Every year, World Password Day presents organisations a reminder and challenge to edge further away from using – or completely abandon – what’s often the weakest link in an organisation’s cybersecurity
But does more need to be done to accelerate the shift?
Amidst a cyber insurgency, IT leaders are facing the dual task of ensuring employees uphold watertight cyber hygiene while fighting off an increase in organisational data theft. More permanent hybrid working structures are seeing employees (literally) left to their own devices who urgently require the right tools, processes, and cybersecurity awareness to securely log in and out from any location.
With their finger on the pulse of the global cybersecurity landscape, some of the industry’s top experts below expose the risks of using passwords and explore the emerging authentication methods that will help organisations overcome their inherent vulnerabilities.
Passwords require management at the minimum
Firstly, David Warburton, Lead, Threat Research at F5 Labs considers passwords as outdated. He says,
“passwords are still today the single biggest weakness of modern-day computing and the internet as we know it. They are the root cause of the majority of data breaches and widely considered no longer fit for purpose. To keep things simple for us, we often re-use the same password from site to site. Attackers, therefore, don’t even need to use powerful computers to guess billions of passwords a second. They can just download a list of the most commonly used passwords and use those to try and access your account. These ‘credential stuffing’ attacks typically only have a 1-3% success ratio, but to an attacker who has time and patience on their side, that could still result in malicious access to thousands of bank accounts, corporate networks, or personal emails.” He also adds, “World Password Day is a reminder that internet users should create unique passwords for every site. This is by far the most effective thing you can do to stay safe on the internet. Additionally, password managers are also useful to store unique and complex passwords and can prevent our accounts from being taken over by attackers. Many of them can automatically create truly random passwords of varying complexity and length. They can also warn you if a password has been used multiple times across different sites.”
DNA or heartbeat and brainwave biometrics could be the next big thing
This sentiment is echoed by Rick McElroy, Principal Cybersecurity Strategist at VMware, who also believes that passwords have been firmly established as the weakest link in an organisation’s cybersecurity strategy. He understands that,
“exploiting them is as easy as picking a lock for hackers. I hope that passwords will become a thing of the past very soon. We are already seeing other methods of authentication, such as fingerprint biomarkers and one-time passcodes, being used alongside traditional passwords to ensure robust security measures. I believe we will begin to see other factors, such as DNA or heartbeat and brainwave biometrics, considered for authentication as well. While these authentication factors are being tested on the battlefield, they may soon be leveraged in the civilian world to verify identity in healthcare or ensure secure access to critical data and infrastructure. Additionally, we’re seeing the emergence of skill-based authentication with devices that scan for specific body movements. This is something like the ‘draw on the grid’ tools that Android phones use to unlock phones – but in 3D space with entire arm or hand and finger movements. Until we live in a world without passwords, moving away from a central store of identities and leveraging multi-factor authentication will go a long way in bolstering an organisation’s security.”
Rotating passwords often does more harm than good
Graeme Cantu-Park, Chief Information Security Officer at Matillion, disagrees with the use of many passwords. He adds,
“I would love for World Password Day to be World Password-less Day in the not too distant future, but right now that seems unlikely. There’s far too much legacy IT out there that can’t support password-less access and magic links (one-time-use codes that allow users to access their accounts in place of a traditional password), for example.”
He believes that “realistically, the best way to improve password security in the short term is to rethink the established password management conventions. Many companies require employees to change their passwords every 90 days or so, but this often does more harm than good; most users rotate through a series of weak passwords, that can be easily brute forced by attackers. A much more user-friendly policy is to encourage users to adopt a single strong password per system, based on three memorable random words, for example. This reduces the need for regular password cycling and makes them harder to crack.”
Multi factor authentication is non-negotiable
Paulo Henriques, Head of Cyber Security Operations at Exponential-e argues that passwords always have to be followed by multi-factor authentication. In fact, he highlights,
“the average person has approximately 100 different passwords according to NordPass research, begging the question: how can one individual remember that many passwords? Quite simply, we can’t. Hence, many of us are guilty of using the same combination of numbers, letters, and characters over and over again, even though the risks from doing so are high.”
What’s more, he understands, “it’s easy to forget passwords remain the gatekeepers to an unthinkable amount of private, personal, and work information. It’s why they’re so valuable to cyber criminals. Password managers have proven very useful in combatting certain threats because they protect automatically generated, difficult to crack passwords in a secure vault. But ultimately these vaults themselves are commonly accessed via passwords, meaning the same problem persists.”
Fundamentally, Henriques stresses that, “where passwords are involved, multi-factor authentication simply has to follow. The additional security information it requires users to present above passwords, including “something you know”, “something you have”, and “somewhere you are” – i.e., biometric information – makes it far more difficult for attackers to profit from credential abuse.”
Digital identities now consist of a mix of human and robot identities
Bryan Murphy, Senior Director, Consulting Services & Incident Response at CyberArk, highlights the changing threat landscape as attackers also begin targeting bots. He notes,
“humans aren’t the only target for attackers who seek to compromise credentials as their easiest pathway to an organisation’s critical data and assets. Humans remain a lucrative and relatively easy target; the average staff member has more than 30 digital identities, and over half have some kind of sensitive access. But software bots – little pieces of code that do repetitive tasks – exist in huge numbers across the average global organisation – and have become an enticing target. Attackers specifically go after bots because they know that in many cases that their passwords are not being rotated. They know also that bots are generally over-permissioned, with more access than they need and not monitored as human identities are for anomalies. A compromised bot allows an attacker to maintain access and stay there undetected. Even today, we still see bots that backup all servers or domain admin accounts. In some cases, these bots are still using default passwords. A compromise here becomes a ‘game over’ situation for the targeted organisation.” In addition, “robotic process automation bots are a major component of digital business – especially with the rise in investments in automation. They need information – and access – so they can do what they do. In fact, 68% of non-humans or bots have access to sensitive data and assets, according to the CyberArk 2022 Identity Security Threat Landscape report. The report showed that machine identities now outweigh human identities by a factor of 45x on average, and that their credentials are mostly not being properly protected – further driving up security concerns.”
Improved strong cybersecurity education will account for human error
Dave Spillane, Systems Engineering Director at Fortinet, thinks that strong passwords need to be backed up by strong cybersecurity awareness amongst employees. He adds,
“World Password Day serves as a reminder for users to update weak or old passwords to ensure the security of personal and corporate information. As cyber threats continue to evolve and bad actors develop new attack techniques, a good cybersecurity posture requires more than just a strong password to avoid compromise. And in the new world of hybrid work, it’s undoubtedly more critical than ever to have a strong password for all platforms as employees no longer have the same level of onsite IT and security support to help. So, when it comes to passwords, the advice for employees must be kept straightforward.
“Our recent 2022 Cybersecurity Skills Gap report showed that while business leaders are viewing security breaches as an ever-increasing concern, there is a problematic gap when it comes to employee cybersecurity knowledge and understanding. It found that 87 per cent of organisations have implemented a training programme to increase cyber awareness. However, 52 per cent of leaders believe their employees still lack necessary knowledge, which raises question around how effective their current security awareness programmes are.”
Are organisations ready for a password-less future?
While it’s unrealistic to suggest a complete boycott of passwords in the immediate future, an acceleration is needed if organisations are to outthink attackers. Maintaining the highest grades of security requires an overhaul of legacy authentication, with password managers in place at the minimum. But to effectively address the misuse of passwords, IT leaders must be willing to phase them out using emerging authentication technologies – capable of overcoming human error – combined with regular cyber awareness training.
About the Author/s
Senior executives at F5, VMware, Matillion, Exponential-e, CyberArk and Fortinet.