At the end of February, Hold Security announced that it discovered over 300 million stolen or compromised login credentials.https://o1.qnsr.com/log/p.gif?;n=203;c=204663295;s=11915;x=7936;f=201904081034270;u=j;z=TIMESTAMP;a=20410779;e=iDuring that same week, Fortinet revealed the results of a survey of Generation X and Millennial adults in which they were asked their attitudes toward passwords.
The two events have nothing to do with each other, but I thought the timing was a little serendipitous. To me, the two show that maybe we really have come to the end of the password’s usefulness as a security measure.
The Fortinet report found that many Gen Xers (ages 33-48) and millennials (ages 18-32) don’t change their passwords at all unless prompted. And if they do change their passwords, they do it as infrequently as possible. Interestingly but perhaps not too surprisingly, millennials are protective of their phones, with 57 percent saying they do password protect their device (less than half of Gen Xers do so). I say that this doesn’t surprise me because the millennials I am related to depend on their phones for their survival. I think they are more apt to protect their phone than lock their house or car doors. Still, they use the easiest form of password possible to protect their phones, opting for a four-digit pin over more difficult-to-crack password options.
It’s easy to think that, other than with smartphones, millennials and Gen Xers appear to be lazy with passwords and that presents a risk to the corporate network. I would argue that older generations are pretty darn lazy about passwords, too. And as this recent Hold Security finding reveals, maybe our passwords aren’t all that safe anyway. As a Reuters article stated:
hackers can do far more harm with stolen credentials than with stolen payment cards, particularly when people use the same login and password for multiple accounts.
So maybe what this survey and this reveal of stolen credentials show is that it is time to rethink the password as security. At the very least, it shouldn’t be the single measure used. Younger generations are likely to have even less consideration for security (and that next generation is getting ready to age into the workplace). The question is, what is going to be the right security process going forward. Will it be biometrics? Multi-factor authentication? Or maybe it will be social verification, where you are asked to identify social contacts.
I can’t imagine the password will be our primary method of security for devices and data for much longer.