With countless cyber breaches originating from the exploitation of password-only authentication systems, is the world ready to take the next leap?
By now, anyone who has ever read about cyberattacks and data breaches around the world will have figured out that login and access passwords are the Achilles heel facilitating hackers’ strategies to break into corporate networks.
Strong password hygiene is so critical in every facet of the digital world that it should now be ‘muscle memory’ whether we are at work or at play. Do we really need a World Password Day every year to keep us on our toes? If something is so critical that it has to be remembered with every tap of a mouse button or smartphone screen, then the time has come to have a day where we make everyone remember something even more important that has not happened globally yet: getting rid of the inadequate password! Should we have a No Password Day instead?
The jury is still out, but here are seven perspectives from people in the cybersecurity and identity management industries …
A lose-lose situation as long as passwords are in use
“Our industry has been talking about the vulnerability of weak passwords for years, yet data breaches are still a major concern, and organizations underestimate the risks associated with relying on passwords to protect valuable information. Closely monitoring password activity is critical to ensuring that attackers haven’t slipped through a company’s security. For example, if an employee gets locked out of the system and does not request help from their IT team, that person’s credentials are now at risk.
As identity theft and breaches reach unprecedented levels, organizations need to take advantage of technology that strengthens security. This includes the adoption of passwordless solutions that incorporate things like biometrics, authenticator apps, tokens, and certificates, as well as AI-based access management.
It is clear that unless we eliminate passwords altogether, we will continue to live in a lose-lose situation where online experiences will remain frustrating for users and attackers continue to steal our information.” — Fran Rosch, CEO, ForgeRock
Taking a holistic approach to identity security
“With as many as 921 password attacks occurring per second globally, it is time for organizations to treat every employee’s network credentials like the true operational risk they are. It is important to apply a least-privilege approach to ensure that employees can securely share credentials without revealing password characters.
Recognize that all workforce users’ passwords should be protected with the same security-first approach that organizations apply to privileged users’ credentials.
Ultimately, as organizations bolster their password protection capabilities, they should also work towards a holistic approach to identity security, to ensure privilege controls are applied across the board for all identities.” — Vincent Goh, President and General Manager (APJ), CyberArk
They sufficed in the distant past, now let us put them to pasture already!
“Although passwords were reliable in the past, it is time to bolster security solutions with more secure and robust authentication methods, like biometric authentication, to ensure that the user accessing an account is the authorized and unharassed user.
For example, Netflix’s seemingly controversial new policy against password sharing is a best practice that all organizations should follow. For consumers, sharing a password may seem like a harmless way to help friends or family save money, but the best practice when it comes to passwords is to never share them because the practice opens up gateways for cybercriminals to pull off identity theft, financial fraud and phishing attacks.
Consumers and organizations alike need to implement newer, more secure methods of authentication to safeguard their data.” — Stuart Wells, Chief Technology Officer, Jumio
Creating strong and unique passwords is hardly sufficient anymore
“The saying ‘use a strong and unique password across each website’ is a step forward for most people, but it is not easy to manage several hundred passwords daily. It is not just about creating strong and unique passwords, but leveraging features like multifactor authentication to ensure accounts remain secure even if passwords have been exposed.
As an interim aid, some sites offer password-less sign-on, which leverages a second factor such as a phone, to help facilitate logging in without passwords. This is not as widespread a feature across many websites, but it is another solution to help address some of the challenges posed by passwords alone.” — Satnam Narang, Sr. Staff Research Engineer, Tenable
Taking the leap to a holistic Passwordless approach
“The password approach has undergone an evolution in recent years, and with good reason. The tendency for password recycling, as well as the unending possibilities for password theft, have rendered conventional passwords ineffective for the needs of today’s digital-first world. In its place are alternatives like non-SMS one-time passwords (OTPs), multi-factor authentication and biometric authentication methods.
Yet, when even facial recognition or fingerprint-based authentication has proven fallible, the reality businesses must reckon with is that these methods alone simply will not suffice as the last line of defense against malicious cyber actors. Instead, the risks present today necessitate a multi-pronged (holistic) approach to securing identities. A passwordless approach affords IT teams better control over the organization’s overall identity management strategy by eliminating compromised passwords as a vulnerability. Using device or security keys also improves employees’ convenience, while reducing IT complexities. However, in an age of quickly advancing AI-based cyberattacks where publicly available biometric information can be used to launch attacks, a passwordless approach on its own is not a guarantee.
Instead, passwordless authentication methods should be integrated with intelligent and automated identity and access management (IAM) solutions that boost security for businesses by ensuring the right level of access is being allocated to the right users via a single digital identity. This is especially critical today, given that organizations are more reliant than ever on third-party vendors and non-employees for contingency labor.
By controlling the level of access that employees and non-employees alike have, businesses can then intercept illegitimate attempts to access privileged information or systems — and attain all-round network observability across their organization.” — Chern-Yue Boey, Senior Vice President, Asia-Pacific, SailPoint
Software firms and application developers have a major part to play
“Often, password compromises can be blamed on inadequate software development practices or vulnerable software. Additionally, poor password hygiene can occur when technical controls are not effectively and responsibly implemented, such as firm mandates for strong and effective password hygiene.
Ensuring that users observe secure practices is a crucial element of protecting digital identities and sensitive information whether they are shopping online, participating in social media or using mobile banking apps. IT teams, software developers and commercial software firms need to take the bull by the horns and make it seamless and painless for users to maintain a secure environment in which to protect their data. Take advantage of new technologies that are continuously emerging to improve security and scalability while also accounting for a low-friction user experience.” — Synopsys Software Integrity Group: Amit Sharma, Security Engineer; Thomas Richards, Principal Consultant
Until their total uprooting, let us make passwords less useful to hackers
“The risks of all kinds of breaches can be remedied in the meantime by establishing secure passwords, making it much more difficult for cybercriminals to guess these combinations, ensuring the highest level of security for our devices. Definitive keys to achieving this include:
- The longer and more varied, the better: Passwords should be at least 14 to 16 characters long and consist of different upper- and lower-case letters, symbols and numbers. It has been noted that simply increasing the password length to up to 18 characters can create a completely unbreakable key.
- Easy to remember, complex to guess: The unbreakable password should be a combination that only the user knows, so it is advisable not to use personal details such as dates of anniversaries or birthdays, or the names of family members. A simple way to create passwords that anyone can remember is to use complete sentences (i.e., a passphrase), either using common or absurd scenarios, with rudimentary examples such as ‘meryhadalittlelamb’ or its industry-standard version, ‘#M3ryHad@L1ttleL4m8’.
- Unique and unrepeatable: Always create a new password each time a service is accessed and avoid using the same password for different platforms and applications.
- Keeping them private, always: It is a premise that may seem basic but is important to remember. A password should not be shared with anyone, and it is especially advisable not to write it down anywhere near the computer or even in a file on it. Use tools such as password managers to automate the regime if needed, although even password managers can be breached.
- Augmentation with other authentication routines: In addition to having a strong and secure password, the use of multifactor authentication is a major security enhancement.
- Change them periodically, no Ifs and Buts! Sometimes, even after following all these practices, incidents beyond our reach occur. Therefore, it is advisable to periodically check whether an email address has been involved in a third-party breach, as well as to try to trace the accounts that may have been compromised. To do this, there are public access tools such as the Have I Been Pwned website. Similarly, even in the absence of any breach it is always recommended to revise passwords every few months.” — Rebecca Law, Country Manager (Singapore), Check Point Software Technologies
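As an added illustration of the checklist above (example code written for this article, not Check Point's own), this Python function applies the length, character-class, personal-detail and reuse rules to a candidate password and reports a naive entropy estimate for the two example passwords quoted. The personal-detail list and the stored hash of a previous password are constructed sample data.

```python
import hashlib
import math
import string

# Constructed sample data for this example: details the user should avoid,
# and the SHA-256 of one password they used before (stored hashed, not plain).
PERSONAL_DETAILS = {"alice", "1990", "rover"}
PREVIOUSLY_USED = {hashlib.sha256(b"Winter2023!").hexdigest()}

# Character classes and the alphabet size each one contributes.
CLASSES = [
    (str.islower, 26),
    (str.isupper, 26),
    (str.isdigit, 10),
    (lambda c: c in string.punctuation, len(string.punctuation)),
]


def present_classes(pw: str) -> list:
    """Alphabet sizes of the character classes actually used in pw."""
    return [size for test, size in CLASSES if any(test(c) for c in pw)]


def entropy_bits(pw: str) -> float:
    """Upper-bound entropy: assumes every character was chosen uniformly
    from the classes present. A dictionary phrase is really far weaker."""
    alphabet = sum(present_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str, min_len: int = 14) -> list:
    """Return the rules from the checklist that pw fails (empty = passes)."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(present_classes(pw)) < 3:
        problems.append("uses fewer than three character classes")
    if any(detail in pw.lower() for detail in PERSONAL_DETAILS):
        problems.append("contains a personal detail")
    if hashlib.sha256(pw.encode()).hexdigest() in PREVIOUSLY_USED:
        problems.append("reused from a previous password")
    return problems


if __name__ == "__main__":
    for candidate in ("meryhadalittlelamb", "#M3ryHad@L1ttleL4m8", "Winter2023!"):
        print(candidate, round(entropy_bits(candidate), 1), check_password(candidate))
```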