Password Management Is A Critical First Step, But It’s Not Enough


Passwords aren’t going away anytime soon. Industry experts tell us why adding security layers to them is crucial on World Password Day

A few years ago, experts predicted that the password would disappear entirely. That has not been the case. Passwords have been around for decades and will continue to be, remaining a relatively weak first line of defence against cyberattacks.

Cybersecurity threats continue to be an issue for businesses of all sizes, and weak or reused passwords remain one of the most common ways attackers break into a device or application.

“In today’s world, passwords alone are not enough to secure IT access. As such, tools like multi-factor authentication (MFA), which requires users to provide two or more verification factors to gain access to a resource, have become available to improve security hygiene further. Companies, no matter the industry or size, must recognise the value of strong security and doing the small things, like implementing MFA, right,” says Hadi Jaafarawi, Managing Director – Middle East, Qualys.

Research shows that 23 million account holders use the password 123456. So what can companies do to improve password hygiene? For starters, ensure that users cannot use a simple dictionary word as their password, and enforce controls so they cannot reuse the same password. It is important to apply rules on the length of passwords and the variety of characters used, and to look out for poor security practices such as missing MFA or a lack of role-based access control, according to Jaafarawi.
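As an added example (not code from the article or from Qualys), here is a Python policy check that applies the controls Jaafarawi lists: a minimum length, a minimum mix of character classes, a blocklist lookup that also catches dictionary words with trivial "leet" substitutions, and a reuse check against a salted PBKDF2 history so that old passwords are never stored in the clear. The minimum length of 12, the history depth of 5, the iteration count and the small blocklist are assumptions for the example; a real deployment would load a breached-password list from a file.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Constructed blocklist standing in for a breached-password and dictionary list
# (a real deployment would load a much larger file); "123456" is the entry the
# article's research figure refers to.
BLOCKLIST = {"123456", "123456789", "password", "qwerty", "letmein", "welcome", "summer"}

# Assumed policy values, not taken from the article.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
HISTORY_SIZE = 5
PBKDF2_ITERATIONS = 200_000

# Undo the substitutions users make to sneak a dictionary word past a naive check.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); a fresh salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def normalise(password: str) -> str:
    """Lower-case, reverse leet substitutions and drop leading/trailing non-letters,
    so 'P@$$w0rd!!!!' collapses to 'password' before the blocklist lookup."""
    core = password.lower().translate(LEET)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", core)


def matches_history(password: str, history: list[tuple[bytes, bytes]]) -> bool:
    """True if the candidate equals any earlier password, re-deriving each entry with its own salt."""
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def check_password(password: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the policy violations for a candidate password; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    if password.lower() in BLOCKLIST or normalise(password) in BLOCKLIST:
        problems.append("is a common password or a dictionary word with trivial substitutions")
    if matches_history(password, history):
        problems.append("was used previously")
    return problems


def record_password(password: str, history: list[tuple[bytes, bytes]]) -> list[tuple[bytes, bytes]]:
    """Store the newly accepted password's hash and keep only the last HISTORY_SIZE entries."""
    return (history + [hash_password(password)])[-HISTORY_SIZE:]


if __name__ == "__main__":
    history: list[tuple[bytes, bytes]] = []
    for candidate in ("123456", "P@$$w0rd!!!!", "correct-horse-Battery-9", "correct-horse-Battery-9"):
        problems = check_password(candidate, history)
        print(f"{candidate!r}: {'ok' if not problems else ', '.join(problems)}")
        if not problems:
            history = record_password(candidate, history)
```

The history check re-derives the candidate with each stored salt rather than comparing plaintext, and uses a constant-time comparison, so the reuse control does not itself become a store of old passwords. Note that the blocklist lookup runs on the normalised form as well as the raw string; without that, "P@$$w0rd!!!!" would pass every length and character-class rule while still being the dictionary word the policy is meant to exclude.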

While good passwords are important, there are other mechanisms that can keep personal data safe. Security practices have moved on, and MFA is now commonplace, with biometric information increasingly used to thwart attacks. “It’s critical for organisations of all sizes and sectors to educate employees on best practices for password management,” says Aparna Rayasam, Chief Product Officer at Trellix.

“Sharing or reusing passwords should be avoided, and using software that prompts regular updates can be beneficial. However, cybercriminals will continue to look for ways around defences. So, organisations must remain vigilant for unusual activity on their network, implementing security that detects, stops, and adapts quickly to incoming threats,” Rayasam adds.

In terms of password security at an organisation level, two of the biggest mistakes companies make are adopting extremely stringent password policies that can be counter-productive, and not using MFA. “When you force employees to adhere to strict password policies and require them to change passwords too often, they will tend to use simpler passwords and ones that will most easily comply with your policy, which is counter-productive,” says Sam Curry, Chief Security Officer, Cybereason.

His advice is not to trust passwords and use additional factors in all accounts and services. “In addition, password managers are a useful tool that can improve password security and management. However, they exist as a compromise due to the failings of passwords themselves,” he adds.

Reducing the chance of cybercrime

No matter what the future holds for password usage, passwords will remain a vital part of securing accounts and reducing the chance of cybercrime.

Protecting user credentials is one of the most important things organisations can do to defend against ransomware and other cyberattacks. The 2021 Verizon Data Breach Investigations Report reveals that threat actors value credentials more than any other data type, including personal data. “Once compromised, stolen credentials can be used in a myriad of malicious ways, including unauthorised access, credential stuffing, password spraying, and brute force attacks,” says Toni El Inati – RVP Sales, META & CEE, Barracuda Networks.
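The attacks El Inati lists leave different shapes in an authentication log, and the vigilance Rayasam calls for above comes down to recognising those shapes. As an added example (not code from the article or from any of the vendors quoted), the Python below parses a constructed log, finds the densest run of failures per source address inside a sliding window, and labels a source as brute force (many failures against one account) or as password spraying / credential stuffing (a few failures each against many accounts); a success from an already suspicious source is reported separately as the alert to act on first. The log format, the RFC 5737 documentation addresses, and the thresholds are assumptions for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article); the line format and
# the addresses (RFC 5737 documentation ranges) are assumptions for this example.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-05-02T10:00:03Z src=203.0.113.7 user=alice result=FAIL
2024-05-02T10:00:05Z src=203.0.113.7 user=alice result=FAIL
2024-05-02T10:00:07Z src=203.0.113.7 user=alice result=FAIL
2024-05-02T10:00:09Z src=203.0.113.7 user=alice result=FAIL
2024-05-02T10:00:11Z src=203.0.113.7 user=alice result=FAIL
2024-05-02T10:00:13Z src=203.0.113.7 user=alice result=FAIL
2024-05-02T10:00:15Z src=203.0.113.7 user=alice result=FAIL
2024-05-02T10:05:00Z src=198.51.100.23 user=bob result=FAIL
2024-05-02T10:05:02Z src=198.51.100.23 user=carol result=FAIL
2024-05-02T10:05:04Z src=198.51.100.23 user=dave result=FAIL
2024-05-02T10:05:06Z src=198.51.100.23 user=erin result=FAIL
2024-05-02T10:05:08Z src=198.51.100.23 user=frank result=FAIL
2024-05-02T10:05:10Z src=198.51.100.23 user=grace result=FAIL
2024-05-02T10:05:12Z src=198.51.100.23 user=grace result=OK
2024-05-02T10:09:00Z src=192.0.2.5 user=alice result=FAIL
2024-05-02T10:09:05Z src=192.0.2.5 user=alice result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


def parse_log(text):
    """Turn log lines into (timestamp, src, user, result) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def classify_sources(events, window=timedelta(minutes=10), brute_threshold=8,
                     spray_min_users=5, spray_max_per_user=2):
    """Label each source address by the shape of its failed logins inside a sliding window.

    Thresholds are assumptions for the example, not values from the article:
      - brute force: >= brute_threshold failures against a single account
      - spraying/stuffing: >= spray_min_users accounts, each with <= spray_max_per_user failures
    Returns {src: {"labels": set, "compromised": [users that later logged in OK]}}.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "FAIL"]
        # Densest run of failures that fits in the window (two-pointer sweep).
        best, j = [], 0
        for i in range(len(fails)):
            while fails[i][0] - fails[j][0] > window:
                j += 1
            if i - j + 1 > len(best):
                best = fails[j:i + 1]
        if not best:
            continue
        per_user = Counter(e[2] for e in best)
        labels = set()
        if max(per_user.values()) >= brute_threshold:
            labels.add("brute force")
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            labels.add("password spraying / credential stuffing")
        if labels:
            # A success from an already suspicious source is the alert to act on first.
            compromised = sorted({e[2] for e in evs if e[3] == "OK"})
            findings[src] = {"labels": labels, "compromised": compromised}
    return findings


def analyse(text, **thresholds):
    return classify_sources(parse_log(text), **thresholds)


if __name__ == "__main__":
    for src, f in analyse(SAMPLE_LOG).items():
        print(src, sorted(f["labels"]), "compromised:", f["compromised"] or "-")
```

Spraying and stuffing are grouped under one label because a log that records only usernames and outcomes cannot tell them apart: both show one source touching many accounts with one or two attempts each. Telling them apart needs the password side (a single password across accounts versus distinct leaked pairs), which is why the per-account lockout that stops brute force does little against either, and why MFA on the account matters more than the detection threshold.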

Despite significant awareness, employees still use weak passwords, so user training needs to go hand-in-hand with tools and policies. Password management is a critical first step, but it’s not enough. “Companies need to deploy anti-phishing protection and the right application and edge security solutions. Passwords aren’t going away anytime soon, and with 80 per cent of all basic web application attacks still relying on stolen credentials, neither are attacks,” adds El Inati.

One way to bring home the importance of strong passwords is to make people understand the value of the data those passwords are supposed to protect. Think about the amount of sensitive data we store on online platforms.

“We do our banking on mobile devices, manage our healthcare online, pay our taxes, shop, and apply for jobs. Strong passwords can prevent an attacker from gaining access to your bank account information, government identification, and more,” says Bahaa Hudairi, Regional Sales Director META, Lookout.

“Also, consumers tend to assume that the services where they upload and share this sensitive information will protect them, but in reality, the best line of defence is at the point of the consumers themselves. People should be educated about enabling MFA, wherever possible, as an absolute must. This provides a second layer of defence if the attacker can get your password.”
