Is there anyone out there anymore who thinks passwords are a good security option?
After the newest survey from LaunchKey, I’m going to say the answer is a very firm, “No!”
The survey of 589 people of the “general population” found that 84 percent of participants want to see passwords eliminated, and 76 percent said they believe data and networks would be more secure under a different type of authentication method. (The majority, 59 percent, think fingerprints are the way to go, but based on how easy it has been to hack the fingerprint authentication on mobile devices, I’m not sure I agree with that assessment.)
The responses to the survey echo similar thoughts I’ve been hearing throughout this year. People are tired of the weaknesses found in the password authentication method, particularly when it comes to retail. Slightly more than half don’t trust retail outlets to keep information secure with passwords.
As consumers become more vocal about their distrust and dislike of passwords, something eventually has to give, right? Why aren’t companies making the switch? One reason is that for as much as people complain, we’re used to the password setup and we don’t want to change. Another issue is the expense of moving from passwords to another form of authentication. Companies with already tight security budgets would have to convince executives that they need the equipment necessary to add a second authentication level.
At the same time, the survey revealed something about consumers that they might not like to hear. Authentication methods fail because we don’t do enough to make them succeed—and women are especially bad at good password management, it seems, as eWeek reported:
Nearly 8 percent more women than men surveyed said they share their passwords with others, while nearly 14 percent more women than men stated that they use the same passwords for multiple accounts.
And while we say we want something better, you have to wonder if that’s just lip service. According to InfoSecurity, it’s difficult to meet the security demands:
Respondents also took a dim view of the traditional methods of authentication, regarding two-factor authentication (2FA) as insufficient. Nearly two-thirds did not even know what 2FA was, while only a fifth said it was easy to use.
We’ve also seen repeatedly that when 2FA is offered as an option, users aren’t accessing it. Obviously, too many don’t understand what it is, but I’ve listened to people gripe about situations when it is required. Too many steps! Takes too long! I’m always misplacing the token! If people are complaining when they have to use it, why on earth do we think they’ll want to do it voluntarily?
One thing the survey doesn’t touch on—not surprisingly since this is a survey of the general population and not of IT or security folks—is how little is done to secure passwords on the business side. Almost routinely, vulnerable passwords are stored in unencrypted formats that are easy to steal and sell on the black market.
I’m not a big fan of passwords, personally, and I’d love to see something better come along. But I’m also starting to think that we are our own worst enemy when it comes to password security.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.