There’s no more room in password hell. Compromised passwords found in data breaches should be dead in the dirt, yet they are still being used. These zombie passwords offer zero security and should be put down immediately.
Unsurprisingly, the average person only uses six passwords to cover 24 accounts and about 50% of all passwords are at least five years old. That leaves plenty of time for a password that protects about six of your accounts to be compromised. It’s honestly more of a surprise that there are passwords out there that haven’t been compromised.
According to Troy Hunt, the man behind Pwned Passwords, a database containing over 500 million compromised passwords, the majority of passwords in use are “terrible.” To come to this realization, Hunt looked at new breaches to see how many passwords in each breach were already in his list of compromised passwords. Through this experiment, Hunt found that 86% of breached plaintext passwords were already on his list. That means we are already living in a zombie password apocalypse, as living passwords are in the minority.
Statistics like this are why companies like LastPass exist. LastPass and its competitors allow a single login to access all of your accounts. This gives users the ability to use a memorable password to log in, and LastPass can enter secure hash-based passwords for your other accounts. However, even a product that manages your passwords still needs to depend on the user’s ability to create secure passwords. According to a study by LastPass, the average security score for passwords across 43,000 organizations using their product is only a 52 out of 100. This means the average end user’s passwords don’t even have a passing grade, which also means the password is still the issue.
One solution is to eliminate the password, a dream IBM has been working towards since the 1980s. In the same vein, Microsoft is also looking to lose the password. At their Ignite conference in September of this year, Microsoft announced that users of Azure are now able to log in to the app without passwords. Instead, users rely on the Microsoft Authenticator app, which uses the smartphone’s biometric login or a PIN. This effectively provides multi-factor authentication sans password. As of now, Microsoft has yet to extend this service to their other products.
So what can companies do to improve their password security? Implementing password management policies that require regular password changes is a step in the right direction. Requiring passwords to meet a standard complexity also helps, especially if it disallows known compromised passwords. But, as any IT professional will tell you, users are not to be trusted. The best solution out there is to deploy multi-factor authentication, and entirely do away with zombie passwords.