July 21, 2019

Are Passwords Becoming Passe? How your organization can improve your password posture

Mark Arnold

Passwords are probably the weakest point in any corporate network. Weak passphrase choices, unauthorized sharing of credentials, and an inexplicable willingness to hand login details to third parties all trace back to the password itself.

Pew Research found that 39% of users reuse the same password across multiple services, and 18% admit to physically writing passwords down. By 2022 it is estimated that each of us will have around 300 passwords to remember, so these problems are only likely to worsen.

This will not be news to IT managers. 69% of British businesses already issue guidance about acceptable password complexity, and in the US the National Institute of Standards and Technology (NIST) publishes password guidelines for organizations (SP 800-63B, which notably recommends screening candidate passwords against lists of breached and common passwords rather than enforcing composition rules and periodic rotation). But no matter how long and complicated a password is, we still cannot seem to stop users writing it down or sharing it.
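The following is an added example, not code from the article or from NIST, showing what an SP 800-63B style acceptance check looks like in practice: minimum length, a breach/common-password blocklist, context-specific words, and repeated or sequential runs, with no composition rules. The blocklist is a constructed stand-in for a real breach corpus, and the `context_words` parameter and reason strings are this example's own choices.

```python
"""Password acceptance checks in the style of NIST SP 800-63B section 5.1.1.2.

Added example, not from the original article. Rejects secrets that are too
short, appear on a breach/common-password list, contain context-specific
words, or consist of repeated or sequential characters. It deliberately
imposes no composition rules (upper/lower/digit/symbol) and no rotation
policy, which 800-63B advises against.
"""
import re
import unicodedata

# Constructed stand-in for a breached-password corpus; a real deployment
# would query a breach service or a locally held list.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1", "iloveyou"}

MIN_LEN = 8     # 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 128   # our cap; 800-63B says verifiers should accept at least 64


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so visually identical strings compare equal (800-63B)."""
    return unicodedata.normalize("NFKC", secret)


def has_repeated_run(s: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def has_sequential_run(s: str, run: int = 4) -> bool:
    """True if `run` consecutive characters step by +1 or -1 (e.g. 'abcd', '4321')."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(candidate: str, context_words=(), blocklist=BREACHED):
    """Return an empty list if the candidate is acceptable, else the reasons it is not."""
    secret = normalize(candidate)
    lowered = secret.lower()
    reasons = []
    if len(secret) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if len(secret) > MAX_LEN:
        reasons.append("longer than %d characters" % MAX_LEN)
    if lowered in blocklist:
        reasons.append("appears in breached/common password list")
    for word in context_words:
        # user name, company name, service name: trivially guessable
        if word and word.lower() in lowered:
            reasons.append("contains context-specific word '%s'" % word)
    if has_repeated_run(secret):
        reasons.append("repeated characters")
    if has_sequential_run(secret):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for pw in ["password", "abcd1234", "Navisite2019", "correct horse battery staple"]:
        print(pw, "->", check_password(pw, context_words=["navisite"]) or "OK")
```

Note that a long passphrase of ordinary words passes, while a short "complex" string that happens to be on the breach list does not; that inversion of the traditional complexity rule is the point of the NIST guidance.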

But we’ve tried to kill the password before…

There are, of course, effective alternatives to passwords. Smart cards and physical tokens are conceptually very effective: if a user needs a smart card to open the office doors, it makes sense for the same card to unlock their workstation.

But these systems have never gained mass adoption, partly because employees keep forgetting to bring their smart cards to work. The time wasted granting temporary access around a hardware-controlled system is unacceptable, and the temporary-access path itself becomes the weak point, which means that an extremely effective security control can be undermined through basic human negligence.

Taking a lead from consumer electronics

Biometric security has long been touted as a potential solution to the problem of passwords, and it seems as though technology has finally matured to the point that corporate deployments make sense. Users are also increasingly familiar with the concept and operation of these authentication methods.

In fact, smartphones have helped revolutionize authentication techniques. Back in 2011, more than half of users did not use a PIN code or password on their tablet or phone because it was considered too inconvenient. Subsequent software and hardware updates have helped resolve that situation, first by enforcing PIN codes as part of the setup process, and later with reliable and effective biometrics (particularly Touch ID and Face ID).

As a result, users are now familiar with biometric authentication mechanisms. And because their fingerprint or face is the authentication token, they cannot arrive at the office without it. One caveat applies that does not apply to passwords: a biometric cannot be changed if its template leaks, so deployments should keep templates on the device (as Touch ID and Face ID do in the Secure Enclave) and use the biometric to unlock a locally held credential, rather than transmitting the biometric itself to a server.

Just like token-based systems, biometric authentication requires additional hardware. Any organization considering a deployment must account for the increased costs of purchasing, deploying, maintaining and supporting the authentication systems.

Other authentication mechanisms now – and into the future

In the short term, two-factor authentication mechanisms offer a useful way to strengthen password-protected systems without significant investment in new hardware. SMS or push notifications sent to your employees' phones are a cheap and effective way to strengthen password protection, and your workers will already be familiar with the process. Two caveats: SMS codes can be intercepted or redirected by SIM-swap fraud, which is why NIST SP 800-63B classifies phone-network delivery as a restricted authenticator, and push approvals can be worn down by repeated prompts ("MFA fatigue"). Authenticator-app codes (TOTP) avoid the first problem, and FIDO2/WebAuthn security keys avoid both, including phishing of the code itself.

Using a tool like RoboForm, LastPass, or even the password manager built into your web browser provides a way to secure your many logins. You can configure these tools to create a long, complex, unmemorable, unique password for every service and then fill it in automatically. You only have to remember the master password that unlocks the digital 'vault', which makes that one password the single point of failure: it should be long, used nowhere else, and, where the product supports it, protected by a second factor.
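The following is an added example, not code from RoboForm, LastPass or any browser, showing the two things a vault does that the paragraph describes: generate a uniformly random per-service password from the CSPRNG, and stretch the human-chosen master password into a vault key with a slow KDF. It assumes PBKDF2-HMAC-SHA256 from the Python standard library and a constant `"vault-unlock-check"` label for the key-check verifier, both this example's own choices; encrypting the vault contents with the derived key (an AEAD such as AES-GCM from a crypto library) is left out.

```python
"""Password-manager style helpers: unique per-service secrets plus a master-password vault key.

Added example, not code from any password manager. Uses PBKDF2-HMAC-SHA256 from the
standard library; a real vault would go on to use the derived key with an AEAD cipher.
"""
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 printable symbols
PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256
CHECK_LABEL = b"vault-unlock-check"   # example's own constant for the key-check value


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw each character from the CSPRNG (never the `random` module), uniformly over the alphabet."""
    if length < 16:
        raise ValueError("generated secrets should be at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Guessing entropy of a uniformly random string: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def derive_vault_key(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the (human-chosen, low-entropy) master password into a 256-bit key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def create_vault(master_password: str, iterations: int = PBKDF2_ITERATIONS):
    """Return (salt, verifier) to persist. Neither the master password nor the key is stored;
    the verifier only lets unlock() tell a wrong master password from a right one."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt, iterations)
    verifier = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return salt, verifier


def unlock(master_password: str, salt: bytes, verifier: bytes, iterations: int = PBKDF2_ITERATIONS):
    """Return the vault key if the master password is right, otherwise None."""
    key = derive_vault_key(master_password, salt, iterations)
    expected = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return key if hmac.compare_digest(expected, verifier) else None


if __name__ == "__main__":
    pw = generate_password()
    print("per-service password:", pw, "(%.0f bits)" % entropy_bits(len(pw)))
    salt, verifier = create_vault("correct horse battery staple")
    print("unlock with right master:", unlock("correct horse battery staple", salt, verifier) is not None)
    print("unlock with wrong master:", unlock("wrong", salt, verifier) is not None)
```

The iteration count is what makes an offline attack on a stolen vault file expensive; it should be tuned to the slowest client you support, and raised as hardware improves.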

Looking further into the future, authentication methods are set to become a lot smarter. One developing technique whose proponents claim will make passwords redundant is behavioral authentication. These systems apply machine learning to micro-activities to build a detailed model of how a particular user behaves.

On a desktop PC, a behavioral authentication service may monitor mouse movements and typing rhythm. A mobile app may instead collect data about the way the phone's owner moves as they walk. The fine details of these actions are distinctive enough to serve as a reliable complement to biometrics, and in some deployments as an alternative. If activity deviates too far from what the system knows to be "normal", the user is denied access to network resources; the threshold for "too far" is a tuning decision, since a tight threshold locks out the legitimate user after a bad night's sleep and a loose one lets an impostor through.
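The following is an added example, not code from any behavioral authentication product, showing the mechanics of the keystroke-dynamics case on a small scale: enrol a user from a few timed typings of a fixed phrase, model each timing feature as a mean and spread, and score a new attempt by how far it deviates. A simple per-feature z-score stands in for the machine-learning model a real product would use. All timings are constructed (milliseconds), and the phrase, feature set and threshold of 2.0 are this example's own choices.

```python
"""Toy behavioural authentication from keystroke dynamics.

Added example, not from any product the article mentions. Features are dwell time
(how long each key is held) and flight time (gap between releasing one key and
pressing the next). The profile is a per-feature mean and standard deviation; an
attempt is scored by its mean absolute z-score and rejected above a threshold.
"""
from statistics import mean, pstdev


def make_sample(keys, dwells, flights):
    """Build (key, press_ms, release_ms) events from per-key dwell and inter-key flight times."""
    events, t = [], 0
    for i, key in enumerate(keys):
        events.append((key, t, t + dwells[i]))
        t += dwells[i] + (flights[i] if i < len(flights) else 0)
    return events


def features(events):
    """Dwell time per key followed by flight time between consecutive keys."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


class KeystrokeProfile:
    def __init__(self, enrollment_samples):
        vectors = [features(s) for s in enrollment_samples]
        if len({len(v) for v in vectors}) != 1:
            raise ValueError("all enrollment samples must type the same phrase")
        self.mu = [mean(col) for col in zip(*vectors)]
        # floor the spread at 1 ms so a perfectly consistent feature cannot divide by zero
        self.sigma = [max(pstdev(col), 1.0) for col in zip(*vectors)]

    def score(self, events):
        """Mean absolute z-score against the profile; lower means more like the enrolled user."""
        v = features(events)
        if len(v) != len(self.mu):
            raise ValueError("attempt does not match the enrolled phrase length")
        return mean(abs(x - m) / s for x, m, s in zip(v, self.mu, self.sigma))

    def is_owner(self, events, threshold=2.0):
        """threshold trades false rejections (too low) against false acceptances (too high)."""
        return self.score(events) < threshold


# Constructed enrollment data: five typings of the same four-key phrase by the owner.
KEYS = list("navi")
ENROLLMENT = [
    make_sample(KEYS, [90, 95, 85, 100], [120, 130, 110]),
    make_sample(KEYS, [88, 92, 90, 97], [125, 122, 118]),
    make_sample(KEYS, [95, 90, 80, 104], [115, 135, 112]),
    make_sample(KEYS, [85, 98, 88, 99], [130, 118, 121]),
    make_sample(KEYS, [92, 94, 86, 101], [118, 128, 115]),
]
# Constructed attempts: the owner again, and someone who presses faster but pauses longer.
OWNER_ATTEMPT = make_sample(KEYS, [91, 93, 87, 98], [122, 126, 116])
IMPOSTOR_ATTEMPT = make_sample(KEYS, [55, 60, 58, 62], [240, 260, 250])


if __name__ == "__main__":
    profile = KeystrokeProfile(ENROLLMENT)
    for name, attempt in [("owner", OWNER_ATTEMPT), ("impostor", IMPOSTOR_ATTEMPT)]:
        print(name, "score=%.2f" % profile.score(attempt), "accepted" if profile.is_owner(attempt) else "rejected")
```

Even this toy shows why such systems are usually a complement rather than a replacement: five enrollment samples give a narrow spread, so a legitimate user typing on an unfamiliar keyboard can score as an outlier, and a real deployment needs far more enrollment data plus a fallback factor.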

In order to boost baseline levels of security, your business needs to be seriously considering how to complement or replace passwords in the near future. To learn how Navisite can help your organization secure its environment please get in touch. For more information on cloud security in general, click here or call (888) 298-8222.

About Mark Arnold

Mark (CISM, CISSP, GWAPT, GXPN, Ph.D.) brings 20+ years of security leadership experience to Navisite. Previously, Arnold served in various security roles at Optiv, PTC, Thermo Fisher Scientific, Computershare, TJX, and the boutique security firm @stake. Mark oversees managed security services, the security and compliance product roadmap, and security strategy development. Mark is also active in the security community. He currently serves on the advisory boards for the SOURCE Conference (content and speaker management), OWASP Boston, and InfoSecWorld. Besides holding industry certifications, Mark has degrees from Stanford University (B.S.EE), Princeton Theological Seminary (MDiv), and Harvard University (Ph.D.).