World Password Day: Is The Password Still Fit For Purpose?
The password has become a significant source of security breaches and user friction. On World Password Day, have we arrived at the point where the password must be replaced with new security protocols?
As businesses continue to adapt to mass remote working, how these connections are secured has been coming under increasing scrutiny. The use of passwords is an accepted and standard component of logon protocols.
However, the password has for several years come under criticism by consumers and businesses alike. On World Password Day, Silicon UK asks whether the COVID-19 crisis is the ideal opportunity to make radical changes to how we use passwords in the future.
The Thales Access Management Index, a survey of more than 400 IT decision-makers across Europe and the Middle East, found that the majority (57%) of IT professionals consider unprotected infrastructure one of the biggest targets for cyber-attacks. Any organization using such infrastructure, as business pressure drives it to adopt digital transformation technologies, is therefore likely to be exposing itself to a higher level of risk.
While some organizations still rely on legacy authentication methods like usernames and passwords, growing awareness of the threats is prompting action with almost all (94%) organizations having changed their security policies around access management in the last 12 months.
Thales also revealed that staff training on security and access management (47%), increasing spend on access management (43%), and access management becoming a board priority (37%) have all seen an increased focus. This is set to pay off in compliance terms too, with nearly all (98%) European respondents reporting that they control who has access to their company’s data. This will help them meet data regulation requirements like GDPR.
“As more and more businesses move to adopt cloud-based services for CRM, email, employee collaboration and IT infrastructure as part of their digital transformation strategies, the struggle to extend old solutions, designed to protect internal resources, to the outside world becomes very problematic,” said Francois Lasnier, Vice President for Access Management solutions at Thales.
“Often, to adapt to the new working habits of users connecting from anywhere, which is increasingly pertinent right now and will become standard moving forward, businesses tend to revert to old password-based logins for cloud services in despair. This is knowingly increasing their security exposure to credential stuffing and phishing attacks,” Lasnier concluded.
Password passive
Businesses have had to rapidly adjust their threat perimeters to stretch to the homes of their employees. With furloughing potentially having many months to run, and the possibility that remote working becomes the default environment for many organizations, keeping control of access privileges is critical, yet poor network security remains prevalent.
“Organizations everywhere are facing unprecedented challenges as millions of people are working from home,” said Brad Brooks, CEO and president of OneLogin [https://www.onelogin.com]. “Remote work security is mission-critical for managing and securing digital identities for workforces and customers in this challenging environment.”
A closer look at how individual countries practice security highlights differences in password sharing, willingness to access high-risk websites and more. The study uncovered the following user behaviours:
- Risky sites: 5% of UK consumers admitted to accessing adult entertainment from a work device, in comparison to 17% of US consumers.
- Home networks: UK consumers are the worst in the world for Wi-Fi security, with 50% of them not having changed their Wi-Fi password in more than a year, compared to the global average of 36%.
- Device security: Half (50%) of UK consumers did not change their work device’s password when they began remote working.
- Shadow IT: 10% of UK consumers have downloaded an application to help them with their work without their work’s permission, and 17% have accessed work applications from a non-work device.
- Remote working: 60% of UK consumers expect a change in business culture towards remote working, compared to 73% in France and 50% in the US.
With high-profile members including Google, Samsung, PayPal and Visa, the FIDO Alliance is a non-profit consortium that is addressing the authentication problem by providing convenient and secure logins to web services and mobile apps. Andrew Shikiar, executive director of the FIDO Alliance, comments:
“It is time to reconcile with the fact that few things are holding data security back more than the ‘shared secret’ model of password-based authentication. Today’s average consumer has dozens of accounts online, with a handful of often recycled passwords ‘protecting’ them. This is an incredibly potent security risk, as the information sitting between hackers and valuable data is stored on centralized databases that can be easily intercepted and then reused for nefarious means.
“Luckily, major players across industry sectors are collaborating to revolutionize the way that consumers log in – in favour of more sophisticated approaches, such as multi-factor authentication and biometrics. This standards-based approach eliminates the need for centrally-stored passwords and centralized management of authentication credentials and instead, presents a user-friendly approach to public-key cryptography that allows consumers to log in directly through leading browsers, phones and PCs that they already use on a daily basis.”
Early last year Gartner predicted: “During the past year, we have seen a small increase in client inquiries specifically citing ‘passwordless’ and an increase in inquiries about other passwordless approaches,” says Ant Allan, vice president, Analyst, Gartner. “By 2022, Gartner predicts that 60% of large and global enterprises, and 90% of midsize enterprises, will implement passwordless methods in more than 50% of use cases — up from 5% in 2018.”
Multi-factor authentication
Increasingly, identity is verified via multi-factor authentication. Large online retailers are using this method to safeguard their customers. And as biometric authentication has moved to mobile devices, these platforms have enabled developers to move forward with new authentication solutions that abandon the password.
