Today, around the world we are looking at passwords and how to better protect our identities both personal and corporate. It’s time to stop looking for improved password hygiene and start looking for non-password solutions. Until both vendors and customers make radical changes, this constant attempt to clean something that is fundamentally uncleanable is futile (and we will continue to “celebrate” World Password Day).
Humans tend to be risk averse and, let’s admit it, a little lazy, so we constantly go with the ‘known’ over the ‘better’. Just look at email: we have much better communications solutions, but we constantly fall back to email because it’s the known, it’s easy, and no one ever got fired for using email (well, almost no one). It’s the same with passwords. Make them longer, more complex, but when will it be enough? There are rainbow tables out there with hashed passwords up to 10 characters already. In the immortal words of Susan Powter: “Stop the insanity!!!”
Goodbye to Password Day
It’s time for organizations to adopt biometric-based MFA and passwordless logins. A truly layered approach to logins needs to be implemented. Think back to when we built defense in depth into our strategies: access requires defense in depth too, and passwords should be at most a tiny part of it. We have so much telemetry from users today that we should be using it to decide whether or not to PRESENT a login to them at all, and whether it will be 2FA, MFA or no password needed, not “give me a giant password and I’ll text you a number for your second factor.” Think about that for a minute: we know it’s almost trivial to reroute SMS messages, and we’re supposed to trust that AFTER a password is entered, even though we admit that passwords are insecure. Is it any wonder that we continue to see breach after breach?
A passwordless experience will combine a pre-login assessment of the user with a risk assessment of the destination, applied to that user at that point in time. This must be dynamic: the outcome may change as the user’s risk score goes up or the value of the data source goes down.
It also means that we need to stop painting every user in the org with the same brush. Every user is different, every dataset is different, and combined with the incredible number of possible access scenarios, a single password policy cannot address the issue.
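To make the previous paragraphs concrete, here is an added example (my own illustration, not code from any product or from the original post) of a per-request, passwordless access decision: fold pre-login telemetry into a user risk score, compare it against a threshold that shrinks as the destination’s data gets more valuable, and return “no prompt”, “step up to a strong factor”, or “deny”. The signal names, weights and thresholds are all assumptions chosen for the example; SMS OTP is deliberately not counted as a strong factor, for the reason given above.

```python
"""Risk-based, passwordless access decision engine (hypothetical, for illustration).

Per request: decide whether to grant silently, step up to a phishing-resistant
factor, or deny. Weights and thresholds are illustrative assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Decision(Enum):
    NO_PROMPT = "no_prompt"      # telemetry plus an existing strong factor satisfy policy
    STRONG_MFA = "strong_mfa"    # require a phishing-resistant factor before granting
    DENY = "deny"                # risk too high to authenticate at all right now


# Factors accepted as "strong". SMS OTP is deliberately absent: rerouting SMS is
# close to trivial, so it never satisfies a step-up in this policy.
STRONG_FACTORS = frozenset({"fido2", "platform_biometric"})


@dataclass
class UserContext:
    """Pre-login telemetry about the user and the session (assumed signal names)."""
    user_id: str
    device_managed: bool
    known_location: bool
    impossible_travel: bool
    failed_logins_last_hour: int
    presented_factor: Optional[str] = None   # strongest factor shown in this session


@dataclass
class Resource:
    """The destination and how valuable its data is (1 = public .. 5 = crown jewels)."""
    name: str
    sensitivity: int


def user_risk_score(ctx: UserContext) -> int:
    """Fold the telemetry into a 0..100 risk score (weights are assumptions)."""
    score = 0
    if not ctx.device_managed:
        score += 30
    if not ctx.known_location:
        score += 20
    if ctx.impossible_travel:
        score += 50
    score += min(ctx.failed_logins_last_hour, 5) * 10   # cap the brute-force contribution
    return min(score, 100)


def silent_allow_threshold(resource: Resource) -> int:
    """Maximum risk tolerated without any prompt; shrinks as the data gets more valuable."""
    return 60 - 10 * resource.sensitivity        # sensitivity 1 -> 50, sensitivity 5 -> 10


def decide(ctx: UserContext, resource: Resource) -> Decision:
    """Evaluate the user's risk against the destination's value at this moment."""
    risk = user_risk_score(ctx)
    if ctx.impossible_travel or risk >= 80:
        return Decision.DENY
    if ctx.presented_factor in STRONG_FACTORS and risk <= silent_allow_threshold(resource):
        return Decision.NO_PROMPT
    # No password is ever requested: the only way up from here is a strong factor.
    return Decision.STRONG_MFA


def decisions_over_time(ctx: UserContext, resource: Resource,
                        failure_counts: List[int]) -> List[Decision]:
    """Re-run the decision as fresh failed-login telemetry arrives (the policy is dynamic)."""
    out = []
    for failures in failure_counts:
        ctx.failed_logins_last_hour = failures
        out.append(decide(ctx, resource))
    return out


if __name__ == "__main__":
    # Constructed sample users and resources.
    alice = UserContext("alice", device_managed=True, known_location=True,
                        impossible_travel=False, failed_logins_last_hour=0,
                        presented_factor="fido2")
    bob = UserContext("bob", device_managed=False, known_location=True,
                      impossible_travel=False, failed_logins_last_hour=0,
                      presented_factor="platform_biometric")
    wiki = Resource("internal-wiki", sensitivity=1)
    payroll = Resource("payroll-db", sensitivity=4)
    print(decide(alice, wiki), decide(bob, wiki), decide(bob, payroll))
    print(decisions_over_time(bob, payroll, [0, 2, 5]))
```

The same user (bob, on an unmanaged device) is let through silently to a low-value wiki but stepped up for the payroll database, and as his failed-login count climbs the decision for payroll moves from step-up to deny without a password ever being requested.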
World Password Day 2021 and beyond
For many of you out there, your users will not be coming back to an office full-time, if at all. We are fully in the world of digital identities. Your Zero Trust architecture cannot start by trusting a SAML token; you need to vet the user each and every time. So for World Password Day 2021, here is my advice: kill the password. Make it your mission to eliminate passwords this year.