The case against passwords

Discover authentication that pays for itself

In 2017, a study found that the average American wastes 12 full days of their life managing passwords online – a global total of more than 16 billion hours every year. With the inability to remember usernames and passwords cited as the biggest frustration among computer and mobile users (far greater than pop-ups, replaying videos and unresponsiveness), there’s clearly a strong business case for improvement.

More than 75% of users understand the need for passwords from a security perspective, but find it difficult to register and remember them. They’re also more likely to trust their own provider’s options for recording these details, as opposed to the cloud or social media.

As one researcher puts it, "The username/password paradigm is one of the biggest frustrations of modern-day living, and, as the research has shown, it represents an absolutely massive waste of our precious time."

Passwords: expensive and insecure

Employees often choose overly simple passwords, use the same one for multiple purposes, or write them down, leaving them visible to colleagues. This poses greater security risks and ultimately results in organizational losses.

A Gartner study shows that between 20% and 50% of all help desk calls involve password resets, which in turn cost IT departments around $30 a pop. Forrester goes one step further, stating that the average password reset can cost an organization as much as $70.

The average 15,000-person company pays $5.2 million for password resets alone, with Forrester estimating that big companies spend around a million dollars each year on desk fees for these kinds of issues.

As a result, large companies end up spending more than a million USD on password management every year, not to mention suffering productivity losses from the ensuing frustration and downtime. Passwords demand an average of 11 hours per employee each year.

These risks and expenses have paved the way for password reset applications and fueled the market for centralized password managers. Right now, there are dozens of password managers available, as well as built-in solutions offered by major system vendors.

Over 20% of companies actively use central password managers: applications that warn when a password is too simple, has been used twice or may have been hacked. A Microsoft survey even found that 44 million of its users were using usernames and passwords that had been leaked online following security breaches at other services.

The cost of cybersecurity

As well as shelling out for password management, companies are spending more and more money on fighting cybercrime. A 2020 Deloitte study found that organizations spend about $2,700 per year on security for each full-time employee.

For businesses with a large workforce, that quickly becomes millions, but because the authentication security offered by passwords is so weak, it’s all wasted money. Passwords are, and will remain, an inherently insecure method of authentication.

A blog on the Beyond Identity platform describes the huge organizational security problem presented by passwords. Verizon's 2022 Data Breach Investigations Report found that hacked and stolen passwords cause 89% of web application breaches, and recovering from these attacks can take months – and cost millions of dollars.

IBM's 2021 Cost of a Data Breach report found that the average data breach costs $4.24 million, with phishing attacks costing $4.65 million, malicious insider attacks at $4.61 million, social engineering attacks at $4.47 million and compromised credentials costing $4.37 million.

As you can see, passwords play a consistently crucial role in these attacks. Phishing usually focuses on tricking users into giving away their passwords, while social engineering uses fake authority figures to mislead people into revealing the credentials they use to verify their accounts. By contrast, insider attacks often rely on passwords that haven’t been updated after staff turnover – but in every type of threat, passwords are the main target.

The risk of a data breach

Remote working has increased the cost of data breaches. For organizations with large remote workforces, the average cost of a breach stands at $5.54 million, in contrast to $3.56 million for those with office-based staff.

It also takes remote workforces an average of 361 days to discover breaches, and a further 90 days to contain them – longer than the 258-day average for office staff. Using passwords remains so risky because it only takes one compromised password for an attack to be successful and all the ensuing losses to occur.

If that wasn’t enough, password problems in eCommerce also incur high costs, with a survey finding that remembering passwords is tiring for around 84% of shoppers, around a quarter of whom will abandon their shopping cart if a password reset is required. With this checkout disruption in mind, it’s clear how economically disastrous password problems can be.

The way forward: passwordless authentication

Eliminating passwords is not only a positive move for security, it’s fiscally beneficial too. By avoiding centrally deployed systems – which create the single, immutable points of failure that are perfect targets for hackers – companies can prevent attackers breaking into servers and spending months scouring them before discovery.

As such, passwordless authentication brings the potential of high and immediate value for organizations. DGMV-ID is DigiCorp Labs’ revolutionary, decentralized solution designed to safeguard online identities and provide secure, private access to a vast range of digital services.

By encrypting users’ identities through their mobile devices, DGMV-ID creates a unique QR code for every application login. This means no passwords are ever created, stored, lost or stolen.

This is the future of online security – it’s time to leave passwords behind and enter a safer, brighter future.
