
World Password Day Highlights (The Annoying) Endurance Of A Weak Security Tool


As far as marketing and education pushes disguised as pseudo-holidays go, you could do worse than World Password Day, which is Thursday (May 2).

For example, it sure beats International Talk Like a Pirate Day on September 19, when our patience is tested by those joyful souls among us who really take such things seriously. After all, bad password habits can bring severe financial, security and reputational penalties (whereas failing to talk like a pirate merely confirms your status as a relatively normal adult, for better and/or worse).

As far as we can tell at PYMNTS, the goal of World Password Day – here’s hoping you received a fine gift – is to increase awareness of the limitations of passwords as gatekeepers of digital commerce and payments, to remind consumers to change their passwords and to market services designed to boost online security. PYMNTS readers certainly know much about passwords – specifically, how those relatively primitive tools continue to endure despite data breach after data breach after data breach, and how a host of companies, organizations, entrepreneurs and technology experts are working hard to come up with mainstream replacements for them.

Password Denunciations

It’s not hard to find someone to denounce passwords, and for good reason. One of the most recent examples comes from Microsoft's Chief Information Security Officer (CISO) Bret Arsenault.

As PYMNTS covered, Arsenault said he believes that when it comes to protecting companies and individuals from cyberattacks, passwords are essentially useless. His dim view of the password is informed by experience. Microsoft handles 6.5 trillion cybersecurity incidents each year, with spam email, scams and phishing schemes making up most of those attacks. In fact, Arsenault explained that email-based and password-based hacking is responsible for everything from simple to highly complex fraud attacks.

While Microsoft aims to eliminate passwords entirely, other tech companies simply want their customers to rely on them less. Google has been looking into using USB key fobs to provide a second factor of authentication for logging in. And Cisco acquired dual-factor authentication startup Duo last year to move toward two-factor authentication for its customers.

But if everyone who’s anyone seems to know passwords are hardly ideal, why does that security method still have life? First, passwords are easy to deploy and use, and people are simply used to them — in history, science and most other things, inertia is a very forceful factor, as ironic as that might seem. Look around and you’ll find quotes and writings from top people in the worlds of payments and commerce who say they’ve known for years — six to 10 seems to be the common range — that passwords are obsolete. And while password technology is pretty cheap and simple, the costs of data breaches are changing that calculation.

Human Nature

That’s not all that works in favor of the password.

Human nature being human nature, it can take some time for the mainstream – or, if you prefer, a critical mass – to start to feel comfortable with newer, better technologies. That certainly applies to biometrics. While there are mounting indications that consumers have started to view fingerprints as more than something related to police and crime (think about all those fingerprint scanners on smartphones and laptops), when it comes to facial recognition and other biometrics, there is a backlash brewing, one centered around concerns about privacy and misuse by authorities. As well, these newer technologies have yet to be perfected, at least to the point that they can be reliably used by the mainstream for multiple and vital tasks.

One writer about online security and post-password technologies put it like this: “Despite its many flaws, the one thing that the humble password has going for it over technically superior alternatives is that everyone understands how to use it. Everyone.”

Price of Passwords

Yes, but the price of the password is increasing, a trend that seems pretty much certain to continue.

Cyberattacks are a massive problem for organizations today, and the threat is only growing larger. IBM data said the average cost of a data breach is $3.86 million, with U.S. companies experiencing an even higher average of $7.91 million.

It can’t all be blamed on passwords – but then, there are recent instances of how easily those tools can be compromised. For instance, in March, news broke that the passwords of between 200 million and 600 million Facebook users were stored in plain text and were searchable by thousands of Facebook employees for years. One unnamed source at Facebook said the company is still trying to figure out what was exposed and for how long, but that the problem could go back to 2012.

An analysis via found “that if you have just a handful of online accounts – six to 10 – you have a 9 percent chance of a data breach. That doesn’t sound too bad. However, if you have 100 or more online accounts, the probability jumps to 30 percent.” It’s not unreasonable to assume that a consumer with that many accounts secures many (or most) of them via passwords – and uses the same password for multiple accounts. Human nature, after all, is human nature.

So, as you prepare your pirate lingo, eyepatches and parrots for September, take a moment today to think about the enduring password, and what you can do to at least make your own passwords stronger. That’s the whole spirit of this artificial but useful day of commemoration.


