April 2020: Are Passwords a Thing of the Past?

Authors:: Cara Bonnett
Published:: Friday, April 10, 2020
Columns:: Cybersecurity and Privacy

min read

Campus privacy and security professionals can adapt these materials to promote a better understanding of new developments in passwordless technology and to help students, faculty, and staff better protect their digital identities.

closeup of computer password field — *Credit: kpatyhka / Shutterstock.com © 2020*

Campus Security Awareness Campaign 2020

This post is part of a larger campaign designed to support privacy, security, and IT professionals as they develop or enhance their security awareness plans. The campaign is brought to you by the Awareness and Training Community Group sponsored by the EDUCAUSE Higher Education Information Security Council (HEISC). View the other monthly blog posts with ready-made content on the awareness campaigns resource page.

Get the Word Out

Newsletter or Website Content

There are plenty of reasons to hate passwords. A recent Ponemon Institute study provides some insights into why many people have developed what has become known as password fatigue:

Respondents reported having to spend an average of 12.6 minutes each week or 10.9 hours per year entering and/or resetting passwords. Most respondents also reported being unable to complete personal transactions because they had forgotten their passwords.
About two-thirds (69 percent) admitted to sharing passwords with coworkers to access accounts, and more than half (51 percent) said they reuse an average of five passwords across work and personal accounts.
Most respondents do not use a password manager and rely on human memory, spreadsheets, and sticky notes to manage passwords. Fewer than half (45 percent) use multifactor (or two-step) authentication in the workplace.¹

It is increasingly clear that new security approaches are needed to help individuals manage and protect their passwords, and passwordless login technology could provide an option. A majority of IT security professionals and individual users believe that the use of biometrics or hardware tokens could offer better—and more user-friendly—security protections.

Several colleges and universities—including Duke² and Stanford³—are working to develop and deploy passwordless solutions. In the meantime, multifactor authentication and good password practices can help as we move toward a passwordless future.

Tips on protecting your digital identity:

Use a fingerprint or biometric requirement to sign in when available. This provides an extra layer of protection for devices and apps.
Whenever possible, take advantage of whatever two-factor authentication (2FA) methods are available for your service. View a list of websites that support two-factor authentication (2FA).
Create a unique username and password or passphrase for each website or application.
Use a password manager to help avoid password reuse, and protect it with a long passphrase. Some password managers are free, but you can also check with your IT department to find out which tool it recommends.
Update to the latest security software, web browser, and operating system. Turn on automatic updates to help protect your personal information against new threats.
Stay protected when connecting to any public wireless hotspot. Use a virtual private network (VPN) client, which provides secure remote access to resources.

Social Posts

The following social media posts are Twitter-ready, meeting the 280-character length restriction:

Multifactor doesn't have to mean multistep! #GoPasswordless #CyberAware
Access your account as easily as you unlock your phone. #GoPasswordless #CyberAware
Log in to more convenience and better security. #GoPasswordless #CyberAware

Email Signature

Ask staff to add a tip to their email signature block and link to your institution's information security page.

Example:

Jane or John Doe
Chief Information Security Officer
XYZ College or University

Could passwords be a thing of the past? Learn more. [Link "Learn more" to your institution's information security page.]

Embed or Share Videos

Passwords (StaySafeOnline.org)

Fast ID Online (FIDO Alliance)

What Is Passwordless? (Okta)

Resources

World Economic Forum in collaboration with the FIDO Alliance: Passwordless Authentication: The next breakthrough in secure digital transformation
National Cyber Security Alliance (NSCA): Passphrases and Securing Your Accounts and Devices
National Institute of Standards and Technology Trusted Identities Group: Back to Basics: Multi-factor Authentication (MFA)
NCSA: Credential Theft Isn't Going Away. Here's How You Can Fight It [https://staysafeonline.org/blog/credential-theft-isnt-going-away-heres-how-you-can-fight-it/]

For more information and resources, you can also reference previous EDUCAUSE Review Security Matters Campus Security Awareness Campaign blog posts about passwords.

For more information about information security governance, compliance, data protection, and privacy programs, please visit the EDUCAUSE Review Security Matters blog as well as the Cybersecurity Program page. Access additional security and privacy awareness resources through the Awareness Campaigns page.

Notes

Ponemon Institute, The 2019 State of Password and Authentication Security Behaviors Report, January 2019. ↩
Mary McKee and Shilen Patel, "Duke Unlock: One-step Multi-factor. Passwordless Authentication with Shibboleth and WebAuthn," InCommon (blog), InCommon/Internet2, December 2019. ↩
"Cardinal Key: Simplicity and Security," Stanford University IT (website), March 13, 2020. ↩

Cara Bonnett is a Senior Security Analyst and Team Lead for Security Education and Consulting at Duke University.

ParentTopics:: Data Privacy Data Security Intrusion Detection and Prevention Password Policies Security Awareness