Nic Sarginson, Senior Solutions Engineer UKI & RSA at Yubico, commented: “With our improved security awareness, some hoped last year’s World Password Day would be the last – but the reality is, we still have a long way to go. Risky password and authentication practices are still rife in our professional and personal lives. In fact, research from Ponemon Institute found that UK IT professionals reuse their passwords across an average of ten personal accounts. At the same time, 39% of individuals and 58% of IT professionals have also done this across workplace accounts.
“These security gaps point to the urgent need for additional layers of authentication tools – but to be successful, they must also be convenient. Security keys are a great example of this. They deliver phishing-resistant two-factor authentication and a higher level of security than memorable words or SMS one-time passwords (OTPs). Requiring employees to authenticate using a device – in addition to login credentials – will better protect networks, applications and data in the long run.”
Silicon UK spoke with Anna Hammond, content analyst at Capterra, and began by asking: on World Password Day, how are businesses approaching the security of their workers who are now working from home?
The majority of the UK workforce received IT security training while working from the office. However, when switching to remote work, only 10% of our survey respondents said they had received additional instructions.
Even with the respondents who said they had received training, most employees weren’t aware of who to contact in the event of a data security issue. Almost half (49%) said they didn’t know of an individual within their business that is responsible for data security, privacy or compliance or didn’t know how to contact this person. Of those respondents, 65% were middle management staff members.
Without that knowledge, it is difficult to expect junior staff to have a thorough understanding of the steps they can take to work securely. The results indicated that senior SME leaders are best equipped with essential cybersecurity information. However, the staff’s lack of knowledge could be their businesses’ biggest threat.
Is the password no longer fit for purpose as a standard for security?
Passwords are an excellent way to secure sensitive information, but only if all the guidelines are followed. A strong password should be unique, include around 8-16 characters, and ideally a combination of capital and lowercase letters.
Lax passwords put small businesses at risk. We saw that only 15% of our survey respondents use strong passwords with randomized letters, numbers, and characters. It was also concerning to see that a fifth of them are securing their online accounts with very basic passwords, such as three or more consecutive letters or numbers, or even the word “password.”
Worryingly, 52% of respondents said they share passwords between personal and business accounts. This, combined with the fact that 61% of workers use personal devices (even occasionally) to carry out work, puts companies at higher risk of exposure should one account be compromised.
Our survey showed that 67% of respondents use software and platforms in the cloud (wholly or partially), indicating that the number of access credentials that an employee has is considerable. Expecting employees to memorize strong, unique passwords for all of these accounts is unrealistic. Luckily, there are plenty of alternatives, such as multi-factor authentication and behavioural recognition that can make this process more secure and less time-consuming.
Will the ‘new normal’ have to include a move away from passwords as the central login identifier?
Cybercriminals are always waiting for people (and companies) to make a mistake. Sadly, coronavirus has given them more opportunities rather than slowing them down. This is mostly due to teleworkers not taking adequate steps to secure their work environment, which could be partially a system’s failure. Relying solely on employees to follow the security measures has proved to be an inadequate measure. More companies will likely turn to alternative solutions for the central login identifier.
How can businesses strengthen their use of passwords as the lockdown continues?
One of the fastest ways to implement strong password security is the use of a password management system and multi-factor authentication. It was concerning to find that the majority of UK SME employees rely on human memory to store account logins and passwords. It is probable that this is the reason why a third of respondents use an identical password for all accounts. Password management systems can help to generate random passwords for security and also safely store them; they also often offer a multi-factor authentication option.
The question that is asked continuously is: is the password no longer fit for purpose as a standard for security?
“Far from it,” says Emmanuel Schalit, the CEO of password manager Dashlane. “I’ve lost count of the number of times over the last decade that I’ve heard of a new technology launched in the security space which promises it will ‘kill the password’. And yet passwords are still going strong. Every new alternative, from facial recognition to fingerprint ID, can be breached in the same way any data can.
“You can change your passwords if they are compromised, but you can’t change your fingerprints if the same happens to them. Cybersecurity may be evolving, and the popularity of practices such as two-factor authentication rightfully on the rise, but passwords will be needed for a long time to come.”
Yubico’s Nic Sarginson also explained: “In an ideal future, we will move away from usernames and passwords entirely. This isn’t a transition that will happen overnight, but we’re well on our way. The technology didn’t exist to support a passwordless future until recently, and only now are we beginning to see it come to fruition with the widespread support of the modern FIDO2 and WebAuthn open standards in all major browsers and operating systems.”
Sarginson concluded: “Within just one week, Google reported that it saw more than 18 million daily malware and phishing emails related to COVID-19. The unfortunate reality is that hackers thrive in times of crisis, and right now, almost everyone is distracted by the influx of news, increasing feelings of fear and uncertainty, lack of social connection, or disrupted home routines.
“Now more than ever, it’s imperative that organizations seek out the strongest levels of protection that can defend against phishing attacks 100% of the time. The reality is that it’s not mobile-based 2FA, so resist the temptation to implement something that gives the impression of increased security while playing into the hands of the bad actors.”