Password managers are just a band-aid solution to a deeply-rooted problem with authentication
From master passwords left recoverable in plaintext from memory, to users who remain exposed to keylogging and phishing, to users who still choose weak passwords and share them: password managers are ineffective solutions that fail to adequately protect corporate systems, remote workers and users.
Password managers fail to address the inherent security risks associated with passwords.
Instead they provide a cover-up solution that only masks the real problem: passwords are a weak and ineffective method for authenticating users in the digital world, and reliance on them to authenticate users puts everyone at risk.
The issues with passwords
A password is a memorized secret shared between the user and the platform: the user must reproduce it on every login, and the platform must hold something that can verify it. That design is the biggest security flaw of the internet, and attackers have been finding ways to crack passwords since the sixties.
Today, cyber threats are growing increasingly sophisticated, yet the way we authenticate has not evolved. Instead of rethinking how to authenticate and identify users, cybersecurity has centered around bolstering the password so that it is less susceptible to attack: complexity rules, rotation policies, breach monitoring, password managers. None of these addresses the fundamental problem: so long as there is a "password", there is a shared secret for attackers to guess, phish, intercept, or dump from a server's database.
"Password fatigue" describes the overwhelming burden users experience when it comes to managing their accounts. With the average user estimated to hold around ninety separate accounts, mandatory password changes and complex composition requirements backfire: users fall back on weak passwords that they can easily remember, and reuse them across accounts.
Password managers aim to solve the issues caused by password fatigue. They take memorizing passwords out of the hands of users, so that they can choose more complex passwords that meet password guidelines and policies.
For the enterprise, password managers could do more harm than good
While password managers may solve password fatigue by allowing users to choose more complicated passwords, they fall short of protecting users against the full onslaught of password-related attacks, such as password phishing, keylogging and man-in-the-middle attacks. A manager that binds autofill to the exact origin will refuse to fill a lookalike domain, but nothing stops the user from copying the password out by hand when the fake page asks for it, and a keylogger or a man-in-the-middle on the session sits entirely outside the manager's control.
Password managers collate all of a user's private credentials and store them in a single, centralized vault. Just like other centralized platforms, that vault is an attractive target. In a well-designed manager the vault is encrypted with a key derived from the master password, so an attacker who steals the vault file still has to recover the master password; but that attack runs offline, with no lockout and no rate limit, and a weak master password falls quickly. Once the master password is known, every stored credential is breached at once.
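The following is an added illustration, not code from Keyless or from any password manager, of why a stolen vault turns the master password into a single point of failure. It seals a constructed set of credentials under a PBKDF2-derived key, then runs the offline dictionary attack an attacker would run against the stolen file: the weak master password is recovered and the whole vault opens, while a strong passphrase that is not in the wordlist survives. The stream cipher is a toy built from SHA-256 so the example needs only the standard library; a real vault would use an AEAD such as AES-GCM, and the credential lines, wordlist and iteration count are all constructed for the demonstration.

```python
"""Offline attack on a stolen password-manager vault (constructed illustration)."""
import hashlib
import hmac
import os
from typing import Iterable, Optional


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the vault key from the master password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def _keystream(key: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256. NOT a real cipher: it only stands
    in for the encryption step so the example runs on the standard library alone.
    A real vault would use an authenticated cipher such as AES-GCM."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password: str, plaintext: bytes, iterations: int) -> dict:
    """Encrypt the credential blob and attach an HMAC tag keyed by the vault key."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt, iterations)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, salt + ciphertext, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "ciphertext": ciphertext, "tag": tag}


def open_vault(vault: dict, master_password: str) -> Optional[bytes]:
    """Return the decrypted blob if the master password is right, else None."""
    key = derive_key(master_password, vault["salt"], vault["iterations"])
    expected = hmac.new(key, vault["salt"] + vault["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, vault["tag"]):
        return None
    ct = vault["ciphertext"]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


def offline_crack(vault: dict, guesses: Iterable[str]) -> Optional[str]:
    """What an attacker does with a stolen vault file: unlimited guesses, no
    lockout, no rate limit, only the KDF cost per guess slows them down."""
    for guess in guesses:
        if open_vault(vault, guess) is not None:
            return guess
    return None


# Constructed sample data: a few stored credentials and a tiny wordlist.
STORED_CREDENTIALS = (
    b"vpn.example.com:alice:Tr0ub4dor&3\n"
    b"mail.example.com:alice:correct horse battery staple\n"
)
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein", "welcome1"]


def demo(iterations: int = 10_000) -> dict:
    """Seal the same credentials under a weak and a strong master password and
    attack both stolen vaults with the wordlist."""
    weak = seal_vault("password123", STORED_CREDENTIALS, iterations)
    strong = seal_vault("glacier-ostrich-parcel-velvet-47", STORED_CREDENTIALS, iterations)
    recovered = offline_crack(weak, WORDLIST)
    return {
        "weak_master_recovered": recovered,
        "weak_vault_contents": open_vault(weak, recovered) if recovered else None,
        "strong_master_recovered": offline_crack(strong, WORDLIST),
    }


if __name__ == "__main__":
    result = demo()
    print("weak master recovered:", result["weak_master_recovered"])
    print("vault contents:", result["weak_vault_contents"].decode())
    print("strong master recovered:", result["strong_master_recovered"])
```

Raising the PBKDF2 iteration count (or moving to a memory-hard KDF such as Argon2) multiplies the attacker's cost per guess, but it cannot rescue a master password that is in the first few thousand guesses of any wordlist; the only defence the user controls is the master password itself, which is exactly the problem the article is describing.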
Password managers have known security flaws
If an attacker gets into the password management system, they gain access to every credential stored within it. Independent research into some of the most popular password managers found concrete security weaknesses.
"The ISE evaluated 1Password, Dashlane, KeePass and LastPass, which are used by a total of 60 million users and 93,000 businesses globally. It found that all the products failed to provide the security to safeguard a user's passwords 'as advertised'." — Kate O'Flaherty, cybersecurity journalist.
In one case, the master password remained in plaintext in the manager's process memory on the user's device even after the vault was locked, so an attacker with access to the machine could read it out of memory or a memory dump; for a savvy attacker, weaknesses like this are easy hits. A password manager is also a far more valuable target than any single account: for a user, a breach of the vault means exposure of every account at once, with fraud, identity theft and loss of access following from it. For an organization, this could be catastrophic.
Password managers are also vulnerable to attacks launched by "rogue" apps: fake apps designed to look like the real deal. Researchers at the University of York fooled 40% of the password managers they tested into handing passwords to a malicious app that impersonated a legitimate one. The lesson for anyone evaluating a manager is that autofill must be bound to something the rogue app cannot forge, such as the exact HTTPS origin on the web and the app's signing certificate on mobile, rather than to a display name or package name alone.
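The two autofill failures just described, the lookalike domain and the rogue app, come down to what the manager checks before releasing a credential. The block below is an added illustration and not the code of any real manager: it models a vault entry and a fill request, then compares an assumed loose policy (substring match on the host, package name only for apps) with a strict one (exact HTTPS origin, package name plus signing-certificate fingerprint). The bank credential, the fingerprints and the request URLs are all constructed for the example.

```python
"""Autofill matching policies for a password manager (constructed illustration)."""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Credential:
    label: str
    username: str
    password: str
    web_origin: Optional[str] = None          # e.g. "https://bank.example.com"
    android_package: Optional[str] = None     # e.g. "com.example.bank"
    android_cert_sha256: Optional[str] = None  # signing-certificate fingerprint


@dataclass(frozen=True)
class FillRequest:
    """What the manager learns about who is asking for a credential."""
    page_url: Optional[str] = None
    app_package: Optional[str] = None
    app_cert_sha256: Optional[str] = None


def origin_of(url: str) -> Optional[str]:
    """Normalise a URL to scheme://host; refuse plain HTTP and malformed URLs."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.hostname.lower()}"


def loose_match(cred: Credential, req: FillRequest) -> bool:
    """Weak policy: fill if the stored host appears anywhere in the URL, or if
    the requesting app's package name matches, with no signature check."""
    if req.page_url is not None and cred.web_origin is not None:
        stored_host = cred.web_origin.split("://", 1)[1]
        return stored_host in req.page_url.lower()   # substring match: phishable
    if req.app_package is not None:
        return cred.android_package == req.app_package  # name only: spoofable
    return False


def strict_match(cred: Credential, req: FillRequest) -> bool:
    """Hardened policy: exact HTTPS origin for web pages; package name AND
    signing-certificate fingerprint for apps. Anything else is refused."""
    if req.page_url is not None:
        origin = origin_of(req.page_url)
        return origin is not None and origin == cred.web_origin
    if req.app_package is not None:
        return (
            cred.android_package == req.app_package
            and cred.android_cert_sha256 is not None
            and cred.android_cert_sha256 == req.app_cert_sha256
        )
    return False


def autofill(
    vault: Iterable[Credential],
    req: FillRequest,
    policy: Callable[[Credential, FillRequest], bool],
) -> Optional[Credential]:
    """Return the first credential the policy allows for this request, if any."""
    for cred in vault:
        if policy(cred, req):
            return cred
    return None


# Constructed vault: one banking credential usable on the web and in an app.
BANK_CERT = "ab" * 32   # placeholder fingerprint of the genuine app's signing key
VAULT = [
    Credential(
        label="Example Bank",
        username="alice",
        password="Tr0ub4dor&3",
        web_origin="https://bank.example.com",
        android_package="com.example.bank",
        android_cert_sha256=BANK_CERT,
    )
]

# Constructed requests: a genuine login page, a lookalike phishing domain,
# the genuine app, and a rogue app that claims the same package name.
GENUINE_PAGE = FillRequest(page_url="https://bank.example.com/login?next=/")
PHISHING_PAGE = FillRequest(page_url="https://bank.example.com.evil-login.test/signin")
GENUINE_APP = FillRequest(app_package="com.example.bank", app_cert_sha256=BANK_CERT)
ROGUE_APP = FillRequest(app_package="com.example.bank", app_cert_sha256="ff" * 32)

if __name__ == "__main__":
    for name, req in [("genuine page", GENUINE_PAGE), ("phishing page", PHISHING_PAGE),
                      ("genuine app", GENUINE_APP), ("rogue app", ROGUE_APP)]:
        loose = autofill(VAULT, req, loose_match) is not None
        strict = autofill(VAULT, req, strict_match) is not None
        print(f"{name:14} loose policy fills: {loose!s:5} strict policy fills: {strict}")
```

The strict policy is the check a practitioner should look for when evaluating a manager; note that it still does nothing about the keylogging and session-hijacking cases, which never involve the manager's fill logic at all.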
Password managers provide a false sense of security
Unfortunately, employees still choose their passwords, and ultimately decide how they manage them. An employee can put corporate systems at risk by sharing a password around or by choosing a common one, manager or not. Employees can also adopt a personal password manager without the organization's knowledge, placing corporate credentials in a vault the organization neither controls nor can revoke when the employee leaves.
Passwords cost time and money
Password managers also fail to eliminate the costs of maintaining passwords, and these costs can be a heavy burden on businesses. The average cost of a password reset is US $70; in the midst of a pandemic, with a workforce locked out of systems they reach only remotely, this puts real financial strain on businesses. According to Security Brief, online retailers have already lost millions maintaining passwords this year.
Zero-knowledge biometric authentication
It's not just password managers that pose a risk to security. Every solution aimed at bolstering passwords adds further complexity to the problem, disrupting the user journey and creating new entry points for attack.
In order to properly safeguard systems and private data, we need to completely overhaul the way we authenticate.
“At Keyless, we believe the only way to improve security is to challenge the way we think about authentication. We need to move away from authentication that is based upon usernames and passwords, and move towards passwordless solutions.”
At Keyless, we use a combination of advanced cryptographic techniques to eliminate fraud, phishing and credential reuse, all while enhancing customer and employee experiences and protecting their privacy. Our biometric authentication solution offers multi-factor security across devices and platforms with just a look.
Interested in trialing Keyless to enable secure work from home?
If you’re interested in how Keyless™ authentication can help deliver secure and seamless digital experiences, whether for your end-users or for an ever more important and dynamic digital workplace, or if you’d simply like to learn more about our platform, then please feel free to get in touch with our team. You can email us at email@example.com
We’re always keen to have a chat about how we can help businesses on their journeys towards a complete zero-trust security model.