Password managers are just a band-aid solution to a deeply-rooted problem with authentication
23 April 2020

Password managers are just a band-aid solution to a deeply-rooted problem with authentication

23 April 2020

Password managers do more harm than good when it comes to securing your organization's most critical systems and data.

From storing master passwords in plain text, to leaving users susceptible to keylogging and phishing attacks, to users still choosing sharing weak passwords — password managers are ineffective solutions that fail to address the inherent security risks associated with passwords.

Instead they provide a cover-up solution that only masks the real problem: passwords are a weak and ineffective method for authenticating users in the digital world, and reliance on them to authenticate users puts everyone at risk.

The broader issue with passwords

Memorized secrets shared between user and platform, better known as passwords, are the biggest design flaw of the internet. Hackers have been figuring out ways to crack passwords since the sixties.

Today, cyber threats are growing increasingly sophisticated, yet the way we authenticate has not evolved. Instead of rethinking how to authenticate and identify users, cybersecurity has centered around bolstering the password so that it is less susceptible to security threats. Unfortunately, none of these solutions addresses the fundamental problem: so long as there is a “password”, there is something for hackers to guess or steal.

“Password fatigue” describes the overwhelming burden users experience when it comes to managing their accounts. With the average user having an estimated ninety separate accounts — mandatory password changes, and complex password requirements backfire — forcing users to choose weak passwords that they can easily remember.

Password managers aim to solve the issues caused by password fatigue. They take memorizing passwords out of the hands of users, so that they can choose more complex passwords that meet password guidelines and policies.

How come password managers do more harm than good?

While password managers may solve issues with password fatigue, by allowing users to choose more complicated passwords, they fall short of protecting users against an onslaught of password-related attacks — like password phishing, keylogging attacks and Man-In-the-Middle attacks.

Password managers actually collate all of a user’s private credentials and store them in a single, centralized place. Just like other centralized platforms, password managers are vulnerable to being hacked. If a malicious actor manages to successfully break into the password manager, then all the stored credentials will be breached.

Password managers have known security flaws. What are they?

If a hacker gets access to the password management system, they gain unlimited access to the credentials stored within it. Independent research of some of the most popular password managers highlights clear security vulnerabilities.

“The ISE evaluated 1Password, Dashlane, KeePass and LastPass, which are used by a total of 60 Million users and 93,000 Businesses globally. It found that all the products failed to provide the security to safeguard a user’s passwords ‘as advertised’.” — Kate O’Flaherty, cybersecurity journalist.

In one case, the master password was stored in plaintext on the user’s device; for a savvy hacker, backdoors like this become easy hits. In fact, hackers are actually more inclined to attack password managers: For users, a breach would be a huge inconvenience that could lead to fraud and identity theft and loss of access to accounts. For an organization, this could be catastrophic.

Password managers are also vulnerable to attacks launched by “rogue” apps — fake apps designed to look like the real deal. Researches at the University of York fooled 40% of password managers into giving away passwords to malicious apps.

1. Password managers provide a false sense of security

Unfortunately, employees still choose their passwords, and ultimately decide how they manage them. For example, an employee could put corporate systems at risk by sharing their password around, or choosing a common password. Password managers can also be added by employees without the organization’s consent.

2. Password managers fail to solve resource and budget issues associated with passwords

Password managers also fail to eliminate costs associated with maintaining passwords. These costs can be a heavy burden on businesses. The average cost of password reset is US $70, and in the midst of the pandemic, these costs have put massive financial strain on businesses. According to Security Brief, online retailers lost millions maintaining passwords in the first half of 2020.

The future of security is passwordless

It’s not just password managers that pose a risk to security — all security solutions aimed at bolstering passwords adds further complexity to the issue, disrupting the user-journey and creating new entry points for attacks.

In order to properly safeguard systems and private data, we need to completely overhaul the way we authenticate.

“At Keyless, we believe the only way to improve security is to challenge the way we think about authentication. We need to move away from authentication that is based upon usernames and passwords, and move towards passwordless solutions.”

At Keyless, we use a combination of advanced cryptographic techniques to eliminate fraud, phishing and credential reuse — all while enhancing customer and employee experiences and protecting their privacy. Our biometric authentication solution offers multi-factor security across devices and platforms with just a look.

Interested in trialing Keyless to secure your remote workforce?

If you’re interested in how Keyless™ authentication can help deliver secure and seamless digital experiences, whether for your end-users or for an ever more important and dynamic digital workplace, or if you’d simply like to learn more about our platform, then please feel free to get in touch with our team. You can email us at info@keyless.io

We’re always keen to have a chat about how we can help businesses on their journeys towards a complete zero-trust security model.

Get In Touch

Find out how our private-by-design MFA can help your organization prevent ATOs, improve UX, and protect your bottom line.