Is A Passwordless Future A More Secure Future?

Following the news that the UK has introduced the world's first law banning weak passwords, minimum security standards must now be enforced by manufacturers of all internet-connected devices. The Telecommunications (Security) Act mandates stricter cybersecurity measures for smart devices to protect consumers.

Manufacturers are now required to eliminate default passwords, establish a security issue reporting point of contact for consumers and disclose the minimum duration for which the device will receive important security updates.

While this legislation is a step in the right direction, it raises the question: what can we do to better secure our first line of defence?

The Perils of Poor Password Hygiene 

Password negligence has far-reaching implications, especially for businesses. With over 23 million people using simplistic passwords like ‘123456’, the stakes are alarmingly high. Such lax security can unravel an organisation, leading to data breaches, ransom demands, and irreparable damage to customer trust. In fact, just a single weak password can open the floodgates to wide-ranging cyberattacks. For instance, recent attacks on major organisations like Okta and 23AndMe were facilitated by stolen login details, demonstrating the widespread impact and ongoing threat posed by weak password practices.

From phishing exploits to brute-force attacks, the techniques used by cybercriminals are evolving. With advancements in AI, hackers now harness machine learning algorithms to predict and crack passwords more swiftly than ever, exploiting every chink in our digital armour.

This escalation in attack capability necessitates the adoption of passwords that are not only longer, but also more complex.

The Possibility Of A Passwordless Future

The role of traditional passwords amidst the advent of biometric authentication is a subject of lively debate among security experts. While some advocate for completely abandoning passwords in favour of biometric solutions—such as fingerprints or FaceID—and modern alternatives like Google Passkey for their convenience and enhanced security, others support the continued use of password managers or a combination of methods. Despite advances in authentication technology, traditional passwords remain prevalent across various platforms.

Biometric authentication, while secure, has a significant drawback: once compromised, biometric data cannot be changed. This vulnerability can lead to irreversible identity theft. In contrast, traditional passwords can be frequently updated to prevent unauthorised access following a security breach.

Furthermore, many individuals and industries still depend on passwords to access critical services, such as email and personal accounts. However, there is a noticeable shift toward passwordless authentication, especially in sectors with rigorous security needs like banking and corporate communications. This shift includes the adoption of hardware tokens, multi-factor authentication using alternate devices, and one-time verification pins, offering secure access without traditional passwords.

Remove Reliance On Passwords 

Executives need to enact and enforce good cybersecurity practices. The best way to do that is to reduce the reliance you have on passwords alone. This means organisations need to adopt other authentication methods to reduce the chances of becoming overwhelmed. For example, by combining multiple account protection solutions, such as two-factor authentication with biometrics, you will lower the chances of a successful attack while also helping to improve the overall security posture of your organisation.

Businesses could also consider using Single Sign-On (SSO), which allows a user to authenticate themselves on multiple, separate platforms via a single ID. This solution negates the need for several different passwords. There is an element of risk, but by combining SSO with multi-factor authentication you can add a second layer of protection. 

Essential Password Hygiene

To strengthen password security, I would recommend the following best practices:

1.    Complexity and Length:  Create passwords with a mix of numbers, letters, and symbols, aiming for 12-16 characters to enhance security. Ensure the password is unique to you and avoid using easily guessed personal details like birthdays or anniversaries.

2.    Unique Passwords for Different Accounts: Avoid reusing passwords across multiple platforms. Use memorable phrases or sentences, like 'meryhadalittlelamb', or a more secure variant with special characters, '#M3ryHad@L1ttleL4m8'. There are solutions available that prevent the reuse of corporate passwords on external sites and protect against phishing and malware.

3.    Use a password manager:  Sometimes having a password is a mandatory requirement, so you cannot rely on other authentication methods alone. Conduct an evaluation to decide if a password manager would be appropriate for your organisation. Password managers have several benefits. They allow your employees to securely store credentials, generate unique passwords and they can auto-complete fields on websites. This removes the reliance on remembering hundreds of passwords or writing them down for anyone to see.  

4.    Implement security tools to prevent credential harvesting:  Always enable MFA to add an additional layer of security. This ensures that even if a password is compromised, unauthorised access is still blocked. Employ encryption protocols to safeguard sensitive data during transmission.

Regularly update and patch software to mitigate vulnerabilities that could be exploited by cyberattacks. Additionally, educate users on recognising phishing attempts.

By proactively integrating these security measures, you fortify your defences against credential harvesting and enhance the overall security posture of your online presence.

5.    Implement an account monitoring solution:  You can only protect what you can see, so it’s important that you have visibility of all accounts that have been compromised by an attack. Otherwise, how are you going to make improvements to stop an attack from happening again? This is why you need to review the default account settings and turn on features like locking an account after a certain number of attempts. You don’t want an attacker to have unlimited time or an unlimited number of login attempts, allowing them to force their way into your organisation.
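
To illustrate point 5, the Python example below (added here, not part of the original article) replays a constructed login log, locks an account once failures pass a threshold, and reports which accounts were targeted. The thresholds, the log format and the name `review_logins` are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5                    # assumed threshold; tune to your policy
WINDOW = timedelta(minutes=10)      # failures are counted inside this window
LOCKOUT = timedelta(minutes=15)     # how long a locked account stays locked

# Constructed sample events: timestamp, account, result, source address.
SAMPLE_LOG = """\
2024-05-01T10:00:00 alice FAIL 203.0.113.5
2024-05-01T10:00:10 alice FAIL 203.0.113.5
2024-05-01T10:00:20 bob FAIL 198.51.100.7
2024-05-01T10:00:30 alice FAIL 203.0.113.5
2024-05-01T10:00:40 alice FAIL 203.0.113.5
2024-05-01T10:00:50 alice FAIL 203.0.113.5
2024-05-01T10:01:00 bob OK 198.51.100.7
2024-05-01T10:02:00 alice OK 203.0.113.5
2024-05-01T10:20:00 alice OK 192.0.2.44
"""

def review_logins(log_text):
    """Replay login events; return (locked accounts, decision per event)."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    locked_until = {}               # account -> time the lockout expires
    locked, decisions = set(), []
    for line in log_text.splitlines():
        stamp, account, result, _source = line.split()
        now = datetime.fromisoformat(stamp)
        if locked_until.get(account, now) > now:
            decisions.append((account, "BLOCKED"))  # refused even if the password is right
            continue
        recent = failures[account]
        while recent and now - recent[0] > WINDOW:
            recent.popleft()        # forget failures older than the window
        if result == "OK":
            recent.clear()          # a good login resets the failure count
            decisions.append((account, "ALLOWED"))
            continue
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            locked_until[account] = now + LOCKOUT
            locked.add(account)     # surface this account for review
            decisions.append((account, "LOCKED"))
        else:
            decisions.append((account, "FAILED"))
    return locked, decisions

if __name__ == "__main__":
    print(review_logins(SAMPLE_LOG)[0])
```

The set of locked accounts is the visibility the point asks for: each entry is an account that saw repeated failed logins and should be reviewed.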

By adhering to these guidelines, individuals and organisations can significantly enhance their digital security posture.

The Takeaway 

In the current cyber environment, an attack is inevitable. However, preventing an attack is possible with the right combination of technologies and security protocols. Put simply, action must be taken now to keep your accounts safe.

Given that poor password hygiene and the resulting impact can damage an organisation’s reputation beyond repair, companies need to treat this situation with the level of seriousness it demands. 

Muhammad Yahya Patel is a Security Engineer and member of the Office of the CTO at Check Point. 
