The problem with passwords

Why are passwords so problematic? Isabel Botha, Head of Government and Healthcare at ForgeRock, discusses why they pose such a serious security risk to organisations. She also imagines a safer world of passwordless authentication using biometrics.


Why are passwords so problematic in today’s modern world?

Well, both of us are users, so we are very aware how painful usernames and passwords can be. I personally hate them. They’re just not user-friendly and they’re not secure. What’s really interesting is that Bill Gates actually predicted the demise of the password back in 2004.

Apparently, the average person has more than 90 online accounts. Since we’re all human, we use simple usernames and passwords that are recycled, which makes all our systems only as secure as the weakest one.

Sadly, because of this, usernames and passwords are the leading attack vector in data breaches, account hijacking and identity theft. And the pandemic just exacerbated the vulnerabilities that have been created by years of cybersecurity complacency. 

ForgeRock recently released its annual Consumer Identity Breach Report, which shows that username and password hacks increased around 450% across 2019 to 2020. So this threat is clearly not going away is it?

The threat is becoming more sophisticated, actually. So the 450% increase is a US statistic, but we also have an Australian section within the report where we took data from the Office of the Australian Information Commissioner. They indicated there has been a 30% increase in data breaches from 2018 to 2020, with a year-over-year increase of 49.8% of identity-specific information.

Like 2019 and 2020, we saw that health services, finance and education were the top three sectors most affected by data breaches. And it’s not just us reporting this. According to Verizon’s 2021 Data Breach Investigations Report, the breaches continue to be mostly due to external, financially motivated actors – and 61% of breaches involved credential data.

So digital identity was once again the weakest security link in 2020.

Who do you think is ultimately responsible for cybersecurity within an organisation?

I think we all know by now that it’s everyone’s responsibility. As individuals, we can take the greatest care with our own credentials, but once we interact over the internet – like most of us do in our day-to-day work and also our private lives – we become immediately vulnerable.

We did a study not that long ago where we found that 60% of IT budgets are spent on maintaining legacy systems rather than on innovation and other high priorities. IT people want to do the right thing, but there are lots of conflicting priorities that take resources and budgets away from cybersecurity. There are also operational inefficiencies, such as certification and rubber-stamping and loads of manual provisioning that results in lost productivity, wasted time and money, and overpaying for unused accounts.

When it comes to regulatory compliance, organisations still rely heavily on manual processes. Sadly, this is because of weak compliance controls and failed compliance ordinance and financial penalties. We really need to help our IT security and compliance teams by automating as much of the identity and management lifecycle as we possibly can, so they can focus their efforts on high-value events..

What sort of outcomes are we looking at when we go passwordless?

Regardless of the industry, fewer passwords really do result in four key benefits. First of all, it’s a better user experience, simply because password authentication is seamless – you rely on the same device that many people use every day, so users are less likely to try to circumvent security measures.

Secondly, it substantially decreases the cost associated with password management and data breaches, and it increases productivity at the same time. Cybersecurity has been traditionally perceived as a cost centre, so the financial consideration is perhaps the most notable reason why companies should consider transitioning to passwordless authentication.

Thirdly, because passwordless technology leverages open standards, it drives interoperability quite significantly, which then allows us to scale. So service and technology providers can develop solutions to a common standard, including a public API that web developers can easily leverage, which eliminates dependencies on passwords alone.

Last but not least, passwordless authentication is just so much more secure. There are no passwords for cybercriminals to steal out of a platform server. There is no information stored by companies that could be leveraged by hackers. So users are just better protected. 

What can organisations do to reduce the threat of breaches and improve their cybersecurity posture? What are your top tips?

These aren’t actually my top tips, they’re from our wonderful Chief Technology Officer, Eve Maler. She’s summarised it in this very catchy phrase: the stop, drop and role. So it’s three things that all enterprises should be doing to reduce breach threats.

Firstly, stop. So stop using static passwords. This essentially means that systems and applications that are protected with a simple user-generated password, we should stop using those because they are the ultimate attack vector for ransomware, phishing and a host of other attacks.

Number two, drop. So drop into your users’ experiences. Check out how your workforce and consumers are accessing applications. Consider options like password lists. Consider options like risk base and even contextual authentication – this can improve security while also delighting your users with a great login experience.

Lastly, role. This is really more of an internal focus. So that’s looking at user roles within your organisation, because if you give people too much access, that access is a major contributor to breaches. You need to really know what your user roles are and remove any access that is not needed.

Stop, drop and role.


Want more insight into the world of security, identity access management, biometrics and more? Get your fix with the IDentity Today podcast, hosted by Daltrey MD Blair Crawford. You can start on Episode 1 here or listen via Apple Podcasts, Spotify or your favourite podcast app.