Password fatigue

Last updated April 26, 2024

Password fatigue is the feeling experienced by many people who are required to remember an excessive number of passwords as part of their daily routine, such as to log in to a computer at work, undo a bicycle lock or conduct banking from an automated teller machine. The concept is also known as password chaos, or more broadly as identity chaos.^[1]

Causes

The increasing prominence of information technology and the Internet in employment, finance, recreation and other aspects of people's lives, and the ensuing introduction of secure transaction technology, has led to people accumulating a proliferation of accounts and passwords.

According to a survey conducted in February 2020 by password manager Nordpass, a typical user has 100 passwords.^[2]

Some factors causing password fatigue are:

unexpected demands that a user create a new password
unexpected demands that a user create a new password that uses a particular pattern of letters, digits, and special characters
demand that the user type the new password twice
frequent and unexpected demands for the user to re-enter their password throughout the day as they surf to different parts of an intranet
blind typing, both when responding to a password prompt and when setting a new password.

Responses

Some companies are well organized in this respect and have implemented alternative authentication methods,^[3] or have adopted technologies so that a user's credentials are entered automatically. However, others may not focus on ease of use, or even worsen the situation, by constantly implementing new applications with their own authentication system.

Single sign-on software (SSO) can help mitigate this problem by only requiring users to remember one password to an application that in turn will automatically give access to several other accounts, with or without the need for agent software on the user's computer. A potential disadvantage is that loss of a single password will prevent access to all services using the SSO system, and moreover theft or misuse of such a password presents a criminal or attacker with many targets.
Integrated password management software - Many operating systems provide a mechanism to store and retrieve passwords by using the user's login password to unlock an encrypted password database. Microsoft Windows provides Credential Manager to store usernames and passwords used to log on to websites or other computers on a network; iOS, iPadOS, and macOS share a Keychain feature that provides this functionality; and similar functionality is present in the GNOME and KDE open source desktops. In addition, web browser developers have added similar functionality to all the major browsers. Although, if the user's system is corrupted, stolen or compromised, they can also lose access to sites where they rely on the password store or recovery features to remember their login data.
Third-party (add-on) password management software such as KeePass and Password Safe can help mitigate the problem of password fatigue by storing passwords in a database encrypted with a single password. However, this presents problems similar to that of single sign-on in that losing the single password prevents access to all the other passwords while someone else gaining it will have access to them.
Password recovery - The majority of password-protected web services provide a password recovery feature that will allow users to recover their passwords via the email address (or other information) tied to that account. However, this system has itself become a target of social engineering attacks by criminals. These criminals obtain enough information about the target to impersonate them and request a reset email, which is then redirected through other means to an account under the attacker's control, enabling the attacker to hijack the account.
Passwordless authentication - One solution to eliminate password fatigue is to get rid of passwords entirely. Passwordless authentication services such as Okta, Transmit Security and Secret Double Octopus replace passwords with alternative verification methods such as biometric authentication or security tokens.^[4] Unlike SSO or password management software, passwordless authentication does not require a user to create or remember a password at any point.^[5]

Innovative approaches

As password fatigue continues to challenge users, notable advances in password management techniques have emerged to alleviate this burden. These innovative approaches provide alternatives to traditional password-based authentication systems. Here are some notable strategies:

Biometric Authentication

Biometric authentication methods offer a seamless and secure alternative to traditional passwords, including fingerprint recognition, facial recognition, and iris scanning. Users can authenticate their identities without remembering complex passwords by leveraging unique biological characteristics. Companies like Okta and Transmit Security have developed robust biometric authentication solutions, reducing reliance on traditional passwords.^[6]

Security Tokens

Security tokens, also referred to as hardware tokens or authentication tokens, add an extra layer of security beyond passwords. These physical devices generate a one-time passcode or cryptographic key that users input alongside their passwords for authentication. This two-factor authentication (2FA) method enhances security while reducing the cognitive load of managing multiple passwords. Secret Double Octopus is a notable provider of security token solutions.^[6]

Passwordless Authentication

Passwordless authentication services represent a significant shift in authentication methods by entirely eliminating the need for passwords. Instead, these services utilize alternative verification methods, such as biometric authentication, security keys, or magic email links. By removing passwords from the equation, passwordless authentication significantly simplifies the user experience and reduces the risk of password-related security breaches. Okta, Transmit Security, and Secret Double Octopus are pioneering providers of passwordless authentication solutions.^[6]

Behavioral Biometrics

Emerging technologies in behavioral biometrics analyze unique behavioral patterns, such as typing speed, mouse movements, and touchscreen interactions, for user authentication. By continuously monitoring these behavioral signals, the system can accurately verify a user's identity without requiring an explicit authentication action. Behavioral biometrics provide a seamless authentication experience while minimizing the cognitive load associated with traditional password-based systems.^[6]

These innovative approaches offer promising alternatives to traditional password management techniques, delivering enhancements in security, usability, and user convenience. As technology advances, further progress in authentication methods will effectively address the ongoing challenge of password fatigue.^[6]

Notes

↑ "Password chaos" at TheFreeDictionary
↑ Williams, Shannon. "Average person has 100 passwords - study". securitybrief.co.nz. Retrieved 2021-04-26.
↑ Such as digital certificates, OTP tokens, fingerprint authentication or password hints.
↑ Murphy, Hannah (3 September 2021). "The start-ups trying to kill the password". Financial Times. Retrieved 2 November 2021.
↑ "What is Password Fatigue and How You Can Overcome It". Transmit Security. 13 October 2021. Retrieved 4 November 2021.
1 2 3 4 5 Al-Slais, Yaqoob; El-Medany, Wael (January 1, 2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology.

