For most of us, password security is the most visible line of defence when it comes to protecting sensitive information. With the rising threat of cybercrime, organisations both large and small need to adopt ever more robust practices to safeguard their networks and user-data. Alan Roper, RiskSTOP Group’s IT Support Manager, discusses current best practice around passwords and asks, will we even need them in the future..?
PASSWORDS HAVE been the primary means of authentication for decades, but they remain susceptible to various attacks, such as brute force, dictionary attacks and phishing. A study by Verizon suggests that as many as 80% of data breaches are a result of weak or compromised passwords.
It’s also alarming that the top three most common passwords as recently as two years ago were "123456," "password," and "123456789," highlighting the lack of awareness regarding best password practice among users.
With this in mind, a good place to start with password security best practice is what is known as “password complexity”. Users should always be encouraged to create strong passwords by including a mix of uppercase and lowercase letters, numbers and special characters. This helps to thwart dictionary-based attacks, which basically try all words in a pre-determined list in order to gain access. That list could potentially include each and every word in a dictionary!
Regular password changes should also be encouraged, or even better… enforced! Doing so will minimise the risk of prolonged unauthorised access to user accounts, although it’s also essential to strike a balance. Ironically, overly frequent changes can lead to weaker passwords being chosen.
Multi-Factor Authentication (MFA) is something we’re all becoming more familiar with, adding an extra layer of security by requiring users to provide multiple forms of identification. This could include a combination of something they know (a password), something they have (a smartphone) and something they are (a fingerprint). Password managers can also be useful, as these generate and securely store complex passwords for different accounts. This way, users don't have to remember multiple passwords, reducing the likelihood of using weak ones. It’s important to store passwords using strong encryption methods, to ensure that even if data is compromised, passwords remain indecipherable to hackers.
One area often overlooked, due to our overall familiarity with using passwords in our day to day lives, is employee training and awareness. It's always a good idea to build password best practices into regular cybersecurity training sessions covering other cybersecurity issues, such as phishing scams.
Could passwords disappear?
As cyber threats evolve, many experts believe that traditional passwords may eventually become obsolete. Several emerging technologies and practices are already reshaping the landscape of authentication.
Biometric authentication, using fingerprints, facial recognition and iris scans for example, potentially offer a more secure and convenient method. They are difficult to forge and eliminate the need for users to remember complex passwords.
Behavioural biometrics is a little more innovative. This approach examines things like typing patterns, mouse movements and device usage, to create a unique profile for each user. One major advantage is that it offers continuous authentication, making it more difficult for malicious actors to mimic user behaviour. Then there is what’s known as the zero-trust model, which assumes that no user or device should be inherently trusted. Instead, users are continuously authenticated and authorized based on various factors, such as location, device health and behaviour.
Finally, tokenisation and Single Sign-On (SSO) are also becoming more frequently used. Tokenisation replaces passwords with random tokens, making it difficult for hackers to decipher. SSO allows users to access multiple services with a single set of credentials, reducing the need for multiple passwords.
Ever-evolving landscape
Password security remains a critical concern for organisations everywhere. With cyber threats constantly evolving, the need for robust authentication practices has never been more apparent.
By implementing multi-factor authentication, password complexity requirements and through continuous employee training, organisations can bolster their security and protect sensitive information.
Furthermore, the future of password security looks promising, with advancements in biometrics, zero-trust architecture and passwordless authentication offering more secure and user-friendly alternatives.
As technology progresses, organisations must stay vigilant, adapt to emerging trends while adopting innovative authentication methods to safeguard their data effectively. By doing so, they can build a resilient defence against the ever-evolving landscape of cyber threats.
Stay secure everyone.
Join in our discussion around risk management on Linkedin here.
Discover more about RiskACUMEN.