The Static Password Dinosaur – And Why It Should Be Extinct

Millions of companies around the world have been caught up in the online business explosion. The breakneck speed with which the internet has changed the face of customer interaction has resulted in an absolute shift in how businesses operate – there’s a massive, brand-new emphasis on social sharing, a scramble for data capture, and an absolute reliance on flawless user experience.

The backbone to all of these developments has always been security. Without a safe way to share data and conduct financial transactions, online business (both in terms of individual firms and in a wider, more general sense) would crumble rapidly. A rising tide of cybercrime has swelled lately, commensurate with the number of businesses clamouring to trade over the internet – and quite often, it’s this rapid, unthinking, sometimes complacent expansion that enables the criminals to exploit organisations and their consumers.

From the first ever password, to now

An example of this complacency is passwords. Passwords have been in use since computing was in its embryonic stage (ignoring the passwords used by the Roman military), when MIT’s Compatible Time-Sharing System would request a login and refrain from printing the sensitive access code. This code would have been known by an individual or a group of individuals.

This was perhaps secure enough for the time, but staggeringly little has been done to advance the state of password security since 1961. We’re essentially relying on a foundation laid over half a century ago, and entrusting this primitive system with huge chunks of our very personal data.

How many passwords is too many passwords?

One of the things that has changed is the number of passwords people use. Estimates put that figure at anywhere between 10 and 30 passwords, and it is not uncommon for a modern worker to use a dozen in a working day. Each password may be theoretically secure, but by increasing the strain on the human in control of them, the system as a whole becomes fundamentally weaker.

Many people re-use passwords across the enormous number of services they rely on for modern life. Often these passwords will be easily memorable – which can mean easily guessable. And when passwords are used across services, data is gradually connected, making an individual’s login details a much more lucrative catch for cyber criminals.

Your duty, both to your business and its customers

But the other, and arguably more important, change that has taken place is the absolute reliance on security. A data breach now represents a shocking and incredibly damaging blow to your business, and usually an unwitting boost to your competitors.

Consumers seek reassurance that their data is secure in your hands, and even the slightest whiff of impropriety or complacency could send them scattering. Security is definitely a competitive differentiator, especially in crowded marketplaces where loyalty must be earned.

Is there a solution to the static password problem?

So we’ve identified that data breaches can crush a business, and that static passwords are outdated and put your customers at risk. But what can be done about it, when this primitive technology is so entrenched in online business? The simple answer is called “strong authentication”.

This is a general term, which has only recently been codified in Europe but which can refer to a variety of technologies that allow customers to interact with online businesses at much lower risk from cyber criminals. Dynamic passwords, also referred to as one-time passwords (OTPs), are disposable logins that are generated each time the user wishes to be authenticated. This generation happens either in software or on a dedicated piece of hardware that calculates a strong, single-use code.

An emerging solution to a decades-old problem

One thing that is particularly interesting about the state of password security is the growing gulf between industry leaders and the bulk of online services. Each year, the high-end security methods become more and more sophisticated – people who bank with Barclays will be familiar with PINsentry, and employees of large organisations might have similar password fobs that strengthen security at their place of work. The fact that people have become accustomed to this level of security makes static passwords, sometimes transmitted in clear text, even more ridiculous in today’s cybercrime landscape. But most importantly it suggests that consumers are prepared for change that makes their data more secure – and it’s up to providers to meet their expectations.

Again, complacency

The industry is facing widespread apathy when it comes to replacing ageing authentication systems with anything more modern. One of the key reasons cited for not updating is money – budgetary restraints are slashing IT budgets across the world, and it may be hard to explain the return-on-investment to more short-term planners. Most website owners don’t comprehend the importance of this level of security until they and their customers are attacked by cyber criminals, and by that point the damage is done.

Lack of expertise is another reason commonly offered by companies whose leaders resist the rise of dynamic passwords and strong authentication. But with growing understanding, widespread information campaigns and – perhaps most importantly – high-profile and damaging cases of fraud against online businesses, this knowledge gap is closing.

Look to the cloud

Cloud authentication is one of the easiest ways to apply modern OTP security to existing or new online businesses. Commonly used cybercriminal tactics such as phishing and pharming are thwarted overnight, and weak static passwords thought up by your users are swiftly replaced by a more robust system.

Even against the pressures outlined above, cloud authentication is an effective and attractive proposition for most organisations. It requires no dedicated resource, and all stages of the authentication process are taken care of by the hosted system. It takes the sting out of the up-front cost and replaces it with a pay-as-you-go model – much better in terms of return on investment, and an inherently marketable asset that can be used to cultivate customer loyalty in the long term.

Your users are lazy. Don’t copy them

One of the essential factors in authentication systems that we often overlook is the fundamental fallibility of human beings – in this case, our tendency to find the path of least resistance rather than the safest, the most secure or the most effective. Customers are resistant to measures that they perceive to be a hassle or a waste of time.

It’s a lot like walking through town – the local authority spends millions each year installing pedestrian crossings, but still people take the chance and run across busy roads to shave seconds off their journeys.

And from your business’s point of view, it’s essential that your authentication system meets the expectations of your consumers in terms of security and convenience. Cloud authentication does precisely this, with the added benefit of a strong financial argument.

For more information on VASCO and their products, click here.
