May 5 is World Password Day, created in 2013 by cybersecurity professionals to foster clean password habits that in turn, enhance cybersecurity and keep important data safe. But are passwords on their way out? Anita Joseph, Editor, Security Advisor ME, examines.
Passwords were created as a security measure to help keep information secure. Over the years, they have ranged from basic words to complex number-symbol-alphabet combinations. However, most of us take our passwords for granted, considering them as a gateway to access personal information online.
But how relevant are passwords today? Considering that hacking is becoming ever more sophisticated and that technology has introduced much stronger and more in-depth defence mechanisms that easily outshine the age-old password, isn’t it time we replaced it with something more futuristic?
According to Bernard Montel, Technical Director and Cybersecurity Strategist at Tenable, “When World Password Day began [in 2013,] its emphasis was on encouraging users to create and use strong unique passwords. Given the number of data breaches reported, where scammers have obtained a database of username and passwords, creating the strongest password in the world isn’t going to help if scammers already know it.”
In his opinion, it’s “frightening” that we’re still protecting digital identities solely with an email address and password combination in 2022. “And when it comes to non-human service accounts, that often have administrative access to core databases and applications, the use of passwords is still common practice,” he adds.
The problem with passwords is that most of us think of them as fool-proof and ‘enough’ to protect our online data. What we don’t realise is that it takes hackers mere minutes to tear into those passwords and access all the information we thought was safe. In fact, it’s alarming that despite the advent of Multi-Factor Authentication (MFA) and other tools [that don’t solely rely on passwords], far too many online services still won’t enforce these additional measures. There is also an argument that, when implementing MFA, organisations should strengthen it further with a strong Privileged Account Management tool, policies that enforce least privilege for all accounts, strong auditing of all service accounts, and limits on the applications and data that can be accessed.
Aparna Rayasam, Chief Product Officer at Trellix, says passwords are at most “weak” defences and certainly shouldn’t be a primary countermeasure against the growing range of cyber-attacks.
“Security practices have moved on and multifactor authentication (MFA) is now commonplace, with biometric information increasingly being used to thwart attacks. That being said, the use of passwords persists and it’s critical for organisations of all sizes and sectors to educate employees on best practices for password management.”
Sam Curry, Chief Security Officer at Cybereason, concurs. “My advice to companies is to instruct employees not to trust passwords and use additional factors in all accounts and services. In addition, password managers are a useful tool that can improve password security and management. However, they exist as a compromise due to the failings of passwords themselves.”
So then, it’s amply clear that the time has come to junk the password habit. However, in a world where passwords are still the norm, how do we ensure that our passwords are strong enough to withstand cyber assaults?
MFA to the rescue
Hadi Jaafarawi, Managing Director – Middle East at Qualys, has a solution to the password problem. “In today’s world, passwords alone are not enough to keep IT access secure. As such, tools like multi-factor authentication (MFA) – which requires users to provide two or more verification factors to gain access to a resource – have become available to further improve security hygiene. Companies, no matter the industry or size, must recognise the value of strong security and doing the small things, like implementing MFA, right,” he suggests.
So, what can companies be doing to improve password hygiene? “For starters,” he says, “ensure that users cannot use a simple dictionary word as their password, and enforce different controls so they cannot re-use the same password multiple times. It is important to apply rules on length of passwords and the variety of characters used, in addition to looking out for poor security practices such as missing MFA or lack of role-based access control.”
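The controls described above (no dictionary words, minimum length, character variety, no re-use of earlier passwords) can be enforced at the point where a user sets a new password. The following is an added example written for this article, not Qualys’s own code or tooling; the word list and the policy thresholds are constructed for illustration, and a real deployment would load a full dictionary and a breached-password list instead.

```python
import hashlib
import hmac
import secrets
import string

# Constructed mini word list for the example; a real policy check would load a
# large dictionary plus a list of known-breached passwords.
DICTIONARY = {"password", "welcome", "qwerty", "letmein", "summer", "dragon"}
MIN_LENGTH = 12          # assumed policy value
MIN_CLASSES = 3          # assumed policy value: lower, upper, digit, symbol
PBKDF2_ROUNDS = 100_000  # assumed work factor for the password-history hashes


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 digest, used only for the re-use history.
    A fresh random salt is generated when none is supplied."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def was_used_before(password: str, history) -> bool:
    """Re-hash the candidate under each stored salt and compare in constant time,
    so previous passwords never need to be stored in clear text."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history=()) -> list:
    """Return the list of policy violations (empty list means the password is acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")

    # Strip digits and symbols so that "Password123!" is still caught as a dictionary word.
    lowered = password.lower()
    alphabetic_core = "".join(ch for ch in lowered if ch.isalpha())
    if lowered in DICTIONARY or alphabetic_core in DICTIONARY:
        problems.append("dictionary_word")

    classes = (
        any(ch.islower() for ch in password),
        any(ch.isupper() for ch in password),
        any(ch.isdigit() for ch in password),
        any(ch in string.punctuation for ch in password),
    )
    if sum(classes) < MIN_CLASSES:
        problems.append("too_few_character_classes")

    if was_used_before(password, history):
        problems.append("reused")
    return problems


if __name__ == "__main__":
    # Constructed walk-through: the user's last password is kept only as salt + digest.
    previous = [hash_password("Blue-Kettle-42-Maple")]
    for candidate in ("Password123!", "Blue-Kettle-42-Maple", "Green-Kettle-43-Oak"):
        print(candidate, "->", check_password(candidate, previous) or "ok")
```

The history check deliberately stores only salted digests of earlier passwords, so the re-use control does not itself become a store of clear-text credentials; the same `hash_password` routine would not be a substitute for whatever the identity provider uses to store the live password.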
Toni El Inati, RVP Sales, META & CEE at Barracuda Networks, points out that despite significant awareness, employees still utilise weak passwords, so user training needs to go hand-in-hand with tools and policies. “Password management is a critical first step, but it’s not enough. Companies need to deploy anti-phishing protection as well as the right application and edge security solutions. Passwords aren’t going away anytime soon, and with 80% of all basic web application attacks still relying on stolen credentials, neither are attacks.”
Bahaa Hudairi, Regional Sales Director META at Lookout, puts it differently. “The best thing to do to highlight the importance of strong passwords is to make people understand the value of the data that these passwords are supposed to protect,” he says.
“Consumers tend to assume that the services where they upload and share this sensitive information will protect them, but in reality the best line of defence is at the point of the consumers themselves. People should be educated about enabling multifactor authentication, wherever possible, as an absolute must. This provides a second layer of defence in the event that the attacker is able to get your password,” he goes on to add.
Perhaps more important than all of these is the most commonly committed, yet underestimated, password-related error: using the same ID/email address and password across multiple sites and devices. “Password reuse is exacerbated by the increasing volume and success rates threat actors are reaping with advanced credential phishing campaigns that use fake websites resembling the login page of a legitimate online service to steal usernames and passwords,” says Emile Abou Saleh, Regional Director, Middle East and Africa at Proofpoint.
“We recommend consumers use different passwords, especially on critical financial and data-driven accounts. Be sure to turn on multi-factor authentication (MFA) if available for as many accounts as possible,” he adds. “If MFA is not an option for the account, use a password manager. A password manager creates randomised passwords that are safely stored, encrypted, and accessible across all personal devices and reduces the burden of trying to remember complicated login credentials across multiple websites. If you use a passphrase as part of your password, make sure you never use common words or phrases, names or dates associated with you or direct family members. It’s also best to change all passwords twice a year and change business passwords every three months.”
Managing passwords is not an easy task, says Antoun Beyrouthy, Lead Cybersecurity Consultant at Axon Technologies. “Avoiding reuse and utilising complex passwords makes memorizing passwords nearly impossible. Individuals are therefore advised to use password managers which generate and store complex passwords when registering for a service. The password is then automatically submitted at each log on.”
“On the other hand, businesses are advised to deploy an Identity and Access Management solution, enabling single sign-on and centralised access management capabilities. Employees no longer need to remember multiple passwords, administrators have more control over accounts and privileges, and auditors can pull all user access information from a single source,” he adds.
Then again, he says, there might be challenges when integrating with legacy systems, so businesses need to ensure their IAM solution provides the customisability required for such integrations. “Finally, whether you are an individual or a business, always make sure that you are using multi-factor authentication, at least for critical services and applications.”
Lance Spitzner, SANS Senior Instructor and expert in human risk and security awareness, vouches for Multifactor Authentication (MFA) as a strong authentication method.
“One of the most effective and proven approaches for strong authentication is something called Multi-Factor Authentication or MFA for short. MFA is when multiple factors of authentication are used. That way, if your password is compromised, your account, system, or data is still safe as the other factor, or factors, still protect you. MFA is becoming a popular solution, but there can be a great deal of confusion on exactly how MFA works as well as the different implementations of it.”
In fact, Microsoft estimates that MFA defeats 99% of authentication-based attacks. While not fool-proof, MFA is one of the most effective steps organisations can take to dramatically reduce the risk of a breach. At its simplest level, MFA is multiple levels of authentication. An individual authenticates not only with a password (something they know), but some type of unique code or device they have. Even if their password is compromised, their account, or data, is still safe as the cyber attacker does not have access to the second form of authentication. Unfortunately, that is where the simplicity of MFA stops and things can get a bit complicated.
There are many different terms to describe MFA (Multi-Factor Authentication). Some organisations or vendors call it Two-Step Verification, Two-Factor Authentication (2FA), One-Time Password (OTP), or Strong Authentication. All are implying the same thing, authentication requiring two or even more forms of authentication, usually a password and something else – often a unique code sent to, or generated by, your mobile device.
In addition, there are multiple ways to implement MFA. Some of the most common methods are listed below. This list is by no means exhaustive. It merely highlights the most common.
- SMS Code: A one-time, unique code is sent to your mobile device. You then use this code in addition to your password to authenticate and log in. This is the most commonly used approach as it is the easiest to set up.
- Code Generator: Your mobile device has an authentication mobile app (such as Google Authenticator) that generates the unique one-time codes for you. You download the mobile app to your mobile device, then to enable MFA for your accounts you sync the authentication app with each account. These authentication apps can support hundreds of accounts at the same time.
- FIDO: You are given a physical device that connects to your laptop or computer. This physical device is registered with the websites you regularly log into. This physical device then must be connected to your computer (such as inserted into the USB port or connected via NFC technology) and authenticates you. YubiKey is a common, publicly available example of such a physical device supporting the FIDO standard. This approach is considered to be the most secure method of authentication: as there is no unique code or authentication request, there is nothing for cyber attackers to trick or fool their victims out of.