Passwords are Passé

If access to your software system still needs a password, you should reconsider it.  Because, a password-free world is safer – both, for individual privacy as well as for content safety. Moreover, there are better solutions such as two-factor authentication and time-limited one-time verification codes.  These keep you more secure and are often less administratively cumbersome.

The origin and rise of passwords

The use of passwords to login to a system is an established idea.  However, as much as it seems to “protect”, in today’s day and age, it also compromises your security.  This is partially because of human nature and partially because the technology to crack passwords is easily available and pervasively known.  Hacking simple and commonly used passwords is the easiest way into someone’s bank account, impersonation of identities and a potentially dangerous compromise of identity and financial safety.  The key idea here is that People are careless with passwords.  Hackers are sophisticated with compromising passwords.  This is a double whammy and can expose content, people, intellectual property, financial information and other personal information vulnerable to being misused for nefarious purposes.

Human reasons for passwords to be generally weak

Our human tendency to keep “memorable” passwords and use sentimental hinges like one’s partner’s name, pet’s name etc. has been proven again and again to be rampant.  All the education in the world isn’t able to shift the needle on getting people to use rigorous passwords.  There is “laziness” to overcome.  While sites insist on using a mix of capital and small letters, numerals and punctuation in a single password, people then resort to the lazy approach of using exactly one such password across all sensitive (or “fussy”!) sites.  So much for ensuring strong passwords!  Now, all that a hacker needs to do is get hold of one such password – and it is Open Sesame into all the financial and legal portals of that person’s life!  It doesn’t help that most people’s “strong passwords” have strings like abc, 123, 2000 etc. in them to aid memory.

Here are some telling statistics about people’s password security measures:

• 59% of organizations rely on human memory to manage passwords. (Ponemon Institute)
• 66% of Americans use the same password across multiple online accounts. 
• 24% of Americans have used the word “password,” “Qwerty” or “123456” as their password. 
• 75% of Americans say they feel frustrated trying to maintain and keep track of their passwords. 

[These statistics are courtesy of Panda Security.]

In countries where the education on these matters is lesser, or where English is secondary, these problems are further exacerbated.

What is the impact of weak passwords and strong hackers?

Password breaches and the impact of those breaches are more pervasive and deep than we might think.  Here are some statistics on this:

• In 2020, data breach costs took up 39% of an organization’s budget more than a year after the breach. (IBM)
• 80% of hacking-related breaches are caused by stolen and reused credentials. (Verizon)
• Brute-force hacking tools are sold on criminal marketplaces for just $4 on average. (Digital Shadows)
• 47% of hacked Americans have lost money as a result of hacking. (Google)
• 52% of data breaches were caused by malicious attacks, and each breach costs an average of $4.27 million. (IBM)

It is therefore important to note that individuals as well as organizations have much to lose if password privacy measures are not implemented in a strict manner. It also bears to be noted that even secure systems can get hacked and the damage to security of one system can have an impact on several others (e.g. password to a SaaS website might be stolen and reused in a bank account!).  SaaS platforms need to be especially careful about this since their users are not validated by backend operations by humans.  Not only is individual privacy compromised, on content platforms, valuable content IP too is put to risk due to irresponsible password management.  It is best to just avoid passwords overall in any platform you choose for your content distribution.

The better alternative to passwords

Two-factor authentication and one-time-passwords (OTPs) are better mechanisms to ensure online authentication security.  Two-factor authentication is appropriate for high-security systems.  For simpler SaaS systems, an OTP is the ideal middle path for balancing security and ease of use.  WIth OTPs, only properly authenticated users will be able to access the application, as the password is generated real-time and sent to a validated email address.  Only valid users of that email can then login to their SaaS applications, such as Kytes. 

OTPs have some hidden advantages over traditional password-based authentication.

1. No storing of passwords – either by the application system or on the users’ system
2. No need for password administration loops – no question of forgotten passwords, no reset delays, no getting locked out after ‘x’ number of attempts
3. Easier for users – they never need to remember or manage passwords for this app
4. No housekeeping of accounts of people who have left the organisation – they get auto-locked out of the application, since they no longer have access to the organisation’s email account.  No access to org email implies, no access to associated SaaS applications which use that email address to send OTPs!
5. Personal data, as well as content, are safe
6. OTPs themselves do not risk being compromised, as they are time-limited in validity

 
In Kytes, you login with any email address of your choice (with the OTP provided), or just use Google for convenient one-click login.