November 17, 2023

4 Reasons Why Passwords Are NOT Reliable Anymore

This article was originally published on 17 November 2023 and has since been updated with new content.

Are passwords as secure as we once thought? In today's ever-evolving digital world, relying solely on passwords to safeguard our information may no longer be enough. From cyberattacks to data breaches, there are four key reasons why passwords are no longer as reliable as they used to be. Stay informed to protect yourself in this increasingly complex online world.

Contents

1. The fundamental flaw of passwords
2. The password length issue
3. (Not just) Passwords are a common cause of data breaches
4. Both passwords and traditional PAM tools are things of the past
The way forward is Zero Trust, passwordless, and keyless
Conclusion
FAQ

1. The fundamental flaw of passwords

All passwords share a single element that makes them ultimately susceptible to being stolen and abused.

What is this mystery element, you ask?

It’s us – human users.

But how come?

Over 75% of targeted cyberattacks don't start with finding a weakness in the security architecture.

They start with an email address.

Attackers find ways to phish key users' login credentials and gain control from the inside. All it takes is one human error in the midst of someone's hectic work day.

You have to regularly change your passwords and you cannot use the same or similar password as before. You also shouldn’t use the same password for various accounts.

It’s a password mayhem.

And let’s be honest, do you really use a unique username and password for all your work-related as well as personal accounts?


2. The password length issue

Think about the history of password lengths. First, the standard was 6-character passwords. Then the minimum went up, and you also had to add capital letters and numbers.

Now it’s all the way up to 13 characters, with capital letters, numbers, and special characters.

Attackers constantly develop more sophisticated tools and techniques for cracking passwords. This includes the use of more powerful hardware, like GPUs and purpose-built cracking rigs, which can perform billions of password guesses per second.

And it just gets worse.

Though still in its early stages, the potential future use of quantum computers could drastically reduce the time needed to crack even the most complex passwords.

Spoiler: longer passwords are not the solution.
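As an added illustration of the length-versus-cracking-speed argument in this section (example code, not part of the original article), this Python calculator compares the search space of the three policy generations described above against a "billions of guesses per second" offline cracking rate, and contrasts it with a human-chosen 13-character password built from two dictionary words and two digits. The 8-character length of the middle policy, the 10 billion guesses per second rate and the 10,000-word dictionary are assumptions, not figures from the article.

```python
import math

# Character-set sizes used by the policies the article walks through.
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# (charset size, length). The middle policy's length of 8 is an assumption; the article
# only says the minimum "went up" when capital letters and numbers were added.
POLICIES = {
    "6 lowercase": (LOWER, 6),
    "8 mixed case + digits": (LOWER + UPPER + DIGITS, 8),
    "13 mixed case + digits + specials": (LOWER + UPPER + DIGITS + SPECIAL, 13),
}

def keyspace_bits(charset: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly at random from charset^length."""
    return length * math.log2(charset)

def expected_crack_seconds(charset: int, length: int, guesses_per_second: float) -> float:
    """Mean time for exhaustive offline search: on average half the keyspace is tried.
    Assumes a fast unsalted hash and no rate limit; online guessing is far slower."""
    return charset ** length / 2 / guesses_per_second

def human_password_bits(dictionary_size: int, words: int, digits: int) -> float:
    """Entropy of a 'Word1Word2'-style password: dictionary words plus digits.
    The length looks policy-compliant, but the search space is the word list,
    not chars^length, which is what makes dictionary attacks work."""
    return words * math.log2(dictionary_size) + digits * math.log2(10)

def policy_report(guesses_per_second: float = 1e10) -> dict:
    """Per policy: (bits of entropy, expected years to crack at the given rate)."""
    return {
        name: (round(keyspace_bits(c, n), 1),
               expected_crack_seconds(c, n, guesses_per_second) / SECONDS_PER_YEAR)
        for name, (c, n) in POLICIES.items()
    }

if __name__ == "__main__":
    for name, (bits, years) in policy_report().items():
        print(f"{name:36s} {bits:6.1f} bits  ~{years:.3g} years")
    # A 13-character password made of two common words and two digits (assumed 10,000-word list):
    print(f"{'two dictionary words + 2 digits':36s} {human_password_bits(10_000, 2, 2):6.1f} bits")
```

The random 13-character policy lands around 85 bits, while the equally long two-word password has about 33 bits, so the length requirement alone says little about what an attacker actually has to search.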

3. (Not just) Passwords are a common cause of data breaches

Now, think about passwords from an organization’s perspective. They are a standard security control used to protect access to an organization’s IT environment.

To keep passwords from being stolen and abused in a data breach scenario, organizations go to many lengths to protect them.

Typically, they use privileged access management (PAM) tools to do this job. And these tools use various processes to secure passwords, mainly vaulting and rotating them regularly.

But imagine vaulting and rotating thousands and thousands of passwords every day – that's a lot of work.

On top of that, passwords are not the only credential that can provide access to an IT environment.

There’s another commonly used credential. Actually, it’s used more often than passwords, and its numbers can go into the millions. The typical ratio is 1 password to 10 of these. Now imagine vaulting and rotating millions of credentials every day – that's a proper load.

No more mysteries. We're talking about SSH keys here.

If you think that managing passwords using traditional PAM tools is complicated and requires a lot of effort, make room for the madness that SSH keys bring into the mix.

Traditional PAM tools claim to manage SSH keys - no problem. But in reality, they manage only around 10-20% of them. (Where’s the other 80-90%? Let’s not go into detail, but if you’re curious about the topic, check out this white paper.)

So, if you’re not managing your passwords AND keys in a holistic and modern way, your organization is at an increased risk of data breaches. In fact, stolen or mismanaged passwords are consistently among the top three reasons for data breaches.
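A defender-side way to get a first count of the SSH keys this section says typically go unmanaged, as an added example (not the article's code, nor any SSH product's): it parses authorized_keys entries in OpenSSH's `[options] keytype base64-blob [comment]` format, fingerprints each key in the same SHA256 form `ssh-keygen -l` prints, and reports keys that unlock more than one account or carry no `from=`, `command=` or `restrict` option. The account names and key blobs are constructed for the sample.

```python
import base64
import hashlib
import re
from collections import defaultdict

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "sk-ssh-ed25519@openssh.com"}
RESTRICTING = {"from", "command", "restrict"}   # options that limit what a key can do
OPTION_TOKEN = re.compile(r'(?:[^,"]|"[^"]*")+')              # one option; commas inside quotes kept
OPTIONS_FIELD = re.compile(r'((?:[^\s"]|"[^"]*")+)\s+(.*)')   # options field, then the key itself

def fake_blob(tag: bytes) -> str:
    """Constructed ed25519-shaped public key blob for the sample (not a real key)."""
    return base64.b64encode(b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + tag * 32).decode()

# Constructed sample: authorized_keys contents for two accounts on one host.
SAMPLE = {
    "deploy": [f"ssh-ed25519 {fake_blob(b'A')} ci@build",
               f'from="10.0.0.0/8,192.168.1.1",command="/usr/bin/backup" ssh-ed25519 {fake_blob(b"B")} backup'],
    "root": ["# legacy admin key", f"ssh-ed25519 {fake_blob(b'A')} ci@build"],
}

def parse_line(line: str):
    """Return (option names, key type, OpenSSH-style SHA256 fingerprint) or None for non-key lines."""
    line, options = line.strip(), ""
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] not in KEY_TYPES:      # a leading options field is present
        match = OPTIONS_FIELD.match(line)
        if not match:
            return None
        options, line = match.groups()
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        return None
    digest = hashlib.sha256(base64.b64decode(parts[1])).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    names = {opt.split("=", 1)[0] for opt in OPTION_TOKEN.findall(options)}
    return names, parts[0], fingerprint

def inventory(files: dict):
    """Map each fingerprint to the accounts it unlocks; report shared and unrestricted keys."""
    accounts, unrestricted = defaultdict(set), set()
    for user, lines in files.items():
        for names, _, fp in filter(None, map(parse_line, lines)):
            accounts[fp].add(user)
            if not names & RESTRICTING:
                unrestricted.add((user, fp))
    shared = {fp for fp, users in accounts.items() if len(users) > 1}
    return dict(accounts), shared, unrestricted
```

Run over the sample, the same key appears under both `deploy` and `root` with no restrictions, which is exactly the kind of entry that never shows up in a password vault.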

4. Both passwords and traditional PAM tools are things of the past

Traditional PAM tools struggle to comprehensively manage access and related credentials.

As mentioned above, they are inefficient from an operational perspective. They manage only a limited subset of passwords and keys. And they do a decent job only when it comes to static credentials. On top of that, traditional PAMs are costly.

Those are just a few reasons.

Now, think about the security needs of a modern business: They want to be efficient, fast, and super secure.

They also want to use cloud infrastructure, which is very dynamic in nature. And traditional PAM tools notoriously struggle to scale with the cloud.

And it’s not just the cloud: organizations are moving away from static, permanent, long-standing credentials towards temporary authentication credentials. They’re migrating away from keys and passwords to short-lived certificates.

The way forward is Zero Trust, passwordless, and keyless

The age of passwords is over. If your company hasn’t caught up to this fact yet, this is your wake-up call.

So, what's the way forward?

Passwordless authentication is the future. Your next step shouldn’t even be looking for a modern PAM solution – it's too late for that. You should look for a comprehensive, holistic, and centralized access and communications solution that covers your access management as well as secure communications.

Key features to look out for include:

  • Just-in-Time and Just-Enough access
  • Passwordless and keyless access
  • Zero Trust architecture
  • Zero standing privileges
  • Full SSH key lifecycle management
  • Session monitoring, recording, auditing, and termination
  • Compliance with industry standards and regulations, like the NIS2 directive
  • Automation features
  • Post-quantum encryption algorithms

Our SSH Zero Trust Suite can do all that and more. Check it out here >>>

Conclusion

Traditional password combinations and password-only authentication are no longer secure in today's digital age. Passwords are less reliable because cybercriminals, hackers, and malware have become more sophisticated. This puts user security and online accounts at risk.

To address these risks, organizations should consider using more secure authentication methods like biometric authentication, FIDO2 passwordless solutions, and two-factor authentication (2FA). These advanced methods enhance security, improve user experience, and ensure compliance with privacy regulations.

Transitioning to these solutions reduces the chances of data breaches and unauthorized access. Strong passwords, password managers, and single sign-on (SSO) solutions can also boost online security for both individuals and businesses.

FAQ

How can I make my passwords more secure against advanced attackers?

To bolster your password security against advanced attackers, aim for lengthy and intricate passwords that blend letters, numbers, and symbols. Steer clear of predictable words and phrases, choosing instead random combinations or nonsensical strings. Employing a trusted password manager can aid in creating and safely keeping these complex passwords. Incorporating multi-factor authentication (MFA) adds an extra security layer, and it's wise to frequently change your passwords, ensuring you don't recycle them across various accounts.

Or, as stated in this article, simply go passwordless!

What are the mathematical limitations that make passwords not secure?

The mathematical limitations that compromise password security stem from the predictability and finite complexity of passwords. Passwords, especially shorter or simpler ones, can be vulnerable to brute-force attacks, where attackers systematically try every possible combination. Additionally, the use of common patterns or words makes passwords susceptible to dictionary attacks. Advances in computing power, including the use of GPUs and specialized hardware, have significantly reduced the time required to crack even complex passwords.

Furthermore, mathematical algorithms used for hashing and storing passwords can have vulnerabilities, making them less secure against sophisticated attacks.

This is again a good reason to adopt passwordless authentication strategies, especially in privileged access management.

What steps can I take today to fix the insecure nature of my current passwords?

To address the insecure nature of your current passwords, start by updating them to longer, more complex combinations that include a mix of letters, numbers, and symbols. Avoid using easily guessable information like birthdates or common words. Consider employing a password manager to generate and store strong, unique passwords for each of your accounts. Enabling multi-factor authentication (MFA) wherever possible can also significantly enhance your security. Regularly review and update your passwords, especially for sensitive accounts, to keep them robust against potential threats.

You probably guessed it: passwordless privileged access management takes care of this problem too.

Juuso Jahnukainen

Technical Product Manager
