It’s time to stop ignoring the risks of passwords

Hackers compromised two billion passwords in 2021.

That’s the stark takeaway from the 2022 Consumer Identity Breach Report from ForgeRock. Humans struggle to put huge numbers into context, making it hard to understand the consequences of billions of compromised passwords and user accounts. However, our most essential takeaway from the ForgeRock report should be this: No password is safe from hacking.

The 2021 GoDaddy breach provides another example of the changing landscape for access and security that relies on passwords. In that case, even users and systems that followed the strongest, most unique requirements for their passwords found that they could not withstand the efforts of persistent hackers: A single hacked password provided a backdoor into more than one million user accounts.

The cybersecurity industry must come to terms with the fact that any system protected by passwords — or any other form of “secret” such as keys, tokens or even browser cookies — cannot be considered protected at all. In order to safeguard our most valuable assets and information for our connected, cloud-based future, we need to transition to a cybersecurity posture that relies on identity instead of passwords.

The vulnerability of passwords

At its most basic level, a password is a secret. A secret is something that gives the person who possesses it access rights. If I steal your password, then I can access a system as if I were you, even if I have no other right to access that system. On a daily basis, we rely on our online banks, web providers, shopping platforms and entertainment services to keep dozens of secrets for us. The risks of them not keeping that secret are dramatic, leading to the mishandling of personal information, stolen identities and even financial losses. You might assume that sophisticated development teams are not using passwords to protect mission-critical infrastructure and systems, but passwords and password-like methods are still common tools for accessing infrastructure.

Think about the problems we face with secrets in our everyday lives. When you share a secret with a friend, colleague or coworker, that other person could eventually divulge it to someone else. Your conversation could also be overheard by someone around you, increasing the risk that your sensitive information is passed on to other people. When we have an important, valuable secret, we only share it with those who we trust intimately, in a setting where we know it won’t be overheard. As Benjamin Franklin quipped, “Three can keep a secret if two of them are dead.”

This is the trouble with passwords and other secrets online: We can’t trust anyone to keep them secure. Time and again, we have seen how large enterprises have been unable to protect their systems and databases from a data breach. We’ve been given no reason to trust those responsible for sensitive information like contact details, social security numbers, and financial data.

Can you keep a secret?

Enterprises throughout the world must recognize that the problems involved in a secrets-based approach are only getting worse. The rise of cloud computing has led to an exponential increase in complexity. With organizations now able to scale their operations rapidly without having to invest in physical infrastructure, the number of machines and applications currently protected by secrets has skyrocketed. 

Every secret — from a Netflix account password to a Kubernetes cluster admin credential — represents a threat to digital security. Secrets simply cannot stand up to human nature: We write passwords on Post-It notes and index cards that we misplace or lose; we share passwords with coworkers to overcome cumbersome authentication processes; we leave our valuable data in unsecured files that can be easily discovered and stolen by bad actors. 

Imagine you work as the head of cybersecurity at a multi-billion dollar manufacturing company. On every new hire’s first day, you sit down at their desk and ask them if they can keep a secret. When they say yes, you go on to tell them every detail of the company’s intellectual property — information worth literally millions of dollars. Your organization’s financial performance and competitive positioning will depend on each entry-level employee’s ability to keep those secrets. If this were your approach, would you be able to sleep at night?

When we describe the situation this way, it sounds completely absurd. However, the secret-based access management systems that are commonplace in today’s organizations represent the digital equivalent of this imaginary exercise. 

Towards an identity-based future

To create a security solution that can scale with cloud-based complexity without relying on secrets, we need to focus instead on identity. A secret is something you have, but identity is who you are. While “identity theft” is a common term, identity itself resists theft in reality. Secrets like a social security number or bank credentials can be stolen, but these secrets aren’t your actual identity. Biometrics like a fingerprint or facial features are physical representations of your identity that are much harder to steal. My fingerprint is part of who I am — I physically can’t lose it. I can’t share my retina with someone else, nor can my face be stolen.

Like these physical attributes for human users, our devices also come with an inalienable identifying attribute. Machines also have a form of biometrics. Trusted platform modules (TPMs) are standard on the billions of devices we use on a daily basis. These encrypted components provide each device with an identity that is loss and theft-resistant, providing machines with a reliable way to prove their identity when needing to access sensitive information.

The combination of these two solutions — biometric attributes and TPMs — allows us to provide each individual person and their devices with a combined identity that is significantly more resilient against hacking than secrets. These tools can form the building blocks for the future of access management, reducing the likelihood of breaches and their associated consequences. We need to stop ignoring the risks of the secret-based status quo.

Ev Kontsevoy is CEO of Teleport.