Saturday, December 25, 2021

Why The Password Will Never Die

 


Merry Christmas everybody!!!! From my household of me and my two kitties, enjoy the day with family and friends!!!  But here is one caveat to this:  Please also stay safe.  This is the time that the Cyberattacker likes to come out in all forms, primarily to steal your login information. 

So as you continue to shop between now and New Year’s Day for those special deals online, remember to protect your password!!!  Even if it means changing it, please change it!!!

Here is why:  According to a recent survey by a Cyber company known as Beyond Identity, almost half (to be exact, 48%) of the respondents said they would never visit a website again if it did not allow them to reuse a password they had used before. 

In other words, on such a site, once you reset your old password to a new one, you cannot go back to the old one under any circumstances.

The survey polled 1,000 people and also uncovered these startling stats:

*1 out of 4 shoppers would abandon their online shopping cart if they were forced to reset their password at checkout (this depended on the dollar amount; the largest cart these respondents said they would walk away from was pegged at $162.00);

*50% of the respondents had to reset their passwords at least once a year;

*The generation that experienced the most password resets was the Baby Boomers;

*A separate study, from Gartner, found that close to 50% of all help desk calls were related to password resets.  The average cost is now put at $70.00 per password reset.  This is actually much lower than a few years ago, when password resets were estimated to cost a company $300 per employee.

More details on the study conducted by Beyond Identity can be seen here at this link:

https://www.beyondidentity.com/blog/password-resets-and-the-consumer-journey

More details on the study conducted by Gartner can be seen here at this link:

https://www.onelogin.com/blog/is-password-reset-the-pebble-in-your-businesses-shoe

These findings can be seen in the illustration below:

(SOURCE:  https://www.darkreading.com/risk/nearly-50-of-people-will-abandon-sites-prohibiting-password-reuse)

As a result, many online merchants, and even the brick-and-mortar ones, are having a hard time retaining customers and bringing on new prospects, for the simple reason that people do not want to reset their passwords. 

This creates “friction” between merchant and customer, and that friction is the main reason people leave a website on the verge of making a purchase and go looking for a competitor.

So what is a vendor to do?  Well, research is currently under way on a passwordless form of authentication.  In this scheme, customers visiting the online store are given the choice of whether they want to go this route.  If they opt in, they are sent a link through which they register for the service using nothing more than their Email address.

From there, an Encryption key is issued and tied to that Email address, so the next time they decide to log back on, all they have to enter is their Email address.

So far, the reaction from the Cyber industry has been mixed on this one, which really surprises me, given that online vendors want to use it so that they do not lose customers and/or prospects over a mere password reset. 

But in the end, the results of the studies mentioned in this blog point in one direction: whatever transpires, the customer is king, and if customers want this kind of authentication, then that is what the industry has to develop and implement.

The more hard-core Cyber skeptics feel that this sort of passwordless authentication really offers no protection at all.  For example, what if the Encryption key tied to the Email address is stolen (which is quite possible, actually)?  Then what? 

What other form of authentication is then left to protect the customer?  Really, there is none, and that is the biggest fear, unless of course a password is brought back as a secondary layer of authentication, which defeats the whole purpose entirely.
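The passwordless flow sketched above (register once with an Email address, then log in by entering that address and clicking a link sent to it) and the skeptics' objection to it can both be made concrete.  The following is an added example, not code from the original post, from Beyond Identity or from any vendor: a minimal server-side "magic link" issuer in Python.  The post does not say what the "Encryption" tied to the Email address actually is; the assumption here is the usual realisation, a random token that the server stores only as a hash, that expires after a short time (the 15-minute lifetime is assumed) and that can be redeemed exactly once.  The names MagicLinkStore, issue and redeem are invented for this example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed lifetime of a login link; the blog post gives no number.
LINK_TTL_SECONDS = 15 * 60


@dataclass
class PendingLink:
    """One outstanding login link. Only the hash of the token is kept."""
    email: str
    expires_at: float
    used: bool = False


class MagicLinkStore:
    """Server-side record of outstanding login links, keyed by token hash.

    Hypothetical name and API, written for this example.
    """

    def __init__(self) -> None:
        self._links: Dict[bytes, PendingLink] = {}

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a single-use link token for `email`.

        Returns the raw token, which is the secret part of the URL that
        would be emailed to the user. The server keeps only its hash, so a
        stolen copy of this table does not let an attacker log in.
        """
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._links[self._hash(token)] = PendingLink(
            email=email.strip().lower(),
            expires_at=now + LINK_TTL_SECONDS,
        )
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Exchange a token for the email it was issued to.

        Returns None for an unknown token, an expired token, or a token that
        has already been used (replay of an intercepted link).
        """
        now = time.time() if now is None else now
        # Looking the hash up directly is fine here: the token is 256 random
        # bits, so timing on the hash comparison reveals nothing an attacker
        # could turn into a valid token.
        link = self._links.get(self._hash(token))
        if link is None:
            return None
        if link.used or now > link.expires_at:
            return None
        link.used = True  # burn it: a link captured after use is worthless
        return link.email


def login_url(base_url: str, token: str) -> str:
    """Build the link that would be emailed (assumed URL shape)."""
    return f"{base_url.rstrip('/')}/login?token={token}"


if __name__ == "__main__":
    store = MagicLinkStore()
    t0 = time.time()
    tok = store.issue("Shopper@Example.com", now=t0)
    print("email this:", login_url("https://shop.example", tok))
    print("first use :", store.redeem(tok, now=t0 + 60))   # shopper@example.com
    print("replay    :", store.redeem(tok, now=t0 + 61))   # None
```

The skeptics' scenario maps onto this directly.  If the pending-link table leaks, the attacker holds hashes and cannot reconstruct a usable link.  If a link is intercepted in transit, it works until it expires or until the legitimate user clicks it first, so the scheme is only as strong as the user's mailbox and the transport between the merchant and that mailbox; the mitigations are the short lifetime and single use shown here, not a second password.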

My Thoughts On This

In the end, as I have written before, the password will never leave us.  It has been a part of our society for decades, and in the end, people are creatures of habit.  They do not want to change their existing ways until something happens. 

Unfortunately, that is the way it is going to be for a long time to come.  So instead of inventing a brand-new authentication mechanism, the Cyber industry needs to build a better mousetrap around the one we already have.

What do I mean by this?  First, mandate the use of a Password Manager.  That is what these software applications were created for: to generate long and complex passwords, and even to reset them automatically on a prescribed schedule. 

Then, on top of this, add another authentication factor, such as a Biometric like Fingerprint Recognition or Iris Recognition.

It’s probably easier to mandate this kind of approach for employees in a business, but I fully admit that what I propose may simply not work for online merchants.  For example, how are you going to require a customer or prospect to use a Password Manager before they can proceed through checkout? 

This could be yet another reason for them to leave.

The other factor driving this is that the American consumer now has a lot of choices when it comes to online shopping.  As stated earlier, if they are not happy with one merchant because of the password issue, they Google another, similar site.  It’s like shopping for a lawyer.  If you are not happy with your existing one, you can simply fire them and get a new one.

But in the end, the customer and/or prospect is going to have to be flexible and understanding as well.  They should take comfort in the fact that if an online merchant is making them reset their password, it means the merchant is trying to adopt good security policies.  (One caveat: current NIST guidance in SP 800-63B recommends forcing a password change when there is evidence of compromise, rather than on a fixed schedule, so a reset prompted by a suspected breach is a better sign than one imposed every few months.) 

I have been at websites where I have had to reset my password.  In my most recent experience, I had to reset my password three different times.

Did that detract from being a customer?  No, it did not.  Yes, it was a pain to do it and have to come up with a new one each time, but I know at least that this particular vendor is trying to protect my account. 

The bottom line is that the Cyber industry can create all of the latest authentication mechanisms it likes, but the American public has to meet it on some middle ground in order to adopt them.

IMHO, that is where the key to this whole mess of Password Security lies.

