Let’s talk about passwords
Does anyone have anything good to say about passwords? Here at idemeum we think passwords are like digital waste, and we scatter it everywhere we go. Trying a new app? Making a purchase online? Opening a new bank account? Starting a new job? Almost every single service on the internet today requires a password. We cannot stop the number of passwords in our lives from multiplying.
Let’s look at some of the key areas and data points behind our belief that passwords are no longer acceptable for any of us.
Passwords need maintenance
And unfortunately for us, very few people do it properly. General security practice recommends a strong, unique password for every service or application. But we use far too many services every day, and keeping unique credentials for each one becomes impractical. Add the requirement to rotate work-related passwords periodically, and it becomes very challenging.
Up to 73% of users duplicate their passwords in both their personal and work accounts.
Even when people must change their passwords, they rarely do so. Only around a third of users change their passwords following a data breach announcement.
Passwords cause data breaches
If we look at major cyber security breaches, we find that in the majority of cases passwords take center stage.
Over 80% of hacking breaches involve brute force or the use of lost or stolen credentials.
Let’s say I am a determined attacker trying to compromise a large organization. Why would I try to bypass all the sophisticated firewalls, detection tools, and perimeter defenses? Wouldn’t it be easier for me to phish some credentials from an untrained user, get access, establish a foothold, and then move laterally to reach the target I am after? You get the idea…
Passwords provide awful user experience
The first problem comes when we need to create one. Have you ever spent a ridiculous amount of time trying to think of a password you can remember that also complies with a list of arbitrary requirements (e.g., seven uppercase letters, four special characters, etc.)?
51% of people dislike the idea of remembering another password.
And it is not surprising. The login experience is becoming stressful as well. Type a password incorrectly and you risk account lockout. We can always resort to the “reset password” option, but oftentimes we are in such a hurry that we do not bother remembering the new password we typed in, reinforcing the vicious reset cycle again and again. Just the fact that we have to dance around all these limitations costs us time and effort that could be spent on something more productive.
Americans are spending on average 12 days and 1 hour of their lifetime trying to remember and reset passwords.
Passwords are expensive
Developers need to spend extra time and effort on managing and storing passwords. Hashing, salting, and encrypting all have to happen before any password can be stored in a database. And if the user forgets the password, a whole password-reset flow needs to be built and maintained.
Enterprises need to be ready to deal with the financial impact of passwords as well.
Up to 50% of all IT help desk calls are for password resets, and resetting an employee’s password is more complex than a quick, one-click action.
On average, IT professionals in 2019 reported spending 4 hours per week managing users’ passwords and login information. In 2020, they’re now spending 5 hours per week. That’s a 25% increase in the past year. IT professionals in the US spend even more time than their counterparts in other countries, with an average of 6 hours a week (nearly a full working day) on passwords.
Password patching does not work
What we call patching is the set of tools built around the password ecosystem that supposedly make it better.
Take Multi-Factor Authentication (MFA) as an example. In addition to entering your password, you are required to install a separate application and copy and paste a code or approve a push notification. While MFA makes passwords more secure, it makes the user experience ugly, as you now have to perform multiple steps every time you log in, let alone the inconvenience of entering codes on mobile devices.
In the consumer space social login is a popular tool, and it undoubtedly provides a fast and seamless user experience. However, we have to remember that we make a big trade-off: we give up privacy for convenience. Big social login providers are incentivized to collect and sell your personal data and digital identity. But what is most critical in the context of this discussion is that social login is still based on passwords! Logging in with social login means using your master password, which is still susceptible to all the shortcomings we discussed earlier.
What do we do?
Password compromises are inevitable. They will happen sooner or later. And no one is going to enjoy it when it happens.
At idemeum we believe we are all capable of adopting change and eliminating passwords for good. Join us on this journey to make digital identity passwordless, portable, and private.