Ensuring strong password hygiene is an important task for CIOs and CISOs, as it helps build the foundations underpinning solid organizational security. However, is good password hygiene enough in today’s cybersecurity climate? This World Password Day, experts are warning that passwords are a dated tool and offer little protection against today’s threat landscape.
Leading experts have shared their insights on password hygiene, organizational best practice, and a passwordless future.
Implementing strong password hygiene
Passwords are still an essential first line of defense against hackers, and good hygiene is something CIOs should actively encourage.
According to Field Technology Officer at CyberArk, David Higgins: “Advice encouraging organizations to better their password hygiene and improve their overall security isn’t new… And the advice itself hasn’t changed. Yet, here we are in 2023 with the same identity issues plaguing organizations who still haven’t got the hang of password management as part of their identity security programs. As such, it’s leaving sensitive data and assets at risk.”
Simon Horswell, Fraud Specialist at Onfido, agrees: “‘Password’ and ‘12345’ remain among the most popular passwords in the UK, despite repeated warnings about the security risks they pose. In fact, 83% of the most commonly used passwords can be cracked in less than a second.”
But it’s not just password hygiene that is failing. Our everyday online practices are also leaving us vulnerable.
OneSpan’s Field CTO, Will LaSala, says: “Every time you type in your password online, you share part of your digital identity, opening up opportunities for your sensitive data to be compromised. With a strong and secure password, you can help reduce the likelihood of breaches – but as Web3 adoption nears and cyber-attacks rise, this is no longer enough.”
Best practice makes (almost) perfect
So, what should organizations focus on moving forward? In today’s digital world, we must remember the importance of safe password storage, using tools like password managers.
Analysis from Veracode found that over 40% of software scanned by their tools contains some form of credential management flaw and that the most common is the use of hard-coded passwords. Veracode’s EMEA CTO, John Smith, says: “It is therefore important to avoid the use of hard-coded passwords or the storage of credentials in easy-to-locate areas; all authentication communication should be encrypted, without the use of hard-coded encryption keys.”
Scott McKinnon, Field CISO, VMware, sees third-party password managers as an alternative to creating unique passwords. “These services generate and store unique and complex passwords for each account with encryption. They often come as a package deal with a mobile device such as Apple Keychain and Google Password Manager or are available for download in app stores.”
While password managers may not be the perfect solution, they are better than nothing. Paulo Henriques, Head of Cybersecurity Operations, Exponential-e, states: “When used cautiously, password managers can be a great security tool and are at the very least better than employees storing hard-to-remember passwords in spreadsheets or documents.”
ForgeRock’s CEO, Fran Rosch, believes the first step is getting rid of passwords and moving towards newer solutions. “Abolishing weak passwords by going passwordless significantly helps enterprises reduce risk and stop threats at scale. As identity theft and breaches reach unprecedented levels, organizations need to take advantage of technology that strengthens security. This includes the adoption of passwordless solutions that incorporate things like biometrics, authenticator apps, tokens, and certificates, as well as AI-based access management.”
F5’s Director, David Warburton, corroborates Rosch’s thoughts and thinks that multi-factor authentication is essential. “Multi-factor authentication should be used by everyone. Sometimes the theft or brute-force of guessing a password is inevitable. Having a second factor of authentication, such as a time-based code on a mobile phone app, can prevent attackers from gaining access to your account even if they obtain your password.”
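As an added illustration of the second factor Warburton describes (example code written for this article, not from F5 or any vendor): a minimal RFC 6238 TOTP verifier with a clock-drift window and replay rejection, paired with a password check so that a leaked password alone does not authenticate. The user record layout, salt and sample secret are constructed for the demo.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the current 30-second Unix time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> Optional[int]:
    """Return the matching time-step counter, or None. Accepts +/- `window`
    steps to tolerate phone/server clock drift; compares in constant time."""
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return counter + delta
    return None


def make_record(password: str, totp_secret: bytes) -> dict:
    """Constructed sample user record (hypothetical schema, not any product's)."""
    salt = b"constructed-demo-salt"
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
            "totp_secret": totp_secret,
            "last_counter": -1}


def authenticate(record: dict, password: str, code: str, now: int) -> bool:
    """Both the password and a fresh TOTP code are required; a stolen password alone fails."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], 200_000)
    password_ok = hmac.compare_digest(candidate, record["pw_hash"])
    matched = verify_totp(record["totp_secret"], code, now)
    # Replay rejection: each time step is usable once, so a code observed in transit is dead after first use.
    if not password_ok or matched is None or matched <= record["last_counter"]:
        return False
    record["last_counter"] = matched
    return True
```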
When it’s all said and done, no matter the technological solutions in place, training remains imperative to organizational security.
Higgins recommends using modern identity protocols, adopting a security-first approach built on the principle of least privilege. He says: “This is a holistic method to implementing better identity security, bolstering a business’s password protection levels, but also providing much better all-round security for identities, which are a critical attack vector.”
“World Password Day makes us reflect on our own passwords and how they can be made stronger with the use of further precautions,” states Fortinet’s Deputy CISO, Renee Tarun. “There must simultaneously be more training and education of cybersecurity ensuring people are up-to-date with trends and techniques hackers are using.”
Organizations should also be auditing their current security practices and training. Unless those practices are kept up to date with current threats, they risk doing more harm than good.
Matillion CISO, Graeme Cantu-Park, states: “Many businesses demand that their employees modify their passwords approximately every three months, but this often does more harm than good, as most users simply rotate through a number of weak passwords, which can be easily broken through by attackers. It would be much more user-friendly to empower users to have one single strong password per system. Each password could be based, for example, on three memorable random words, thus reducing the need to periodically recycle passwords and making them harder to crack.”
An alternative to traditional passwords
“Passwords remain the de facto standard for user access and authentication for online applications,” states Horswell. “But, it’s time we remind ourselves that they are no longer a sufficient form of digital authentication. Instead, businesses should pursue alternative ways to protect online accounts and customers’ personal data.”
Rosch agrees: “As we reflect on World Password Day, it’s clear that unless we eliminate passwords altogether, we will continue to live in a lose-lose situation where online experiences will remain frustrating for users and attackers continue to keep stealing our information.”
However, it’s important to realize that a passwordless future still relies on various other forms of credentials.
Henriques says, “We hear a lot of excitement for a password-less future but it’s important to remember that this is not a catch-all solution for information security. To be password-less still means relying on biometric authentication, and fingerprint or retina scans offer a vulnerable database for attackers to compromise.”