SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers

The bad password advice you need to leave behind in 2023

Wed, 22nd Feb 2023

If the start of 2023 has shown us one thing, it's that organisations are still falling short of cybersecurity standards. For companies to truly make a difference, it's time to throw away the bad password advice and take steps to eliminate passwords once and for all.

As organisations brace for a further deluge of cyber attacks this year, rethinking how authentication is managed across the enterprise should be a top priority for keeping customers, employees, and partners safe and secure. Those organisations that make the leap and eliminate the use of passwords and move to cryptographic passkeys will not only make life easier and much more streamlined for users. They'll also remove one of the top attack vectors hackers use to gain access to enterprise systems.

The problem with passwords

Difficult to keep safe, long and arduous to remember, and easily susceptible to breach or attack, passwords represent a major source of frustration for security professionals and users alike.

To enhance an organisation's security, users are constantly being urged to change or update their passwords at regular intervals. The so-called 'helpful' tips regularly issued to users include: use at least 15 characters, mix letters and symbols, avoid sequential numbers and personal information, and avoid easily guessed choices such as "p@ssword".

Alongside placing significant security responsibility on users, this also generates frequent calls to help desks because users forget their latest convoluted password combination and find themselves locked out of systems, wasting valuable time, energy and resources for everyone involved.

Similarly, users are often urged to utilise solutions like password managers in a bid to eliminate the hassle associated with having to remember complex and constantly changing passwords. The problem is that this still leaves users holding the bag when it comes to password responsibility. But that's not the only challenge where security is concerned.

Because a password manager contains all of a user's passwords in one easy-to-target repository, and itself needs to be protected by a password, a successful compromise of the manager could prove catastrophic.

Just look at what happened as a result of the LastPass hack as an example of the damage that can come from these attacks.

A more sensible approach is to dispense with passwords altogether and adopt a new approach to security that eliminates any need to put users under unnecessary or undue pressure.

Why eradicating password-based attacks should be a top 2023 mission

Hackers no longer break in, they log in. This is why 80% of data breaches start with a password-based attack.

According to the 2022 Verizon Data Breach Investigations Report, more than 80% of web application breaches were caused by stolen credentials, with phishing accounting for almost 20% of breaches.

This shouldn't come as a surprise because when an organisation's credentials are password-based, these will be stored in databases that are open to being breached. It won't matter if a password is over 1000 characters long and chock full of symbols because, the moment a user falls prey to a sophisticated phishing email, the complexity of their password will be irrelevant when it is stolen.

By moving beyond passwords, organisations are able to stop leaving credentials in multiple locations and databases where these are open to being snatched by hackers.

Verifying everyone – and everything – all of the time

In recent years, the approach and techniques behind concepts such as zero trust security have offered organisations a way to actively authenticate and monitor users, their behaviour, and the devices they use to access systems, continuously and securely, yet without friction.

These next-generation solutions eliminate the need for passwords, and for password-based multi-factor authentication (MFA) built on magic links and one-time passwords, both of which are phishable and subject to 'man-in-the-middle' style attacks. In their place, they use immutable cryptographic credentials to take enterprise security to a new level. Recently, the FIDO (Fast Identity Online) Alliance, backed by the major cloud players, has worked to create a standard that bridges to a passwordless future.

There is no need for users to remember or use passwords ever again. Instead, each user receives a credential on their device that can't be moved, cloned or tampered with and is stored and protected in a Trusted Platform Module (TPM) on their device. It's an approach that enables organisations to protect themselves against the remote access hacks and password exploits that typically result in a ransomware attack.

By using passwordless MFA, organisations are able to enforce the zero trust security principles that ensure only authorised users and devices that are known, recognised, and meet all security requirements can actually log in, shutting the door on all credential-based attacks.

Simplifying security and empowering users

Moving beyond passwords delivers significant security benefits for organisations, but that's not the only gain. Easy to deploy and maintain, today's leading solutions also eliminate the productivity killers that typically hamper users who are forced to depend on passwords to access systems, and they deliver a smoother user experience at every authentication step.

Unnecessary login friction disappears: there is no need to locate a second device to fish out a code or link, and users are no longer responsible for choosing lengthy passwords and changing them frequently. Forgotten-password lockouts and help desk password resets become a thing of the past.

Instead, organisations are able to bolster their security in an effective and highly efficient way, thanks to a passwordless authentication approach that delivers continuous risk-based authentication.

By eliminating passwords, organisations will be able to bypass password-based attacks and instantly make their security stronger. Making the move to a phishing-resistant MFA that uses factors like biometrics, cryptographic security keys and security checks of users and devices at the time of login and continuously thereafter now makes it possible to protect networks and resources in a way that can be centrally customised, managed, administered and monitored via a single platform.
