World Password Day: Is it time for passwords to go?

As the annual World Password Day strikes, industry experts discuss the use of passwords and question whether they are simply outdated.

Historically, World Password Day has celebrated exceptional password hygiene across the globe. However, there is a growing sentiment that passwords have become an outdated tool, and experts are warning that they offer little protection against today’s threats.

Nonetheless, for most organisations, passwords remain their essential first line of defence against hackers and are incredibly important until a new cybersecurity strategy is in place. 

To mark World Password Day, we have asked experts for their opinions on password hygiene, organisational best practice and a passwordless future. 

In 2023, we are still dealing with poor password hygiene

According to Simon Horswell, Fraud Specialist at Onfido: “‘Password’ and ‘12345’ remain among the most popular passwords in the UK, despite repeated warnings about the security risks they pose. In fact, 83% of the most commonly used passwords can be cracked in less than a second.”

Field Technology Officer at CyberArk, David Higgins, agreed: “Advice encouraging organisations to better their password hygiene and improve their overall security isn’t new… And the advice itself hasn’t changed. Yet, here we are in 2023 with the same identity issues plaguing organisations who still haven’t got the hang of password management as part of their identity security programmes. As such, it’s leaving sensitive data and assets at risk.”

While password hygiene is still failing, the latest technological advancements also undermine even the best password practice.

OneSpan’s Field CTO, Will LaSala, said: “Every time you type in your password online, you share part of your digital identity, opening up opportunities for your sensitive data to be compromised. With a strong and secure password, you can help reduce the likelihood of breaches – but as Web3 adoption nears and cyberattacks rise, this is no longer enough.”

With the rocketing speed of advancements in generative AI and Web3, IT teams have many challenges to mitigate.

2023 best practice

So, now that we know IT teams are dealing with recycled issues like weak passwords and the addition of new challenges from the likes of Web3 and generative AI, what should organisations focus on moving forward? 

ForgeRock’s CEO, Fran Rosch, believes the first step is getting rid of passwords and moving towards newer solutions. “Abolishing weak passwords by going passwordless significantly helps enterprises reduce risk and stop threats at scale. As identity theft and breaches reach unprecedented levels, organisations need to take advantage of technology that strengthens security. This includes the adoption of passwordless solutions that incorporate things like biometrics, authenticator apps, tokens and certificates, as well as AI-based access management.”

F5’s Director, David Warburton, corroborates Rosch’s thoughts and thinks that Multi-Factor Authentication (MFA) is essential. “Multi-Factor Authentication should be used by everyone. Sometimes the theft or brute-force guessing of a password is inevitable. Having a second factor of authentication, such as a time-based code on a mobile phone app, can prevent attackers from gaining access to your account even if they obtain your password.”

In today’s digital world, we must remember the importance of safe password storage, using tools like password managers. 

Analysis from Veracode found that over 40% of software scanned by their tools contains some form of credential management flaw and that the most common is the use of hard-coded passwords. Veracode’s EMEA CTO, John Smith, said: “It is therefore important to avoid the use of hard-coded passwords or the storage of credentials in easy-to-locate areas; all authentication communication should be encrypted, without the use of hard-coded encryption keys.”
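Hard-coded credentials are the flaw Smith is warning about: a password literal in source ends up in every clone of the repository, every build artefact and every backup. The example below is an added illustration, not Veracode's scanner or any code from the article. It shows a constructed “before” snippet with a password literal, a minimal pattern-based check that flags such literals without echoing the secret into the scan log, and the hardened form that pulls the value from the runtime environment (standing in for a secrets store) and refuses to fall back to a default.

```python
import os
import re

# Constructed "before" sample: credentials baked into the source.
VULNERABLE_SOURCE = '''\
DB_USER = "app"
DB_PASSWORD = "hunter2"          # hard-coded credential
API_KEY = 'sk_live_abc123'
conn = connect(host="db.internal", password=DB_PASSWORD)
'''

# Constructed "after" sample: the same code reading secrets injected at runtime.
HARDENED_SOURCE = '''\
import os
DB_USER = os.environ["DB_USER"]
DB_PASSWORD = os.environ["DB_PASSWORD"]   # supplied by the secrets store / orchestrator
conn = connect(host="db.internal", password=DB_PASSWORD)
'''

# Identifier containing a credential-ish word, assigned a quoted literal of 4+ chars.
CRED_PATTERN = re.compile(
    r'''(?i)\b(\w*(?:password|passwd|pwd|secret|api_key|token)\w*)\s*[=:]\s*["']([^"']{4,})["']'''
)


def mask(value: str) -> str:
    """Keep only a two-character prefix so findings can be triaged without
    copying the secret itself into tickets or scanner output."""
    return value[:2] + "***"


def find_hardcoded_credentials(source: str):
    """Return (line number, identifier, masked value) for each credential literal."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CRED_PATTERN.search(line)
        if m:
            hits.append((lineno, m.group(1), mask(m.group(2))))
    return hits


def load_secret(name: str, env=os.environ) -> str:
    """Hardened retrieval: the value must be provided at runtime. Raising on a
    missing secret is deliberate; a silent default would recreate the flaw."""
    try:
        return env[name]
    except KeyError:
        raise RuntimeError(f"secret {name} not provided; no default is used")


if __name__ == "__main__":
    for hit in find_hardcoded_credentials(VULNERABLE_SOURCE):
        print("hard-coded credential at line %d: %s = %s" % hit)
    print("hardened sample findings:", find_hardcoded_credentials(HARDENED_SOURCE))
```

The regex is intentionally narrow; a real scanner also checks config files, container images and commit history, since a secret removed from the current tree is still in the history until it is rotated.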

Scott McKinnon, Field CISO, VMware, sees third-party password managers as an alternative to users creating and remembering unique passwords themselves. “These services generate and store unique and complex passwords for each account with encryption. They often come as a package deal with a mobile device such as Apple Keychain and Google Password Manager or are available for download in app stores.”

While password managers may not be the perfect solution, they are better than nothing. Paulo Henriques, Head of Cybersecurity Operations, Exponential-e, said: “When used cautiously, password managers can be a great security tool and are at the very least, better than employees storing hard-to-remember passwords in spreadsheets or documents.”

When it’s all said and done, no matter the technological solutions in place, training remains imperative to organisational security.

“World Password Day makes us reflect on our own passwords and how they can be made stronger with the use of further precautions,” said Fortinet’s Deputy CISO, Renee Tarun. “There must simultaneously be more cybersecurity training and education, ensuring people are up to date with the trends and techniques hackers are using.”

Higgins recommends using modern identity protocols and adopting a security-first approach built on the principle of least privilege. He said: “This is a holistic method to implementing better identity security, bolstering a business’s password protection levels, but also providing much better all-round security for identities, which are a critical attack vector.”

World Password Day also serves as a reminder that organisations should audit their current security practices and training, as some may be doing more harm than good.

Matillion CISO, Graeme Cantu-Park, said: “Many businesses require their employees to modify their passwords approximately every three months, but this often does more harm than good, as most users simply rotate through a number of weak passwords which can be easily broken through by attackers. It would be much more user-friendly to empower users to have one single strong password per system. Each password could be based, for example, on three memorable random words, thus reducing the need to periodically recycle passwords and making them harder to crack.”

End of passwords

“As we reflect on World Password Day, it’s clear that unless we eliminate passwords altogether, we will continue to live in a lose-lose situation where online experiences will remain frustrating for users and attackers keep stealing our information,” said Rosch.

However, it’s important to realise that a passwordless future still relies on various other forms of credentials. 

Henriques commented: “We hear a lot of excitement for a passwordless future but it’s important to remember that this is not a catch-all solution for information security. To be passwordless still means relying on biometric authentication, and fingerprint or retina scans offer a vulnerable database for attackers to compromise.”

Even though we are stuck in a password-driven world, organisations must realise that passwords are an outdated security tool and are only effective when coupled with solutions like MFA, password managers and activity monitoring.

“Passwords remain the de facto standard for user access and authentication for online applications,” said Horswell. “But, it’s time we remind ourselves that they are no longer a sufficient form of digital authentication. Instead, businesses should pursue alternative ways to protect online accounts and customers’ personal data.”
