Thought Leadership

Are passwords dead?

Article by
Author: Stephen Gantz
Stephen GantzChief Security & Privacy Officer

March 13, 2017

Stronger methods of authentication will continue to gain ground as businesses, government agencies, and healthcare organizations look to tighten cybersecurity.

Cybersecurity is very much on people’s minds these days. Hackers have made their way into nearly all types of databases, from major retailers and government agencies to healthcare facilities. The Ponemon Institute estimates that cyber attacks against hospitals, clinics, and doctors cost the healthcare industry more than $6 billion per year.

Many times, the only thing between a hacker and sensitive information is a simple password. Is your organization considering changing the way it handles password-protected information, such as medical records? Here, Dr. Stephen Gantz, Chief Security and Privacy Officer at Cognosante, discusses the continued role of passwords and the challenges in implementing better authentication methods in healthcare and beyond.

Q: There’s a lot of talk about how passwords are going away because they are a security risk. But are passwords really dead?

Gantz: No, I don’t think so. The password has been the default authentication measure for a long time, and we are not suddenly going to replace it with thumbprint IDs or iris scans. Those advanced measures are all relatively expensive and subject to their own sets of issues. One major problem with passwords is that people do not select strong choices. They use the word “password” or their kid’s birthday or their dog’s name. In a Facebook world, those are very easy things for an attacker to guess.

So if using passwords alone is such a security risk, why are they not being replaced faster?

I don’t think anyone will argue that passwords alone are sufficient. But you can’t just say, “Let’s do away with passwords entirely and try something brand new.” In the healthcare industry, for example, even if you manage to do that inside a company with 2,000 people, you still have to do it with all the consumers you touch and all the other people you work with. Many times, that’s not workable. Passwords are going to be the least common denominator authentication method for some time to come. But when you have sensitive information that you really have to protect, you don’t want to go with the least common denominator.

Many companies and government agencies have moved to what is known as “two-factor authentication.” Can you explain what that is, and why it is an improvement over passwords?  

When it comes to establishing your identity online, you can authenticate with something you know, something you have, or something you are. Passwords alone are “one-factor authentication”—you use a password you choose, which is something you know. Two-factor authentication, by contrast, requires you to add something you have (for example a card, badge, or token) or something intrinsic to you (typically a biometric, such as a fingerprint).

The classic example of two-factor authentication is your ATM card. You can’t just put your ATM card (something you have) in the slot and receive money without a PIN (something you know), and you can’t use your PIN without the ATM card. You have to have both. That’s two-factor authentication. Many companies are now having your smartphone be the second factor in addition to a password. Online service providers such as Dropbox, Apple, Gmail, and financial institutions send a one-time code to your cell phone that you use in addition to a password to achieve two-factor authorization.

What’s holding back companies from adopting better authentication measures?

Trying to figure out how to augment passwords is a hard problem. There is not a one-size-fits-all solution. For smaller companies or publicly funded entities, some of the solutions are cost prohibitive. If you can find a way to have people use stronger authentication and make it easy for them, then you won’t see a lot of user objections or the usual friction between better security and getting your work done. But sometimes, that is difficult.

So rumors of the password’s death are premature?

Yes, I think so. There are a lot of people in the healthcare industry who would love to move on to something stronger and more reliable than passwords. But sometimes, it is not workable. People have been predicting the demise of email for a long time, but even though it is a 1990s technology, many companies are still heavily dependent on it, it still works, and it will be hard to get rid of it. And I think the same is true of passwords. All of us in the health IT business can agree that they are a source of vulnerability, but it is very difficult to make them go away.

Author: Stephen Gantz
Stephen Gantz Chief Security & Privacy Officer

Stephen Gantz, DM, is Cognosante’s senior official overseeing corporate information security and privacy programs, and leading delivery of security-related services to customers across business units. Steve is responsible for building an accountable, security-conscious culture, and for protecting company and customer information assets and infrastructure with effective administrative, operational, and technical controls.