Actually, There is a Simple Solution for Password Reuse
Earlier this month, in a post on Kaspersky Lab’s Threat Post, the well-known security writer Tom Spring shared his thoughts on the problems that our collective bad habit of password reuse will surely bring. Tom is right that our habit of relying on a few passwords to manage the complexities of our online lives sets the stage for massive breaches, data loss, and what he calls a “virtual crime wave.”
As he outlines in the article, “[t]he average number of accounts registered to one email account for 25-34 year olds is more than 40…And on average, users had only five different passwords for those accounts.” And therein lies the problem – once an attacker has breached one account, they have in fact breached many. That increases their haul of financial information and personally identifiable information, lets them assemble a complete profile (a far more valuable record for sale on the black market), and introduces more people to the misery of reclaiming their identity both online and in the real world.
But where I disagree with Spring is his assertion that there is no simple fix, either for poor password configuration or for password reuse. In the article he looks to the traditional alternatives – hashing, salting, and two-factor authentication (2FA) – all of which merely slow attackers down and do not remediate the underlying problem of password insecurity. Even password managers, which might seem to be a solution, are not immune from breach, as he rightly points out. In the end they create a storehouse of prime information that is replicated across all of a user’s devices, where that data can be compromised with little effort. Case in point: last year’s LastPass breach.
The problem with all these alternatives is that they are not based on next-generation authentication technologies. If you take a hard look at solutions that embrace adaptive, context-aware and dynamic parameters as part of their architecture, and that are built around out-of-band, multi-channel and bi-directional authentication flows, that is where you will find the solution. Then, if you can add features that let companies hide the credentials from the users themselves and place location, date, and time constraints on their use… then you have a comprehensive solution.
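To make the “constraints on credential use” idea concrete, here is an added example (not code from the post or from any vendor it refers to): a small policy evaluator that decides, from the context of a login attempt, whether a stored credential may be used directly, must first be confirmed out of band, or is refused outright. The field names, the three outcomes and all sample values are my own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class CredentialPolicy:
    """Constraints attached to one stored credential (hypothetical schema)."""
    allowed_countries: frozenset   # where the credential may be presented
    start_hour: int                # inclusive start of allowed UTC window
    end_hour: int                  # exclusive end of allowed UTC window
    not_after: datetime            # credential expires at this instant


@dataclass(frozen=True)
class AuthContext:
    """What the relying party knows about the attempt (constructed input)."""
    country: str
    when: datetime                 # timezone-aware UTC timestamp
    device_known: bool             # device previously enrolled by the user


def evaluate(policy: CredentialPolicy, ctx: AuthContext) -> str:
    """Return 'allow', 'step_up' (out-of-band confirmation) or 'deny'.

    Hard constraints (expiry, geography) deny; soft ones (time window,
    unknown device) fall back to an out-of-band confirmation channel
    rather than releasing the credential.
    """
    if ctx.when > policy.not_after:
        return "deny"                      # expired credential is never usable
    if ctx.country not in policy.allowed_countries:
        return "deny"                      # outside the permitted locations
    in_window = policy.start_hour <= ctx.when.hour < policy.end_hour
    if in_window and ctx.device_known:
        return "allow"
    return "step_up"                       # off-hours or new device: confirm first


if __name__ == "__main__":
    # Constructed policy: US only, 08:00-18:00 UTC, expires end of 2016.
    policy = CredentialPolicy(frozenset({"US"}), 8, 18,
                              datetime(2016, 12, 31, 23, 59, tzinfo=timezone.utc))
    attempts = [
        AuthContext("US", datetime(2016, 6, 1, 10, tzinfo=timezone.utc), True),
        AuthContext("US", datetime(2016, 6, 1, 23, tzinfo=timezone.utc), True),
        AuthContext("US", datetime(2016, 6, 1, 10, tzinfo=timezone.utc), False),
        AuthContext("RU", datetime(2016, 6, 1, 10, tzinfo=timezone.utc), True),
        AuthContext("US", datetime(2017, 1, 2, 10, tzinfo=timezone.utc), True),
    ]
    for a in attempts:
        print(a.country, a.when.isoformat(), a.device_known, "->", evaluate(policy, a))
```

Because the user never sees the credential, the only thing a reused or phished password buys an attacker is an attempt that still has to pass these checks, which is exactly the point the paragraph above makes.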
And we have to be honest and admit that we are not going to change human behavior. No matter what companies advise or how much training an employer requires, when it comes to the trade-off between convenience and security, we choose convenience, whatever the consequences. So what we need to do is put in place solutions that take this reality into account.
Before you throw your hands up in exasperation and frustration that there is no such solution that balances security and convenience, watch this short video; I think you will find there is a simple solution to the password reuse problem.