Today (Thursday 2nd May 2024) marks World Password Day, a celebration of passwords originally instigated by Intel back in 2016 to encourage people to be more vigilant online by creating complex and regularly updated passwords. Since 2016, the stakes of our digital assets have continued to increase, making World Password Day a more appropriate reminder of the importance of secure passwords than ever.
Indeed, given the extent to which we now function online, maintaining strong digital security is now just as important as locking our front doors, or maybe even more so.
But nowadays, protecting our digital assets comes down to a lot more than just having a strong password. With the proliferation of AI-powered tools on the dark web, cybercriminals are now even more agile and powerful, particularly when it comes to cracking passwords. For this reason, there is a big incentive for web users to start using other access and user identification methods that are deemed more secure. These include:
- Multi-factor authentication (MFA)
- Biometrics
- Passkeys
- Authentication apps
Are the days of password use numbered?
Several experts think that the days of using passwords are soon to be over. In a CNET article, for example, author Bree Fowler suggests that World Password Day is now the perfect opportunity to push for the elimination of passwords. She argues that passwords are now an outdated security measure that has only managed to stick around due to its popularity, ease of use, and the lack of any scalable alternative.
Ravi Bindra, CISO at SoftwareOne, also hints that the elimination of passwords will be the future of digital security:
“As technology evolves, passwordless authentication is emerging as the future of tomorrow’s security landscape, leveraging biometrics and hardware for a safer digital journey.”
Ravi Bindra, CISO at SoftwareOne
Indeed, many businesses are now using MFA to integrate other methods such as biometrics and authentication apps into their access requirements to increase resilience against potential cyberattacks.
For example, Signicat, a leading digital identity solutions provider trusted by thousands of companies to identify fraud, uses a variety of alternative verification methods to identify individuals. These include a mobile app and eIDs.
More recently, Signicat has also adopted the practice of using financial details to verify the identity of its customers, with its recent acquisition of mojeID Poland, a digital security company utilized by 98% of online bankers in Poland. Poland also happens to be the country with the strongest cybersecurity, according to the NCSI. Signicat’s acquisition of mojeID Poland, and its move towards financial verification methods, indicates a move towards passwordless identification methods. This is particularly the case in more regulated sectors such as the financial sector, where the stakes in a potential data breach are especially high.
But scaling these solutions across borders and sectors remains a key challenge, as company spokesperson Riten Gohil points out.
“Delivering a new electronic identity solution demands rigorous adherence to security and compliance standards mandated by public administrations and national regulations. Addressing the evolving requirements of regulated sectors remains our top priority, and we recognize mojeID Poland as a crucial asset for our clients.”
Riten Gohil, Digital ID, Fraud & AML Orchestration Evangelist at Signicat.
Passwords remain at the forefront of digital security
While the days of using passwords may be numbered, for the moment they remain one of the most widely used and targeted forms of digital security. For this reason, it remains crucial for individuals and businesses alike to continue to be vigilant with their password practices.
Indeed, while SoftwareOne’s Ravi Bindra sees a passwordless future on the horizon, he continues to consider passwords to be one of the most fundamental barriers against cybercrime.
“Passwords are the frontline guardians of our digital fortresses, yet complacency continues to invite breaches. In today’s cyber battleground, businesses must realise their security is only as robust as their weakest password. As hackers improve their tactics, neglecting password hygiene is a luxury no one can afford. World Password Day serves as a crucial reminder: fortify your defences with strong password practices. It’s not rocket science; it’s diligence. Embrace longer, diverse passphrases and bolster security with multi-factor authentication.”
Ravi Bindra, CISO at SoftwareOne
Steve Bradford, Senior Vice President EMEA for SailPoint, holds a similar view, and advocates integrating stronger password requirements into software applications at the manufacturing level, so that creating stronger passwords is no longer just an option but a requirement.
“It’s important we stamp out weak passwords for good. Passwords are one of our most widely used security controls, but often they’re overlooked or abused. The common advice is to make these strong and unique – so we need to be encouraging these practices right from the start, and we need manufacturers to help set that precedent.”
Steve Bradford, EMEA Senior VP for SailPoint
Furthermore, Vivek Dodds, CEO of compliance training service Skillcast, highlights that a majority of cyberattacks still occur due to weak passwords.
“Although having a strong password may seem obvious, research from the World Economic Forum shows that 80% of all breaches are due to weak passwords. It’s important to understand the significance of avoiding easy-to-guess patterns, staying away from obvious information like common words or birthdates, and incorporating a mix of different character types for added complexity. Additionally, regularly updating passwords to stay ahead of evolving threats is crucial.”
Vivek Dodds, CEO of Skillcast
This means that although advanced hacking tactics exist to bypass even the strongest of passwords, the overall rate of cybercrime could still be significantly reduced by the simple practice of enhancing password strength.
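The advice quoted above (Bindra’s longer, diverse passphrases; Dodds’s warning against common words, birthdates and easy-to-guess patterns) can be turned into a check that a sign-up form or password policy actually enforces. The following is an added example written for this article, not code from the article itself or from SoftwareOne, Skillcast or any other company quoted; the word lists, the 12-character minimum and the 60-bit threshold are constructed assumptions for illustration, and a real deployment would load a breach-derived blocklist and a full diceware-style word list instead. It also shows why a long passphrase drawn from a known word list should be scored by word count rather than by the naive character-set estimate.

```python
import math
import re
import secrets
from dataclasses import dataclass, field

# Constructed, illustrative lists (assumption: a real policy would use a
# breach-derived blocklist of millions of entries and a full diceware list).
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "admin", "iloveyou"}
SEQUENCE_RUNS = ("qwerty", "asdfgh", "zxcvbn", "123456", "abcdef")
WORDLIST = ("correct", "horse", "battery", "staple", "lantern", "pebble",
            "orbit", "velvet", "canyon", "tulip", "harbor", "glacier")
MIN_LENGTH = 12      # assumed policy minimum
MIN_BITS = 60.0      # assumed minimum naive brute-force entropy


@dataclass
class Assessment:
    bits: float                                   # naive brute-force entropy estimate
    issues: list = field(default_factory=list)    # human-readable policy findings

    @property
    def acceptable(self) -> bool:
        # Complexity alone is not enough: any pattern finding rejects the password.
        return self.bits >= MIN_BITS and not self.issues


def _charset_size(pw: str) -> int:
    """Size of the smallest character class set that covers the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33   # printable ASCII symbols, including space
    return size


def assess_password(pw: str) -> Assessment:
    """Score a candidate password and list the patterns a cracker would try first."""
    low = pw.lower()
    issues = []
    if len(pw) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    for word in sorted(COMMON_WORDS):
        if word in low:
            issues.append(f"contains common word '{word}'")
    for run in SEQUENCE_RUNS:
        if run in low or run[::-1] in low:
            issues.append(f"contains keyboard or number sequence '{run}'")
    year = re.search(r"(?:19|20)\d{2}", pw)      # birth years and dates are guessed early
    if year:
        issues.append(f"contains a year-like number {year.group()}")
    if re.search(r"(.)\1{2,}", pw):
        issues.append("repeats one character three or more times")
    # Naive estimate: assumes every character is uniformly random over the charset.
    bits = len(pw) * math.log2(_charset_size(pw)) if pw else 0.0
    return Assessment(bits, issues)


def passphrase_bits(n_words: int, dict_size: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly from a known list."""
    return n_words * math.log2(dict_size)


def generate_passphrase(n_words: int = 6) -> str:
    """Diceware-style passphrase using the OS CSPRNG (secrets, never random)."""
    return " ".join(secrets.choice(WORDLIST) for _ in range(n_words))


if __name__ == "__main__":
    for candidate in ("Password2023!", "qwerty123", "correct horse battery staple"):
        a = assess_password(candidate)
        print(f"{candidate!r}: {a.bits:.1f} bits, acceptable={a.acceptable}, issues={a.issues}")
    # A 4-word passphrase from a 7776-word diceware list is only ~51.7 bits,
    # far below the naive charset estimate; 6 words reach ~77.5 bits.
    print(f"4 words / 7776-word list: {passphrase_bits(4, 7776):.1f} bits")
    print(f"6 words / 7776-word list: {passphrase_bits(6, 7776):.1f} bits")
    print("generated:", generate_passphrase())
```

The first candidate scores over 80 bits on the naive estimate yet is rejected, because the pattern checks catch the dictionary word and the year; that is the point Dodds makes about character-mix complexity being necessary but not sufficient. The `passphrase_bits` figure is the one to trust for word-list passphrases, since an attacker who knows the list guesses whole words, not characters.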
The vulnerability of ‘unlikely targets’
Maintaining high vigilance in digital security practices is particularly important for small and medium businesses, which are less likely to consider themselves a target for cyberattacks. In fact, as many as 59% of small business owners with no security measures in place believe that their business is too small to be attacked, according to research by StrongDM.
But this only makes them a more vulnerable target in the eyes of cybercriminals. While hackers may ultimately be after the big rewards that come from hacking into big corporations, they are also likely to target smaller players. This is because SMEs typically have less secure digital infrastructure, which increases the chance of success for an attack. For many cybercriminals, this higher chance of success might outweigh the appeal of a bigger payoff.
Alternatively, many cybercriminals will target smaller businesses which are part of a wider supply network or ecosystem to then get access to bigger and more desirable corporations that are in business with the smaller business. Thus, it is crucial for smaller businesses to recognise themselves as equally vulnerable to cyberattacks as big businesses, if not more.
Furthermore, businesses which operate remotely or with hybrid working options may also be more vulnerable to cyberattacks. In the notorious data breach against password manager LastPass in December 2022, the hackers gained entry to LastPass’ corporate cloud by hacking into the personal computer of one of the employees. This illustrates the danger that remote and hybrid work options pose to businesses’ digital security – and there are four key reasons for this:
- Personal computers are less likely to have the most updated, state-of-the-art security infrastructure, given that digital security tends to be less of a concern to individuals than businesses.
- On personal computers there are likely to be more points of entry for hackers: users tend to choose weaker passwords for less important applications, and a compromise there can expose personal information that is then used to gain entry into higher-stakes applications.
- Personal computers are more likely to have the option to remember users’ passwords turned on, or to allow saved passwords to be accessed through a general-access PIN. This again increases the points of entry for potential hackers.
- Employees working at home might be less inclined to be vigilant and on high alert for security risks at home because it is a more relaxed environment in which users are unlikely to feel targeted.
Research from Cobalt also finds that the average cost of a data breach is approximately $173,074 higher when it involves remote work, highlighting the added risk and vulnerability that remote and hybrid work options bring to digital security.
Thus, vigilance is necessary across all business models and sizes. The very act of considering itself to be at low risk of a cyberattack is one of the greatest mistakes a business can make that will increase its vulnerability to attack.
Indeed, SailPoint’s Steve Bradford argues that using strong passwords and additional verification methods such as MFA should be standard practice for both users and businesses, small and large alike.
“In today’s complex digital landscape, individuals and businesses need to do more to keep hackers at bay. Tools such as multifactor authentication (MFA) should be used, providing an additional layer of protection to all online accounts. Using free password management tools can also lend a hand in creating complex passwords for accounts and storing them securely, eliminating the need for user memory. Tools like these should be standard practice for businesses and users alike.”
Steve Bradford, EMEA Senior VP for SailPoint
Similarly, Vivek Dodds advises an integrated approach that combines strong passwords with MFA.
“For enhanced security and protection of sensitive information, it’s advisable to prioritise the use of password management tools and multi-factor authentication. These tools securely store and encrypt passwords, emphasising their importance in safeguarding your digital assets.”
Vivek Dodds, CEO of Skillcast
As both experts point out here, there are tools to help us out with password management, which can otherwise be daunting given the mental strain of remembering complex passwords for multiple accounts, which each require regular updating.
But we should also be cautious about relying too heavily on external applications to safeguard all of our digital assets. As incidents such as the December 2022 data breach of password manager LastPass demonstrate, even companies which specialize in digital security aren’t safe from cybercrime.