Holding the Line: Staying Secure in a Password-Centric Era
- By Morey Haber, BeyondTrust
- December 16, 2024
Cybercriminals know that new technologies, and new ways of abusing them, open complex, undocumented pathways through cybersecurity defenses, including the identities, entitlements, and permissions that control access. Though the ideal of a passwordless future remains, businesses need to ensure that their current password security practices are robust enough to withstand attacks from emerging threats.
How password cracking has evolved
In password cracking, also called password hacking, bad actors attempt to gain unauthorized access to a network or system by recovering a user's password. They do this in a number of ways, including:
- Brute-force attacks: A relentless, systematic attempt at every possible password combination until the right one is found. The cost grows exponentially with password length, so it is prohibitively expensive against long, complex passwords but still highly effective against short or weak ones.
- Dictionary attacks: An attack that exploits people's tendency to choose predictable passwords by working through prepared lists of common names, phrases, and previously leaked passwords, picking off the most vulnerable users first.
- Spray attacks: A threat actor tries a single common password against many accounts on the same application before moving on to the next password. Because each account sees only one or two failures in any given period, the attack stays below the lockout thresholds that a brute-force attack against a single account would quickly trigger.
- Social engineering: An umbrella term for a myriad of techniques, such as phishing or shoulder surfing, that exploit human weaknesses to circumvent technical security measures and mislead users into revealing their passwords.
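An added example, not from the article or from BeyondTrust, of how the spray pattern described above differs from brute force when you look at failed logins: a spray stays under every per-account lockout counter, so the detection has to pivot on the source rather than on the account. The log lines and their format are constructed for this example, and the thresholds (five distinct accounts within five minutes for a spray, five failures against one account for brute force) are assumptions to tune against your own lockout policy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data) in an assumed format:
#   <ISO timestamp> auth: <FAILED|OK> user=<name> src=<ip>
# 203.0.113.7 tries many accounts once each (spray); 198.51.100.9 hammers one
# account (brute force); 192.0.2.44 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-12-16T09:00:01 auth: FAILED user=alice src=203.0.113.7
2024-12-16T09:00:03 auth: FAILED user=bob src=203.0.113.7
2024-12-16T09:00:05 auth: FAILED user=carol src=203.0.113.7
2024-12-16T09:00:07 auth: FAILED user=dave src=203.0.113.7
2024-12-16T09:00:09 auth: FAILED user=erin src=203.0.113.7
2024-12-16T09:00:11 auth: FAILED user=frank src=203.0.113.7
2024-12-16T09:01:00 auth: FAILED user=grace src=198.51.100.9
2024-12-16T09:01:01 auth: FAILED user=grace src=198.51.100.9
2024-12-16T09:01:02 auth: FAILED user=grace src=198.51.100.9
2024-12-16T09:01:03 auth: FAILED user=grace src=198.51.100.9
2024-12-16T09:01:04 auth: FAILED user=grace src=198.51.100.9
2024-12-16T09:05:00 auth: FAILED user=heidi src=192.0.2.44
2024-12-16T09:05:30 auth: OK user=heidi src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            })
    return events


def classify_sources(events, window=timedelta(minutes=5),
                     spray_min_accounts=5, spray_max_per_account=2,
                     brute_min_attempts=5):
    """Classify each source IP from its failed logins within a sliding window.

    spray:       failures spread across many distinct accounts, at most
                 spray_max_per_account each, so no single account reaches a
                 lockout threshold (the pattern the article describes).
    brute_force: failures concentrated on one account.
    normal:      neither threshold reached.
    """
    failures_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            failures_by_src[e["src"]].append(e)

    verdicts = {}
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        verdict = "normal"
        for i, first in enumerate(fails):
            # All failures from this source within `window` of the i-th one.
            in_window = [f for f in fails[i:] if f["ts"] - first["ts"] <= window]
            per_account = defaultdict(int)
            for f in in_window:
                per_account[f["user"]] += 1
            busiest = max(per_account.values())
            if len(per_account) >= spray_min_accounts and busiest <= spray_max_per_account:
                verdict = "spray"
                break
            if busiest >= brute_min_attempts:
                verdict = "brute_force"
                break
        verdicts[src] = verdict
    return verdicts


if __name__ == "__main__":
    for src, verdict in sorted(classify_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{src:15} {verdict}")
```

Per-account failure counts alone will never flag the 203.0.113.7 source, because no account there fails more than once; grouping by source IP is what exposes it. A spray distributed across many IPs defeats this pivot and needs the same logic keyed on another shared attribute, such as user agent or ASN, which is why lockout policy and MFA, not detection alone, are the real controls.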
The soft underbelly of identity security
Though widely agreed to be one of the weakest security measures, passwords are still the primary authentication method for most systems. The sheer volume of identities, particularly the non-human identities (NHIs) used for automation, only exacerbates the problem. The scale is visible on the human side alone: the FIDO Alliance's 2023 Online Authentication Barometer estimates that the average person types in a password 1,280 times per year.
Despite the availability of alternatives such as biometrics (facial recognition and fingerprints) and FIDO2 security keys, these methods run into the common pitfall of legacy integration. Older systems still tend to require a password-like element for setup or as a backup authentication method, and modern technologies need to remain backward compatible for organizations to continue to operate.
How to boost password security
To mitigate the risks posed by password hacking, businesses can apply a few best practices, such as:
- Require password managers: These tools remove the human factor from password generation and storage by creating a complex, unique password for each account while enforcing best practices such as avoiding dictionary words. Because a manager ties each credential to the site it was saved for, auto-filling login credentials also reduces the risk of users typing passwords into a look-alike phishing page.
- Centralize password management: Use a central vault for all password storage within the organization. This provides full visibility and control, allowing IT security teams to identify weak passwords, enforce regular updates, and streamline reset processes when passwords are lost or forgotten. In organizations, this is achieved through Privileged Access Management (PAM).
- Implement strong passphrases: Require passwords to be longer than 12 characters and to incorporate upper and lowercase letters, numbers, and symbols. Encourage users to combine unrelated words or phrases, which produces long passwords that are easy to remember yet unique; length does more to defeat brute-force guessing than any single symbol requirement, since every additional character multiplies the search space.
- Avoid repeating passwords: People tend to reuse passwords across accounts, so a single leaked credential can lead to multiple breaches. Where a password manager has not been implemented, strong password policies and training on the importance of unique passwords are the fallback.
- Refine password rotation standards: Some accounts, such as administrator accounts, may need more frequent changes than personal accounts. Prepare clear guidelines and reminders for this. Ideally, organizations should also rotate passwords after any event that could have exposed a secret, such as a change in personnel during the joiner, mover, and leaver process.
- Implement multifactor authentication (MFA): Deploy MFA for all accounts. An additional factor, such as a code from an authenticator app or a hardware token, is more secure than single-factor authentication. Note: MFA based on SMS or voice calls is better than single-factor authentication, but these channels can be intercepted through SIM swapping, and any one-time code, whether delivered by SMS or generated by an app, can be relayed by a phishing site in real time. FIDO2 tokens resist this because the authentication is bound to the legitimate site's origin.
- Modify access when needed: Promptly add, change, or remove employee access when people join, change roles, or leave, and change the passwords of any systems they had access to, so that a former role cannot be used for unauthorized access. This should be a key part of any HR process.
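An added example, not from the article or BeyondTrust, that turns the passphrase, dictionary-word, and no-reuse items in the list above into an enforceable check: it applies the length and character-class rule, screens candidates against common passwords and single dictionary words, and detects reuse against a history of previous passwords stored only as salted PBKDF2 hashes. The word lists, the candidate passwords, and the 13-character minimum are constructed assumptions for this example; `keyspace()` is included to show why the passphrase guidance works.

```python
import hashlib
import hmac
import os
import re
import string

MIN_LENGTH = 13            # the article asks for "longer than 12 characters"
PBKDF2_ITERATIONS = 600_000

# Constructed lists for the example only. In production these would be a large
# breached-password corpus and a real dictionary, not a handful of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "summer2024"}
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey"}

CHARACTER_CLASSES = (
    ("lowercase", string.ascii_lowercase),
    ("uppercase", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation),
)


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, returned as (salt, digest) for storage.
    Used here to keep a history of previous passwords without storing them in clear."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches_previous(password, history):
    """True if the candidate equals any (salt, digest) entry in the history."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):   # constant-time comparison
            return True
    return False


def keyspace(password):
    """Size of the search space a brute-force attacker must cover, assuming the
    attacker knows which character classes were used but nothing else."""
    alphabet = sum(len(charset) for _, charset in CHARACTER_CLASSES
                   if any(c in charset for c in password))
    return alphabet ** len(password)


def check_password(password, history=()):
    """Return the list of policy violations; an empty list means accepted."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, charset in CHARACTER_CLASSES
               if not any(c in charset for c in password)]
    if missing:
        violations.append("missing " + ", ".join(missing))
    if password.lower() in COMMON_PASSWORDS:
        violations.append("appears in the common-password list")
    # Strip digits and symbols: "Welcome2024!!" is still just the word "welcome".
    core = re.sub(r"[^a-z]", "", password.lower())
    if core in DICTIONARY_WORDS:
        violations.append("built from a single dictionary word")
    if matches_previous(password, history):
        violations.append("reuses a previous password")
    return violations


if __name__ == "__main__":
    history = [hash_password("Velvet-Orbit7-Kettle")]   # the user's last password
    for candidate in ("password", "Welcome2024!!", "P@ssw0rd",
                      "Velvet-Orbit7-Kettle", "Copper.Lantern9.Drift"):
        print(f"{candidate!r}: {check_password(candidate, history) or 'accepted'}")
    # Length beats complexity: 17 lowercase letters outnumber 8 characters drawn
    # from all four classes by roughly nine orders of magnitude.
    print(f"P@ssw0rd keyspace          = {keyspace('P@ssw0rd'):.2e}")
    print(f"velvetorbitkettle keyspace = {keyspace('velvetorbitkettle'):.2e}")
```

The history is kept as salted, iterated hashes so that the reuse check never requires old passwords in clear, and the comparison is constant-time so a timing difference cannot leak which entry matched. The keyspace figures make the passphrase point concrete: even an all-lowercase 17-character string is far more expensive to brute force than an 8-character password that satisfies every composition rule, which is why the length requirement, not the symbol requirement, carries the policy.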
Striving for a passwordless future
Ultimately, passwords remain a fact of our digital lives, at least for now. Although alternatives such as biometrics and FIDO2 tokens have proved more secure and more user-friendly, their lack of seamless compatibility with legacy systems poses a significant barrier. Organizations need a middle ground that applies current security best practices to the legacy technology they still depend on.
Organizations can nonetheless minimize risk through a multi-layered approach. Password management, privileged access management, strong password policies, multifactor authentication, and training in cyber hygiene best practices are all essential. The current threat landscape demands that organizations stay adaptable, and these strategies ensure that, while a password-free future is in the works, businesses can protect themselves and secure their assets using modern guidance to safeguard passwords and secrets wherever they are used across the company.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.
Morey Haber, BeyondTrust
Morey Haber is the chief security advisor at BeyondTrust.