Passwords: An Outdated Security Measure in Modern Times

Mar 22, 2024 10:33:03 AM

In an era rampant with cyber threats, the security of passwords and identity remains a critical concern. According to HaveIBeenPwned.com, over 12 billion credentials were compromised online as of March 6, 2024. This staggering figure underscores the vulnerability of password-based authentication systems. Most (if not all) of these involve compromised passwords, and often expose not only a compromise to the originally affected domain or web application, but also multiple accounts utilizing the same email address and password.

Despite efforts to bolster password security, including updated PCI 4.0 requirements mandating longer, alphanumeric passwords changed every 90 days, the effectiveness of these measures is dubious. Analyzing example passwords like "baseball1984," compliant with PCI standards, reveals shocking vulnerabilities. Even with special characters and capitalization, cracking times remain alarmingly short.


Utilizing the PCI 4.0 requirements, we entered several example passwords that users would likely be able to remember into Passwordmonster.com to see how long it would take to crack. The result? The first password we tried, baseball1984, is estimated to take approximately 0.05 seconds to crack utilizing today's processing power, despite being PCI-compliant. An alternative version of this password, still following the minimum PCI requirements, b4s3b4ll1984, would take approximately 0.11 seconds. But what if we add special characters to the password – surely that will help! b4s3b4ll1984$$ will take approximately five minutes to crack, and B4s3b4ll1984$ with a capital B will take approximately 20.35 seconds. It's important to note that B4s3b4ll1984$ not only exceeds PCI DSS requirements, but also meets the password requirements of most organizations today.

We could address this within the current password requirements by requiring passwords that aren't based on dictionary words, such as b$aB55!3abcd. But who's going to remember a password like that? You're going to spend more time with users resetting their passwords.
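The following is an added example, not code from the original post or from Passwordmonster.com. It puts the post's sample passwords through a PCI DSS 4.0-style policy check (12 characters, letters and digits) and then estimates cracking effort two ways: the naive character-class model most strength meters use, and a pattern-aware model that charges only for the choices an attacker actually faces when the password is a dictionary word with leetspeak swaps, an appended year and a symbol suffix. The word list, the 100,000-word dictionary size and the 1e10 guesses-per-second rate are assumptions; the absolute times differ from the site the post used, but the qualitative result is the same: every compliant variant of "baseball1984" sits many orders of magnitude below the random 12-character password.

```python
"""Policy compliance versus pattern-aware strength for a candidate password.

Added example, not code from the original post or from Passwordmonster.com.
Assumptions: PCI DSS 4.0's minimum of 12 characters containing both letters and
digits; an attacker trying (dictionary word with leetspeak) + (year) + (symbol
suffix) before brute force; a 100,000-word dictionary; 1e10 guesses/second
(a fast unsalted hash on GPU hardware). The word list below is constructed.
"""
import re
import string

# Constructed mini dictionary; a real checker loads a full word list.
DICTIONARY = {"baseball", "football", "password", "welcome", "dragon"}
ASSUMED_DICTIONARY_SIZE = 100_000   # size the guess model charges for (assumed)
GUESSES_PER_SECOND = 1e10           # assumed offline cracking rate

# Reverse the usual leetspeak swaps so "b4s3b4ll" normalises to "baseball".
LEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o",
                      "5": "s", "$": "s", "@": "a", "7": "t"})
LEET_CHARS = "43105$@7"

# word (letters/digits/$/@) + optional four-digit year + optional symbol suffix
PATTERN = re.compile(r"([A-Za-z0-9$@]+?)((?:19|20)\d{2})?([^A-Za-z0-9]*)")


def meets_policy(pw: str, min_len: int = 12) -> bool:
    """PCI DSS 4.0 style rule: minimum length, at least one letter and one digit."""
    return (len(pw) >= min_len
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def charset_size(pw: str) -> int:
    """Size of the character set a naive meter assumes was sampled uniformly."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 symbols
    return size


def naive_guesses(pw: str) -> float:
    """Character-class model: every position independent and uniform."""
    return float(charset_size(pw)) ** len(pw)


def pattern_guesses(pw: str) -> float:
    """Guesses when the attacker tries word+year+suffix before brute force.

    Falls back to the naive estimate when no dictionary pattern is found.
    """
    m = PATTERN.fullmatch(pw)
    if not m:
        return naive_guesses(pw)
    word, year, suffix = m.group(1), m.group(2), m.group(3)
    if word.lower().translate(LEET) not in DICTIONARY:
        return naive_guesses(pw)
    guesses = ASSUMED_DICTIONARY_SIZE
    guesses *= 2 ** sum(1 for c in word.lower() if c in LEET_CHARS)  # each swap on/off
    guesses *= 2 if word[0].isupper() else 1                          # capitalised or not
    guesses *= 200 if year else 1                                     # years 1900-2099
    guesses *= len(string.punctuation) ** len(suffix)                 # symbol suffix
    return float(guesses)


def seconds_to_crack(pw: str) -> float:
    """Pattern-aware estimate at the assumed guessing rate."""
    return pattern_guesses(pw) / GUESSES_PER_SECOND


def assess(pw: str) -> dict:
    """Summary a policy tool could show; 'compliant but weak' is the case to flag."""
    return {"password": pw, "compliant": meets_policy(pw),
            "naive_seconds": naive_guesses(pw) / GUESSES_PER_SECOND,
            "pattern_seconds": seconds_to_crack(pw)}


if __name__ == "__main__":
    for candidate in ["baseball1984", "b4s3b4ll1984", "b4s3b4ll1984$$",
                      "B4s3b4ll1984$", "b$aB55!3abcd"]:
        r = assess(candidate)
        print(f"{r['password']:16} compliant={r['compliant']!s:5} "
              f"naive={r['naive_seconds']:.3g}s pattern={r['pattern_seconds']:.3g}s")
```

The design point is the gap between the two columns: a character-class meter credits "B4s3b4ll1984$" with 94 possible characters at every position, while the pattern model charges one dictionary lookup, three optional swaps, one capital and one symbol. Rejecting passwords on the pattern estimate rather than on length and character classes is what makes a policy catch compliant-but-guessable choices without forcing the unmemorable random string the post describes.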

Proposals for complex, non-dictionary passwords pose their own challenges because they are difficult for users to remember, leading to frequent resets. Additionally, reliance on password managers introduces another potential point of failure. Sure, password managers might be a good solution, except that if your password manager is compromised, someone now has the logins for everything. That's not a good option either.

When it comes to passwords, there is a significant disconnect between what the human mind can remember and what is secure. The solution to this conundrum lies in transitioning away from passwords altogether. While alternative authentication methods, such as biometrics and one-time password generators, have existed for years, perceived complexity for the users has hindered widespread adoption.

To effect change, the industry must prioritize user-friendly, secure authentication solutions. This entails not only technological advancements, but also a shift in mindset toward embracing innovative authentication methods.

Ultimately, the goal is to streamline the user login experience while enhancing security measures. Achieving this requires collaboration among stakeholders to overcome barriers and pave the way for a passwordless future, and more importantly, the ability to convince users that going passwordless will mean an easier, frictionless user experience.

If you’d like to learn more about moving beyond passwords and adopting advanced authentication techniques, watch the EMA webinar "Transcending Passwords: Emerging Trends in Authentication." 


Written by Ken Buckler

Kenneth Buckler, CASP, is a research analyst of information security/risk and compliance management for Enterprise Management Associates, a leading industry analyst and consulting firm that provides deep insight across the full spectrum of IT and data management technologies. Before EMA, he supported a Federal agency’s Enterprise Visibility program, providing security insights and compliance trending for the agency’s national network of computers and devices. He has also served in technical hands-on roles across multiple agencies in the Federal cyber security space and has published three Cyber Security books. Ken holds multiple technical certifications, including CompTIA’s Advanced Security Practitioner (CASP) certification.
