Password Madness - Are complex Passwords actually less secure?

In the last few days before I was admitted to hospital, I ran into one of those minor inconveniences that go along with being an office worker in the 21st century. My login password at work was about to expire and I had to reset it. Ah well, what can you do? These regular password changes are part and parcel of work life these days and let’s be honest, they don’t really take that long.

Well, that’s what I thought at least. However, due to some unknown error, what should have been a quick and easy chore of less than a minute turned into a multi-hour affair that left me completely logged out of all my work tools on my phone and completely locked out of my work laptop. In the end, it required an intervention from my employer’s IT support team to sort everything and get me productive again. The fact that I stumbled across an undocumented time-out in the process didn’t help either, I suppose.

Now, I obviously won’t go into details here as it affects company security, something that my employer is rightfully keen to protect, however the whole thing got me thinking, which is rarely ever a good thing. Is the ongoing insistence on regular password changes and the use of complex passwords actually doing more harm than good? Is the insistence of corporate IT teams across the board on utilising these, even with the help of single sign-on solutions, ultimately producing more security issues than it fixes? Would an increased use of multi-factor authentication, biometrics and/or password managers be able to alleviate these issues?

Just to set the tone here, I’m not alone in my frustration at the way logins are handled these days. In a study published in spring of this year, US login and security solutions provider Beyond Identity looked into the topic of “password fatigue” and its effects on companies and employees, and even though the study was limited to US companies and employees, the results were eye-opening to say the least.

  • A total of 87% of participants reported experiencing medium to high levels of password fatigue & stress
  • 39% of all participants reported high levels of stress in this matter.
  • What’s more, out of those participants who stated that they had experienced high levels of password fatigue, 62% also reported that they had had at least one of their accounts breached in some manner in the past. 

There’s a cost to employers in all of this as well. The same Beyond Identity study found that password fatigue costs employers an average of 480 US dollars per employee per year. Depending on the size of the company, this can easily add up to hundreds of thousands, if not millions, of dollars. Interestingly, the study also showed that the generation least affected by password fatigue is the Baby Boomers, only 29% of whom responded that they had experienced high levels of password fatigue. Now, whether that is due to increased cognitive abilities and resilience in that generation or whether they just have fewer online accounts in general is probably a topic that merits a study all of its own, which would completely blow out the limits of this blog post.

Okay, there’s definitely an issue here, that much should be obvious to anyone who takes even a cursory glance at all this data. What’s more, this issue presents a real threat to not just companies and employees, but to our private online presence as well. I’ll look at the corporate aspect first, since this whole post was triggered by my experiences at work.

For companies, the protection of their own data obviously comes first. Whether it’s financial information, employee data, proprietary information about current products, let alone future product road maps or prototype schematics from R&D, there’s a lot of information in a company’s network that bad actors would absolutely love to get their hands on. At the same time, employees will still need to access those bits of information that are relevant to their particular jobs, so completely walling in the data centre, both physically and metaphorically, is out of the question, and some sort of access will need to be granted. Last but by no means least, the costs of any such solution need to be kept as low as possible to make both the CFO and Wall Street happy. As a consequence, companies will tend to gravitate towards solutions that prioritise the price tag and data security, whilst usability and user experience come in a very distant third. This often takes the shape of highly complex password criteria, coupled with frequent prompts to change said password, in some cases every ninety days. I need to give a special shout out to my very first corporate employer back in Frankfurt, who not only insisted on these passwords, but also on completely randomised User IDs. Way to go on the whole “security through complete and utter confusion” angle, guys! 
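To make the trade-off concrete, here is an added example of my own (not code from the original post or from any vendor) that puts the classic corporate composition policy next to a policy in the spirit of NIST SP 800-63B: length over character classes, screening against known-breached passwords, and no forced rotation. The breached-password list and the user's previous passwords are constructed sample data, and the "rotation detector" is my own illustration of catching the predictable Winter2023! to Spring2024! edit that 90-day expiry tends to produce.

```python
"""Two password policies side by side (added example, not from the original post)."""
from __future__ import annotations

import re

# Constructed sample of commonly breached passwords. A real deployment would
# screen against a large breach corpus (for example the Have I Been Pwned set).
BREACHED = {"password", "p@ssw0rd", "summer2023!", "winter2023!", "spring2024!", "welcome1!"}

SEASONS = ("spring", "summer", "autumn", "winter")


def complex_policy(candidate: str, previous: list[str]) -> tuple[bool, str]:
    """Classic corporate policy: 8+ chars, four character classes, not in history."""
    checks = [
        (len(candidate) >= 8, "too short"),
        (re.search(r"[A-Z]", candidate) is not None, "needs an upper-case letter"),
        (re.search(r"[a-z]", candidate) is not None, "needs a lower-case letter"),
        (re.search(r"\d", candidate) is not None, "needs a digit"),
        (re.search(r"[^A-Za-z0-9]", candidate) is not None, "needs a symbol"),
        (candidate not in previous, "matches a previous password"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, reason
    return True, "accepted"


def looks_like_rotation(candidate: str, previous: list[str]) -> bool:
    """Detect the predictable 90-day edit: same stem with the season or number bumped.

    Hypothetical heuristic for illustration: normalise season words and digit runs
    to placeholders and compare the result against each previous password.
    """
    def stem(pw: str) -> str:
        s = pw.lower()
        for season in SEASONS:
            s = s.replace(season, "<season>")
        return re.sub(r"\d+", "<n>", s)

    return any(stem(candidate) == stem(old) for old in previous)


def modern_policy(candidate: str, previous: list[str]) -> tuple[bool, str]:
    """NIST SP 800-63B style: minimum length, breach screening, no composition rules."""
    if len(candidate) < 8:
        return False, "too short"
    if candidate.lower() in BREACHED:
        return False, "found in breached-password list"
    if looks_like_rotation(candidate, previous):
        return False, "predictable variation of a previous password"
    return True, "accepted"


def compare(candidate: str, previous: list[str]) -> dict[str, tuple[bool, str]]:
    """Run both policies on the same candidate so the verdicts can be compared."""
    return {
        "complex": complex_policy(candidate, previous),
        "modern": modern_policy(candidate, previous),
    }


if __name__ == "__main__":
    history = ["Winter2023!", "Spring2024!"]  # constructed previous passwords
    for pw in ["Summer2024!", "P@ssw0rd", "correct horse battery staple"]:
        verdicts = compare(pw, history)
        print(f"{pw!r:34} complex={verdicts['complex']}  modern={verdicts['modern']}")
```

The composition policy waves through "Summer2024!" and "P@ssw0rd" (both tick every box) while rejecting a 28-character passphrase for lacking an upper-case letter; the breach-screening policy does the reverse. That inversion is the whole argument of this post in six checks.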

Two-factor authentication, as modelled here by Microsoft Authenticator, can certainly help with account security, but it is no panacea.

Anyway, back to the main narrative here. In addition to these requirements, companies will often also require Two-Factor Authentication (2FA) for certain apps or services, usually via an authenticator app or even old-fashioned text messages. Taken on its own, this does not seem like such a major issue, especially when a single sign-on (SSO) solution is also in use, which means that staff only have to remember one password instead of several dozen. However, with the proliferation of biometric login solutions such as Apple’s Face ID/Touch ID or Windows Hello, employees might go weeks or months without having to enter even that one password, a time frame that makes it highly likely they will have forgotten it by the time they are asked for it. It stands to reason that a large number of people will therefore write down their passwords somewhere in order not to be locked out, creating a whole new slew of potential vulnerabilities and attack vectors. This is precisely why current guidance such as NIST SP 800-63B recommends against forced periodic rotation and composition rules, favouring long passwords screened against lists of known-breached ones instead, with a change forced only when there is evidence of compromise.

Biometric login solutions such as Windows Hello, as demonstrated here by my old Surface Go 2, are a brilliant way to avoid password fatigue, as long as you’re not asked to change your password on a regular basis.

Which leads me straight to the thorny issue of password reset systems. For starters, their very existence presents a security risk: a reset flow is, by definition, a second way of proving who you are, one that has to work even when the user is locked out of everything else, and an attacker who can satisfy it gets the account without ever needing the password. At the same time, the rules for said reset must on the one hand be clear enough that an employee knows exactly what is asked of them, while on the other hand not so obvious as to be taken advantage of by a potential attacker. Having two requirements that contradictory is a recipe for confusion and risks leaving an employee locked out of their system with no real way of remedying that.

On the private front, things are similar, but not identical. The underlying challenge is the same: companies still want to keep their information secure in order to protect their customers and ultimately stay in business. And yes, whilst there are regulatory requirements around this, many companies, at least the good ones, will not need this motivation as they know that a loss of trust will result in a loss of business. However, unlike their employees, who are more often than not a captive audience for any IT security measures, companies can’t just force any and all security requirements on their customers, especially paying customers, as that will more often than not simply drive said customers away. At the same time, private customers are of course not constrained by long-term enterprise software contracts or regulatory requirements, leaving them free to take their business elsewhere if the user experience is not to their liking. There’s a reason I didn’t set up my current account at Bank of Ireland when I moved here ten years ago. Of course, this also means that private users can choose a solution that works for them, be that password managers, 2FA apps like Authy, or even physical 2FA solutions such as a YubiKey. Many choose… poorly, with even the infamous sticky note full of passwords still seeing a frightening amount of use.

At the same time, the stress factors for private users are mostly the same as they are for corporate drones.

  • Recommendation to use complex passwords
  • Recommendation to frequently change said passwords
  • Use of Two-Factor Authentication where available

Given that many websites have wildly differing password criteria, that not all websites used by private individuals even support 2FA, and that some of those that do rely on proprietary delivery systems or text messages (which can be hijacked through SIM swapping), where does that leave users?

Between a rock and a hard place if I’m honest, both in the corporate sector and as private individuals. We’ve long since reached a point where secure, unique passwords are a necessity, given the volume of phishing and credential-stuffing attacks going on every single day. At the same time, the number of online accounts a single person uses is growing all the time. Even if you pare it down to the bare essentials these days, the most basic “profile” for someone will encompass at least an email address, online banking and a profile at your mobile phone and/or internet provider of choice. The vast majority meanwhile will have accounts with multiple online stores, streaming services, gaming services such as Steam, social networks, utility and insurance providers and so on. As mentioned above, many of these services will have their own password requirements, may or may not offer 2FA options, and not every website will be built in such a way that password managers will even be able to recognise the login fields for user ID or password. Some will even have blocked copy and paste functions in the name of security, leaving users to laboriously type out passwords or stick to easy-to-remember ones, even though the latter will obviously be less secure.

Now to be fair, there are several lights at the end of the tunnel and no, they aren’t freight trains heading our way… I hope…. There are several new login solutions in the works that forego the use of passwords altogether. FIDO2 is already pretty far advanced and just at this year’s WWDC, Apple announced a passwordless authentication solution that is supposed to plug right into their Safari browser, although I’m not sure whether that’s actually an independent development or just an Apple-badged FIDO2 implementation. However, none of these solutions appear to be ready for a large-scale rollout yet. In fact, even if they were ready to go right now, my experience with implementation timelines in corporate environments tells me that it would be years before users would be able to make use of these solutions. In the meantime, we’re left with subpar login solutions both at our workplace and for our personal accounts.
