Why are professionals remaining overly attached to password-based security despite growing risks and widespread frustration?

Cybersecurity | Industry Expert | Top Stories

Beyond Identity, a leading provider of passwordless, phishing-resistant MFA, has released the findings of new industry research which found that most cloud professionals remain overly attached to the use of passwords despite their inherent security vulnerabilities, value as a target for threat actors and widespread frustrations around password hygiene requirements.  

The survey of more than 150 cloud industry professionals was conducted at the recent Cloud Expo Europe event and revealed that over four-fifths (83%) of cloud professionals are confident about passwords' security effectiveness, with over a third (34%) saying they are very confident. This is despite the fact that insecure password practices are regularly exploited in cyberattacks worldwide, with 80% of all breaches involving compromised identities.

Asked about their experiences of using passwords, respondents reported a range of frustrations with the hygiene requirements of password-based systems. Three-fifths (60%) find it frustrating to remember multiple passwords, 52% are frustrated by having to change their passwords regularly, and another 52% by the requirement to choose long passwords containing numbers and symbols.

The number of passwords used daily by cloud professionals further underlines these challenges: a quarter of respondents (26%) use four to five passwords, and 10% use 10 or more on a daily basis. Adding to the difficulties password users face, many organisations require frequent password changes: 38% of respondents reported quarterly updates, 27% monthly changes and 6% daily or weekly changes. This is an arduous task that delivers minimal security benefit; forced periodic rotation tends to produce predictable incremented variants of the old password, which is why NIST SP 800-63B advises verifiers not to require arbitrary periodic changes and to force a change only when there is evidence of compromise.

The survey also confirms the value of passwords as a target for threat actors, with phishing attacks remaining prevalent. When asked whether they had ever received a phishing email that they flagged to their security team, over a third of cloud professionals said they had flagged one to three, 18% had flagged four to six and nearly a quarter (23%) had flagged seven or more. More worryingly, 11% have received a phishing email but not flagged it, and one-fifth (20%) of respondents simply are not sure whether they have ever accidentally clicked on a phishing link. Nearly one-fifth (19%) said colleagues have clicked on a phishing email and over a quarter admit to doing so themselves: 11% say they have done it more than once and 5% say they do it regularly.

“Widespread user frustration represents a dangerous situation for organisations using password-based systems to protect their data in the face of continued phishing attacks,” said Patrick McBride, Co-founder of Beyond Identity. “This survey shows an alarming displaced confidence from cloud professionals – the bottom line is you can’t have effective security and advance to meet the promise of Zero Trust security if you are still using passwords.”  

Tal Zamir, CTO of Perception Point

Despite the growing risks and frustrations associated with password-based security, many professionals and organisations continue to use this method of authentication. There are many reasons for this: 

1. Firstly, passwords are a familiar and easy-to-use form of authentication that requires little training or support. People have been using passwords for decades, meaning this habit can be hard to break. 

2. Another reason is that many legacy systems still rely on password-based authentication and cannot easily be updated. Replacing these systems can be a daunting task that many organisations are not willing to undertake, continuing to use password-based authentication instead. 

3. Passwords also offer a sense of control and ownership over one’s account security. The concept of passwords is relatively simple to understand for both technical and non-technical users. This sense of control is important for many people to have the feeling they are safe and can be difficult to give up. 

4. On the other hand, alternative methods of authentication, such as biometrics, can be seen as invasive or uncomfortable. Users may have concerns about how biometric data is stored and about the dangers of that data getting into the wrong hands, making them reluctant to use these methods of authentication. 

5. Despite the risks associated with password sharing, many organisations still share passwords among team members to allow for easier collaboration and access to shared resources. This practice is a major security risk, but it remains common in many workplaces. 

6. Some organisations prioritise cost savings over security and password-based authentication is often cheaper to implement than other forms of authentication. Other modern authentication methods, such as hardware keys or biometric scanners, may require expensive migration projects, costly equipment and higher ongoing costs to maintain. As a result, many organisations opt for the cheaper and less secure option of password-based authentication. 

However, things are changing for the better and the upcoming universal support for ‘passkeys’ can make it simpler for consumers and businesses to switch to a passwordless world, which is both safer and more convenient. Google, Microsoft and Apple are already on board with this plan and we can expect more companies to follow suit in the coming years. 

While there are many reasons why people and organisations still rely on password-based security, it is important to recognise the growing risks and frustrations associated with this method of authentication. Until a true passwordless future arrives, organisations must adopt advanced security controls that can protect them from phishing and credential theft attacks, which are now easier than ever to execute and can endanger every organisation.

Muhammad Yahya Patel, Lead Security Engineer, Check Point Software

There are a couple of reasons why we’re still heavily reliant on passwords, despite the frequent conversation about upping our cybersecurity efforts. If we look at enterprise applications for example, the platforms we rely on to do our jobs every day, they all require passwords and often don’t allow other types of protection. This is either because they are legacy technologies that can’t be updated or simply haven’t been built with authentication protection methods in mind. We also cannot dismiss the cost element that would be required to switch to other systems or add in additional security measures, which is not small.   

Moving away from passwords isn’t a simple journey. It will require a lot of groundwork to migrate away from them as the main mechanism. If we take a step back and think of all the applications that we would need to update – the configurations required by IT departments, the work to make all of these new platforms integrated with one another – we start to see why this is a journey, not a simple switch. 

There is also a human element to this. For IT professionals, there is the fear of the unknown. With passwords we feel very much in control, whereas with anything new there is a higher margin for error. Very much like the mass move to cloud services, there was an initial reluctance before the pandemic which forced many to adopt this new technology. With passwords, there is still hesitation about moving towards a passwordless environment and there isn’t a specific motive to challenge this. 

Then, from an end-user perspective, breaking human habits is not easy. We know passwords, we all rely on the same combinations even though we know we shouldn’t, we understand them. To adopt something new is going to need a big campaign. This would include educating people on the impact this would have on businesses, informing them on how the rollout is going to happen and if there will be any disruptions to everyday operations. These are all things IT professionals will be considering before recommending any changes.  

Despite these obstacles, having this conversation is so important to raise awareness. Only recently IBM published a report that found that the use of stolen or compromised credentials remains the most common cause of a data breach, being the primary attack vector in 19% of breaches, so it's clear there's a need for an alternative approach. There is a lot of work to be done but it's pivotal we keep pushing for better cybersecurity hygiene practices.

Eduardo Azanza, CEO at Veridas

Ultimately, many professionals continue to use password-based security because there is a lack of apathy towards other solutions such as biometrics. Many users have raised worries regarding where their biometric data will be stored. 

Whenever biometrics are introduced, there are rightful concerns over how customer data is being stored, who has access to their data, how it is being used and what happens if biometric data is stolen.  

For example, if we look at the reaction towards the UK Government’s use of digital identity, some professionals have been slightly hesitant or there has been apathy towards it, because there are still some areas shrouded in mystery, especially regarding who is going to own the data and pay for the scheme. 

Historically, biometric advancement has been a slow burner, with most initiatives being squandered by a lack of trust from the public. However, thanks to the pandemic and recent developments, attitudes are changing towards biometrics. In recent years, organisations increasingly began switching from password-based security to technologies which utilise facial and voice recognition. As the speed of Digital Transformation has increased, so has the public’s acceptance of biometrics. 

In order to assure this trend continues, there must be a serious level of education around the benefits of biometrics. Not only is it more secure than passwords but it also provides a better user experience. As an entire industry, we need to continuously educate people about the convenience of biometrics and a single digital identity. 

One of the prominent factors compelling organisations' and professionals' switch to biometrics is the level of convenience. In the age of Digital Transformation, organisations are looking for the most cost-effective and streamlined approach. With biometric security, users are more accurately and securely authorised within seconds, instead of having to remember a seven- or eight-character-long password or go through multiple authentication steps.

Furthermore, when it comes to biometrics, there must be standards and deliverables established to ensure that biometric data is used correctly and is safe. There should be consistent evaluations to discern whether biometric companies are following highly regarded data protection requirements and standards such as GDPR, which sets the standard for where user data is being stored and who has access to it.  

Biometrics solutions, like any other form of AI, must be based on transparency and compliance within the legal, technical and ethical standards. By having standards in place, questions around storing data can start to be answered. With that, the level of support from professionals towards biometric security will continue to flourish. 

Darren James, Senior Product Manager at Specops Software

The password in one form or another has been with the human race for a very long time. Whether you’re using this shared secret code to enter through the gatehouse of a medieval castle or logging into your favourite web application, it’s usually a simple process that everyone understands from a toddler to an OAP. However, these days we are faced with many threats that make passwords more vulnerable and a valuable target, including:

  • We have too many to remember – so we keep reusing the same one
  • They have been made too complex – so we have to write them down
  • They expire too soon – so we increment them or write them down again
  • There’s a whole underworld of nation states and criminals trying to steal them and gain access to our data

So, what about the alternatives that we read about – passkeys, 2FA/MFA etc.? These are great; however, the programmers creating the web apps have to develop, update and support them – they aren’t as cheap and simple to implement as a password. They also require enrolment or may have a dependency on a phone, network or possession of a token etc., adding further hassle for end-users. Also, MFA can be hacked/bypassed as well, which we’ve seen a lot recently. So, the end-user has put thought into it too.

Whether we love or hate passwords they are still going to be with us for a long while yet and are likely to be part of the authentication process for the foreseeable future. What we can do though is make them stronger and safer to use.

  • Try to use passphrases e.g. three or more random words rather than Pa$$word1 – the longer a password is the stronger it is, even if it doesn’t have a mix of characters.
  • Check that your passwords aren’t already breached.
  • Only expire/change passwords if they have been detected as breached.
  • Use 2FA/MFA whenever you can, it is worth the effort, but be careful which ones you choose. If you can use biometrics, e.g. face/touch, that is great, but they are still fallible – you still need a good password. SMS code is NOT secure!
  • Use a password manager.
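The advice above can be turned into a concrete checker. What follows is an added example written for this page (it is not Specops' product code and does not come from the original article) showing one way to implement three of the items: a breached-password lookup using the SHA-1 prefix k-anonymity scheme, a length-driven strength estimate that shows why a multi-word passphrase beats `Pa$$word1`, and a rotation rule that triggers only on breach rather than on age. The breach corpus, the word list and the 15-character minimum are constructed assumptions for the example; a real deployment would query a range service such as Have I Been Pwned's and use a large word list.

```python
import hashlib
import math
import secrets

# Constructed sample breach corpus: SHA-1 hashes of a few passwords that would
# be found in a real leaked-password list. This is NOT the Have I Been Pwned
# data set; a production checker would query its k-anonymity range API.
_SAMPLE_BREACHED = ["password", "Pa$$word1", "123456", "qwerty", "letmein"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _SAMPLE_BREACHED}

# Constructed word list for passphrase generation (assumption for the example;
# a real deployment would use a large list such as the EFF diceware list).
WORDLIST = ["castle", "gatehouse", "harbour", "meadow", "lantern", "orchard",
            "pebble", "quartz", "ribbon", "saddle", "thistle", "walnut"]

MIN_LENGTH = 15  # assumed local policy: length is the rule, not character mix


def sha1_range_parts(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is
    sent to a k-anonymity range service and the 35-char suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_lookup(prefix: str) -> set[str]:
    """Stand-in for the range query: every corpus suffix under this prefix.
    The real service returns the same shape, so the full hash (let alone the
    password) never leaves the client."""
    return {h[5:] for h in BREACH_CORPUS if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    prefix, suffix = sha1_range_parts(password)
    return suffix in range_lookup(prefix)


def keyspace_bits(password: str) -> float:
    """Upper bound on brute-force work: log2(pool ** length), where pool is the
    size of each character class actually present. Length dominates: nine
    mixed characters sit far below twenty-eight lowercase ones."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(pool) if pool else 0.0


def generate_passphrase(words: int = 4, wordlist=WORDLIST) -> str:
    """Random words joined by spaces, drawn with the CSPRNG (secrets), never
    random.choice."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def evaluate(password: str, age_days: int = 0) -> dict:
    """Apply the advice: length over complexity, reject breached values, and
    require rotation only on breach. age_days is accepted but deliberately
    ignored so that calendar expiry never forces a change on its own."""
    breached = is_breached(password)
    long_enough = len(password) >= MIN_LENGTH
    return {
        "long_enough": long_enough,
        "breached": breached,
        "keyspace_bits": round(keyspace_bits(password), 1),
        "rotate": breached,
        "accept": long_enough and not breached,
    }


if __name__ == "__main__":
    for pw in ["Pa$$word1", "correct horse battery staple", generate_passphrase()]:
        print(f"{pw!r}: {evaluate(pw, age_days=120)}")
```

Running it shows `Pa$$word1` rejected twice over (breached and short, roughly 59 bits of keyspace) while the four-word passphrase passes with well over 100 bits, and that a 120-day-old password is only flagged for rotation when it appears in the breach corpus.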
Intelligent CISO