What is the value of passwords?
(Last updated on February 7, 2020)
You probably already know that passwords have not been considered the most secure authentication mechanism for the last 20 years or so. So why are they still around? If you think about it, they don’t even show any sign of going away.
The answer is mostly a question of value – the value of security.
While most people understand the need for a mechanism which allows humans to prove their identity to computers, they don’t consider the security behind that mechanism to be very important.
And why should they? Most businesses don’t feel that they have big security problems. In fact, most businesses are too busy doing business to even care about it, and the only time they think about security is when it gets in their way and stops them from doing their business.
This is also the reason why the password is still the most common way of authenticating users. The alternatives, while perhaps offering more security, are simply too complicated and expensive to implement without getting in the way of the business.
Passwords are common, people know how they work and even though they tend to forget them, they provide the best value for the security needs of most businesses. In short, passwords are easy and work fine.
So, shouldn’t we all care a little more?
Well, there are organizations that care about security, typically because they have to due to legal reasons or because they deal with sensitive or even classified information. But even if they do care, there will still be systems in their business where they use passwords.
The good news is that there are a couple of smart things you can do to increase security without having to make any big investments or changing the way you work. Below are two examples of simple solutions which benefit all types of organizations.
Enforce the use of passphrases instead of passwords
Increasing the minimum length of the password is the most effective way of making it harder to crack the password hash if somebody manages to get hold of it, because the number of possible passwords grows exponentially with every character you add. The problem with doing that is that most people start having trouble remembering their passwords as the minimum length increases, especially if you also require a complex mix of letters, numbers and special characters.
The best solution to this problem is to switch to passphrases, meaning you use a whole sentence rather than a single word as your password. Sentences are typically much easier to remember, they are naturally longer and still leave room for mixing in numbers and special characters. Bear in mind that a well-known quotation or song lyric is in every cracking wordlist, so the sentence should be the user’s own. The most difficult part is getting people to make the switch, which may require investing in a third-party solution to enforce passphrases in your environment.
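To make the length argument concrete, here is an added example (not code from the original article) that compares the keyspace of a short "complex" password with that of a longer passphrase, estimates brute-force time at an assumed guessing rate, and shows a minimal policy check that enforces sentence-style passphrases. The alphabet sizes, the 7776-word dictionary size and the guessing rates are assumptions for illustration, not figures from the article.

```python
import math
import re

# Assumed sizes (illustrative assumptions, not figures from the article).
FULL_PRINTABLE = 95     # printable ASCII including space
DICEWARE_WORDS = 7776   # size of a typical diceware-style word list
FAST_HASH_RATE = 1e10   # guesses/second against a fast, unsalted hash (assumed)
SLOW_HASH_RATE = 1e4    # guesses/second against a deliberately slow hash (assumed)


def entropy_bits_random_password(length, alphabet_size=FULL_PRINTABLE):
    """Bits of entropy for a password of `length` symbols chosen uniformly at random.

    Each extra character multiplies the keyspace by `alphabet_size`, so entropy
    grows linearly in length while the keyspace grows exponentially.
    """
    return length * math.log2(alphabet_size)


def entropy_bits_random_passphrase(word_count, dictionary_size=DICEWARE_WORDS):
    """Bits of entropy for `word_count` words chosen uniformly from a dictionary."""
    return word_count * math.log2(dictionary_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected brute-force time: on average half the keyspace must be tried."""
    return (2 ** bits) / 2 / guesses_per_second


def compare_password_to_passphrase(pw_length=8, words=5, rate=FAST_HASH_RATE):
    """Return expected crack times (seconds) for a random password vs passphrase."""
    pw_bits = entropy_bits_random_password(pw_length)
    pp_bits = entropy_bits_random_passphrase(words)
    return {
        "password_bits": pw_bits,
        "passphrase_bits": pp_bits,
        "password_seconds": expected_crack_seconds(pw_bits, rate),
        "passphrase_seconds": expected_crack_seconds(pp_bits, rate),
    }


def check_passphrase_policy(candidate, min_length=16, min_words=4):
    """Floor for a passphrase policy: length plus a word count so that a
    sentence, not a single padded word, is used. Returns (ok, reason).

    These thresholds are assumptions; the entropy figures above hold only for
    randomly chosen secrets, so this check is a floor, not an entropy estimate.
    """
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    words = re.findall(r"\S+", candidate)
    if len(words) < min_words:
        return False, f"fewer than {min_words} words"
    if len({w.lower() for w in words}) < min_words:
        return False, "too many repeated words"
    return True, "ok"


if __name__ == "__main__":
    result = compare_password_to_passphrase()
    print(f"8-char random password: {result['password_bits']:.1f} bits, "
          f"~{result['password_seconds'] / 86400:.1f} days at a fast hash")
    print(f"5-word random passphrase: {result['passphrase_bits']:.1f} bits, "
          f"~{result['passphrase_seconds'] / (86400 * 365):.0f} years at a fast hash")
    for phrase in ("correct horse battery staple", "Tr0ub4dor&3", "go go go go go go"):
        print(repr(phrase), check_passphrase_policy(phrase))
```

The comparison is deliberately against a fast hash, which is the case the article describes: an attacker with a copy of the hash and no rate limit. A slow, salted hash (bcrypt, scrypt, Argon2) narrows the gap by several orders of magnitude, but length is still the only lever the user controls.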
Invest in a self-service solution for password issues
Even though passwords are far easier to work with than many other authentication mechanisms, they still tend to be forgotten by the users. This causes a lot of frustration, but it also costs a lot of money if the only way the user can solve the problem is by calling the helpdesk.
Investing in a self-service password reset solution that allows the users to securely authenticate with an alternative mechanism and reset their own passwords is a very simple way of making sure that your users remain productive no matter where they are or what time it is when they get stuck. Bear in mind that the reset path is only as strong as that alternative mechanism, so it must not be weaker than the password it replaces.
Having a self-service solution in place also reduces the anxiety users might feel about forgetting their long passphrases, since they can solve the problem themselves. This increases security by reducing the risk that users resort to bad behaviour such as writing down their passwords.