This is part of a running commentary series for #WorldPasswordDay 2021.
Each year on the first Thursday in May, World Password Day strives to encourage users to elevate their password security strategy.
We heard from cybersecurity experts on what strong password security looks like and what the future of passwords holds.
Bindu Sundaresan, Director, AT&T Cybersecurity:
“The use of passwords, the most common digital authentication method to log into a company system, is rife with problems, from being an annoyance to posing a security risk. Today, the number of data breaches that have spiked across different organizations means your password is likely already on the internet somewhere. As a result, reusing a password (even if it’s a strong one) can be dangerous. The passwords you create should be strong and unique.
Weak or unprotected passwords continue to be a top cause of security breaches. There is a rise in credential stuffing attacks stemming from the original theft of usernames and passwords, through their sale and distribution among cybercriminals, to their eventual use for fraud. Credential stuffing remains an enormous problem that demands the attention and investment of the security community.
At the root of these problems are the systems that authenticate users with passwords. Passwords are inconvenient and create numerous security vulnerabilities. A password by itself should be considered a point of high exposure. In today’s connected world, hackers can easily access systems and personal devices. Passwords are shared, stolen, reused, and replayed. They are the hacker’s favorite target, and entire categories of vendor products exist to make up for the shortcomings of passwords. While passwords are not the only reason for diminished trust, they are certainly the most expensive. Two distinct authentication factors, each acting as a separate padlock, are necessary to help secure information. 2021 may be the year we move away from passwords. Companies are accountable to their users, and while most users claim to value security over convenience, their actions speak otherwise.”
John Xereas, Senior Director, Raytheon Intelligence & Space:
“Businesses large and small invest increasingly to educate their employees on how to practice appropriate password hygiene, implement associated best practices, identify social engineering attacks, and yet user password theft continues to be a serious security concern. Compromised credentials in today’s interconnected enterprises, many of which leverage resources across multiple data centers and cloud providers, represent an even greater risk and impact of data and financial losses.
Organizations need to reimagine their credentialing approach and implement well-designed ICAM solutions that not only incorporate the latest in multi-factor authentication capabilities, but incorporate everything from behavioral analytics and machine learning techniques, to strict policy controls that are part of a continuously monitored security apparatus.”
Rick McElroy, Principal Cybersecurity Strategist, VMware Security Business Unit:
“Using a password is as antiquated as using a standard key on your front door -- it's locked but someone can copy the key or pick the lock and still get access. For this reason, it’s important to prioritize multi-factor authentication, in the form of behavioral and continual authentication, and move away from a central store of identities, which can easily be hacked.
Moving forward, we’ll begin to witness hand and fingerprint biomarkers, two-factor authentication with a mobile device and facial recognition replace traditional password authentication processes. At some point in the future, DNA will probably be used to verify identity in the medical field. Long term, I could see a future where a combination of measurements like a heartbeat and brain waves could be used, making it more difficult than ever for cybercriminals to break the digital lock.”
Robert Haynes, SCA and Open Source Evangelist, Checkmarx:
“On World Password Day, while the focus is traditionally on humans’ use of passwords, it’s important for organizations to think about how passwords and other credentials are stored in IT automation systems like Infrastructure as Code and container build files.
We have seen numerous compromises caused when credentials are exposed by machine, versus by man. The same level of attention, therefore, should apply to how passwords and secrets are managed by our processes, instead of just by our people. The risks are similar, and the results of exposure can be just as serious.
Organizations should use a secrets management tool, which is similar to how humans would use a password manager, while also performing routine scans of infrastructure as code templates and container builds for exposed passwords and credentials.”
Lamont Orange, Chief Information Security Officer, Netskope:
“This year, World Password Day comes at a time when business and life are conducted in a dramatically different virtual fashion due to the pandemic. As organizations suddenly shifted to remote work in 2020 and as they continue to rapidly increase cloud usage, they’re presented with new risks around user access and authentication, data security, and cloud threats. In order to embrace cloud apps and services while effectively managing them, the situation calls for dynamic access controls, for example, to ensure corporate data doesn’t leak to unmanaged devices. It also requires protecting sensitive data by governing the downloading of files by users accessing applications such as Microsoft Office 365 from personal devices or BYOD. To address these evolving challenges and enable collaboration and agility for a distributed workforce, IT and security teams need to modernize their data protection, with identity and access control of users being a critical first step.”
Faisal Bhutto, President, Cloud & Cybersecurity Solutions, AVCtechnologies:
“We have been raising awareness about good password hygiene for years, yet stolen credentials are still the #1 reason for breaches. The rapid increase of remote workforce and BYOD since the pandemic has made it even more difficult for security professionals to enforce good password habits and policies. The good news is that more and more manufacturers in the tech ecosystem are adopting the FIDO (Fast ID Online) 2 standards, due to which we are closer now to passwordless authentication than we have ever been. Most recently, companies like Cisco announced passwordless authentication for Duo using WebAuthn, while Okta supports passwordless authentication as an MFA factor. What is lacking is enterprise adoption of such technologies at a rapid pace. Cybersecurity-focused solution providers and cyber professionals in the enterprises have a responsibility to work towards aggressive adoption of new standards to get us to the nirvana of a passwordless world. The reality, however, is that it will still take some time. Organizations will have to follow modern best practices for passwords such as using password managers, multi-phrase passwords, using salted passphrases or algorithms for security questions. As a security professional, think about what you must do to make sure the experience of an end user with password management is easier and the policies are not so antiquated and lagging behind the modern recommendations that it forces people to write down a password on a post-it!”
Kevin Breen, Director of Cyber Threat Research, Immersive Labs:
“The average internet user has 100+ passwords. So when it comes to picking strong, memorable, unique passwords for every single service you use, I’m going to be harsh and simply say: don’t. Use a password manager instead. Password managers can either be your salvation or your biggest downfall – but they’re certainly better than trying to cram hundreds of strong passwords into your head. They’re great at creating very complex and long passwords that you don’t have to remember, and they integrate into your browser and mobile device. But they do place all your proverbial eggs into the same proverbial basket. If your master password is compromised, then everything else could be too.
Multi-factor authentication as an extra layer of security should also always be added. This can range from a simple SMS code to a physical security key. It’s always worth setting up MFA if you can; it means that if anyone has stolen your password, they’d need to invest a lot more time and effort into specifically targeting you before accessing any of your accounts.
A great service that both individuals and enterprises can benefit from using is haveibeenpwned. It’s free and will allow you to register your email address or the domain so that any time the email or domain is found in a public breach, you will receive a notification on where and when it took place, giving you the chance to change your password.
To all the developers out there creating authentication flows in applications, you can help by making sure you select algorithms that are difficult or time-consuming to brute-force, like bcrypt or PBKDF2. You should also salt your passwords, and please never store the cleartext versions in logs anywhere. You could also consider implementing the haveibeenpwned password API to stop users entering known compromised passwords, and allow your users to enrol an MFA provider like U2F or Google Authenticator.”
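As an added example to go with the developer advice above (this is not the author's code): salted PBKDF2-HMAC-SHA256 storage with constant-time verification, plus the k-anonymity lookup used by the haveibeenpwned Pwned Passwords range API, where only the first five hex characters of the password's SHA-1 are sent and the `SUFFIX:COUNT` response is matched locally. The function names, the 600,000 iteration count and the sample response body (with made-up counts) are this example's own assumptions; nothing here touches the network.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption for this example; tune to your hardware


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record is self-describing so the
    work factor can be raised later without breaking existing users."""
    salt = secrets.token_bytes(16)  # fresh random salt per user, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # constant-time compare so timing does not reveal how many bytes matched
    return hmac.compare_digest(digest.hex(), digest_hex)


def hibp_range_query(password: str) -> tuple[str, str]:
    """Split SHA-1 as the range API expects: 5-char prefix sent, 35-char suffix kept."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]


def pwned_count(password: str, range_body: str) -> int:
    """range_body is the text answered for GET /range/<prefix>: one
    'SUFFIX:COUNT' line per leaked hash sharing that prefix. 0 if absent."""
    _, suffix = hibp_range_query(password)
    for line in range_body.splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


# Constructed stand-in for the API response to prefix 5BAA6 (SHA-1 of "password"
# begins 5BAA61E4...); the counts are made up, the line format is the real one.
SAMPLE_RANGE_RESPONSE = """\
1E2BAC6B1E4E1E0B3A1F3C9D9E7F6A5B4C3:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1F0B2A7C8D9E0F1A2B3C4D5E6F7A8B9C0D1:1
"""

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))  # True
    print(pwned_count("password", SAMPLE_RANGE_RESPONSE))          # 3730471
```

A real deployment fetches the body for the computed prefix over HTTPS and rejects or warns on a non-zero count; the password itself never leaves the server.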
Stephen Cavey, Co-founder and Chief Evangelist, Ground Labs:
“Many data experts would argue that a ‘secure password’ is an oxymoron. Historically, passwords have been an extremely weak form of authentication and represented one of the greatest threats to an organization’s security posture.
The key to any successful security program is making security easy for an employee or user to follow. With less than 25% of Americans using a password manager to prevent password re-use across multiple applications and sites, data breaches caused by compromised credentials are unlikely to disappear anytime soon unless our dependency on passwords as a primary means to authenticate is eliminated. Modern security standards such as the PCI DSS compliance requirements now mandate the use of multi-factor authentication as part of achieving a comprehensive Identity and Access Management framework.
Furthermore, a modern Identity and Access Management framework that eliminates sole reliance on passwords will become a critical component of an organization's data security strategy, ensuring robust verification that a user is who they say they are, limiting their access to data to only what they need, and providing a comprehensive and reliable audit trail.”