It seems that not a day goes by without the publication of a new survey revealing that people are using so-called weak passwords. As the CEO of a company that develops password security management, passwordless and other authentication solutions aimed at protecting organisations from being compromised, I read these reports with mixed feelings.
On the one hand it is important to hammer home the message that password security needs to be taken seriously. Yet with every new statistic being similar to the last, I wonder whether we are making any progress. Like any story that hits the headlines, we initially sit up and take notice, but the longer it goes on, the more desensitised we become to it.
Let’s be honest, everyone knows that 12345 is a bad password. So, if you are using it to access one, or likely more accounts, you are doing so knowingly. That means you are either unaware of or ambivalent to the repercussions that can befall you as an individual or your organisation. Similarly, those of us working in the IT and security profession have known for many years about the pitfalls of poor password security, yet still it is the cause of the vast majority of data breaches.
So, if the awareness is not being accompanied by action we are at an impasse.
However, recently while watching the world go by in the sunshine outside in a pub garden, I was given a sense of optimism from an unexpected place. I suddenly noticed how no one was smoking cigarettes. As a non-smoker I would rather have sat inside than inhale the smoke of people who had been banished to the garden, but apart from a few people vaping, the air was fresh.
My point is that everyone who smoked knew it was bad for them (and those around them), but they did it anyway. The price of tobacco was steadily increased, bans on where they could light up were introduced, even horrific images of the damage it does to your body were added to packets, but still people chose to smoke. It was the introduction of vaping and e-cigarettes that changed the game completely. Smokers could continue to behave in a very similar way, but the risks to them and those around them were reduced. Vape shops quickly appeared and the price of maintaining their habit was competitive, making the swap easy.
This is where we need to get to with passwords. We need to clear the smoke (pardon the pun) and create a clear and simple path for people to follow. Technology vendors (Authlogics included) have brought to market a plethora of different products and solutions all trying to solve the same problem in a different way – use a password manager, ditch passwords, use multifactor authentication, introduce biometrics – the list goes on. These solutions will solve the problem but the message to the world is unclear and confusing, with every vendor arguing about the best approach.
Passwordless may be the next big leap, but just like those addicted to nicotine, very few will leap from 20 a day to quitting. Having tried to convince the market to jump to passwordless (albeit with some success, but not quite global domination), I am convinced that the right approach for the mass corporate market is password security management. This approach enables people to continue to behave in a similar way, continuing to use passwords, but within an ecosystem that ensures they are being used in accordance with best practice. For some organisations this may be enough, for others it may provide them with the roadmap they need to take the next step to improve how information and systems are accessed in a secure and compliant way.
The password problem is the result of bad habits, and they can be hard to break. But ask anyone that has done it and they will not tire of telling you the benefits. We can make progress and the survey results will improve, but it is going to take time, effort, and education.
© Technews Publishing (Pty) Ltd | All Rights Reserved