Expert discussion: What best practice approach should businesses take to password security?

Password protection is a critical component of a strong business cybersecurity strategy. Kevin Curran, Senior Member of the IEEE and Professor of Cybersecurity at Ulster University, says that the number one rule for companies to manage passwords securely is for their employees to use a different password for every site. In practice, individuals then forget their passwords, which not only hurts their productivity in the workplace but also creates a steady stream of reset requests for IT teams. Businesses should therefore provide a reputable password manager, which will generate long, random passwords and store them in an encrypted vault.

We hear from a number of experts who offer their opinions on the subject of password security.

Richard Meeus, Security Technology and Strategy Director, EMEA at Akamai: “Fundamentally, passwords suck. They have been a thorn in the side of IT professionals for decades, from when 40% of a helpdesk’s time was spent helping users change their passwords, to poor advice in asking users to update their password every 90 days, and make it really complex – every single time.

“The fact that passwords are so ubiquitous and seen as the default mechanism for user authentication means they are often used without considering the wider picture. This is evident in our public health service, where a myriad of systems with different accounts creates significant delays when staff need to log in. Single Sign On (SSO), a technology that’s been around for many years, is being used to try and address this delay. But, if it still revolves around a username and password, then staff are still tasked with remembering a complex password. The NHS is looking to adopt Multi-Factor Authentication (MFA) – a process that’s more secure as it only grants a user access once they present two or more pieces of evidence. Users can prove their identity by passing a combination of verification stages, providing something they know, something they have, or something they are. As a result, we’re now able to take this to the stage where a password is no longer necessary – users could sign on with something they ‘have’, such as a hardware token, and something they ‘are’, using their fingerprint.

“We have adopted this internally here at Akamai and we use a combination of push authentication to mobile devices, along with certificates on company laptops to provide a password-less experience.

“Moving away from passwords, or at least complementing them with another factor of authentication, is important considering the volume of data breaches we witness on a daily basis. As users, we’re fundamentally lazy and will often reuse passwords across many sites. Witness the recent ‘attacks’ on two high street retailers, where stolen usernames and passwords from previous breaches were used to perform an Account Takeover (ATO), where the criminals seek to monetise whatever is within the account – normally in the form of cashing out on vouchers or gift cards. The fact they were both high street retailers with significant online business adds interest from an attacker’s perspective. Normally a ‘credential stuffer’, somebody who takes these breached usernames and passwords and tries to find ones that work on a new site, can expect a 1-2% hit rate. If these cybercriminals target the same verticals, the hit rate can be significantly higher. If one were to do a Venn diagram of the users at both stores, there would be a high probability of significant overlap – ensuring the attackers get more bang for their buck.

“For businesses, reducing passwords, implementing SSO and adding MFA is an important step. However, if that can’t be done, due to lower IT management budgets or the operational nature of the business, then password managers are essential to ensure good, random, unique passwords are utilised.”
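The credential-stuffing pattern Meeus describes (one client cycling through many breached username/password pairs and landing only a small fraction of them) is visible in ordinary authentication logs. The following is an added example, not code from the article or from Akamai: it parses a few constructed log lines in an assumed `src=… user=… result=…` format and flags a source address that tries many distinct accounts with a high failure ratio. The field names, thresholds and the successful login in the sample are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data). 203.0.113.5 sprays ten
# different accounts and gets one in (the "1-2% hit rate" pattern, scaled
# down); 198.51.100.7 is one user mistyping their own password twice.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-03-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-03-01T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2024-03-01T10:00:03Z src=203.0.113.5 user=dave result=FAIL
2024-03-01T10:00:03Z src=203.0.113.5 user=erin result=OK
2024-03-01T10:00:04Z src=203.0.113.5 user=frank result=FAIL
2024-03-01T10:00:04Z src=203.0.113.5 user=grace result=FAIL
2024-03-01T10:00:05Z src=203.0.113.5 user=heidi result=FAIL
2024-03-01T10:00:05Z src=203.0.113.5 user=ivan result=FAIL
2024-03-01T10:00:06Z src=203.0.113.5 user=judy result=FAIL
2024-03-01T10:01:00Z src=198.51.100.7 user=mallory result=FAIL
2024-03-01T10:01:05Z src=198.51.100.7 user=mallory result=FAIL
2024-03-01T10:01:09Z src=198.51.100.7 user=mallory result=OK
"""

# Assumed log format; adjust the pattern to the real authentication log.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Yield (src, user, success) for every line that matches LINE_RE; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["user"], m["result"] == "OK"


def summarise_by_source(events):
    """Per source address: total attempts, successes and the set of usernames tried."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0, "users": set()})
    for src, user, ok in events:
        s = stats[src]
        s["attempts"] += 1
        s["successes"] += int(ok)
        s["users"].add(user)
    return stats


def find_credential_stuffing(text, min_users=5, min_fail_ratio=0.8):
    """Flag sources that try at least `min_users` distinct accounts and fail at
    least `min_fail_ratio` of the time. Thresholds are illustrative assumptions.
    Returns {src: {"attempts", "successes", "distinct_users", "hit_rate"}}."""
    flagged = {}
    for src, s in summarise_by_source(parse_log(text)).items():
        fails = s["attempts"] - s["successes"]
        if len(s["users"]) >= min_users and fails / s["attempts"] >= min_fail_ratio:
            flagged[src] = {
                "attempts": s["attempts"],
                "successes": s["successes"],
                "distinct_users": len(s["users"]),
                "hit_rate": s["successes"] / s["attempts"],
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_credential_stuffing(SAMPLE_LOG).items():
        print(f"{src}: {info['distinct_users']} accounts tried, "
              f"{info['successes']}/{info['attempts']} succeeded "
              f"(hit rate {info['hit_rate']:.0%})")
```

The important output is not the flagged address but the `OK` lines attributed to it: a success from a source that has just failed against nine other accounts is the account takeover to investigate, even though that login looked valid on its own. Real campaigns spread requests across proxy pools, so in production the same aggregation is also worth running keyed on ASN, client fingerprint or user-agent rather than on the bare source address.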

Stuart Sharp, VP of Solution Engineering at OneLogin: “According to a recent PwC report, 80% of UK CEOs are worried about the risk of cyberthreats to their business, making it the issue they are most concerned about. Rather than living and working in a state of perennial fear of hackers, businesses should modernise their approach to password security best practices.

“When it comes to security, humans are the weakest link. According to a recent CybSafe analysis of data from the UK Information Commissioner’s Office (ICO), human error caused 90% of data breaches in 2019. This incredibly high percentage demonstrates the importance of managing the risk associated with human behaviour when addressing cyberthreats. Employees using weak or reused passwords across multiple sites and services (including personal and professional accounts) is one of the riskiest forms of user behaviour an organisation faces. In fact, the World Economic Forum found that four out of five data breaches are caused by weak/stolen passwords.

“Although organisations have reacted to the ‘password risk’ and invested in cybersecurity training to make sure they stay compliant, they often overlook ways to help staff by improving the experience of their users. With Identity-as-a-Service (IDaaS) now readily available, even small organisations can introduce a cloud-based identity system, so users will have a single set of corporate credentials for applications, networks and devices. Some even offer users a convenient, secure password vault for personal applications as well. These modern platforms allow users to log in once to access all their applications and provide them with the ability to easily and securely manage their own passwords and devices. They allow companies to enforce strong password policies and MFA while radically reducing the need for IT help desks to manually reset passwords or manage user devices. It also helps organisations combat shadow IT by offering fast onboarding of business applications with a Single Sign On experience.

“Password best practice isn’t rocket science and plays a critical part in the security of a business. Organisations must go beyond traditional best practice methods and look at the tools and solutions available to create a process that both increases security and improves the end-user’s experience, making strong authentication simple and seamless to use.”

Jonathan Knudsen, Senior Security Strategist at Synopsys: “It was more than six years ago that the Defense Advanced Research Projects Agency (DARPA), a research and development arm of the Department of Defense (DoD), issued a ‘broad agency announcement’ seeking research proposals for developing biometric authentication through analysis of various activities and behaviours — keystroke patterns, mouse use, sentence structure and use of language — that add up to what the agency calls a ‘cognitive fingerprint’.

“Those mechanisms go beyond ‘something you know’ (the password) and ‘something you have’ (a token or wearable) to enhanced ‘something you are’ biometric authentication (fingerprint, voice, face, retina). Implemented correctly, a user’s biometric measures are stored only on the user’s device. Passwords are ‘shared secrets’ that reside on both the device and on a server that, as we all know, can get hacked in various ways. To compromise biometric authentication, an attacker would need physical access to the device.

“But between now and when passwords really do become as rare as phone booths, be sure to use a password manager, which holds all your passwords in a ‘container’ locked by a master key that only the user knows. That means all you have to do is create one really complex password that you can remember. The manager will also help you create unique passwords for new websites or apps.

“Passwords are convenient for software creators but hard for humans to use correctly. Being human, we want to use the same password for every service, which is a terrible idea. We want to use passwords that are easy to remember, which is a terrible idea. We see passwords as a hurdle that must be jumped before we can actually start getting work done.

“Authentication, or proving identity, is always based on something you know, something you have, or something you are. Multi-factor authentication combines these. For example, a website might require you to supply a password (something you know) and also send a text message to your phone (something you have). Some apps these days will also rely on a fingerprint (something you are).

“Passwords are definitely on the decline, as fingerprint sensors become widespread in smartphones, a variety of USB authentication devices (something you have) are available, and smartcards now function as a physical manifestation of a private cryptographic key. These newer authentication methods will be easier for humans to use correctly, as the concept of the security of a USB device, a smartcard, or a fingerprint is much easier to understand than the problem of remembering a password, or knowing how to pick a password that is hard to guess.”
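Knudsen’s “something you have” factor is usually a one-time code generated from a seed shared once at enrolment, so the server can check the code without the user typing or storing anything reusable. The following is an added example, not code from the article or from Synopsys: it implements HOTP (RFC 4226) and TOTP (RFC 6238) on the standard library, a server-side verifier that tolerates one step of clock drift and refuses replay of an already-accepted step, and an enrolment helper producing the `otpauth://` URI authenticator apps scan. The seed `RFC_SEED` is the reference seed from the RFC test vectors; the issuer and account names are made up.

```python
import base64
import hashlib
import hmac
import os
import struct
from urllib.parse import quote


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, last_accepted=None, window=1, step=30, digits=6):
    """Server-side check of a submitted code at Unix time `at`.
    Returns the time step that matched, or None. Accepts +/- `window` steps of
    clock drift, compares in constant time, and refuses any step <= last_accepted
    so a code captured once (e.g. by phishing) cannot be replayed while it is
    still inside its validity window. The caller persists the returned step."""
    current = at // step
    for candidate in range(current - window, current + window + 1):
        if last_accepted is not None and candidate <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def enrol(issuer, account):
    """Generate a fresh 160-bit seed and the otpauth URI an authenticator scans.
    The seed must be stored server-side as sensitive as a password hash would be."""
    secret = os.urandom(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return secret, f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"


# Reference seed from the RFC 4226 / RFC 6238 test vectors, used only so the
# output can be checked against the published tables.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SEED, 59))  # 287082 (RFC 6238 table, SHA-1, 6 digits)
    secret, uri = enrol("ExampleCorp", "alice@example.com")
    print(uri)
```

Two things the paragraph does not spell out but the verifier has to get right: the comparison is constant-time (a plain `==` on the code string leaks via timing), and a matched step is remembered so the same six digits cannot be accepted twice. An SMS code is checked the same way except the server generates and stores the code itself; the shared-seed approach above is what removes the SMS delivery channel from the trust boundary.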

David Emm, Principal Security Researcher at Kaspersky: “Businesses continue to invest heavily in security solutions but it’s essential for corporate security measures to cover not only external attacks, but internal weaknesses within an organisation. Due to human error, negligence and a simple lack of knowledge, staff often choose weak passwords, thereby making themselves the weakest link in the security chain. This applies particularly to businesses – one employee with a weak password could open the door to an attacker, compromising the entire network.

“Passwords provide one of the first lines of defence against cyberattacks and are frequently the only thing protecting confidential business plans, intellectual property, communications, network access and customer data. Therefore, it is so important to establish and implement a password security policy that includes both technical protection and education for employees. However, simply advising and exhorting businesses to follow good security practices is not enough.

“In order to ensure that passwords are secure and to help minimise the risk of a data breach, IT staff should enforce the following practices:

  • Prevent the re-use of old passwords – why go back to using an old key when you’ve gone to the trouble of changing the locks? Make sure to prevent the use of usernames as a password
  • Enforce minimum length and use of a combination of letters, numbers and non-alpha-numeric characters. Make every password at least 15 characters long – the longer the better
  • Implement a password manager such as Kaspersky Password Manager, to help staff to create complex passwords
  • Store passwords securely – for example, use secure hashing and salting algorithms, so that a breach of the network doesn’t reveal staff passwords
  • Use two-factor authentication, especially for logging in to strategic resources within the organisation”
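The first four points in Emm’s list (no reuse of old passwords, no username as password, minimum length and character mix, salted hashing) can all be enforced in one place: the routine that accepts a new password. The following is an added example, not code from the article or from Kaspersky, showing an in-memory credential store that checks the policy, refuses a password that matches any of the last `HISTORY_DEPTH` hashes, and stores only a per-user random salt and a memory-hard scrypt digest. The 15-character minimum is taken from the list; the history depth of five and the scrypt cost parameters are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import string

MIN_LENGTH = 15                      # minimum length from the policy above
HISTORY_DEPTH = 5                    # assumed: how many previous passwords to refuse
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost; raise N in production


def check_policy(username, password):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_other = any(c in string.punctuation or c.isspace() for c in password)
    if not (has_letter and has_digit and has_other):
        problems.append("needs letters, digits and non-alphanumeric characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password, salt=None):
    """Salted scrypt; returns (salt, digest). A fresh salt per password means two
    users with the same password get different digests and no rainbow table applies."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate against a stored record."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


class PasswordStore:
    """Stand-in for the credential table: never holds a plaintext password, only
    salt+digest for the current password and a bounded history of old digests."""

    def __init__(self):
        self._current = {}   # username -> (salt, digest)
        self._history = {}   # username -> [(salt, digest), ...], newest last

    def set_password(self, username, password):
        """Apply the policy and the reuse check; store the hash if both pass.
        Returns the list of violations (empty on success)."""
        problems = check_policy(username, password)
        previous = self._history.get(username, [])
        if any(verify_password(password, s, d) for s, d in previous):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        record = hash_password(password)
        self._current[username] = record
        self._history[username] = (previous + [record])[-HISTORY_DEPTH:]
        return []

    def authenticate(self, username, password):
        record = self._current.get(username)
        if record is None:
            hash_password(password)   # same cost for unknown users: no username oracle via timing
            return False
        return verify_password(password, *record)


if __name__ == "__main__":
    store = PasswordStore()
    print(store.set_password("alice", "alice-Long-Passw0rd!"))        # ['contains the username']
    print(store.set_password("alice", "correct horse battery staple 42"))   # []
    print(store.authenticate("alice", "correct horse battery staple 42"))  # True
```

Reuse is detected by verifying the candidate against each stored old digest rather than by comparing plaintexts, so the history is no more sensitive than the current record. The store deliberately keeps no more than `HISTORY_DEPTH` entries; keeping every past hash forever only increases what a breach exposes.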

Intelligent CISO