Passwords Are Not Dead; There Are 90 Billion of Them, Report Says

The Total Number of Passwords Will Likely Grow from Approximately 90 Billion Today to 300 Billion by 2020, Report Says

There are 90 billion instances of something-you-know (that is, some flavor of the password mechanism) being used around the globe as the primary form of protecting cyber secrets today. This is a huge attack landscape that is frequently broken; but despite repeated claims that the password is dead -- for example, by Bill Gates in 2004, by IBM in 2011 and by Google in 2013 -- passwords show no sign of going away.

This is the conclusion of a new research report (PDF) from Cybersecurity Ventures and Thycotic. Not only is the password here to stay for the foreseeable future, its use will increase by threefold to around 300 billion instances by 2020. "Passwords are absolutely not dead -- they are not even declining -- and there is currently no technology that is replacing them," explains Thycotic's Joseph Carson, co-author of the report. "The current rate of growth is significant and the threat landscape for passwords will, by 2020, be three times what it currently is."

That growth will be fueled by more people coming online, by more people using social media logons and generating 'hidden' passwords in the process, and perhaps above all by the internet of things.

Part of the study included examining alternative technology that could replace passwords, such as biometrics. "We could find nowhere that biometrics have ever replaced passwords," said Carson. "They have complemented passwords, but have never replaced them. And they bring their own problems: processing power, storage costs, potential data protection issues (because they identify an individual rather than the possessor of an item of knowledge), and because they cannot be changed once compromised."

Carson is not a supporter of biometric authentication. "Once my fingerprint is disclosed, I can no longer use it. For example, the DHS collects all fingerprints during immigration. If they were ever breached and the fingerprints were disclosed, you would never be able to use any of your fingers again as a method of authentication." The same problem, he added, exists with retina and facial biometrics. "Many facials can be broken by using videos or recordings. So biometrics are good; but once they're compromised you can never use them again." Some are simply unreliable. "Heart rate and pulse, voice and others, can be impacted by the environment -- such as altitude, current health etc. Or you could injure an eye or finger and you always get back to the back-up -- the password."

Carson's argument is that if passwords are here to stay and there is no technology currently capable of replacing them, they need to be better supported. "Passwords are good," he said. Provided they are done correctly, "they work and are effective." But they can always, eventually, be broken by brute force computing power, "so depending on the sensitivity of what you are protecting, you will need to consider additional protections on top of the password."

So there are two ways forward: to improve the use of passwords at the user level, and to support the operation of passwords at the system level. He advocates the use of password managers to offset user password fatigue, and he believes that where multi-factor authentication is used, it should be mandated, not simply recommended. "We found in a separate study that in 2016 less than 10% of people and companies are actually managing their passwords, so this needs to be done more effectively and more efficiently."

One increasingly popular option that Carson rejects is the use of social media logons to simplify user effort. Counter-intuitively, it increases the number of passwords in play, increases the threat level, and can have privacy implications for the user. "When we visit an airport or hotel or anywhere else that offers wifi that asks 'would you like to login using your Facebook account?' and we say yes, then it creates an application password in the background. Whenever this happens," he warns, "all those sites and applications can continuously profile the information in our social media account. Most people don't realize or know about that. But now we're creating this continuous growth of application passwords that don't expire, that don't change, but have continuous access to our data -- and there is no easy way to revoke them. Single sign on and social media is a convenience, but from a security perspective it is a major security risk. Those application passwords can be obtained by attackers and used against us."

One of the problems is that there is little consistency in either recommendations or options. For example, in September 2015 the UK's GCHQ issued password guidance that included, "Regular password changing harms rather than improves security, so avoid placing this burden on users."

"GCHQ's recommendations are good in one sense," said Carson, "but they differ from Australia's recommendations, they differ from security researchers' recommendations, and in the end, they just add to the global inconsistency. We really need a global collective approach. Right now there is too much inconsistency regarding policies, and multi-national companies end up having to deal with multiple national password policies. Personally, I'm more of a mandate person. Recommendations are good, but unless they are mandated, nobody really takes it seriously."

At the system level, he believes that we will begin to see behavioral analytics increasingly being used to support passwords. "I'm not a big fan of things that use my physical ability as a measure of behavior," he said, "but I do like things based on predictability. Humans are by nature repetitive -- we tend to do the same things many times. For example, when we access an application or service we typically use the same browser from mostly the same location and we generally open applications in the same order -- so we tend to have a repetitive behavioral pattern. If this pattern changes, then that means there should be a challenge to verify that we really are who we say we are." Identity systems could be used for this, and Carson is a firm believer in government-controlled identities.

"If the challenge comes back with a valid response then the new behavior can be added to the behavioral pattern. Behavioral analytics will become a major and important part of complementing passwords in organizations' future security posture."
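The step-up logic Carson describes, as an added illustration that is not code from the report or from Thycotic: each user's habitual (browser, location) pairs form a baseline, a login that deviates from it gets a challenge rather than a block, and a correctly answered challenge adds the new behavior to the baseline. The class and function names, and the policy of challenging a user with no baseline yet, are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    """One observed login attempt (hypothetical record shape)."""
    user: str
    browser: str
    location: str


class BehaviouralGate:
    """Returns 'allow' or 'challenge' per login and learns from verified
    challenges. Only the decision logic is modelled; the second factor
    (e.g. an MFA prompt) is assumed to be verified by other code."""

    def __init__(self):
        # user -> set of (browser, location) pairs seen and verified
        self.profiles = {}

    def evaluate(self, ev: LoginEvent) -> str:
        known = self.profiles.setdefault(ev.user, set())
        # No baseline yet, or a pattern not seen before: step up to a
        # challenge instead of refusing outright (assumed policy).
        if (ev.browser, ev.location) not in known:
            return "challenge"
        return "allow"

    def challenge_passed(self, ev: LoginEvent) -> None:
        """Call only after the challenge response was valid; the new
        behavior then becomes part of the user's repetitive pattern."""
        self.profiles.setdefault(ev.user, set()).add((ev.browser, ev.location))


def run_demo() -> list:
    """Feed constructed sample logins through the gate and return the
    decision sequence; every challenge is assumed to be answered correctly."""
    gate = BehaviouralGate()
    events = [  # constructed sample data, not real logins
        LoginEvent("alice", "firefox", "office-lan"),
        LoginEvent("alice", "firefox", "office-lan"),
        LoginEvent("alice", "chrome", "hotel-wifi"),
        LoginEvent("alice", "chrome", "hotel-wifi"),
    ]
    decisions = []
    for ev in events:
        decision = gate.evaluate(ev)
        decisions.append(decision)
        if decision == "challenge":
            gate.challenge_passed(ev)
    return decisions
```

In a real deployment the baseline would carry more signals (the application-opening order Carson mentions, device identifiers) and would age out entries, so that a compromised habit does not stay trusted forever.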

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high-tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.