Winning the War on Cybercrime: The Passwordless Solution

Posted by Ori Eisen

“I read the news today, oh boy...”

The Beatles may have famously penned the lyrics to “A Day in the Life” in 1967—the same decade passwords were invented—but the message seems to ring even truer in today’s digital climate.

The already rapidly growing global economic dependency on the Internet has now intertwined with the COVID-19 pandemic, adding an unprecedented reliance on digital avenues as companies and their employees have quickly sought to implement and manage remote work environments. As a result, the need for secure access to sensitive assets has only become more critical.

As cybersecurity professionals are well aware, times of turbulence often lead to exploitation by cybercriminals. The FBI has already seen cybercrime reports quadruple, based on its Internet Crime Complaint Center (IC3) volumes.

Additionally, the Washington Post recently reported that nearly 25,000 email addresses and passwords, allegedly used by the World Health Organization (WHO), the National Institutes of Health, the Gates Foundation and other groups fighting the epidemic, had been posted. Australian cybersecurity expert Robert Potter, who claimed to have successfully verified the authenticity of the exposed WHO credentials, said that 48 people had “password” as their password, while others simply used their own first names.

So how do executives and security practitioners secure remote workers and strengthen their defenses against cybercriminals? Which threat vector exposes the greatest vulnerabilities and, therefore, requires priority in taking additional security measures?

The answer may appear deceptively simple: the password.

Passwords—and all static credentials—pose the greatest threat to modern digital security as we know it. The ongoing prevalence of breaches over the past decade has clearly shown that usernames and passwords are no longer secure enough, as compromised credentials have been revealed to be responsible for over 80% of all breaches, according to the 2019 Verizon Breach Investigations Report.

The age of passwords has come to an end.

Why Remove Passwords?

Passwords were never invented to safeguard our most private data. However—some 60 years later—that outdated technology has somehow survived and caused a laundry list of headaches in the modern age. In fact, the late inventor of the computer password, Fernando Corbato, famously described the password as having “become kind of a nightmare with the World Wide Web.”

Recent years have seen new efforts to strengthen credentials with additional measures like two-factor authentication (2FA), hardware tokens and one-time passwords (OTPs), but the core issue of passwords remains. Password vaults are much the same: they purport to safely store many passwords in a database that is itself protected, ironically, by a password.

Unfortunately, that means organizations are still open to a host of threats, including keylogging, phishing attacks, credential stuffing and more. Only by fully removing passwords from our systems can we truly—and significantly—eliminate the risk of cyberattacks.

When those legacy practices are no longer a common cornerstone of everyday habit, security practitioners can better protect sensitive data without raising user friction to a fever pitch—from frustrating password resets to perpetually changing complex strings of letter and number variations.

Spread the Word

Once you understand how crucial it is to go passwordless—and that such technology is readily available—the last step is to take action together.

By going passwordless, we change the game. By not acting, we are making it easier for fraudsters to gain access to bank accounts. That cybercrime funds their nefarious, unspeakable activities. It’s that simple.

As Edmund Burke said, “The only thing necessary for the triumph of evil is for good men to do nothing.”

Ori Eisen

Founder, Trusona



Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.
