Despite a rise in usage of biometric account security such as facial recognition, passwords still remain commonplace within organisations of all sizes, often as part of multi-factor authentication. But even with that vital mixture of upper case, lower case, numbers and punctuation marks, threat actors can and have continued to find success from infiltrating networks. With this in mind on World Password Day, we explore what more can be done to strengthen password authentication.
To combat password breaches, ensuring good password hygiene is key, along with ensuring that staff are following password hygiene protocol.
“If users must continue to use passwords, they should ensure they are following password hygiene in order to remain resilient to attacks on their personal information – many of which are not difficult to implement,” commented Dr. Mohamed Lazzouni, CTO of Aware.
Lazzouni went on to list the following steps that organisations should follow to achieve the strongest possible password security:
- First, choose challenging passwords using a combination of letters, symbols and numbers.
- Second, make them long enough and, where applicable, follow the guideline of the site providing password strength feedback.
- Do not use the same password across multiple accounts. This way, if a password associated with a lower-risk account is breached you prevent the attacker from carrying out additional breaches on higher-risk accounts that hold information such as financial records safeguarded by an often used password.
- Be cautious of anyone reaching out to “verify” contact information. Knowing definitively who you are providing your information to is critical.
- Look for security options that include biometrics (face, voice, fingerprint) during verification processes.
- Avoid sharing sensitive information over e-mail or other non-encrypted methods.
- Beware of phishing attacks where password reset requests are disguised though websites and phone calls impersonating legitimate businesses or government agencies.
- And if you suspect you have been a victim to identity theft immediately notify the concerned parties and authorities to report the incident.
Identity and access management – mitigating password-related cyber security risks
MFA as a default
Passwords alone have long been insufficient when it comes to user and organisational protection. As such, multi-factor authentication (MFA) is a must when it comes to keeping threat actors out.
“When World Password Day began, in 2013, its emphasis was on encouraging users to create and use strong unique passwords. Given the number of data breaches reported, where scammers have obtained a database of username and passwords, creating the strongest password in the world isn’t going to help if scammers already know it,” said David Cummins, vice-president EMEA at Tenable.
“Rather than reliance on passwords, the focus should be on implementing additional authentication methods, such as the use of biometrics or one time passcodes [OTPs]. In addition, rather than leaving the level of security for a user to choose, MFA should be implemented by default. It’s simple to use and provides an additional layer of security. As the majority of adults on the planet have a personal device (smartphone, tablet, etc.) capable of facilitating an authentication mechanism – beit biometrics, OTPs, etc, this really is a simple but powerful solution.
“Given that the use of passwords is still the main way to confirm identities for numerous online services and portals, consumers must protect these codes. We’re all told by our banks not to disclose our PIN (personal identification number) to anyone, however far too many scams focus on tricking individuals to disclose passwords because they work. Think before handing over any personal information, you might just be giving the keys to your online identity away.”
Could social media networks pave the way towards stronger authentication?
Privileged access security
A recent finding by the UK National Cyber Security Centre (NCSC) was that 15% of the population use pets’ names, 14% use a family member’s name, and 13% pick a notable date. With passwords proving a security challenge for employees and consumers, Joseph Carson CISSP, chief security scientist & advisory CISO at ThycoticCentrify, explained how privileged access security can mitigate risks.
“Thanks to the SolarWinds security incident in late 2020, we were all reminded that a poor password choice can not only impact your own organisation, but all connected organisations as well. This was likely one of the biggest supply chain cyber attacks in history — all stemming from poorly-created passwords,” said Carson.
“If you are a business leader, you should move beyond password managers straight into privileged access security. Rotating and choosing passwords is one of the biggest causes of cyber fatigue, so organisations can reward employees with privileged access security solutions that will eliminate one of their biggest work headaches and introduce security solutions that they will want to use.
“Privileged access security is one of the few security solutions that will transform your employee password experience into one that will make them more productive — and you’ll never need to create unique, complex passphrases for every account as privileged access management (PAM) will do that for them. It’s time to increase security and ease stress by moving passwords into the background with a modern PAM solution.”
How to control access to IoT data
With email networks proving to be a key target for hackers within the past year, a notable example being the recent attack on Microsoft Exchange, a strong email security solution has become more important as a result.
“Organisations should consider implementing an email security solution that conducts a security audit to analyse its admins, users, mailboxes, and rules for vulnerabilities such as outdated passwords so they can be resolved before a breach happens.
“Organisations should also use World Password Day to evaluate their internal password policies and send reminders to employees and customers alike about the importance of good password hygiene.”
Microsoft Exchange attacks highlight the wider issue: email is outdated
In the end, your company may find that the infrastructure in place would be best served by doing away with the password altogether. Francois Lasnier, vice-president, access management solutions at Thales, explained how this, along with a zero trust approach, can be achieved.
“This year’s World Password Day is in fact a timely reminder for businesses to drop passwords forever – they are no longer good enough and are the prime resource for hackers to gain access,” said Lasnier.
“Instead, companies should roll out access management solutions such as passwordless authentication, which verifies users through other methods like their IP address or if they are accessing through a device or operating system associated to them. This will overcome the inherent vulnerabilities of text-based passwords, while improving levels of assurance and convenience.
“No single solution is enough though, so organisations should also be looking to adopt a zero trust model in their approach to authenticating users and certifying their authorisation to access data. This strategy, based on the principle, “Never trust, always verify”, views trust as a vulnerability and requires employees to only access data they’re authorised to do so, while ensuring they verify who they are each time they want access.”