Experts discuss whether passwords are still fit for purpose

Experts discuss whether passwords are still fit for purpose

Cybersecurity professionals discuss how far we can rely on the use of passwords to secure our most valuable information, and how organisations should be securely operating until we can develop a more reliable method to replace passwords.

The concept of a password has existed for millennia and while the idea of them has remained the same, our use has not. A password is no longer required to just be a word, but taking all into account, the password has remained very similar over the ages. That is now changing.

Since passwords were invented, people have been trying to bypass, steal and disrupt their use. After researchers at the Massachusetts Institute of Technology introduced the first computer-borne passwords in the 1960s, it was only a year later when the first computer hacker stole them. Over the years, our reliance on computers has increased, so the value of a password can unlock huge rewards for cybercriminals – both cash and other valuable assets. In fact, it was only six months ago when a researcher succeeded in guessing the Twitter password of then US President, Donald Trump.

In many ways, criminal hacking has also become more accessible, meaning the threats we experience today are more advanced than ever before. Our use of the password has changed in response. We now use autofill functions, password managers and Multi-Factor Authentication (MFA).

For World Password Day this year, we spoke to four senior security experts to explore the evolution of passwords in closer detail.

Bypassing weak passwords with MFA

The acceleration of Digital Transformation during the pandemic is a cause for potential concern, according to CyberArk’s EMEA Technical Director, David Higgins.

He said: “This transformation may have boosted innovation within an enterprise, but it’s also created challenges for security and IT professionals. Every new corporate application or tool becomes a new identity silo, with unique password management requirements.”

Higgins added that our use of weak passwords is a result of an inability to remember multiple strong ones.

“In fact, 84% of remote workers admit to reusing passwords, based on our own previous studies,” he said. “Added to this, passwords are still often the only verification method in use. Because of this, IT professionals consider passwords to be among the weakest links in their company’s defences.”

To overcome the weak-password crisis, Higgins suggested organisations start to mandate MFA.

“The first part of the authentication process should require something the user already knows, for example, like a password and the second something the user doesn’t already know, such as a code sent to the mobile phone by authentication software or created by a designated application on the phone. This code becomes the other half of a user’s login authentication.”

By taking this step, Higgins said attackers won’t gain access to an account even if they stole a password – they need the other form of authentication.

Another MFA advocate is Head of Cyber Consultancy at Exponential-e, Mark Belgrove. Belgrove highlighted the challenge created by our mass transition to remote working in 2020.

“The pandemic has made the issue of password security worse because many employees aren’t connected to a VPN,” he said. “It is very hard to change and update passwords without being connected to network infrastructure, so many employees will have now had the same passwords for over a year. Even those that are connected to a VPN may be using easy to guess passwords as most VPNs don’t understand special characters.”

Belgrove claimed this small difference in circumstances poses a threat because criminals find weaker, repeated passwords easier to breach.

“When credentials are breached and an individual is using the same password for every service, including work accounts, criminals can access corporate infrastructure quickly,” he said. “Once they have this access, it’s then fairly easy for them to use those credentials to escalate permissions until they have administration privileges, which grant them access to the gold they’re looking for – sensitive assets and information.”

Belgrove iterated that other verification methods are needed on top of MFA.

“Its success does rely on organisations securing and verifying biometric credentials to ensure they cannot be seized, modified or duplicated by attackers, as it’s impossible for any of us to change our own retinal scan or fingerprint,” he said. “There have been instances where retinal and fingerprint scanners have been fooled into giving access, which is why MFA – and the additional layer of security it provides – is generally far more preferable than Two-Factor Authentication (2FA).”

Managing machine security is important too

While MFA is crucial to bolster security defences, Checkmarx’s SCA and Open Source Evangelist, Robert Haynes, believes organisations should look beyond human password use.

He said: “It’s important for organisations to think about how passwords and other credentials are stored in IT automation systems like Infrastructure as Code and container build files.”

In Haynes‘s experience, machines as well as people have often exposed credentials, causing security compromises.

“The same level of attention, therefore, should apply to how passwords and secrets are managed by our processes, instead of just by our people,” he said. “The risks are similar and the results of exposure can be just as serious.”

Haynes said a secret management tool – similar to a password manager – can help organisations combat threats, while also performing routine scans of infrastructure.

Buying our time with better passwords

If passwords are at the root of many security challenges, when can we give them up? F5’s Global Head of AI, Shuman Ghosemajumder, asked that exact question. He believes passwords are “inconvenient and create numerous security vulnerabilities”. So why can’t we just replace them?

“The short answer is: there’s not a better method – yet,” said Ghosemajumder. “Companies are beholden to their users and while most users claim to value security over convenience, their actions speak otherwise. Even when users’ accounts are taken over, fewer than one out of 10 will adopt MFA because of the associated complexity and friction.”

According to Ghosemajumder, we’ll replace passwords when we find a solution that matches their usability, security and deployability. He also said we may find future hope in invisible MFA, which requires factors invisible to the user. But this will not replace passwords yet.

“In the interim, businesses should outlast attackers by denying them their most precious resource: time,” Ghosemajumder said. “If an organisation can significantly increase the time it takes criminals to monetise their attacks, most cybercriminals will abandon the pursuit in favour of weaker targets. Businesses must upgrade password security methods to something secure like bcrypt to slow attackers down before even launching an attack.”

While some have suggested the security industry needs to move on from passwords, it’s clear they are still a crucial ingredient in the security pie. Part of that mixture must be filled by MFA, according to Higgins and Belgrove. IT teams must also seek to verify both human and the increasing number of automated accounts operating on our networks.

Cybercrime is a business, Ghosemajumder added as a parting note.

“Attacks are organised based on a predictable rate of return and until a better method is developed to replace passwords, the most effective preventative measures organisations can put in place are ones that slow attackers down.”

Browse our latest issue

Intelligent CISO

View Magazine Archive