Going passwordless this World Password Day
It’s World Password Day, and everyone should be familiar with the phrase “Open Sesame”. Ali Baba (not the tech company) in Antoine Galland’s version of One Thousand and One Nights used it to open the mouth of a cave in which forty thieves had hidden a treasure. Ali Baba got the password when the head thief said it out loud.
While Ali Baba may not be a cybercriminal, the same scenario could be applied today. In this case, the treasure in the cave would be the data cybercriminals are after. Cybercriminals listen and lurk around the web, trying to find a victim who may have accidentally revealed their password. And they have been successful for many decades, with almost every organization facing at least some sort of breach due to weak passwords.
To protect data and secure businesses, passwords have evolved over the years. What started as numerical combinations soon involved letters and special characters. Eventually, these characters needed to be case-sensitive. Yet, even then, cybercriminals still kept finding a way through.
This led to more security protocols like multi-factor authentication. Some programs had security questions. And as technology improved, biometrics became the modern password key for most organizations and devices today.
When Intel created World Password Day several years ago to address the critical need for solid passwords, many would not have realized how important a role a password would play in the future.
Today, almost everything requires a password, from unlocking a mobile device to accessing emails to even entering a home. For some, having too many passwords can be a burden, and many have kept to the same password or used phrases familiar to them. All of these have still failed to keep them secure, as breaches continue to happen.
For the head thief in Ali Baba, perhaps if he had whispered the password instead of saying it out loud, his treasure would have remained secure. Yet, he chose to boast about his automated voice-activated secured cave, not knowing the consequences that could arise.
To avoid the same pitfalls, several tech experts shared their views on password security this World Password Day.
Time to get rid of passwords?
According to Teck Wee Lim, Head of ASEAN for CyberArk, credential access is the number one area of risk for organizations today, as uncovered by the CyberArk 2022 Identity Security Threat Landscape Report. However, Lim pointed out that many businesses still rely on passwords to secure business apps and other sensitive data even though passwords are so often what attackers use to get in the door and what attackers go after once they are inside to escalate privileges.
“This World Password Day, organizations should consider eliminating password pains for business apps and other sensitive data by using passwordless authentication such as multi-factor authentication (MFA) and biometrics. A strong passwordless experience can be created by authenticating each identity with a high degree of accuracy — a foundational Zero Trust component.
“When combined with broad least privilege enforcement, context-aware access controls, and continuous monitoring mechanisms, organizations can benefit from a structured way to secure digital identities that every staff member possesses — human or machine — without slowing things down,” added Lim.
Niel Pandya, CTO & Cybersecurity Lead, Asia Pacific & Japan at Micro Focus, shares the same sentiments. For Pandya, passwords are a foundational security element for any organization. They are at the essence of the Zero Trust philosophy, which dictates that no identities should be automatically granted access to a system. Today, this philosophy is an important part of a company’s cyber resilience strategy.
“Yet, passwords are challenging for humans, making it a weak security solution. We have all heard how popular passwords such as ‘password’ or ‘12345’ are, despite being easily hackable,” explained Pandya.
Considering this, Pandya believes that organizations need to strengthen their security controls to carve a path to greater cyber resilience, such as the use of multi-factor authentication coupled with encryption and data masking. This ensures that sensitive data stays secure, even if systems are compromised.
Pandya added that organizations can also consider risk-based authentication through adaptive intelligence. This looks at various log-in scenarios, for example, geolocation or device, and assesses if they carry the same risk.
“Password strength and complexity, while important, is just one piece of the security puzzle. Making access harder through stronger security controls is the key to breach prevention and resilience,” said Pandya.
World Password Day reminder of password management woes
Meanwhile, Chern-Yue Boey, Senior Vice President for Asia-Pacific at SailPoint, highlighted that with today’s hybrid environments (on-premises, cloud, and mobile applications), legacy password management solutions are no longer viable as they lack enforcement controls and are unable to integrate into an identity governance strategy.
“A good password management solution today should work in tandem with an organization’s identity security solution, while supporting applications on-premises and in the cloud. It should also empower employees with an easy and intuitive way to change or reset their passwords themselves. Once this is sorted, enterprises can protect business assets by enforcing strong password policies across all of their applications and systems,” explained Boey.
Moreover, Boey pointed out that this self-service approach enables employees to remain productive wherever they are, without the hassle of being locked out of accounts. For IT and security teams, this not only provides the visibility essential for compliance and security but also offers consistent policy across each application and a level of “future-proofing” that fits within the long-term strategic objectives of today’s modern enterprise.
“When rolling out a password management strategy, enterprises should consider three key aspects: if the solution advances security and compliance initiatives, if it improves efficiency, and if it addresses the needs and risks of all employees,” stated Boey.
To sum it up, Boey concluded that with thousands to millions of identities such as employees and customers in an organization today, it is crucial to discover, secure and manage every type of identity, to stay ahead of cyber risks.
Happy World Password Day.