Passwords Are Weak Link in Security


Passwords hold a prominent place in the modern security landscape. Passwords guard your personal identity, private information and your financial resources. But are passwords actually working?

A new study from the Ponemon Institute, sponsored by authentication vendor Nok Nok Labs, sheds some light on the current state of password use -- and, as it turns out, misuse. The study surveyed 1,900 people in the United States, United Kingdom and Germany.

Curse You, Passwords

Nearly half of the study's respondents were unable to execute an online transaction due to some form of password authentication failure. Most of those failures were a result of users forgetting their passwords.

Consumers also have a distrust of passwords in general. The report's author, Larry Ponemon, told eSecurity Planet that 46 percent of respondents indicated that they don't trust websites that only rely on passwords.

"We think that's a sign that users are using websites without necessarily trusting them," Ponemon said.

A common best practice that many websites attempt to enforce is the use of password complexity. As it turns out, that best practice isn't always working for consumers. Ponemon said that 69 percent of consumers admitted that they had forgotten a password because it was too long or too complex.

When passwords are forgotten, many websites have password reset features. Apparently those aren't working so well either.

"54 percent said it took so long to reset a password that they basically gave up," Ponemon said. "Think about that from a business perspective, losing customers because they don't have the patience to wait."

Authentication Alternatives

Phil Dunkelberger, CEO of Nok Nok Labs, the sponsor of the study, said that the report indicates that consumers are hungry for alternative forms of authentication.

Nok Nok Labs is part of the FIDO Alliance effort, which enables strong authentication devices such as biometric readers to be used for online service access.

The study also found that consumers would like to use strong authentication mechanisms. In fact, 69 percent said they'd be open to a biometric eye scan as an authentication mechanism. The challenge, according to Dunkelberger, is the inability thus far to make strong authentication easy to use from a business standpoint.

"If the consumers are asking for stronger forms of authentication, it's incumbent for businesses to provide that," Dunkelberger said.

Sean Michael Kerner is a senior editor at eSecurity Planet. Follow him on Twitter @TechJournalist.