It’s World Password Day, where we recognize the ubiquitous, troublesome, and most-often-hacked step in any security process. Most people suffer from a love-hate relationship with passwords, which stems from the fact that we know we need them, but we hate the effort required to use them correctly. This results in us not following best practices, creating more vulnerability in our network and to our data. Therefore, I propose we switch to World “No” Password Day.
If we did passwords correctly – and everyone followed the rules – risk would be minimized, but the sheer volume and diversity of systems that need logging into makes it virtually impossible to consistently use strong hack-proof passwords.
According to research, 63 percent of data breaches are linked to weak, reused, or stolen passwords. I would argue that passwords have worn out their welcome and it’s time to look for more secure, manageable, and user-friendly options. We can see it slowly starting to happen in pockets throughout the corporate and consumer worlds. For example, the requirement for smart card authentication in U.S. Federal Government agencies, and fingerprint or facial recognition technologies used on smartphones, it can even be seen in the way that many newer applications have built-in support for stronger authentication methods beyond the standard username/password. These are all great ways we can see progress and where authentication methods are heading.
Even with these new security processes being integrated, from a practical standpoint, we are still far away from the end of passwords. However, it is relatively easy to augment existing password authentication with second factors that integrate a second, more progressive security step. As I noted above, many government agencies are being required to enable legacy applications with Common Access Card (CAC) login. While making this update, the agencies have found that rather than re-architect the application to support CAC, fronting applications with a modern single sign-on solution (SSO) can add the required integration quickly and easily. Similarly, most modern web SSO solutions include support for many multi-factor authentication options.
SSOs not only reduce the number of passwords a person must manage, remember, and reset, but SSOs can also replace the password with a stronger and more convenient authentication method.
Privileged access management (PAM) is perhaps the most troublesome password scenario. There is incredibly high power and risk associated with administrator access since they are the ones with the keys to the kingdom. While it is possible to add multi-factor authentication to legacy privileged password management, any new implementation should include built-in multifactor as well as newer methods such as “push to authenticate”. Push authentication involves sending a notification (via a secure network) to a user's device when accessing a protected resource. Both “push to authenticate” and multifactor are security measures that are virtually impossible for bad actors to steal or fake.
And finally, since passwords will unfortunately remain in use for foreseeable future, let’s look at ways to streamline using them, and ultimately make them irrelevant. . Look for ways to manage passwords through SSO and self-service password reset. Ask yourself how additional security measures (such as adding multi-factor authentication) are affecting users. Are users more likely to follow the rules because security made their lives easier? Or, are they going to look for ways around the rules to facilitate convenience? If your well-intentioned security measures are not going to be followed, you are worse off than if you had not implemented any type of security at all.
So, let’s get in the mindset of celebrating the password as a quaint nostalgic security measure of days gone by and turn our focus on moving on to more progressive and better security authentication methods. Now that would be cause for celebration.
For more on IoT Security solutions, register now for the Industrial IoT Conference and The Smart City Event.
