Passwords are generally viewed as a necessary evil; nobody wants to deal with them, but they get you where you need to go. Even after years of every website and application stressing the importance of setting up secure passwords, people still worry more about forgetting their password than about the consequences of getting hacked. Case in point: an analysis of 15 billion passwords determined the most common password is 123456. Even worse, the fourth most popular password is the word “password” itself.

The average user has around 100 passwords, and two out of three people use some form of the same password across multiple accounts. When people repurpose passwords, hackers can jump from one service to the next.

Don’t use the same passwords, right? Or just throw in some numbers and special characters to make it trickier? That thinking made sense when we were all working from full keyboards. Asking people to peck out long strings of letters from their mobile phone or smartwatch is inconvenient at best. Instead, people revert to simple, short passwords like “123456.”

Even the National Institute of Standards and Technology (NIST) is aware passwords are cumbersome. In its Digital Identity Guidelines, NIST notes that undue “length and complexity requirements” can “significantly increase the difficulty of memorized secrets and increase user frustration … users often work around these restrictions in a way that is counterproductive.”

Passwords are expensive

The use of passwords comes with real costs, both in terms of security and economics. Passwords aren’t secure. In fact, the attack that took down the largest fuel pipeline in the US was the result of a compromised password. Hackers breached Colonial Pipeline through a legacy VPN account that was no longer in active use and wasn’t protected by multi-factor authentication (MFA).

That’s just one of billions of examples. In 2021, 8.4 billion passwords were leaked in the “largest password collection of all time.” Given all the leaks and hacks, it’s no great surprise that in 2022 Verizon reported more than 80% of web application breaches involved stolen credentials, and that there has been an almost 30% increase in stolen credentials since 2017. IBM reports stolen credentials account for 19% of all breaches. Passwords are so vulnerable that relying on single-factor authentication has made its way onto the Cybersecurity & Infrastructure Security Agency’s (CISA) list of “Bad Practices.”

Passwords aren’t just insecure, they’re also expensive. The World Economic Forum found that, for larger businesses, “nearly 50% of IT help desk costs are allocated to password resets.” The amount of lost productivity and IT time devoted to dealing with password problems is almost invariably underestimated.

Of course, data breaches are expensive too. In the latest “Cost of a Data Breach Report” from IBM and the Ponemon Institute, the average cost of a data breach has hit an all-time high of $4.35 million, a 12.7% increase since 2020.

Move to Zero Trust

Let’s accept passwords are fundamentally flawed. Users hate passwords because they’re inconvenient and prevent them from accessing what they want to – and should be able to – access. Security teams hate passwords because they represent a major security vulnerability.

Then how can an organization finally rid itself of passwords altogether?

First, security leaders should take a step back and look at where and why they use passwords or other credentials. Rather than using passwords to gate your entire IT estate, think about moving closer to zero trust, a cybersecurity paradigm built on one maxim: never trust, always verify.

In moving toward zero trust, security teams eliminate any implicit or assumed trust across their users and devices. No one and nothing get a free pass.

If zero trust is your goal, then your entire security architecture changes—as does your reliance on passwords. Remember, zero trust asks the system to always verify each access request; it does not ask users to always authenticate. If every access request is being verified against its context, then you can reduce the number of times users must stop and authenticate.

Verifying every access request may sound daunting, but it doesn’t need to be. One commonsense way to move toward zero trust is to embrace least privilege: the bare minimum of access entitlements that someone or something needs to do their job. If every user on your network only has access to essential resources, then constantly verifying and re-verifying requests becomes far more targeted and effective.

Smart identity and access management can also help your organization build toward zero trust by learning from and baselining each user’s typical behavior. A contextual or risk-based system can learn that a user always logs in at 9 a.m. from a recognized device in New York and makes the same dozen access requests; any behavior falling within those norms should be permitted. The system is still verifying those requests as they happen in real time, but if a user is repeating the same behaviors, then there isn’t a need to challenge them with step-up authentication.

Conversely, if a user logs in at 3 a.m. from a new device in Russia, then it merits investigation. Likewise, if a user makes an access request from New York at 9 a.m., logs out, and subsequently logs in again from California at 10 a.m., a contextually aware system should recognize it’s physically impossible to travel that far in an hour and flag the access request.
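To make the contextual checks above concrete, here is an added example (not code from the article or from RSA) of a minimal risk-based access evaluator. It scores a request against a constructed behavioral baseline (usual hours, known devices, usual countries, usual resources) and against the previous session, with an “impossible travel” check that flags a New York to California hop in one hour. The baseline, coordinates, thresholds and the three-tier allow / step-up / deny mapping are assumptions for illustration; a production system would learn the baseline from history and tune the weights.

```javascript
// Added example, not part of the original article: a toy contextual,
// risk-based access check with an impossible-travel test.
// All profile data, locations and thresholds below are constructed.

const EARTH_RADIUS_KM = 6371;
const MAX_PLAUSIBLE_KMH = 1000; // assumption: roughly airliner speed

// Great-circle distance between two {lat, lon} points (haversine formula).
function distanceKm(a, b) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(b.lat - a.lat);
  const dLon = toRad(b.lon - a.lon);
  const h =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(a.lat)) * Math.cos(toRad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(h));
}

// Constructed behavioral baseline for one user ("9 a.m., known laptop, New York").
const baseline = {
  usualHours: [8, 9, 10, 11, 12, 13, 14, 15, 16, 17], // local hour of day
  knownDevices: new Set(['laptop-7f3a']),
  usualCountries: new Set(['US']),
  usualResources: new Set(['email', 'crm', 'wiki']),
};

// Score one request against the baseline and the previous session.
// decision: 'allow' (within norms), 'step-up' (require passwordless
// re-authentication), or 'deny' (block and flag for investigation).
function evaluateRequest(req, prev, profile = baseline) {
  const reasons = [];
  let score = 0;

  if (!profile.usualHours.includes(req.hour)) { score += 2; reasons.push('unusual hour'); }
  if (!profile.knownDevices.has(req.deviceId)) { score += 3; reasons.push('unknown device'); }
  if (!profile.usualCountries.has(req.country)) { score += 3; reasons.push('unusual country'); }
  if (!profile.usualResources.has(req.resource)) { score += 2; reasons.push('unusual resource'); }

  // Impossible travel: implied speed between the previous session and this one.
  if (prev) {
    const km = distanceKm(prev.location, req.location);
    const hours = (req.time - prev.time) / 3_600_000;
    if (hours > 0 && km / hours > MAX_PLAUSIBLE_KMH) {
      score += 5;
      reasons.push(`impossible travel: ${Math.round(km)} km in ${hours.toFixed(1)} h`);
    }
  }

  const decision = score >= 5 ? 'deny' : score >= 2 ? 'step-up' : 'allow';
  return { score, reasons, decision };
}

// The four situations described in the article, as constructed requests.
const NEW_YORK = { lat: 40.71, lon: -74.01 };
const LOS_ANGELES = { lat: 34.05, lon: -118.24 };
const MOSCOW = { lat: 55.76, lon: 37.62 };
const T0 = Date.UTC(2023, 0, 9, 14, 0, 0); // 9 a.m. New York, as epoch ms

function runScenarios() {
  const usual = { hour: 9, deviceId: 'laptop-7f3a', country: 'US', resource: 'email', location: NEW_YORK, time: T0 };
  return {
    routine: evaluateRequest(usual, null),
    unusualResource: evaluateRequest({ ...usual, resource: 'payroll-admin' }, null),
    nightRussia: evaluateRequest({ ...usual, hour: 3, deviceId: 'unknown-phone', country: 'RU', location: MOSCOW }, null),
    // Same user, known device, one hour later in California: physically impossible.
    impossibleTravel: evaluateRequest({ ...usual, hour: 10, location: LOS_ANGELES, time: T0 + 3_600_000 }, usual),
  };
}

console.log(runScenarios());
```

The routine request scores zero and is allowed without a challenge; the unfamiliar resource alone lands in the step-up tier; the 3 a.m. login from an unknown device in Russia and the impossible-travel case are denied and surfaced with their reasons so an analyst can see exactly which signals fired.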

Get Smart and then Go Passwordless

Developing a smart, contextually aware security system is a great way to move toward zero trust.

It’s also an opportunity for organizations to rethink authentication: let’s say a typical user is logging in at 9 a.m. from a recognized device, but they’re requesting something they don’t usually use.

That’s a situation when users – even legitimate users – should authenticate with passwordless options, including QR codes, biometrics, and push notifications.

Organizations moving to zero trust, integrating contextual analysis, and going passwordless can net major benefits: zero trust and contextual analysis can create a smarter, more responsive, and more secure system, continuously verifying access requests in ways passwords just can’t.

When users do have to authenticate, then going passwordless has its own benefits: it eliminates a critical security issue, saves money, reduces IT busywork, and simplifies access for users. Fortunately, it’s now easier and more affordable than ever for companies to adopt passwordless standards like FIDO.

As more companies commit to supporting common standards for password-free sign-ins, the easier and more affordable it becomes. The FIDO Alliance’s authentication standards are based on public key cryptography, which is more secure than passwords: the server stores only a public key, the private key never leaves the user’s device, and there is no shared secret to phish, leak, or reuse. FIDO also leverages device-based authentication and biometric technology such as a fingerprint or facial recognition, so logging in is easy, secure, and consistent across devices and websites.

By moving to zero trust and by integrating improvements in standards and technology, we can finally say goodbye to passwords. Doing so will lead to improved user experiences, better security, and lower costs for businesses. That’s a win-win-win.


Jim Taylor

Jim Taylor is the chief product officer of RSA.
