.

A word of caution - hackers don’t always come from the outside. Of important consideration is the emerging threat of insider sabotage - caused by disgruntled staff, sacked employees, or entrepreneurial ‘opportunists’. Anyone who has access to privileged passwords – the ‘keys to the kingdom’ – is in a position to misuse them, whether intentionally or unintentionally. 

So what’s the answer?

Bolstering internal controls holds special significance in light of the recent attack trends. Access to IT resources should be strictly based on job roles and responsibilities, supplemented with clear-cut trails that reveal ‘who’ accessed ‘what’ and ‘when.’ Likewise, password sharing should be regulated, and a well-established workflow should be in place for release of passwords of sensitive resources. Standard password management policies, including usage of strong passwords and frequent rotation should be enforced.

One of the most effective ways to bolster internal controls is by automating the entire lifecycle of privileged access management by using enterprise-class password managers.  Password managers can provide complete visibility on privileged access, and systematically enforce best practice. A good password manager can replace manual practices and automatically assist with securely storing privileged identities in a central vault; it can selectively share passwords, enforce policies and above all, restrict access to and establishing total control over privileged identities.

Most important is staying vigilant. Too many security incidents occur as a result of lax internal controls — and while passwords often get the blame, it’s really poor password management that’s the culprit.

Raj Sabhlok is the president of ManageEngine