A Future Full of Password Fatigue

by Larry Conroy


Here's a simple question: What is Password Fatigue? Well, that's simple - Password Fatigue means that people are just worn out (to the point of actual exhaustion and frustration) from having to manage so many different passwords these days.  The passwords themselves aren’t wearing out or getting tired (how could they, they’re just a bunch of characters). It’s the patience of the user that is wearing thin, increasing stress levels all the while.

"But... they’re just passwords," you might be thinking, "what’s the big deal? People have been using passwords since the ‘60s without 'password fatigue' being a thing."

That is exactly my point! 

The use of passwords - and the vulnerabilities that come with them - has had 5+ decades to mature and ferment.  Forced-rotation policies have shortened the useful life of any one password to a few months, if not less (current guidance such as NIST SP 800-63B discourages arbitrary periodic changes, but many services still require them).  If you have created a great password with a strong complexity score that is still easy for you to remember, you won’t be able to use it forever. Eventually, you'll be forced to start the password creation process again.

Passwords can no longer be as simple as your pet's name and your favorite ice cream flavor.  Passwords shouldn’t even be recognizable words at all. It's no wonder that password complexity is a major contributing factor to most password fatigue!

Password Complexity and Password Fatigue

Password complexity is defined by the rules a service imposes: a minimum length, and which character classes (upper case, lower case, digits, special characters, etc.) must appear.  Using a password is difficult enough, but having to come up with one that satisfies every rule - and is still memorable - could push some people over the edge.

Then you have to go through the same process for every website, at regular intervals - intervals that may be different for each service you need to authenticate to.

Password fatigue is maddening.

On top of all that, you will enter the same password several times a day for a single resource, with the frequency depending on how sensitive the data behind that service is.  Every time you want to check your balance, or perform a transaction at your favorite bank’s website, you have to provide the appropriate password.  Another thing compounding this password fatigue is the possibility of having to input the password multiple times during the same login attempt. It is harder still when the password is masked while you are typing and you’re just not that good at typing blind.

Let’s face it; passwords today are annoying at best - it's a wonder that we didn't start complaining about password fatigue sooner!

Imagine, if you will...

“In the wired 21st century, passwords are proliferating at an alarming rate. According to a recent survey, the average person now has 19 passwords to remember.”

When will it stop?  Where will it end? Can you imagine the password fatigue that would arise if we needed passwords for everything?

You wake up in the morning and you have to enter a 4-digit code on your electric toothbrush, simply to get it to turn on.  After that, you'll need to input yet another code to get the toothpaste open.

Now, how about flushing the toilet, turning on the shower or even opening the fridge to get a snack - can you imagine needing a password for those activities?

Given the recent trend in passwords, in addition to taking the time to enter each of these codes, you’d certainly want to make sure each one is unique - if someone gets into your toothbrush, you don’t want them gaining access to the paste as well.  A free teeth cleaning at your expense?  Never!

So, What Can We Do About It?

The future of password fatigue looks to be deteriorating into more than just having to remember too many passwords.  Users have so many passwords now - and they all have to be so complicated - that common practice has become storing them in a password vault which (you guessed it) is also protected by a password.  That’s either very interesting or exceedingly annoying, depending on your viewpoint... passwords protected by a password.

If the first point of authentication were strong enough that it could not easily be compromised, and access to each resource were granted only to someone who had already passed that first check, we could confidently do away with all the other passwords.

For example, instead of locking down all of the “stuff” in your home, put a killer lock or two or more on the front door.  It will take you longer to get into your house, sure, but once in, everything is easily accessible.  Placing more emphasis on preventing initial access might just be the way to go.  After all, if a would-be intruder took the time and effort to open all five locks and deadbolts, someone would surely have seen him and reported the suspicious behavior.

If password fatigue for each protected resource that we access on a daily basis is the ailment, and a quality cure is required, how about we look to an existing answer? An excellent solution to weaker authentication and password fatigue is Single Sign-On (SSO) combined with Two-Factor Authentication (2FA).

SSO allows the first login to a computer or portal to be leveraged when the user accesses an additional resource: the first login establishes a session (in practice a signed token or cookie issued by an identity provider) that the other resources accept as proof of identity until it expires or is revoked.  It’s just like the front-door example I used above.  The user has to prove his or her identity in order to get into the home (or your company’s web site), but once inside, they won’t be prompted to authenticate again for anything else.
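The mechanism that lets one login stand in for the others is a session token issued by the identity provider and checked by each service. The following is an added example of mine, not code from the original post: the identity provider signs an expiring token after the one strong login, and three hypothetical services verify the signature and expiry instead of prompting again. The signing key, the eight-hour session lifetime, the service names and the user are all assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json

# Signing key shared by the identity provider and the services that trust it.
# Constructed for this example; real deployments use a per-environment secret
# or an asymmetric key pair so that services hold only the public half.
IDP_KEY = b"example-idp-signing-key-not-for-production"
SESSION_TTL = 8 * 3600  # assumed policy: one session lasts a working day
SERVICES = ("mail", "files", "expenses")  # hypothetical relying services


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_token(user: str, now: float, key: bytes = IDP_KEY) -> str:
    """Identity-provider side: after the user has passed the one strong login,
    mint a signed, expiring token that stands in for that login elsewhere."""
    claims = {"sub": user, "iat": int(now), "exp": int(now) + SESSION_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_session_token(token: str, now: float, key: bytes = IDP_KEY):
    """Relying-service side: accept the token instead of prompting again, but
    only if the signature checks out and the session has not expired.
    Returns the user name, or None if the service must send the user back
    to the identity provider."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return None
        claims = json.loads(payload)
        if now >= claims["exp"]:
            return None
        return claims["sub"]
    except (ValueError, KeyError, TypeError):
        return None  # malformed token: treat exactly like no token at all


def access(service: str, token: str, now: float) -> str:
    """What each service does on a request that carries the SSO token."""
    user = verify_session_token(token, now)
    if user is None:
        return f"{service}: no valid session, redirect to identity provider"
    return f"{service}: access granted to {user}"


def walkthrough() -> dict:
    """One login, several resources, then the two ways the token stops working."""
    t0 = 1_700_000_000.0
    token = issue_session_token("alice", t0)
    results = {}
    # One authentication, three services, no further prompts.
    results["same_session"] = [access(s, token, t0 + 60 * i) for i, s in enumerate(SERVICES)]
    # A token whose subject has been edited no longer matches its signature.
    payload_b64, sig_b64 = token.split(".")
    forged = _b64(_unb64(payload_b64).replace(b"alice", b"admin")) + "." + sig_b64
    results["forged"] = access("files", forged, t0 + 120)
    # Once the session expires the user goes back through the front door.
    results["expired"] = access("files", token, t0 + SESSION_TTL + 1)
    return results


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(name, value)
```

The point of the forged and expired cases is that every service makes the same two checks (signature, expiry) and nothing else; the strength of the whole arrangement therefore rests on the one login that produced the token, which is exactly the "front door" trade-off the next paragraph raises.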

“Fine,” you say, “but isn’t that less secure? If the bad person gets into the system, everything is at their disposal."  Under normal circumstances, I would agree.  That’s where the 2FA comes into play.

2FA is loosely defined as verifying identity with something that you know (like a password) and something that you have (such as your cell phone).  After verifying that your password is correct, the security system sends an OTP (one-time password) to the 'what you have'.  Entering the OTP at the second prompt during the authentication process grants you access to the web site or portal and all the glorious applications that you can’t live without.  One caveat: codes delivered by SMS are the weakest form of this second factor, since they can be intercepted or redirected through the phone carrier; an authenticator app or a hardware key plays the same role more safely.
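As an added example (mine, not code from the original post), here is the two-prompt flow just described, in Python: the password is checked first, and only then is a six-digit one-time code "sent" to the user's phone; the server stores only a hash of the code and accepts it once, within a short window, with a cap on wrong guesses. The user record, the two-minute validity window and the three-attempt limit are assumptions for the example, and SMS delivery is simulated by returning the message text.

```python
import hashlib
import hmac
import secrets

OTP_TTL = 120          # assumed policy: a delivered code is valid for two minutes
OTP_MAX_ATTEMPTS = 3   # assumed policy: wrong guesses before the code is voided
_PBKDF2_ROUNDS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _PBKDF2_ROUNDS)


# Constructed user record: salted PBKDF2 hash (what the user knows) and the
# phone number a code is delivered to (what the user has).
_SALT = b"constructed-salt-for-example"
USERS = {
    "alice": {
        "salt": _SALT,
        "pw": _hash_password("correct horse battery staple", _SALT),
        "phone": "+1-555-0100",
    },
}

# Pending challenges keyed by user: hash of the code, expiry, attempts left.
_challenges = {}


def check_password(user: str, password: str) -> bool:
    """Factor one. Unknown users still pay for a hash so timing does not
    reveal which user names exist."""
    record = USERS.get(user)
    if record is None:
        _hash_password(password, _SALT)
        return False
    return hmac.compare_digest(record["pw"], _hash_password(password, record["salt"]))


def issue_otp(user: str, now: float, code=None) -> str:
    """Factor two, step one: generate a code, keep only its hash, and 'send'
    it. `code` may be supplied to make the flow deterministic in tests."""
    if code is None:
        code = f"{secrets.randbelow(10**6):06d}"
    _challenges[user] = {
        "digest": hashlib.sha256(code.encode()).digest(),
        "expires": now + OTP_TTL,
        "attempts": OTP_MAX_ATTEMPTS,
    }
    return f"SMS to {USERS[user]['phone']}: your code is {code}"


def verify_otp(user: str, code: str, now: float) -> bool:
    """Factor two, step two: the code must be current, unused and correct."""
    ch = _challenges.get(user)
    if ch is None or now > ch["expires"]:
        _challenges.pop(user, None)
        return False
    if hmac.compare_digest(ch["digest"], hashlib.sha256(code.encode()).digest()):
        del _challenges[user]      # one-time: the same code replayed must fail
        return True
    ch["attempts"] -= 1
    if ch["attempts"] <= 0:
        del _challenges[user]      # too many guesses: the user must request a new code
    return False


def begin_login(user: str, password: str, now: float, code=None):
    """Prompt one. Returns the delivery message, or None if the password fails
    (no code is sent, so a wrong password never triggers an SMS)."""
    if not check_password(user, password):
        return None
    return issue_otp(user, now, code)


def complete_login(user: str, code: str, now: float) -> bool:
    """Prompt two. True only after both factors have been presented."""
    return verify_otp(user, code, now)


if __name__ == "__main__":
    sent = begin_login("alice", "correct horse battery staple", 0.0)
    print(sent)
    print("login ok:", complete_login("alice", sent.rsplit(" ", 1)[1], 5.0))
```

Three behaviours in `verify_otp` are what make the second factor worth having: a code works once, it expires, and a handful of wrong guesses voids it, so the six digits cannot simply be brute-forced while the window is open.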

In terms of reducing password fatigue - or taking steps toward eradicating it altogether - that's a great start.

Similar to how the icebergs appear to be on a course for global meltdown, Password Fatigue - if not addressed - could also flood the world with too many passwords. Let's do what we can, a few simple things here and there, to keep that from happening.  After all - password fatigue or not - I don't really want to deal with that when I'm brushing my teeth!

So tell me, what steps have you taken to eliminate password fatigue? Please share your thoughts in the comments below.



Tags: Authentication Methods, Authentication Security, password fatigue, Password Management, Password Security, Single Sign-On, Two-Factor Authentication

Author: Larry Conroy