Fortifying Cyber Defenses: Insights from Leading Security Experts on World Password Day 2024

As World Password Day approaches, top cybersecurity experts from companies like Entrust, Veriff, Nightwing, and more weigh in on the evolving landscape of password security, offering invaluable insights and practical tips to enhance digital defenses in an age of heightened cyber threats.

Viktoria Ruubel, Managing Director of Digital Identity, Veriff

In the past year alone, there has been a 71% increase in attacks that use stolen passwords. As the digital landscape continues to evolve, passwords are no longer the most secure method to protect their data. In fact, two-thirds of consumers feel facial recognition software provides easier and safer access to online accounts than passwords. Consumers would accept a longer sign-up process involving the use of an ID document and a selfie if it means better identity and personal data protection.

Relying on legacy approaches like two-factor authentication or knowledge-based authentication (using knowledge of a mother’s maiden name, for example) can expose an organization to bad actors. Passwords are vulnerable to data breaches and malware, and two-factor authentication is susceptible to device compromise and social engineering.

We must improve how accounts are secured, like pairing passwords with biometric technology. A report found that 38.5% of respondents believe facial recognition and biometrics are the most secure method for protecting their accounts and information. In addition, biometric data is hard to steal and cannot be forgotten like a password. When you add biometric facial authentication on top of password protections, sign-in becomes secure and seamless.

While there is no one-size-fits-all solution to combating fraud, this World Password Day we should seek solutions that can complement and augment existing security measures.

Rishi Kaushal, Chief Information Officer, Entrust

Identity continues to be the most targeted attack vector by bad actors with nearly two-thirds of data breaches caused by compromised credentials and AI is only accelerating new types of attacks. Our passwords should be an extension of our identities. You wouldn't share your social security number with just anyone, so why are your passwords any different? This World Password Day, we must look beyond typical password measures like alphanumerics and seek to improve how we are securing our data - taking a “never trust, always verify” approach to our accounts. 

Too many organizations either still rely on a single-factor authenticator like the password or enable relatively weak multi-factor authentication (MFA) with an over-reliance on one-time passcodes. Instead, we need to encourage implementations like phishing-resistant MFA technology, which requires more authentication than just a click or a compromised password to put you at risk - it is also a key foundation for organizations implementing Zero Trust principles. Another option is incorporating identity verification with authentication processes, adding biometric checks as step-up authentication. Organizations and consumers must work together to ensure their data is safe, and the combination of the right tools and mindsets will allow them to do just that.

Dave Spencer, Director of Product Management, Immersive Labs

Bad actors are constantly searching for the weakest link in an organization's security posture. That weak link is often poor password management. Employees take the path of least resistance, which usually means satisfying the complexity requirements of passwords in the easiest way to remember possible. Most people attempt to pick strong, unique passwords for the numerous platforms they use which, unfortunately, only gives the illusion of security. In reality, this approach leaves numerous access points for attackers to infiltrate. With inadequate password hygiene being a common contributing factor in cyber incidents where credential stuffing and phishing attacks can expose corporate data as well as personal users, it's clear that both organizations and individuals need to reassess their password strategies. 

Rather than hope to keep data secure with only passwords, tools like multi-factor authentication (MFA) and password managers provide an added layer of protection, requiring bad actors to do extra work and limiting the avenues they can use to gain access to the sensitive information. But beyond implementing these tools, users need to know why these solutions are being utilized. A baseline knowledge of cybersecurity is necessary as we see more and more attacks targeting those who least suspect it. When we create a culture that prioritizes cyber resilience rather than finding out who to blame, we are more inclined to report malicious attempts at password stealing and other attacks.

However, it's crucial to choose your MFA method wisely. Push fatigue has become prevalent, where users mindlessly tap a button on their phone to authenticate, potentially authorizing requests without proper verification. This tendency to habitually tap away without confirming the legitimacy of the request can often happen, especially at the beginning of the day or post-lunch breaks.
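The push-fatigue failure mode described above is usually countered in two ways: number matching (the phone must supply a number shown on the login screen, so a reflexive tap cannot approve a request the user did not initiate) and a cap on how many prompts an identity can receive in a short window (so an attacker cannot bombard the user until they give in). The sketch below is an added illustration by the editor, not code from Immersive Labs or from any product; the class and function names, the 3-per-5-minute limit and the 60-second prompt lifetime are assumptions chosen for the example.

```python
import secrets
from dataclasses import dataclass

PUSH_LIMIT = 3      # assumption: prompts allowed per user per window
PUSH_WINDOW = 300   # assumption: window length in seconds
PROMPT_TTL = 60     # assumption: a prompt expires after one minute


@dataclass
class PushPrompt:
    user: str
    number: int        # shown on the login screen; must be typed on the phone
    created: float     # Unix time the prompt was issued
    approved: bool = False


class PushMfa:
    """Minimal push-MFA server that refuses blind approvals and prompt bombing."""

    def __init__(self) -> None:
        self._recent: dict[str, list[float]] = {}  # user -> issue times

    def start(self, user: str, now: float):
        """Issue a prompt, or return None if the user has already been prompted
        PUSH_LIMIT times inside PUSH_WINDOW (treat that as an alert, not a login)."""
        sent = [t for t in self._recent.get(user, []) if now - t < PUSH_WINDOW]
        if len(sent) >= PUSH_LIMIT:
            return None
        sent.append(now)
        self._recent[user] = sent
        # Two-digit number matching, as deployed by common MFA providers.
        return PushPrompt(user, secrets.randbelow(100), now)

    def approve(self, prompt: PushPrompt, typed_number, now: float) -> bool:
        """Accept only if the phone supplies the number the login screen showed,
        the prompt is still fresh, and it has not been approved before."""
        if prompt.approved or now - prompt.created > PROMPT_TTL:
            return False
        if typed_number is None or typed_number != prompt.number:
            return False   # a bare "Approve" tap carries no number and is rejected
        prompt.approved = True
        return True


def demo() -> dict:
    """Constructed scenario: a tired user taps Approve, then an attacker spams prompts."""
    mfa = PushMfa()
    prompt = mfa.start("alice", 1000.0)
    results = {
        "blind_tap": mfa.approve(prompt, None, 1001.0),
        "wrong_number": mfa.approve(prompt, (prompt.number + 1) % 100, 1001.0),
        "matching_number": mfa.approve(prompt, prompt.number, 1002.0),
        "second_use": mfa.approve(prompt, prompt.number, 1003.0),
    }
    bomber = PushMfa()
    issued = [bomber.start("bob", 2000.0 + i) is not None for i in range(4)]
    results["fourth_prompt_in_window"] = issued[3]
    results["prompt_after_window"] = bomber.start("bob", 2400.0) is not None
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:25s} {'accepted' if ok else 'rejected'}")
```

Number matching only helps if the login page shows the number and the phone demands it; the limit on prompts is what stops the "keep pushing until they tap" pattern, and a user hitting that limit is a signal worth routing to the SOC rather than silently dropping.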

Frederik Mennes, Director of Product Management & Business Strategy, OneSpan

Today, organizations face a more threatening array of security concerns than ever before, and the average CISO faces immense pressure to safeguard the business. Traditional authentication such as passwords no longer offer effective protection against current threats. At the same time, more secure products like digital signatures combined with public key certificates in a public key infrastructure (PKI) often present implementation or usability challenges. In this setting, passwordless authentication emerges as a viable alternative, providing defense against evolving threats combined with enhanced usability.

Passwordless authentication methods have the capability to mitigate security risks by eliminating vulnerabilities associated with password-based credentials. It’s the case because passwordless products do not rely on static passwords. Instead, they generate dynamic authentication codes that have a limited lifetime and can be used only once, or are based on unique human biometric characteristics, such as fingerprints.

Passwordless authentication has advanced in reducing the risk of breaches, allowing CISOs to build future-ready and adaptable systems for their organizations. Phishing-resistant passwordless authentication systems such as those based on FIDO standards can also eradicate the threat of phishing. With such products, they can safeguard corporate data, resources, and the wider workforce, while enabling a flexible workforce without compromising security. This can ensure a secure and user-friendly environment for dispersed workforces for 2024 – and well beyond.
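Two properties run through the OneSpan comments above and Entrust's point about over-reliance on one-time passcodes: a one-time code is dynamic, short-lived and single-use, yet it can still be phished and relayed within its lifetime, whereas a FIDO-style assertion is bound to the origin the browser is actually on and so cannot be relayed at all. The code below is an added example written by the editor, not code from OneSpan, Entrust or any FIDO implementation. The TOTP part follows RFC 4226/6238 exactly and uses the RFC's published test secret; the origin-binding part is a deliberate simplification (stated as an assumption in the comments): an HMAC with a device-held key stands in for the authenticator's private-key signature, and the relying party checks it with the same key rather than a registered public key, which is enough to show why the origin in the signed data defeats a relay.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference secret (ASCII "12345678901234567890"); constructed test input.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step, digits)


class OtpVerifier:
    """Server side: a code is valid only inside a small time window and only once."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_counter = -1   # highest time-step already consumed

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for counter in range(max(0, current - self.window), current + self.window + 1):
            if counter <= self.last_counter:
                continue         # replay: this step (or an earlier one) was already used
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def otp_lifecycle() -> tuple:
    """Limited lifetime and single use: accepted once, rejected on replay, expired later."""
    v = OtpVerifier(SECRET)
    code = totp(SECRET, 59)
    first = v.verify(code, 70)       # 11 s later, same window: accepted
    replay = v.verify(code, 75)      # same code again: rejected
    stale = v.verify(code, 3600)     # an hour later: outside the window
    return first, replay, stale


def authenticator_sign(device_key: bytes, challenge: bytes, origin: str) -> bytes:
    """Assumption/simplification: HMAC stands in for the authenticator's asymmetric
    signature. What matters is that the signed data includes the origin the
    browser reports, exactly as FIDO's clientDataJSON does."""
    return hmac.new(device_key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


def relying_party_verify(device_key: bytes, challenge: bytes, signature: bytes, rp_origin: str) -> bool:
    """The relying party only ever checks against its own origin."""
    expected = authenticator_sign(device_key, challenge, rp_origin)
    return hmac.compare_digest(expected, signature)


def relay_attack_outcomes() -> tuple:
    """Constructed scenario: a phishing page at evil.example relays the victim's
    login to bank.example in real time. Returns (otp_relay_ok, fido_relay_ok)."""
    now = 1_700_000_000
    # 1. OTP: the victim types the code into the phishing page and the attacker
    #    forwards it to the real site 5 s later, inside the same 30 s step.
    otp_relay_ok = OtpVerifier(SECRET).verify(totp(SECRET, now), now + 5)

    # 2. Origin-bound assertion: the browser tells the authenticator the origin it
    #    is really on (evil.example); bank.example verifies against its own origin
    #    and the signature never matches, however fast the relay is.
    device_key = b"registered-credential-key"   # constructed stand-in for the credential
    challenge = b"nonce-issued-by-bank"
    sig = authenticator_sign(device_key, challenge, "https://evil.example")
    fido_relay_ok = relying_party_verify(device_key, challenge, sig, "https://bank.example")
    return otp_relay_ok, fido_relay_ok


if __name__ == "__main__":
    print("TOTP at t=59:", totp(SECRET, 59))
    print("accepted/replay/stale:", otp_lifecycle())
    print("OTP relay succeeds, FIDO relay succeeds:", relay_attack_outcomes())
```

The single-use check rides on the same counter the RFC uses for resynchronisation: remembering the highest step already accepted rejects replays without storing every code seen. The relay scenario is the practical difference between "strong" and "phishing-resistant" MFA: a one-time code, however short-lived, is a bearer value the user can be talked into forwarding, while an origin-bound assertion is useless anywhere except the site it was generated for.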

Yiftach Keshet, Vice President & Identity Security Expert, Silverfort

For businesses to improve and think more broadly about securing identities, there needs to be a perspective shift in how the most crucial entry point is protected— passwords. Securing passwords with Multi-Factor Authentication (MFA) and not reusing passwords is basic security hygiene, yet we should continue doing it. However, it’s 2024. Organizations need to take the conversation beyond passwords for human identities and start talking about how to successfully protect the other tools attackers use, such as command line tools, PowerShell, and machine-to-machine communication. I’d like to get to a place where CISOs demand strong MFA protections for their non-human identities and the critical resources MFA can’t secure.

World Password Day serves as a reminder that identity gaps throughout the identity infrastructure continue to cause many major breaches. If a hacker successfully steals a password, it’s easy for them to move discreetly throughout an environment and even use identity infrastructure as a gateway to access cloud assets and environments. Recent research found that 67% of organizations sync their on-prem passwords to the cloud. While this is convenient and can help boost employee productivity, it also dramatically increases risk by creating a gateway for cybercriminals to jump from on-prem to the cloud and wreak havoc on an entire organization’s network. 

Security leaders should ask themselves how they can secure the identity infrastructure that often leads to compromise. When organizations start having more conversations about the forgotten resources that go unprotected and how to secure them, we’ll advance security to a place that can actually stop an attacker in their tracks.

Joe Richard, Associate Director of Program Management, Nightwing (formerly Raytheon)

As digital infrastructures grow more interconnected and complex, an organization’s priceless data and mission-critical systems are increasingly vulnerable to cyberattacks. An effective cybersecurity strategy requires multiple layers of defense spanning networks, endpoints, data, and user access. 

Passwords are often viewed as the first layer of defense, serving as the primary means for authentication and access control. Frequently, poor practices and prioritization of convenience over security leave this layer susceptible to multiple attack vectors such as brute force attacks, phishing campaigns, and social engineering.

We all share responsibility for fortifying this layer of defense; however, organizations must assume that advanced attackers will eventually find a way inside the security perimeter. Beyond password discipline, organizations should embrace zero-trust principles to continuously authenticate every user, device, and application attempting to access DT resources. Organizations should also include cyber resiliency measures to adapt, withstand, and recover from potential attacks.

As users, and as stewards of our organization’s security, we must all pay attention to our cyber hygiene by making sure our passwords are secure, complex, and regularly updated. It’s up to each of us to do all we can to bolster this first layer of defense to prevent criminals from accessing networks, stealing sensitive information, and undermining systems.

Doug Kersten, CISO, Appfire

Today, malicious threats are much less predictable and, therefore, more difficult to defend against. While passwords were once the key to safeguarding private information, attackers have perfected countless techniques to access them.

Regardless of whether you’re using a professional or personal device, it’s essential that your passwords are unique, difficult to guess, and not used across a variety of devices or platforms. World Password Day is a great reminder to stop and think about the last time you audited the passwords you’re using, where you’re storing that information and whether that information is easily accessible, and to take the time to change the passwords you use frequently or you know have been compromised in data leaks. 

Many internet browsers are improving their password protection practices, sharing with users their security blind spots. However, responsibility remains with the user to take the next step to change compromised passwords. Always think in terms of something you are — your user name; something you know — your password and something you have — a device or software that provides a second factor, such as biometrics or authentication codes from common and free authenticator apps like Google or Microsoft Authenticator. Using these in a thoughtful way will greatly reduce the impact of a password compromise and make for a very happy World Password Day.

As threat actors become more sophisticated and lean on new technology like artificial intelligence, most users underestimate the risks associated with relying on passwords to protect valuable information. On top of that, a whopping 48% of IT decision-makers are not confident they have technology in place to defend against AI attacks. Traditional passwords make organizations vulnerable to these types of attacks, leaving the door open for hackers to access critical data. Consumers have also become increasingly frustrated with remembering multiple, complex passwords and often choose to reuse the same password on various sites, increasing security risks even further. 

The good news is there are more secure alternatives that provide better digital experiences for the user. Passwordless authentication replaces traditional passwords with more seamless and secure methods and helps enterprises reduce risk and stop threats at scale. This World Password Day, let’s focus on moving towards a passwordless future that offers better and safer digital experiences while educating organizations about technology that strengthens security.