Sectors and organisations involved in the fight against Covid-19 are vulnerable to attack by malicious hackers, that is according to a recent joint notice issued by cyber-security agencies from the US and the UK, writes Danna Bethlehem, Access Management Expert, Thales.
Among the techniques being used by attackers is targeting weak password management.
Both agencies referenced password spraying attacks, where attackers are using an approach to test common passwords against many accounts for the same provider, enabling attackers to go undetected.
The debate about the effectiveness of passwords has long dominated the security conversation. So, on World Password Day, maybe there is no better time to ask the pertinent question – should we ditch the password itself to save the stress and improve security?
To answer that question, it is first worth understanding why passwords are used in the first place. Essentially passwords are still around because they are relatively easy authentication solution. They are cheap and they do not require special skills to be created. But it is becoming common knowledge in the security industry at least, that they should never be the only means of authenticating users.
Despite these warnings, some companies are persisting with them. According to the 2020 Thales Access Management Index, nearly a third (29%) of organisations in Europe and the Middle East still see usernames and passwords as one of the most effective means to protect access to their IT infrastructure.
Fit for purpose?
Looking deeper into why this figure should alarm people, Verizon’s Data Breach Investigations Report found 81% of hacking-related breaches were a result of weak, stolen, or reused passwords. Threats like man in the middle attacks and man-in-the-browser attacks take advantage of users by mimicking a login screen and encouraging the user to enter their passwords. It is even more unsafe in the cloud. Login pages hosted in the cloud are completely exposed, thus enabling a bad actor to carry out phishing or brute force attacks against publicly known login pages like outlook.com.
To combat this weakness, organisations revert to strong password policies, which normally requires employees to have passwords that are complex and that every password for every account must be unique. However, policy-driven password strengths and rotation leads to password fatigue, thereby contributing to poor password management.
With that, passwords become common property, an analysis of over five million leaked passwords showed that 10 per cent of people used one of the 25 worst passwords. Seven per cent of enterprise users had extremely weak passwords.
With everything considered, the pitfalls of using passwords are clear to see for businesses, especially in the new remote working world most are currently in.
Secure your system against poor authentication!
The good news is there are solutions to the password dilemma. It is time for a strong authentication solution that meets the increased security demands of the modern business.
Passwordless authentication replaces passwords with other methods of identity validation, improving the levels of assurance and convenience. This type of authentication has gained traction because of its significant benefits in easing the login experience for users and overcoming the inherent vulnerabilities of text-based passwords. These advantages include less friction, a greater level of security that is offered for each application and—best of all—the elimination of the legacy password.
There are various layers of passwordless authentication that offer increasing levels of security. Implementation of a specific model depends on the level of identity, authentication, and federation an enterprise wishes to apply based on the business and security risks and the sensitivity of the data to be protected.
In a further positive sign businesses seem to be waking up to the improved security methods out there, Gartner is predicting that 60 per cent of large and global enterprises along with 90 per cent of midsize employees will implement passwordless authentication methods in 50 percent of cases by 2022. This change will mark an increase from fewer than five per cent today.
World Passwordless Day!
So, with all that in mind, should we still be celebrating World Password Day next year? The short answer is no. In fact, we should rename it World Passwordless Day! In order to truly move forward though, we need to get to a point where we can encourage people to abandon weak and bad passwords, and create a culture of adaptive, passwordless authentication mechanisms, compatible with the perimeter-less nature of the modern businesses.