World Password Day, observed on May 2, serves as an apt occasion to contemplate the obsolescence of passwords. Although it’s an artificial commemoration instigated by Intel in 2013, its objective is to encourage us to examine our logins and ensure they adhere to security standards.
Passwords often pose challenges. They’re arduous to recall, resetting them can prove troublesome, and even with vigilance, they remain vulnerable to cyber-attacks. Despite their ancient origins, cybersecurity experts advocate for the retirement of passwords. While this may have seemed impractical in earlier eras, modern technology presents alternatives promising simpler and more secure authentication methods.
Enter passkeys, an innovative approach replacing passwords with cryptographic keys. Endorsed by the FIDO Alliance, passkeys utilize its protocols and standards. Apple incorporated them into iOS 16 in 2022, and last year Google followed suit across major platforms. Passkeys offer an enhanced user experience and mitigate the risks associated with weak, reused, or compromised passwords, as well as phishing attacks.
Nevertheless, widespread adoption is still pending, necessitating integration into numerous applications and websites. In the interim, password managers can alleviate the burden by securely storing intricate character strings.
Passwords remain extensively utilized across organizations of all sizes, despite numerous forecasts predicting their obsolescence as a security measure. In fact, rather than diminishing, the volume of passwords continues to increase as individuals require access to a growing array of systems to fulfil their daily responsibilities. In response to this trend, the implementation of a single sign-on (SSO) infrastructure by IT departments has become commonplace. SSO permits an employee to authenticate just once and gain entry to all requisite applications and data sources. However, there are often several resources not encompassed by the security of SSO. These could include cloud-based platforms utilized for data storage, external communication services employed to connect with colleagues or clients, or even instances of shadow IT.
With some dedication, you can significantly bolster your password security. Here are some tips to aid you in achieving that objective. Our experts debate the future of authentication and weigh in on best practices for securing your accounts.
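The passkey mechanism described above (a cryptographic key pair in place of a shared secret) can be seen end to end in a small challenge-response model. This is an added example written for this page, not code from the article, the FIDO Alliance, or any vendor quoted below; it uses Go's standard ECDSA over P-256 and a simplified stand-in for WebAuthn's signed data, and the site name example.com, the look-alike examp1e.com and the user alice are constructed sample values. It shows why the site stores nothing a thief can log in with, why a look-alike origin gets no assertion, and why a captured assertion cannot be replayed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RelyingParty models the website. After registration it holds only the
// user's public key, so stealing this table yields nothing to log in with.
type RelyingParty struct {
	rpID  string
	users map[string]*ecdsa.PublicKey
}

// Authenticator models the user's device. Each private key is scoped to the
// relying-party ID it was created for and never leaves the device.
type Authenticator struct {
	creds map[string]*ecdsa.PrivateKey
}

// Register creates a fresh P-256 key pair on the device for this site and
// hands only the public half to the site.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.creds[rp.rpID] = priv
	rp.users[user] = &priv.PublicKey
	return nil
}

// signedData binds the challenge to the origin in use, in the spirit of
// WebAuthn's authenticatorData || SHA-256(clientData) (simplified stand-in).
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert signs a challenge for the origin the browser reports. A look-alike
// phishing origin has no credential on the device, so the device declines.
func (a *Authenticator) Assert(browserOrigin string, challenge []byte) ([]byte, error) {
	priv, ok := a.creds[browserOrigin]
	if !ok {
		return nil, errors.New("no passkey scoped to " + browserOrigin)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(browserOrigin, challenge))
}

// NewChallenge returns 32 fresh random bytes; a new value per login is what
// makes a captured assertion useless later.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks the assertion against the stored public key and this site's
// own rpID, so an assertion minted for another origin fails even if relayed.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedData(rp.rpID, challenge), sig)
}

// Login runs one full exchange; a declined device counts as a failed login.
func Login(rp *RelyingParty, auth *Authenticator, user, browserOrigin string) (bool, error) {
	challenge, err := rp.NewChallenge()
	if err != nil {
		return false, err
	}
	sig, err := auth.Assert(browserOrigin, challenge)
	if err != nil {
		return false, nil
	}
	return rp.Verify(user, challenge, sig), nil
}

// Demo registers a passkey for the constructed site example.com and tries a
// genuine login, a login from a look-alike origin, and a replayed assertion.
func Demo() (genuine, phished, replayed bool, err error) {
	rp := &RelyingParty{rpID: "example.com", users: map[string]*ecdsa.PublicKey{}}
	auth := &Authenticator{creds: map[string]*ecdsa.PrivateKey{}}
	if err = auth.Register(rp, "alice"); err != nil {
		return
	}
	if genuine, err = Login(rp, auth, "alice", "example.com"); err != nil {
		return
	}
	if phished, err = Login(rp, auth, "alice", "examp1e.com"); err != nil {
		return
	}
	c1, _ := rp.NewChallenge()
	sig, _ := auth.Assert("example.com", c1)
	c2, _ := rp.NewChallenge()
	replayed = rp.Verify("alice", c2, sig) // old assertion against a new challenge
	return
}

func main() {
	g, p, r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v  look-alike origin: %v  replay: %v\n", g, p, r)
}
```

Two design points carry the security argument: the device only signs for the origin it is actually connected to, so credential scoping does the anti-phishing work without the user having to spot a look-alike domain, and the server folds a fresh random challenge into every exchange, so nothing an attacker captures on the wire can be presented again.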
Patrick Harding, Chief Architect, Ping Identity
“As threat actors become more sophisticated and lean on new technology like artificial intelligence, most users underestimate the risks associated with relying on passwords to protect valuable information. On top of that, a whopping 48% of IT decision-makers are not confident they have technology in place to defend against AI attacks. Traditional passwords make organisations vulnerable to these types of attacks, leaving the door open for hackers to access critical data. Consumers have also become increasingly frustrated with remembering multiple, complex passwords and often choose to reuse the same password on various sites, increasing security risks even further.
“The good news is there are more secure alternatives that provide better digital experiences for the user. Passwordless authentication replaces traditional passwords with more seamless and secure methods and helps enterprises reduce risk and stop threats at scale. This World Password Day, let’s focus on moving towards a passwordless future that offers better and safer digital experiences while educating organisations about technology that strengthens security.”
Wayne Phillips, Field Chief Technology Officer – Asia Pacific and Japan at SentinelOne
“Passwords aren’t going away any time soon. While biometric data, facial and fingerprint scanning all have a role in helping secure access to services, the one overriding benefit of a password is it’s the “something you know” and not the “something you are”. The latter might be simple to set up, simple to use and always available, but that means it can be read without you knowing, in some cases from a coffee cup or social post, but the former cannot, so long as you ensure that it’s sufficiently complex, unique, secret, and you haven’t unwittingly shared it with someone else.
“The downfall of passwords is the need to share them with the system you need to access, to ensure you can access them. Sharing passwords at account creation is the paradox for security, and where the whole notion of trust begins. Combine passwords with as many factors as possible without increasing friction, and your chances of suffering data loss through password hacking are both extremely low and – importantly – highly limited. Combining “What you know”, “What you have”, “What you are”, “Where you are”, “When you are” can be a hard chain of secrets to break.
“In today’s password-protected world, a strong security policy includes the vendors and people on every team. Policies need to be well thought out, users need to comply, and admins need to assume breach, continuously run compliance checks against their Identity providers, and implement a robust Identity Threat Detection and Response (ITDR) program.”
Carla Roncato, Vice President of Identity, Watchguard Technologies
“On this World Password Day, we should all pause and think about how we can adopt passkeys. Passkeys represent a significant industry shift in identity security, moving away from traditional credentials of usernames and passwords to a more secure “no knowledge” approach to authentication that is a vastly better user experience. As a form of passwordless authentication, passkeys aim to eliminate the inherent risk factors of traditional credentials. At the same time, any use of biometrics and biometric data for fingerprint or face unlock remains on your device and is never shared with Google (in this example) or any website that accepts passkeys. It’s also a good time to think about better password hygiene and password management practices. First, it’s time to do away with weak and reused passwords. Use complex passwords, consisting of more than 16 random characters or passphrases unique for every login. Since that can be onerous, using a password manager is optimal. Password managers can auto-generate and securely vault complex passwords. Plus, with a password manager, there is only one password you’ll have to remember: the one for your vault. Passwords alone are woefully insufficient; you should always use multi-factor authentication (MFA).
“By combining multiple factors of authentication, you verify that the use of your credentials is really YOU. MFA is still considered a significant (albeit not a complete) deterrent for hackers attempting account takeover.”
Sadiq Iqbal, Cyber Security Evangelist, Check Point Software Technologies
“As we observe World Password Day, it’s essential to acknowledge that robust passwords form the bedrock of effective security measures. Even with the most advanced security technologies, the simplest oversight on passwords can grant attackers access to our systems. Strong passwords are more than just a recommendation; they are a critical defence mechanism. Recent attacks on major organisations like Okta and 23AndMe were facilitated by stolen login details, demonstrating the widespread impact and ongoing threat posed by weak password practices. However, by reinforcing password security, we protect not just our data but maintain the integrity and trust of our entire organisation.
“To strengthen password security, we recommend the following best practices:
- Complexity and Length: Create passwords with a mix of numbers, letters, and symbols, aiming for 12-16 characters to enhance security. Extending this to 18 characters can make a password nearly unbreakable, given the exponential increase in possible combinations. Ensure the password is unique to you and avoid using easily guessed personal details like birthdays or anniversaries.
- Unique Passwords for Different Accounts: Avoid reusing passwords across multiple platforms. Use memorable phrases or sentences, like ‘meryhadalittlelamb’, or a more secure variant with special characters ‘#M3ryHad@L1ttleL4m8’.
- Regular Updates: Change your passwords regularly to mitigate the risk of breaches. This practice is crucial, especially after security incidents like data leaks. Tools like Have I Been Pwned can help check if your accounts have been compromised in a breach, prompting timely updates.
- Multi-Factor Authentication (MFA): Always enable MFA to add an additional layer of security. This ensures that even if a password is compromised, unauthorised access is still blocked.
- Security KPIs: Organisations should enforce regular password changes and use Privileged Access Management (PAM) solutions to manage and monitor account and data access effectively. Finally, educating users on robust password practices is vital to fortify defences against increasing cyber threats.”
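Two of the practices in the list above lend themselves to a worked check: the "exponential increase in possible combinations" behind the 12, 16 and 18 character recommendation, and the Have I Been Pwned lookup. The following is an added example written for this page, not code from the article or from Check Point; it assumes a 94-character printable alphabet (10 digits, 52 letters, 32 symbols) and an attacker guess rate of 10^10 per second, and it uses the real Pwned Passwords range endpoint format (https://api.pwnedpasswords.com/range/<first five hex chars of SHA-1>) but runs offline against a constructed sample reply rather than calling the service.

```go
package main

import (
	"bufio"
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"math"
	"strconv"
	"strings"
)

// Alphabet sizes assumed for the estimates (not stated on the page):
// 10 digits, 52 letters and 32 symbols, i.e. the 94 printable ASCII characters.
const (
	digits       = 10
	letters      = 52
	symbols      = 32
	fullAlphabet = digits + letters + symbols
)

// KeyspaceBits is log2 of the number of passwords of the given length whose
// characters are chosen uniformly at random from an alphabet of the given size.
// Human-chosen passwords are far from uniform, so this is an upper bound.
func KeyspaceBits(alphabet, length int) float64 {
	return float64(length) * math.Log2(float64(alphabet))
}

// YearsToExhaust is how long trying every password in the keyspace takes at a
// given guess rate. The rate is an assumption; offline attacks on fast hashes
// run far faster than online login attempts.
func YearsToExhaust(bits, guessesPerSecond float64) float64 {
	return math.Pow(2, bits) / guessesPerSecond / (365.25 * 24 * 3600)
}

// HashPrefixSuffix splits the upper-case hex SHA-1 of a password into the
// 5-character prefix that is sent to the range API and the 35-character
// suffix that is only ever compared locally (the k-anonymity scheme), so the
// full hash never leaves the client.
func HashPrefixSuffix(password string) (prefix, suffix string) {
	sum := sha1.Sum([]byte(password))
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	return h[:5], h[5:]
}

// PwnedCount scans a range reply ("SUFFIX:COUNT" per line) for the local
// suffix and returns the breach count, or 0 when the suffix is absent.
func PwnedCount(rangeResponse, suffix string) (int, error) {
	sc := bufio.NewScanner(strings.NewReader(rangeResponse))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if len(parts) != 2 {
			return 0, fmt.Errorf("malformed range line %q", line)
		}
		if strings.EqualFold(parts[0], suffix) {
			return strconv.Atoi(strings.TrimSpace(parts[1]))
		}
	}
	return 0, sc.Err()
}

// sampleRange is a constructed stand-in for the API reply: two made-up
// suffixes plus the genuine suffix of "password" with an invented count.
func sampleRange() string {
	_, pw := HashPrefixSuffix("password")
	return "0018A45C4D1DEF81644B54AB7F969B88D65:1\n" +
		pw + ":1000\n" +
		"011053FD0102E94D6AE2F8B83D76FAF94F6:4\n"
}

// CheckPassword returns the breach count for a password against the sample
// reply, exactly as a client would after fetching the real range for its prefix.
func CheckPassword(password string) (int, error) {
	_, suffix := HashPrefixSuffix(password)
	return PwnedCount(sampleRange(), suffix)
}

func main() {
	rate := 1e10 // assumed offline guess rate, guesses per second
	for _, n := range []int{12, 16, 18} {
		bits := KeyspaceBits(fullAlphabet, n)
		fmt.Printf("%2d chars from %d symbols: %.1f bits, %.2g years to exhaust at %.0e/s\n",
			n, fullAlphabet, bits, YearsToExhaust(bits, rate), rate)
	}
	for _, pw := range []string{"password", "x7#Kq9!vLm2$Pz4Wn"} {
		count, _ := CheckPassword(pw)
		fmt.Printf("%q seen in breaches: %d times\n", pw, count)
	}
}
```

The keyspace figures make the point in the list concrete: each extra character from a 94-symbol alphabet adds about 6.6 bits, so 18 characters give roughly 2^13 times more combinations than 12. The breach check matters separately, because a long password that already appears in a leak is the first thing an attacker tries regardless of its length, which is why the range lookup is worth running at enrolment and after any reported incident.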