External links

Noguchi, Yuki. Access Denied, Washington Post, 23 September 2006.
Catone, Josh. Bad Form: 61% Use Same Password for Everything, 17 January 2008.

Related Research Articles

A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services that a typical individual accesses can make memorization of unique passwords for each service impractical. Using the terminology of the NIST Digital Identity Guidelines, the secret is held by a party called the claimant while the party verifying the identity of the claimant is called the verifier. When the claimant successfully demonstrates knowledge of the password to the verifier through an established authentication protocol, the verifier is able to infer the claimant's identity.

In physical security and information security, access control (AC) is the selective restriction of access to a place or other resource, while access management describes the process. The act of accessing may mean consuming, entering, or using. Permission to access a resource is called authorization.

An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. In the simplest case, the authenticator is a common password.

<span class="mw-page-title-main">Authentication</span> Act of proving an assertion

Authentication is the act of proving an assertion, such as the identity of a computer system user. In contrast with identification, the act of indicating a person or thing's identity, authentication is the process of verifying that identity. It might involve validating personal identity documents, verifying the authenticity of a website with a digital certificate, determining the age of an artifact by carbon dating, or ensuring that a product or document is not counterfeit.

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems.

Identity management (IdM), also known as identity and access management, is a framework of policies and technologies to ensure that the right users have the appropriate access to technology resources. IdM systems fall under the overarching umbrellas of IT security and data management. Identity and access management systems not only identify, authenticate, and control access for individuals who will be utilizing IT resources but also the hardware and applications employees need to access.

A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless keycards used to open locked doors, a banking token used as a digital authenticator for signing in to online banking, or signing a transaction such as a wire transfer.

Logical security consists of software safeguards for an organization's systems, including user identification and password access, authenticating, access rights and authority levels. These measures are to ensure that only authorized users are able to perform actions or access information in a network or a workstation. It is a subset of computer security.

Self-service password reset (SSPR) is defined as any process or technology that allows users who have either forgotten their password or triggered an intruder lockout to authenticate with an alternate factor, and repair their own problem, without calling the help desk. It is a common feature in identity management software and often bundled in the same software package as a password synchronization capability.

Living in the intersection of cryptography and psychology, password psychology is the study of what makes passwords or cryptographic keys easy to remember or guess.

Electronic authentication is the process of establishing confidence in user identities electronically presented to an information system. Digital authentication, or e-authentication, may be used synonymously when referring to the authentication process that confirms or certifies a person's identity and works. When used in conjunction with an electronic signature, it can provide evidence of whether data received has been tampered with after being signed by its original sender. Electronic authentication can reduce the risk of fraud and identity theft by verifying that a person is who they say they are when performing transactions online.

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

SAP Logon Tickets represent user credentials in SAP systems. When enabled, users can access multiple SAP applications and services through SAP GUI and web browsers without further username and password inputs from the user. SAP Logon Tickets can also be a vehicle for enabling single sign-on across SAP boundaries; in some cases, logon tickets can be used to authenticate into 3rd party applications such as Microsoft-based web applications.

A whole new range of techniques has been developed to identify people since the 1960s from the measurement and analysis of parts of their bodies to DNA profiles. Forms of identification are used to ensure that citizens are eligible for rights to benefits and to vote without fear of impersonation while private individuals have used seals and signatures for centuries to lay claim to real and personal estate. Generally, the amount of proof of identity that is required to gain access to something is proportionate to the value of what is being sought. It is estimated that only 4% of online transactions use methods other than simple passwords. Security of systems resources generally follows a three-step process of identification, authentication and authorization. Today, a high level of trust is as critical to eCommerce transactions as it is to traditional face-to-face transactions.

The FIDOAlliance is an open industry association launched in February 2013 whose stated mission is to develop and promote authentication standards that "help reduce the world’s over-reliance on passwords". FIDO addresses the lack of interoperability among devices that use strong authentication and reduces the problems users face creating and remembering multiple usernames and passwords.

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB) or near-field communication (NFC) devices based on similar security technology found in smart cards. It is succeeded by the FIDO2 Project, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance's Client to Authenticator Protocol 2 (CTAP2).

Biometric tokenization is the process of substituting a stored biometric template with a non-sensitive equivalent, called a token, that lacks extrinsic or exploitable meaning or value. The process combines the biometrics with public-key cryptography to enable the use of a stored biometric template for secure or strong authentication to applications or other systems without presenting the template in its original, replicable form.

Customeridentity and access management (CIAM) is a subset of the larger concept of identity access management (IAM) that focuses on managing and controlling external parties' access to a business' applications, web portals and digital services.

Passwordless authentication is an authentication method in which a user can log in to a computer system without the entering a password or any other knowledge-based secret. In most common implementations users are asked to enter their public identifier and then complete the authentication process by providing a secure proof of identity through a registered device or token.

Secret Double Octopus (SDO) is an Israeli software company specializing in passwordless authentication for enterprise environments.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Password chaos" at TheFreeDictionary

[2] Williams, Shannon. "Average person has 100 passwords - study". securitybrief.co.nz. Retrieved 2021-04-26.

[3] Such as digital certificates, OTP tokens, fingerprint authentication or password hints.

[4] Murphy, Hannah (3 September 2021). "The start-ups trying to kill the password". Financial Times. Retrieved 2 November 2021.

[5] "What is Password Fatigue and How You Can Overcome It". Transmit Security. 13 October 2021. Retrieved 4 November 2021.

[yas-6] 1 2 3 4 5 Al-Slais, Yaqoob; El-Medany, Wael (January 1, 2022). "User-Centric Adaptive Password Policies to Combat Password Fatigue". The International Arab Journal of Information Technology.

[1]

[2]

[3]

[4]

[5]

[6]