World Password Day: Celebrate or sayonara?
Every year, World Password Day serves as a reminder that passwords are the first line of defense against an ever-changing threat landscape. However, over the past few years, the notion that passwords actually do little to defend against hackers has continued to snowball.
This World Password Day, we asked a group of experts within the cyber security and wider technology field to discuss the topics of password hygiene, best practice, and the notion of a password-less future.
We are plagued by new and old issues in 2023
According to David Higgins, Field Technology Officer at CyberArk, "Advice encouraging organizations to better their password hygiene and improve their overall security isn't new... And the advice itself hasn't changed. Yet, here we are in 2023 with the same identity issues plaguing organizations that still haven't got the hang of password management as part of their identity security programs. As such, it's leaving sensitive data and assets at risk."
Simon Horswell, Fraud Specialist at Onfido, corroborates this: "'Password' and '12345' remain among the most popular passwords in the UK, despite repeated warnings about the security risks they pose. In fact, 83 percent of the most commonly used passwords can be cracked in less than a second."
Password hygiene is still failing, and the latest technological advancements also severely impact even the most exceptional password practice.
So, we know that password hygiene is still a major issue. But the issue is now compounded by advancements in technologies like generative AI and Web3.
OneSpan's Field CTO, Will LaSala: "Every time you type in your password online, you share part of your digital identity, opening up opportunities for your sensitive data to be compromised. With a strong and secure password, you can help reduce the likelihood of breaches -- but as Web3 adoption nears and cyber-attacks rise, this is no longer enough."
What does a good cyber security strategy look like in 2023?
It is evident that organizations are dealing with added complications in 2023. So, what do experts believe organizations should prioritize moving forward?
F5's Director, David Warburton, thinks that multi-factor authentication is essential. "Multi-factor authentication should be used by everyone. Sometimes the theft or brute-force of guessing a password is inevitable. Having a second factor of authentication, such as a time-based code on a mobile phone app, can prevent attackers from gaining access to your account even if they obtain your password."
ForgeRock's CEO, Fran Rosch, meanwhile, believes it is critical that we get rid of passwords and move towards newer solutions. "Abolishing weak passwords by going passwordless significantly helps enterprises reduce risk and stop threats at scale. As identity theft and breaches reach unprecedented levels, organizations need to take advantage of technology that strengthens security. This includes the adoption of passwordless solutions that incorporate things like biometrics, authenticator apps, tokens, and certificates, as well as AI-based access management."
Due to rapid digitization, many users within an organization possess an array of complicated passwords; failing to secure them safely opens the door to an array of threats.
Recent analysis from Veracode found that over 40 percent of software scanned by their tools contains some form of credential management flaw and that the most common is the use of hard-coded passwords. Veracode's EMEA CTO, John Smith, says: "It is therefore important to avoid the use of hard-coded passwords or the storage of credentials in easy-to-locate areas; all authentication communication should be encrypted, without the use of hard-coded encryption keys."
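As an added example (not from the article, and not Veracode's tooling) of the kind of check John Smith's advice implies: a small Python scanner that flags string literals assigned to credential-looking variable names, run over constructed sample lines, while ignoring values read from the environment or fetched from a vault at runtime. The keyword list and the `get_secret` call in the sample are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample source lines for this example; none of these are real secrets.
SAMPLE_SOURCE = """\
DB_PASSWORD = "hunter2"
api_key = 'example-api-key-not-real'   # literal, flagged
password = os.environ["DB_PASSWORD"]   # read at runtime, fine
secret_key = get_secret("db/secret")   # fetched from a vault, fine
password_prompt = "Enter your password:"
token = ""
"""

# Simple assignment: name = value (the value may trail into a comment).
ASSIGN = re.compile(r"^\s*(?P<name>[A-Za-z_]\w*)\s*=\s*(?P<value>.*)$")
# A quoted string at the start of the value; tolerates escaped quotes inside it.
LITERAL = re.compile(r"""^(?P<q>["'])(?P<body>(?:\\.|(?!(?P=q)).)*)(?P=q)""")
# Assumed list of variable-name fragments that usually hold credentials.
CRED_KEYWORDS = ("password", "passwd", "pwd", "secret", "api_key", "token")


def redact(value: str) -> str:
    """Mask a found value so the scan report itself does not leak the secret."""
    return value[:2] + "*" * (len(value) - 2) if len(value) > 2 else "*" * len(value)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, variable name, redacted value) for each literal credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if not any(k in name.lower() for k in CRED_KEYWORDS):
            continue                      # not a credential-looking name
        lit = LITERAL.match(value)
        if not lit:
            continue                      # env lookup, vault call, etc.: not a literal
        body = lit.group("body")
        if not body or name.lower().endswith("_prompt") or body.endswith(":"):
            continue                      # empty placeholder or UI text, not a secret
        findings.append((lineno, name, redact(body)))
    return findings


if __name__ == "__main__":
    for lineno, name, shown in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} = {shown}  (hard-coded credential)")
```

A pattern check like this is cheap to run in CI; it catches the most common credential management flaw the Veracode figure refers to but not credentials hidden in config files or built up from fragments.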
While password managers may not be an all-encompassing solution, they are better than nothing.
Paulo Henriques, Head of Cybersecurity Operations, Exponential-e, agrees: "When used cautiously, password managers can be a great security tool and are at the very least better than employees storing hard-to-remember passwords in spreadsheets or documents."
Scott McKinnon, Field CISO, VMware, views third-party password managers as an alternative to creating unique passwords. "These services generate and store unique and complex passwords for each account with encryption. They often come as a package deal with a mobile device such as Apple Keychain and Google Password Manager or are available for download in app stores."
There is obviously enormous emphasis on technology when it comes to security. However, organizations must place the same emphasis on training individual employees.
Higgins recommends using modern identity protocols, adopting a security-first approach built on the principle of least privilege. He says: "This is a holistic method to implementing better identity security, bolstering a business's password protection levels, but also providing much better all-round security for identities, which are a critical attack vector."
"World Password Day makes us reflect on our own passwords and how they can be made stronger with the use of further precautions," states Fortinet's Deputy CISO, Renee Tarun. "There must simultaneously be more training and education in cybersecurity, ensuring people are up-to-date with trends and techniques hackers are using."
It is important that organizations look into their current security practices and training as some may, in fact, decrease the overall security of an organization.
Matillion CISO, Graeme Cantu-Park, agrees when it comes to password modification: "Many businesses demand that their employees modify their passwords approximately every three months, but this often does more harm than good, as most users simply rotate through a number of weak passwords, which can be easily broken through by attackers. It would be much more user-friendly to empower users to have one single strong password per system. Each password could be based, for example, on three memorable random words, thus reducing the need to periodically recycle passwords and making them harder to crack."
Is it time to wave goodbye to passwords?
Rosch believes it is time to move beyond passwords: "As we reflect on World Password Day, it's clear that unless we eliminate passwords altogether, we will continue to live in a lose-lose situation where online experiences will remain frustrating for users and attackers continue to keep stealing our information."
While a passwordless future is an exciting notion, we must remember that it will still rely on various other forms of credentials.
Henriques states, "We hear a lot of excitement for a password-less future but it's important to remember that this is not a catch-all solution for information security. To be password-less still means relying on biometric authentication, and fingerprint or retina scans offer a vulnerable database for attackers to compromise."
Passwords are an outdated security tool. The quicker that organizations come to terms with this, the better. However, we are currently stuck with them and need to use solutions like MFA, password managers, etc., and focus on training for employees to better protect themselves and keep organizations safe.
"Passwords remain the de facto standard for user access and authentication for online applications," states Horswell. "But, it's time we remind ourselves that they are no longer a sufficient form of digital authentication. Instead, businesses should pursue alternative ways to protect online accounts and customers' personal data."