Today is the eighth annual World Password Day, aimed at encouraging everyone to choose and protect more secure passwords.
But a number of infosec professionals argue that this should be the last time this day is acknowledged.
Passwords on their own are no longer an adequate control. People choose weak passwords that can be guessed or cracked by brute force, share them, and re-use them across multiple websites. They cost employers money in help-desk time spent resetting forgotten passwords, and cost businesses sales when customers abandon purchases because they cannot remember one.
Numerous studies show that credentials theft is one of the leading contributors to data breaches.
With biometrics and hardware-based authentication now widely available, the argument goes, it is time for CISOs to abandon passwords.
“Passwords are a deprecated notion that served their purpose,” Dave Lewis, the Burlington, Ont.-based global advisory CISO for Cisco, said in an interview. “When we look back to 1962 and the CTSS (compatible time-sharing) system at MIT, that was the advent of password use in a computer system. It was a reactionary measure that unfortunately has become what we refer to as a security control.”
Passwords are like a house key that a parent leaves under the door for a child, Lewis argues. If someone uses the key it doesn’t necessarily mean they’re a family member.
Transferring the analogy to information security, the CISO needs a way to authenticate the key user.
“Enterprise CISOs need to start focusing their attention on moving away from passwords, which unfortunately have been the subject of many a data breach over the years, to a better way of doing things,” Lewis said.
The easiest way, he noted, is using multi-factor authentication to negate the use of stolen passwords.
Another is the use of biometrics such as fingerprints, voice or facial recognition. But ultimately, Lewis said, the CISO’s goal should be a complete passwordless solution – using smartphones or USB keys – based on public key cryptography so users don’t have to regularly log into systems.
FIDO2 champion
Jerrod Chong, chief solutions officer of Yubico, which makes the Yubikey hardware-based authentication keys, says his firm is among those championing the FIDO2 open standard for passwordless single factor or multifactor authentication (MFA).
It’s incorporated in a number of mobile and computer operating systems, as well as browsers.
The problem with text-based MFA is that the user has to wait for a security code to arrive and then type it into a form, he said in an interview. Any passwordless solution has to be secure, easy to use and easy to scale, he said, and FIDO2 meets those criteria.
“There are many legitimate reasons to use a password and an authenticator like a Yubikey,” Chong added. “There are also a lot of legitimate reasons to just use the authenticator with biometrics. You might want to use all of them. The standard we created allows all of that.”
Not every business can transition to passwordless immediately, he explained. There will be a journey. But the end solutions must be easy for users and have tech industry support. However, not all internet-connected services have enabled FIDO2.
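As an added illustration of the public-key flow Lewis and Chong describe above, here is a stripped-down, WebAuthn-style assertion in Go. This is example code written for this page, not code from Cisco, Yubico or the FIDO Alliance, and it omits attestation, authenticator data and signature counters that real FIDO2 carries. The names RelyingParty and Authenticator, the origin strings and the client-data encoding are assumptions made for the example. What it does show is the three properties the interviewees rely on: the relying party stores only public keys, each challenge is single use, and the signature is bound to the origin the browser actually connected to, so a relayed challenge from a look-alike domain does not verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// RelyingParty is the web service. It stores only public keys plus the
// challenges it has issued but not yet consumed. A dump of this state gives
// an attacker nothing that can produce a valid login.
type RelyingParty struct {
	Origin  string
	pubKeys map[string]ed25519.PublicKey // credential ID -> public key
	pending map[string]bool              // outstanding challenges, hex-encoded
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubKeys: map[string]ed25519.PublicKey{}, pending: map[string]bool{}}
}

// Authenticator is the security key or phone. The private key never leaves it.
type Authenticator struct {
	credID string
	priv   ed25519.PrivateKey
}

// Register creates a fresh key pair on the authenticator and gives the RP
// only the public half and a random credential ID.
func Register(rp *RelyingParty, a *Authenticator) string {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	id := make([]byte, 16)
	if _, err := rand.Read(id); err != nil {
		panic(err)
	}
	a.credID = hex.EncodeToString(id)
	a.priv = priv
	rp.pubKeys[a.credID] = pub
	return a.credID
}

// NewChallenge issues a random nonce for exactly one login attempt.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.pending[hex.EncodeToString(c)] = true
	return c
}

// clientDataHash binds the challenge to the origin. Assumed encoding for this
// example (WebAuthn uses a JSON clientData document); the binding itself is
// what defeats phishing, because the browser, not the page, supplies origin.
func clientDataHash(origin string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0})
	h.Write(challenge)
	return h.Sum(nil)
}

// Assert is the authenticator's response: a signature over the origin-bound challenge.
func (a *Authenticator) Assert(origin string, challenge []byte) (credID string, sig []byte) {
	return a.credID, ed25519.Sign(a.priv, clientDataHash(origin, challenge))
}

// Verify is the RP side: the challenge must be one it issued and not yet used,
// and the signature must verify under the RP's own origin with the stored key.
func (rp *RelyingParty) Verify(credID string, challenge, sig []byte) bool {
	key := hex.EncodeToString(challenge)
	if !rp.pending[key] {
		return false // unknown or already consumed challenge (replay)
	}
	delete(rp.pending, key) // single use, whatever the outcome below
	pub, ok := rp.pubKeys[credID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, clientDataHash(rp.Origin, challenge), sig)
}

func main() {
	rp := NewRelyingParty("https://login.example") // assumed origin
	key := &Authenticator{}
	Register(rp, key)

	// Genuine login from the real origin.
	c := rp.NewChallenge()
	id, sig := key.Assert("https://login.example", c)
	fmt.Println("genuine login:", rp.Verify(id, c, sig))
	// The same assertion replayed is refused.
	fmt.Println("replayed assertion:", rp.Verify(id, c, sig))

	// Phishing: a look-alike site relays the real challenge, but the browser
	// binds the signature to the look-alike origin, so the RP rejects it.
	c2 := rp.NewChallenge()
	id2, sig2 := key.Assert("https://login-example.evil", c2)
	fmt.Println("relayed via phishing site:", rp.Verify(id2, c2, sig2))

	// Database theft: public keys alone cannot produce a valid signature.
	c3 := rp.NewChallenge()
	_, forged, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("forged with another key:", rp.Verify(id, c3, ed25519.Sign(forged, clientDataHash(rp.Origin, c3))))
}
```

Run it with `go run .`; the four lines print true, false, false, false. A real deployment also checks the authenticator's signature counter and, for the credential to survive loss of the device, enrols a second key or a recovery path that is itself phishing-resistant.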
On World Password Day, he said, CISOs should ask themselves, “What is your strategy to reduce your reliance on passwords?”
Start testing with a small group of users this year, he advised.
“CISOs need to look at ways to find alternatives to passwords to prove the identity of individuals,” said Johannes Ullrich, dean of research at the SANS Technology Institute.
Passwords not only have been proven to be insufficient to identify users, but they also have been a major hurdle to business success in adding friction without providing sufficient value.
Organizations need to look at risk-based approaches to identifying users. For lower-risk applications (simple e-commerce, for example), passwordless authentication such as a link sent by email may suffice. Higher-risk transactions, for example employee access to corporate VPNs or online banking systems, should use multifactor authentication with hardware tokens.
‘World Multifactor Authentication Day?’
Corey Nachreiner, CTO of WatchGuard Technologies, goes one step further: We should celebrate World Multifactor Authentication Day.
That, he said in an email, “would be a more powerful and effective observance when it comes to strengthening corporate and individual security. Authentication is the cornerstone of good security, and multi-factor authentication means users must provide at least one additional token on top of their password to log into an account.
“These authentication tokens are typically something you are (biometric fingerprint or facial scans), something you have (like a hardware key or mobile phone) and something you know (like a password). MFA allows you to ensure that even if an attacker gains access to one of these tokens, like a user password, they’ll be unable to log in without the second (and sometimes third) authentication token.
“It’s an absolute no-brainer when it comes to addressing the widespread and persistent issues around poor password security and should be a primary focus for both businesses and individual users.”
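The “something you have” factor Nachreiner lists, and the typed security code Chong contrasts with FIDO2, are most often a time-based one-time password from a phone app. As an added example (not code from WatchGuard or any vendor named on this page), here is the server side of that in Go, following RFC 4226 (HOTP) and RFC 6238 (TOTP): the code is derived from a shared secret and the current 30-second step, the verifier tolerates one step of clock skew, compares in constant time, and refuses to accept a step it has already accepted, so a code watched over someone's shoulder cannot be replayed in the same window. The user names and the verifier's structure are assumptions; the secret in main is the RFC 6238 test-vector key, not a real one.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const totpStep = 30 // seconds per time step, the RFC 6238 default

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically
// truncated to a 31-bit integer and reduced to six decimal digits.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp is RFC 6238: the counter is the number of 30-second steps since the Unix epoch.
func totp(secret []byte, at time.Time) string {
	return hotp(secret, uint64(at.Unix())/totpStep)
}

// totpVerifier is the server side. It holds each user's shared secret and the
// highest time step it has accepted for that user (assumed in-memory state;
// a real service persists this next to the enrolment record).
type totpVerifier struct {
	secrets  map[string][]byte
	lastStep map[string]uint64
}

func newTOTPVerifier() *totpVerifier {
	return &totpVerifier{secrets: map[string][]byte{}, lastStep: map[string]uint64{}}
}

// verify accepts the current step and one step either side to absorb clock
// skew, compares in constant time, and never accepts a step at or below the
// last one used: each code is good exactly once, which blocks replay.
func (v *totpVerifier) verify(user, code string, at time.Time) bool {
	secret, ok := v.secrets[user]
	if !ok || len(code) != 6 {
		return false
	}
	now := uint64(at.Unix()) / totpStep
	for _, step := range []uint64{now - 1, now, now + 1} {
		if step <= v.lastStep[user] {
			continue
		}
		if subtle.ConstantTimeCompare([]byte(hotp(secret, step)), []byte(code)) == 1 {
			v.lastStep[user] = step
			return true
		}
	}
	return false
}

func main() {
	v := newTOTPVerifier()
	// Constructed enrolment: the RFC 6238 test-vector secret for user "alice".
	v.secrets["alice"] = []byte("12345678901234567890")
	now := time.Now()
	code := totp(v.secrets["alice"], now) // what the phone app would display
	fmt.Println("code for this window:", code)
	fmt.Println("first use accepted:", v.verify("alice", code, now))
	fmt.Println("replay rejected:", v.verify("alice", code, now))
	fmt.Println("unknown user rejected:", v.verify("bob", code, now))
}
```

The constant-time compare and the single-use rule are the two details most home-grown implementations get wrong. Note also what this scheme does not give you: a phishing page that proxies the login in real time can forward a fresh code within the window, which is why the FIDO2 approach above binds the response to the origin instead.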
How unsafe are your users’ passwords? Darren James, head of internal IT at Specops, which makes password policy management solutions, suggests that CISOs without a password policy solution run the free version of its Password Auditor application against Windows Active Directory.
Often, he said in an interview, at least 20 per cent of passwords don’t meet accepted standards.
Policy enforcement solutions
Many vendors make password policy management solutions that enforce corporate policies, including Microsoft (Azure Active Directory Domain Services), Activate, Anixis, ManageEngine and One Identity, in some cases as part of identity and access management suites. Some capabilities may also be included in enterprise password managers.
Two of the biggest mistakes CISOs make are relying only on the controls in Active Directory for password management and relying on employees to come up with secure passwords on their own, James said.
“Users generally don’t care about passwords. So it’s about coming up with a good policy and being able to enforce it.”
But James and others also stressed the importance of educating users on why a safe password matters, not just to themselves but also to the organization.
Still, experts admit that eliminating passwords entirely will be a long-term effort.
In the meantime, CISOs should make sure
- The organization has a password policy, and it’s enforced. The policy should follow the NIST SP 800-63B guidelines: encourage long passphrases that are easy to remember, screen new passwords against lists of breached and commonly used ones, and avoid complex composition rules and forced periodic changes.
- Use MFA so that a stolen password alone is not enough, and harden the MFA solution itself (its enrolment, recovery and bypass paths) against tampering.
- Have an enterprise password management solution so employees don’t have to remember lots of passwords.
- Have an access management policy that limits access to sensitive assets to only those who need it.
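To make the audit James describes and the NIST-style policy in the checklist concrete, here is an added example in Go of the kind of check a password auditor runs over a directory export. It is not Specops Password Auditor or any other product's code; the rules are modelled on the memorized-secret requirements of NIST SP 800-63B section 5.1.1 (8 to 64 characters, not on a breach or common-password list, not built from the user or service name, not a repeated or sequential string, and no composition rules). The accounts, the blocklist and the service name "acme" are constructed for the example; a real audit would compare NTLM hashes against a breach corpus rather than hold plaintext.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Account is one directory entry as an auditor would see it.
// Constructed sample data, not real accounts.
type Account struct {
	User     string
	Password string
}

// breachedPasswords stands in for a blocklist built from public breach dumps
// (constructed here; a real auditor uses a large corpus or the k-anonymity
// range API of Have I Been Pwned).
var breachedPasswords = map[string]bool{
	"password1":   true,
	"summer2024!": true,
	"qwerty123":   true,
	"welcome1":    true,
}

// sampleAccounts is a constructed directory export with a mix of good and bad choices.
var sampleAccounts = []Account{
	{"alice", "Password1"},                      // on the breach list
	{"bob", "correct horse battery staple"},     // long passphrase: passes
	{"carol", "Carol2021!"},                     // built from the user name
	{"dave", "12345678"},                        // sequential
	{"erin", "aaaaaaaa"},                        // repetitive
	{"frank", "Tr0ub4dor&3"},                    // passes
	{"grace", "Summer2024!"},                    // on the breach list
	{"heidi", "Acme-Rocks-2024"},                // built from the service name
	{"ivan", "short7"},                          // under 8 characters
	{"judy", "the quick brown fox jumps over"},  // passes
}

// isRepetitive reports whether every character is the same (needs len >= 2).
func isRepetitive(s string) bool {
	r := []rune(s)
	for _, c := range r[1:] {
		if c != r[0] {
			return false
		}
	}
	return true
}

// isSequential reports whether the string is a strict run of consecutive
// code points in one direction, such as "abcdefgh" or "98765432".
func isSequential(s string) bool {
	r := []rune(s)
	if len(r) < 2 {
		return false
	}
	d := r[1] - r[0]
	if d != 1 && d != -1 {
		return false
	}
	for i := 1; i < len(r)-1; i++ {
		if r[i+1]-r[i] != d {
			return false
		}
	}
	return true
}

// checkPassword returns every reason a password fails the policy, so a report
// can say why an account was flagged and not merely that it was.
func checkPassword(pw, user, service string) []string {
	var reasons []string
	n := utf8.RuneCountInString(pw)
	if n < 8 {
		reasons = append(reasons, "shorter than 8 characters")
	}
	if n > 64 {
		reasons = append(reasons, "longer than 64 characters")
	}
	lower := strings.ToLower(pw)
	if breachedPasswords[lower] {
		reasons = append(reasons, "appears in breached-password list")
	}
	for _, ctx := range []string{user, service} {
		if ctx != "" && strings.Contains(lower, strings.ToLower(ctx)) {
			reasons = append(reasons, fmt.Sprintf("contains context word %q", ctx))
		}
	}
	if n >= 2 && (isRepetitive(pw) || isSequential(pw)) {
		reasons = append(reasons, "repetitive or sequential")
	}
	return reasons
}

// auditAccounts runs the check over an export and returns the number of failing
// accounts plus a per-user report; the failing share is the figure an auditor
// presents to the CISO.
func auditAccounts(accounts []Account, service string) (failing int, report map[string][]string) {
	report = map[string][]string{}
	for _, a := range accounts {
		if reasons := checkPassword(a.Password, a.User, service); len(reasons) > 0 {
			report[a.User] = reasons
			failing++
		}
	}
	return failing, report
}

func main() {
	failing, report := auditAccounts(sampleAccounts, "acme")
	for user, reasons := range report {
		fmt.Printf("%-6s %s\n", user, strings.Join(reasons, "; "))
	}
	fmt.Printf("%d of %d accounts (%.0f%%) fail policy\n",
		failing, len(sampleAccounts), 100*float64(failing)/float64(len(sampleAccounts)))
}
```

On the constructed sample, 7 of 10 accounts fail. The same structure scales to a real export by swapping the blocklist for a hash lookup and feeding it the directory's NT hashes, which is also the only safe way to run it: plaintext should never be reconstructed for an audit.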
More experts chime in
“World Password Day is a timely reminder of how important it is for enterprises to recognize the importance of secure sign-in credentials and its shifting landscape,” said James Carder, CSO of LogRhythm.
“An estimated 80 per cent of hacking-related breaches can be attributed to lost or stolen credentials, which leads to millions of dollars in financial damages and creates a snowball effect of stolen data. Protecting passwords has become an industry-wide concern that continues to remain an ongoing problem. It is therefore imperative for organizations to prioritize password security by adding multiple authentication layers, limiting employee privileges and considering passwordless alternatives.”
Adopting a Zero Trust security model can further help limit password exposure in on-premises or cloud environments, he added, while also ensuring that proper network access is strictly granted to authorized individuals.
Organizations should investigate behavioural biometrics technologies for identity access and authentication purposes, said Tyler Reese, senior product manager at One Identity.
Using machine learning to identify a baseline of user behaviour, systems can flag when users deviate from their typical behaviour and take immediate action, shortening the time it takes to detect and remediate an incident. Combining consistent messaging to employees, access and authentication practices, auditing and behavioural biometrics creates a strong cybersecurity defence for enterprises, and will be fundamental to the industry’s step towards a passwordless future.