World Password Day is a Reminder that Passwords are Dying
Happy World Password Day! I guess? Since 2013, the second Thursday of May is a day the world celebrates the password. Articles and social media posts surface, encouraging us all to practice good password hygiene.
I love a holiday where my fellow cyber nerds get to shine. But why are we celebrating an authentication method that no longer protects us?
World Password Day should be a remembrance holiday, a day to remember simpler times when we had one password in honor of our favorite pet’s name.
User behavior won’t change.
Despite our efforts to train users, 123456 remains the most commonly recurring password in data breaches. 83% of Americans use weak passwords, and over half reuse passwords across accounts. We train our users to start using a password manager to fix their poor password habits. But do they?
What if that password manager is just a place for them to store all their weak passwords?
The evidence is undeniable. Users will not use a unique, strong password for every account. It’s time that we stop focusing on changing user behavior.
Companies keep failing us.
Technologists know storing clear-text passwords in a database is a no-no. It’s like placing a spare key under your doormat. You might as well leave the door unlocked. Yet, companies continue this practice, a lovely surprise when hackers find the database. I’m not referencing the small businesses lacking technical expertise — quite the opposite.
While never (knowingly) compromised, in 2019 Facebook notified upwards of 600 million users that the company had stored their passwords in clear-text. The issue dates back to 2012, but Facebook found it in 2019 during a routine security review. (How routine is your review if you find the vulnerability seven years later?)
Facebook isn’t the only 2019 example.
An attacker accessed the clear-text passwords of 10 million Evite users when the company failed to secure an inactive data storage file. (Where else are these stored in clear-text across their systems?) Orvibo, a smart home company, misconfigured a server, leaving a passwordless Elasticsearch database externally accessible. The database stored saltless MD5 passwords of at least 2 billion users, which are easy to crack. The examples continue.
A strong password is useless if the company neglects to use adequate encryption and hashing techniques.
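To make the Orvibo point concrete, here is an added example (not code from the post) contrasting the saltless MD5 storage described above with a salted, deliberately slow password hash. The post does not name an "adequate" technique, so PBKDF2-HMAC-SHA256 from Python's standard library is assumed here; the three user accounts are constructed sample data. The audit function shows the tell-tale sign a defender can check for in any credential store: with an unsalted fast hash, every account sharing a password shares a digest, which is exactly what makes bulk cracking cheap.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts. Two of them share the breach-favourite "123456",
# which is a realistic condition in any large user base.
USERS = {
    "alice": "123456",
    "bob": "123456",
    "carol": "correct horse battery staple",
}

# Well-known MD5 digest of "123456"; a fixed value like this is what a lookup
# table keys on when the store has no salt.
MD5_OF_123456 = "e10adc3949ba59abbe56e057f20f883e"


def unsalted_md5(password: str) -> str:
    """The storage scheme the Orvibo example describes: one fast hash, no salt.
    Identical passwords always produce identical digests."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, iterations: int = 600_000) -> dict:
    """Salted, slow hash (assumed technique): a random 16-byte salt per user and a
    high PBKDF2 iteration count so that each guess costs real CPU time."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_pbkdf2(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def shared_digest_accounts(digests: dict) -> int:
    """Audit check over a credential store: number of accounts whose stored digest
    is shared with at least one other account. Anything above zero means the
    store is not salting, and one cracked digest unlocks every account using it."""
    counts = Counter(digests.values())
    return sum(1 for d in digests.values() if counts[d] > 1)


def audit_both_schemes(users: dict = USERS) -> tuple:
    """Returns (shared count under unsalted MD5, shared count under salted PBKDF2)."""
    md5_store = {u: unsalted_md5(p) for u, p in users.items()}
    pbkdf2_store = {u: store_pbkdf2(p)["hash"] for u, p in users.items()}
    return shared_digest_accounts(md5_store), shared_digest_accounts(pbkdf2_store)


if __name__ == "__main__":
    md5_shared, pbkdf2_shared = audit_both_schemes()
    print(f"accounts with a shared digest, unsalted MD5:  {md5_shared}")   # 2
    print(f"accounts with a shared digest, salted PBKDF2: {pbkdf2_shared}")  # 0
    rec = store_pbkdf2(USERS["carol"])
    print("carol verifies:", verify_pbkdf2(rec, USERS["carol"]))          # True
    print("wrong password rejected:", not verify_pbkdf2(rec, "123456"))   # True
```

The audit is the part worth reusing: a database column full of repeated digests, or digests equal to published values such as the MD5 of 123456, is a sign of a saltless fast hash and can be spotted in a review without cracking anything.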
The bait is too good to resist.
Even when the user utilizes strong passwords and the company acts responsibly, users continue to fall for phishing emails. The FBI’s 2019 Internet Crime Report highlighted the impact of phishing. Phishing was the most common type of attack, resulting in over $57 million lost. Not all of these attacks resulted in password compromise, but the data illustrates that one compelling email places our passwords at risk.
It’s time to start celebrating new authentication methods.
The standalone password is dying, and there is no way to save it. Multifactor authentication (MFA) resuscitated passwords for now (sort of). MFA is not flawless. It requires user buy-in and remains vulnerable to attackers.
I don’t foresee a single mechanism replacing the password. Exciting investors and winning contracts will prove difficult if the product resembles the password. Future authentication will be sophisticated while simple for the user. We will see the rise of Zero Login technologies and innovations that use multiple data points, such as our digital patterns and biometrics, to perform multifactor authentication seamlessly.
Technologists and users alike need to enthusiastically demand better methods. Our data, money, and time will remain at risk while we continue to celebrate obsolete authentication methods.
For now, we celebrate World Password Day.
We might as well celebrate while we remain reliant on passwords. Here are my top three suggestions for making this year’s World Password Day one you might remember.
1. Get a Password Manager.
2. Impress cybercriminals with your strong passwords.
3. Enable multifactor authentication everywhere available.
What will we celebrate in the future?
My vote is for a World Password Remembrance Day, but I’m open to suggestions.