If you've ever sat in front of a computer screen trying to think of a new, unique and secure password, you are not alone.
Once prompted, users have to quickly come up with a new key word or phrase to regain system access. Frustrated over the process, many are quick to settle on an easy-to-remember password, prioritizing convenience over security.
Password management in the enterprise is doubly difficult because it demands honoring best practices from business IT departments and employees on a corporate network. And individual password management and security behaviors are, more often than not, insufficient and lagging.
Despite improving technology, password management has continued to plague businesses and individual users, but understanding what's going on in the space can make counteracting malicious account compromise a little easier.
Here are five trends shaping password management today:
1. Passwords are not disappearing
While the shift to alternatives in authentication is increasing, passwords themselves are here to stay. For at least the near future, finding a way to "co-exist" with passwords is a necessary evil.
Supplementing existing passwords with newer standards, including biometrics and multi-factor authentication, is what will protect critical data before advanced solutions can be easily implemented.
Just because passwords are not strong enough to stand on their own does not negate their relevance in security.
So while passwords are on a slow crawl toward extinction, organizations should not ignore enterprise policy and ensure employees continue practicing password hygiene.
The moral of the story? Make sure a password's creativity extends beyond '123456.'
2. Change is coming
Passwords underlie technology access, but some experts are pushing to eradicate all passwords within five years.
The passwordless movement stems from a technology inflection point: Tech is advancing and users have been primed for biometric authentication because of systems like Apple's Touch ID.
Passwordless frameworks extend beyond physical form factors. Sure, a user can employ face, touch or voice identification, but systems can now introduce geographic identifiers. Behavioral analysis is harder to compromise and is less disruptive to a user.
Depending on the number on anomalies in a what a system learns is a routine transaction, a system could prompt step-up authentication and request a one-time pin or password that is sent directly to a user's device, for example.
3. Multi-factor authentication is all the rage … still
Rolling out a new security scheme will always lead to some friction as users react to unfamiliarity or perceived additional burdens. But two-factor and multi-factor authentication are becoming more common and paying off for implementers.
The additional security afforded by MFA is too important and easy for most organizations to pass up on, and pilot programs suffering from complication shouldn't push IT decision makers away from implementation. For example, the Social Security Administration had to roll back a two-factor authentication effort in 2016 after users complained, but the agency tried again in 2017 and found more success.
Vendors have made it easier to turn on MFA through admin controls and roll out authentication policies companywide. Advancements in such technology have allowed factors after initial authentication to be enacted only if behavior or geographic regions change.
For example, if a user logs in every day at the office in California but has to travel to New York for work, a system would prompt the user to enter an additional factor of authentication to prove identity beyond an initial password.
4. Growing authentication in an ecosystem
Password management is a sore spot industrywide, and many vendors are working to create solutions that do not limit user functionality. The FIDO Alliance in particular wants to create an ecosystem of authentication, which extends across hardware, mobile and biometrics to access applications and websites.
The alliance wants to cut corporate reliance on passwords on any application, platform or authenticator, according to Phil Dunkelberger, CEO of Nok Nok Labs, a founding member of the FIDO Alliance.
FIDO is not only a gateway to stronger cybersecurity but a solution for individual users that want ease of use and access, said Dunkelberger. By eliminating the headache surrounded by passwords, users can more easily connect and perform their tasks with trusted authentication.
FIDO2 is the next chapter and includes W3C's advancement of WebAuthn, which is "a collaborative effort based on Web API specifications," which would allow FIDO to become a "built-in feature" for all platforms on the web, according to Dunkelberger.
5. Companies are learning from a past filled with identity and access management mistakes
So many databases and businesses are hacked because people make the same mistakes time and again. Thankfully, there's no shortage of worst case scenarios, offering business leaders examples of what not to do.
Using stale passwords and recycling credentials across accounts — especially work and personal accounts — is perhaps the most obvious, common mistake. But while many individuals and businesses experience a cybersecurity incident because of insufficient security practices, actually changing behaviors and doing something about it is far less common.
Some of the most obvious, easily corrected mistakes include:
Businesses leaving sensitive or credential-related data unencrypted on a database
Organizations failing to install routine or patch updates
Individuals logging into sensitive accounts on public networks
Failing to regularly update passwords
Complacency is not enough, and keeping up with competitors by making sure your business is ahead (or at least keeping pace with) the curve may boil down to basic endpoint security practices.