Decades ago, just having an alphanumeric password with a reasonable length was adequate. Now, you can’t use the same password in multiple locations, must change your password several times without using ones from recent months, and they must contain special characters and uppercase letters. Passwords are an annoyance that frustrates users and administrators alike. You’re not supposed to write down your password, but how are you supposed to keep 20, 30, or 40 passwords to various locations without forgetting them? It’s time to get rid of passwords, and some companies are finding innovative ways to ensure protection without traditional authentication methods.
Passwords and Complexity
As an administrator, you probably require your users to change their passwords frequently. They need a password to log in, passwords to access certain resources, and passwords to access external vendor sites. Users have an average of 7 passwords, and most administrators ask them to change their password without the ability to use the same one within 5-6 changes. This means that the user must remember 7 new passwords each month.
We even tell users that they can’t use common passwords that are too easily guessed. Popular names, birthdates or locations shouldn’t be used, so we leave users with the option to create complex, hard-to-remember passwords that they can easily forget. Users turn to password variants such as “f00tball”, “f00t4ll” and “F00tball.”
In addition to password complexity, we also tell them that they can’t write them down or keep record of them where a hacker can access the system. This means that users are forced to remember, reset, and possibly forget recovery security questions where they can’t access the system without an administrator’s help.
The whole process leaves frustrated users and administrators with too much overhead. If you have hundreds of users to support, the overhead is overwhelming and takes too much time from helpdesk personnel. Finally, administrators must enforce account lockouts after failed password attempts to protect against brute-force attacks. The user gets 3-4 attempts and is locked out if all of them fail.
Finding Ways to Authenticate Users without Passwords
Technology leaders have already come up with some ways to use smartphones in place of passwords. The technique may look insecure, but using a smartphone for authentication ensures that the user has the device in hand. This, of course, does not ensure the phone isn’t stolen, but biometrics can be combined with smartphones to address that.
Google and Yahoo have already incorporated smartphone logins into their systems. Windows 10 includes facial recognition software, so a system can scan facial features for authentication. Some researchers have created a system that recognizes keystroke behavior habits: the cadence of your typing is used to identify you.
These new methods have traditionally been used in addition to regular passwords, which adds a layer of security. Two-factor authentication filters out attacker attempts by requiring the user to enter a PIN sent to their own device.
With new authentication technology, administrators could provide better security with fewer hassles in the future. Although passwords probably won’t be retired soon, let’s hope that they are soon replaced with better, more convenient methods of authentication.