In response to news this afternoon that Twitter is telling all 336 Million users to reset their passwords due to a software glitch, four security experts point out the irony that, May 3, 2018 is actually World Password Day! They offer perspective on passwords as an increasingly ineffective and obsolete security mechanism.
Ryan Wilk, Vice President of Customer Success at NuData Security, a Mastercard Company:
“It’s World Password Day – a time to help organizations move beyond the vulnerabilities of the least-reliable of all the security measures they can take, and adopt a layered defense approach incorporating highly trusted forms of authentication. Passwords are static information that can be easily reused by would-be thieves, and experts advise it’s no longer a question of “if” but of “when” an organization’s or individual’s passwords are going to be stolen… especially now that we’ve entered the age of mega-breaches.”
“Unfortunately, too many people still don’t understand just how unreliable static passwords are as an effective security mechanism. In fact, many continue to reuse their usernames and passwords across many sites, even going so far as to re-use their employee usernames with accounts opened for personal use. As a result, when one account gets hacked, all of their accounts are left vulnerable, along with their employer’s valuable information.”
“The use of passwords to control account access is more a quaint artifact of a simpler era than an effective security measure. Static passwords are easily stolen and re-used, leaving the user and organization vulnerable to account takeovers (ATO) and theft. Fortunately, there’s an effective alternative for validating identities. Users are unique in the ways they interact with their devices and online across web sessions, and passive biometrics and behavioral analytics use that uniqueness to build a digital identity profile that lets organizations ensure the user is who they say – and not a fraudster using a stolen password.”
Michael Magrath, Director, Global Regulations & Standards at VASCO Data Security:
“The computer password should not be celebrated, it should be eulogized. In fact, Bill Gates predicted the death of the password back in 2004.
“In today’s world, it is laughable that someone actually came up with World Password Day, given how many people around the globe have been victimized by credentials stolen in data breaches. Verizon’s 2017 Data Breach Investigations Report notes that 81% of hacking-related breaches leveraged either stolen and/or weak passwords
“Organizations relying on a single shared secret to protect sensitive personal identifiable information (PII) has been very lucrative – for hackers. While no security solution is 100% secure, in 2018 organizations not deploying risked based authentication solutions are hoping they can dance between the raindrops, yet most consumer-facing websites today do not offer any alternatives to “User Name, Password” and a narrow set of challenge questions that can often be answered with Facebook searches.
“That may be changing. The FIDO Alliance and the World Wide Web Consortium (W3C) recently announced that FIDO’s Web Authentication (WebAuthn) protocol to the Candidate Recommendation (CR) stage – a precursor to final approval of a web standard. The W3C has invited online services and web app developers to implement WebAuthn, and Google, Microsoft and Mozilla have all pledged support.”
“WebAuthn can also support various biometric log-ins, including face and voice recognition, fingerprints, and iris scanning. It enables users to register non-password biometric or second-device authentication methods with the service, thus replacing the password.
“Passwords will likely be used for eternity in some shape or form, but the computer password as we know it may be on life-support… it’s time has clearly come and gone. #LayerUp ”
John Gunn, CMO at VASCO Data Security:
“Passwords are decades old technology and the enemy of security. They give people a false sense of safety and are almost meaningless in today’s hacking environment. Headlines are filled with the latest data-breach-du-jour but it’s likely that the real rate of data breaches is significantly higher than reported, simply because many companies still lack the forensic capabilities to detect that they have been compromised and that data has been stolen. All of this points to the urgent need for businesses to implement multifactor authentication and a risk-based approach to access management.
“FIDO’s new WebAuthn standard makes it easy to implement risk-based multifactor authentication with biometrics that dial down user friction and greatly increase security. We expect that passwords really will be gone from security-centric organizations and transaction types in the next 2-3 years.”
David Vergara, Director of Security Product Marketing at VASCO Data Security:
“If the last year’s mega breaches have taught us anything, it’s that a trusted identity framework for online transactions and interactions is urgently needed, yet totally lacking. W3C’s WebAuthn protocol provides a unified approach that the entire industry can – and should – come together on. #LayerUp!”
