Is the password passé this World Password Day?

Maintaining basic cyber hygiene principles such as password security is key to the digital resilience of an organization, with potentially drastic repercussions if they are not followed.
5 May 2022

Today is World Password Day. Yet, despite passwords playing an important role in almost everything done online today, more devices and platforms are moving towards a passwordless ecosystem. The reason is simple: passwords are no longer as secure as they used to be.

Over the last few years, there have been numerous data breaches at organizations around the world simply because a password was easy to crack or guess. In most cases, an employee reuses the same password across multiple accounts on both personal and company-issued devices and platforms.

In fact, over 40 million Microsoft users were found to have reused passwords, so if one is lost in a breach, cybercriminals gain access to all of those accounts at once. It is also estimated that over 23 million account holders are still using “123456”, and that 57% of those targeted in phishing scams do not change their credentials.

While multi-factor authentication adds a layer of security on top of passwords, the reality is that cybercriminals are still able to infiltrate systems and wreak havoc on organizations. With that said, the next best option is biometric authentication.

However, even biometric authentication has weaknesses in some areas. To understand more about passwords and whether a passwordless future is possible, several tech experts shared their views with Tech HQ.

Bolstering defenses

According to Gee Rittenhouse, CEO of Skyhigh Security, cybercriminals today are more sophisticated at obtaining usernames and passwords, making it easier for them to carry out a data breach. Rittenhouse highlighted two steps businesses should take to boost their security.

“A first step is to bolster their approach to authentication. Simply having a username and password is no longer enough. We need to move beyond this to adopt more secure processes, such as two-factor authentication or multi-factor authentication.

The second step is the adoption of Zero Trust across the enterprise network. This means that no trust is given automatically to users – instead, it is earned through login patterns and behaviors, which facilitates tighter security. Also, employees are only given access to data, apps, and systems that are related to their daily jobs, meaning that if passwords are compromised, the subsequent damage is limited,” said Rittenhouse.


For Simon Marchand, CFE at Nuance Communications, World Password Day acts as a reminder to businesses and consumers alike that PINs and passwords are an archaic tool, no longer fit for purpose. Passwords are sold on the dark web, exploited for fraudulent activity, and have even cost unfortunate individuals vast sums of money when they forgot the passwords safeguarding their cryptocurrency.

“In our current landscape, effective fraud prevention strategies are no longer optional. Indeed, recent research from Nuance found that on average, victims of fraud lost over £3,300 each in a 12-month period – three times higher than in 2019. As such, it is high time traditional authentication methods – such as PINs and passwords – are confined to the history books,” commented Marchand.

Marchand explained that retiring them will enable modern technologies, such as biometrics, to be more widely deployed to robustly safeguard customers. Biometrics authenticate individuals immediately based on their unique characteristics, removing the need to remember PINs, passwords, and other knowledge-based credentials prone to exploitation by fraudsters, and providing peace of mind as well as security for end users.

“When it comes to fraud, prevention is always better than a cure. Today, consumers are more aware than ever of the importance to protect their own information, and they will hold accountable the organizations that don’t do enough to protect the information they share with them. Without question, businesses need to be one step ahead and education around the most effective security solutions — like biometrics — is key,” he added.

For best security, do away with the password

When it comes to creating passwords, Helena Nimmo, CIO of Endava, suggested that password security can be improved by encouraging employees to connect their chosen passwords to positive thoughts or good memories.

“Doing so will create a different mindset instantaneously. In addition, there is a myriad of tools that can be used to improve password security. Password managers are also an excellent way to achieve more password sophistication,” she added.

Interestingly, Gary Cox, Director of Technology Western Europe at Infoblox, commented that even strong passwords are not enough to secure users’ accounts, let alone network access for a business. Added to that, many organizations are still figuring out their security strategies for cloud and hybrid infrastructures, while their employees are often given the choice of working location and BYOD.

“To me, World Password Day highlights the importance of securing identity and leveraging that to practice what the industry is calling zero trust. Assume your network has already been breached, that your connections and systems are already compromised,” said Cox.

Ramsés Gallego, International Chief Technology Officer at Micro Focus subsidiary CyberRes, also mentioned that with a constantly evolving threat landscape, it’s essential that organizations take stock of their current cyber defenses and bolster their capabilities accordingly.

To make matters worse, Gallego pointed out that according to research from the UK Information Commissioner’s Office (ICO), human error was responsible for 90% of the UK’s cyber data breaches in 2019.

“As a result, it’s imperative that we secure systems and infrastructure to ensure that the right people have the right access to the right assets at the right time. No more, no less. Importantly, we now live in an era where we do not need passwords alone – or sometimes at all – to enable trusted access. There’s no denying that multi-factor authentication is a useful tool to replace or augment passwords,” he mentioned.


Passwords here to stay?

At the same time, Gallego also felt that despite these advances, there’s no doubt that passwords aren’t going anywhere, at least for now. What’s more, boosting password security – and cyber-resiliency more widely – cannot be achieved by technology alone.

For Gallego, businesses have a responsibility to provide their teams with both the tools and the knowledge needed to mitigate the risks of cyberattacks. They must ensure they are educating their employees on best practices of cybersecurity hygiene, beginning with how to create strong passwords and the importance of using different ones for different applications and services.

“Not only that, they must make sure workforces understand the various tactics used by hackers to target unsuspecting users, from phishing to fake websites. Crucially, increasing awareness among staff on how they could potentially be putting their organization’s data at risk is key, especially as workforces continue to access systems remotely during and after the pandemic,” said Gallego.

Flick March, UKI Security and Resiliency Practice Leader at Kyndryl, also shared his views, stating that as enterprise data grows exponentially in volume and becomes increasingly diverse, it’s essential that organizations adopt comprehensive data protection strategies to protect against data corruption and cyberattacks.

March believes that while implementing the appropriate technology to support this approach is crucial, organizations also need to focus on training. It’s important to remember that responsibility for cyber security falls on everyone in an organization, and employees need to be educated on at least the basic best practices of cyber hygiene. Password security plays a huge part in this, and it’s the area most often neglected.

“We’ve all heard it a thousand times, but too few stick to it. Use secure passwords: a different one for each account. Specifically, a secure password contains at least 10 characters and is made up of a combination of lowercase and uppercase letters, numbers, and special characters. Passwords that follow this guidance are as good as unbreakable.

“Maintaining the basic principles of cyber hygiene, such as password security, is a key practice for the overall cyber resilience of an organization and could have drastic repercussions if not followed,” March concluded.

This World Password Day, TechHQ hopes readers will consider bolstering their password protections to be on par with the rest of the advanced security strategies put in place for their organization, or perhaps, for the first time, seriously consider doing away with passwords altogether.