
Password security needs a moonshot moment

Today’s columnist, Marcus Kaber of Specops Software, writes that as much as the tech companies are pushing biometrics options like facial recognition, most enterprises still run on legacy passwords. (Photo: DeltaNewsHub, Creative Commons CC BY 2.0)

Most people are unaware that they can trace back the majority of the past decade’s most notorious cyberattacks to compromised passwords as the source of entry.

From direct assaults on passwords via brute force attacks and password spraying, to email phishing, ransomware and social engineering campaigns that act as precursors to credential stuffing attacks, adversaries are well aware that the path of least resistance almost always involves the compromise of a password. In fact, an estimated 81% of all data breaches are now facilitated by compromised passwords, according to Verizon’s 2021 Data Breach Investigations Report, and weak passwords now account for up to 30% of ransomware infections.

Enterprise security and IT teams are mostly well aware of these many password-driven risks. In response, many security teams have begun to implement an identity and access management (IAM) framework as part of their defense-in-depth strategy, to reduce the opportunities for adversaries to gain unauthorized access.

In some instances, a company’s IAM framework includes a robust password security policy, often comprising both technology and security awareness training on password best practices. This is especially true in Europe and in parts of the U.S., where enforceable regulations like the GDPR and CCPA play a pivotal role in shaping security policy.

Despite these investments of time and resources in password risk mitigation, the prevailing perception remains that the password problem has become too complicated. At the same time, attackers continue to raise the bar, making many enterprise defenses obsolete by deploying AI-driven phishing, brute force and password spraying attacks with the intention of harvesting credentials and defeating log-in screens.

Industry must double down on password protection

Despite what Microsoft, Cisco, and the media have to say, biometrics and fingerprinting are not replacing legacy passwords any time soon. And even if they eventually do become the primary authentication factor, people will still use a password as the second form of verification because it’s not possible to reset a retina or a fingerprint. 

Thus, it’s essential for industry and individual organizations to double down on efforts to reduce password-driven risks. Fortunately, there are multiple actions and strategies companies can implement to mitigate password-related risks.

Implement better technology for password security

It takes just minutes to crack an 8-character password. So, from a technology perspective, it’s essential to adopt solutions that support passphrases, length-based password aging and breached-password dictionaries, and that give detailed feedback to ordinary users when things go wrong. This type of functionality helps reduce some of the most prominent password-driven threats and vulnerabilities, and it also helps alleviate the burden that password management traditionally puts on IT and help desk teams.

Organizations can also protect their help desks and reduce their burdens by offering secure self-service password reset, using tools that give clear-cut messaging to end users and that require user verification stronger than just an employee ID.

Train employees more effectively in password security awareness

It’s also important for organizations to start putting greater emphasis on employee awareness training. For example, a 2019 Google survey showed that 65% of adults reuse passwords for multiple or all of their accounts. So, security teams shouldn’t focus on when employees will reuse passwords; they should focus on how to prevent them from doing so. Checking new passwords against breached-password lists can protect against this kind of vulnerability.
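The policy pieces named above (passphrase support, length-based aging, a breached-password dictionary, and specific feedback to the user) and the breached-list check recommended here for reused passwords can be combined in one evaluation routine. The following is an added illustration, not code from Specops or from this column; the breached sample list, the aging tiers and the 12-character minimum are assumed values, and the lookup imitates the prefix-based (k-anonymity) range query that breached-password services expose, so the full hash never leaves the client.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample of "breached" passwords (not real breach data). The policy
# store keeps only upper-case SHA-1 digests, the form range-query services use.
_SAMPLE_BREACHED = ["Password123", "Summer2021!", "letmein", "correct horse battery staple"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _SAMPLE_BREACHED}

# Assumed length-based aging tiers: (minimum length, maximum age in days).
# Longer secrets are rotated less often; anything below the last tier is rejected.
AGING_TIERS = [(20, 365), (15, 180), (12, 90)]
MIN_LENGTH = AGING_TIERS[-1][0]


@dataclass
class PolicyResult:
    accepted: bool
    max_age_days: Optional[int]
    feedback: List[str] = field(default_factory=list)


def breached_suffixes(prefix: str) -> Set[str]:
    """Simulated k-anonymity range lookup: the client sends only the first five
    hex characters of its digest and receives every matching suffix."""
    return {d[5:] for d in BREACHED_SHA1 if d.startswith(prefix)}


def max_age_for(length: int) -> Optional[int]:
    """Map a password length to its maximum age; None means below policy minimum."""
    for min_len, days in AGING_TIERS:
        if length >= min_len:
            return days
    return None


def evaluate_password(candidate: str) -> PolicyResult:
    """Check one candidate and return concrete reasons instead of a bare 'rejected'."""
    feedback: List[str] = []
    if len(candidate) < MIN_LENGTH:
        feedback.append(f"Too short: {len(candidate)} characters, minimum is {MIN_LENGTH}. "
                        "A passphrase of several words is fine; spaces count toward length.")
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    if digest[5:] in breached_suffixes(digest[:5]):
        feedback.append("This password appears in a known breach list; choose one "
                        "you have never used for another account.")
    age = max_age_for(len(candidate)) if not feedback else None
    return PolicyResult(accepted=not feedback, max_age_days=age, feedback=feedback)
```

Note that the long passphrase in the sample list is still rejected: length earns a longer rotation window, but a breach-list hit overrides it.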

IT, HR, and security teams should collaborate on delivering password-focused training twice per year, akin to how many enterprises run anti-phishing training, as well as adding dedicated password awareness sessions during onboarding. While employees might know about the password-driven risks, they likely don’t know how to mitigate them without ongoing organizational support.

Go all in on password security

Cyberattacks are intensifying in frequency and sophistication, and password compromises remain at the center of it all. While IAM and password security tools can mitigate risks, those alone cannot solve the challenges of today or tomorrow.

Instead, we must collectively work to change the misguided perception that poor password hygiene has become a “cost of doing business” to the more accurate sentiment that it’s something that businesses have the power to control. Changing that perception will take a “moonshot moment” where everyone agrees something has to change. But it’s an important goal that’s worthy of going “all in” on.  

Marcus Kaber, chief executive officer, Specops Software
