Passwords are the weakest link in cybersecurity today

Michael Chertoff

Last month's news of the devastating breach at Yahoo stunned even the most seasoned security experts, given its impact on more than 500 million individuals.

Somewhat lost in the news of this attack and others including the U.S. Office of Personnel Management, Anthem, and the Democratic National Committee is that the impact of each of these breaches cannot be viewed in isolation. Rather, each is one node in a much bigger effort.

A closer examination of major breaches reveals a common theme: In every "major headline" breach, the attack vector has been the common password. The reason is simple: The password is by far the weakest link in cybersecurity today.

Indeed, passwords themselves are often the most valuable treasure for attackers, given how many people reuse passwords between accounts. An article last month in Ars Technica drove this point home, detailing how the recent breach of a White House contractor was facilitated by his reuse, on his Gmail account, of the same password that had been revealed in the Adobe breach of 2013.

Against this backdrop, it's become increasingly apparent that the guidance we give people to change their password after every breach isn't doing anything to actually thwart attackers.

Instead, we need to acknowledge the failure of passwords and make it a national priority to come up with something better – leveraging the next generation of authentication technologies to authenticate identities in a way that is both stronger than passwords and also easier for people to use.


It's important that any alternative simplifies authentication. Companies and agencies don't expect their employees to configure firewalls or actively manage encryption on their laptops; security controls have become increasingly automated over the last few years. But amidst these improvements, there's one item that continues to get pushed down to customers and end-users: The burden of creating and managing dozens of different passwords to access all of their accounts.

Study after study has shown that this is not a particularly enjoyable activity for most Americans, nor is it one that they are particularly good at. Passwords such as "123456" and "Password1" are commonly used across sites; one study showed that most Americans would rather perform unpleasant household chores than deal with the burden of creating and then remembering a complex password. And even when so-called "strong" passwords are required, they are still vulnerable to phishing attacks, key-loggers and other compromises.

The good news is that industry is in the midst of a wave of innovation, with dozens of entrepreneurs coming up with new approaches to deliver strong authentication. This innovation is being spurred by the near-ubiquity of mobile devices that contain biometric sensors and embedded security hardware, creating new ways to deliver strong authentication – in many ways, with models that are both more secure and easier for the end-user, relative to "first generation" authentication technologies.

The existence of new technology can't solve the problem alone, however. Technology needs to be supported by standards that can ensure interoperability of solutions and lower the cost of deployment. And when technology such as biometrics is used, it needs to be architected to protect privacy and security, rather than put it at risk.

The government can't create the solution, but it has an important role to play in incentivizing and catalyzing its adoption. Government can leverage its role in setting guidance for, and sometimes regulating, critical infrastructure by placing a greater emphasis on the use of strong authentication, as well as ensuring that its use is ubiquitous across government. Part of that focus should be on upgrading citizen-facing websites and applications that make personal data available, ensuring that they support strong authentication. I'm also encouraged by the new "Lock Down Your Login" campaign that the White House launched this month in partnership with the National Cyber Security Alliance, focused on educating all Americans about the need to use strong authentication and providing them with toolkits on how to upgrade their most vulnerable accounts.

Passwords are a problem—but by making their replacement a national priority, the government can help rally both industry and agencies to adopt stronger solutions that make password-driven breaches a thing of the past.


Commentary by Michael Chertoff who served as secretary of homeland security from 2005 to 2009. He is currently co-founder and executive director of The Chertoff Group, a security- and risk-management advisory firm. Follow the company on Twitter @ChertoffGroup.