As the annual World Password Day comes around again, it has encouraged more conversations about password hygiene and why it is important for individuals and organisations alike to delve deeper into the root causes of failing to protect data and devices.
This World Password Day (2 May 2024) is a day designed to promote safe password practice. Recent regulations from the UK government enforce consumer protections against hacking and cyberattacks, mandating that Internet-connected smart devices must meet minimum security standards by law. Figures show 99% of UK adults own at least one smart device, and UK households own an average of nine connected devices.
The UK has become the first country in the world to introduce such laws, and this marks a significant step towards boosting resilience against cybercrime.
Under the new regime, manufacturers will be banned from shipping devices with weak, easily guessable default passwords, and users will be prompted to change common passwords.
An investigation conducted by Which? showed that a home filled with smart devices could be exposed to more than 12,000 hacking attacks from across the world in a single week, with a total of 2,684 attempts to guess weak default passwords on just five devices.
Are passkeys the way forward?
However, passwords are no longer fit for purpose and should be consigned to history, according to cybersecurity firm, Thales.
Thales’ Digital Trust Index found that password resets are a top frustration for 64% of the public. They’re not just inconvenient, but a security risk too with traditional passwords easily hacked or stolen.
“Every year World Password Day comes around, and every year we see the same advice about the need for strong passwords issued. The advice simply isn’t working. Passwords are no longer fit for purpose – they’re easily hacked and put too much onus on the end-user,” said Simon McNally, Cyber Security Expert, Thales.
Instead of the traditional password, the experts at Thales believe that we should use passkeys instead.
“If we need an awareness day, it’s time to re-brand and highlight the importance of passkeys. Using cryptographic techniques, passkeys are harder to crack – making them far more secure,” said McNally. “They’re also automatically generated and can be safely stored on devices, making it easier for the consumer and eliminating the need to create long, complex passwords or phrases. Finally, passkeys enable greater privacy by granting authentication without handing over sensitive information – reducing the risk of data breaches.
“We’re already seeing great strides in this area, with Google last year announcing that passkeys are now enabled by default for users, with Amazon and Apple adopting too. This is the type of development that needs to be promoted, which is why we strongly believe World Password Day should be consigned to the history books,” McNally added.
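To make the cryptographic claim above concrete, here is an added example (not code from the article, Thales or any passkey vendor) that models the core of a passkey login as a challenge-response signature: the device generates a key pair and hands the service only the public key, the service issues a random single-use challenge, and the device proves possession of the private key by signing it. The names Authenticator, RelyingParty, Register, BeginLogin, Sign and FinishLogin are this example's own; real passkeys follow the WebAuthn/FIDO2 protocol, which adds origin binding and attestation on top of this pattern.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device. The private key never leaves it.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

// RelyingParty models the web service. It stores only public keys and
// outstanding challenges, so a leak of its database exposes no secret that
// lets an attacker log in (contrast with a leaked password hash list).
type RelyingParty struct {
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{
		pubKeys:    make(map[string]*ecdsa.PublicKey),
		challenges: make(map[string][]byte),
	}
}

// Register generates a fresh P-256 key pair on the device and enrols only the
// public half with the relying party (hypothetical enrolment API).
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pubKeys[user] = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// BeginLogin issues a 32-byte random challenge and remembers it for the user.
func (rp *RelyingParty) BeginLogin(user string) ([]byte, error) {
	if _, ok := rp.pubKeys[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// Sign proves possession of the private key by signing the challenge digest.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// FinishLogin verifies the signature against the stored public key and the
// challenge the service itself issued. The challenge is consumed on first use,
// so a captured signature cannot be replayed.
func (rp *RelyingParty) FinishLogin(user string, sig []byte) bool {
	pub, okKey := rp.pubKeys[user]
	c, okChal := rp.challenges[user]
	if !okKey || !okChal {
		return false
	}
	delete(rp.challenges, user) // single use
	digest := sha256.Sum256(c)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	rp := NewRelyingParty()
	device, _ := Register(rp, "alice")

	challenge, _ := rp.BeginLogin("alice")
	sig, _ := device.Sign(challenge)
	fmt.Println("genuine login accepted:", rp.FinishLogin("alice", sig))   // true
	fmt.Println("replayed signature accepted:", rp.FinishLogin("alice", sig)) // false

	// An attacker holding only the service's database (public keys) has no
	// private key to sign with; a key from another device is rejected.
	intruder, _ := Register(NewRelyingParty(), "alice")
	challenge, _ = rp.BeginLogin("alice")
	forged, _ := intruder.Sign(challenge)
	fmt.Println("forged signature accepted:", rp.FinishLogin("alice", forged)) // false
}
```

The two properties the quote relies on are visible in the flow: nothing reusable (no password, no private key) is transmitted or stored server-side, and each login is bound to a fresh challenge, so phishing a single exchange yields nothing an attacker can replay.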
Problematic authentication
Nevertheless, passwords and their relatives have been and will continue to be problematic, and other experts believe we still lack good enough alternatives to secure ourselves in today's threat landscape.
“In one form or another, passwords have been around for thousands of years. And they’ve been a bad idea the whole time. Passwords are entirely too easy to guess – and most people don’t even try to have a difficult password,” said Mike Loukides, Vice President of Emerging Tech at O’Reilly. “The common practice of password rotation makes the problem worse, not better, a fact recognised by organizations as authoritative as the US National Security Agency and the National Institute of Standards and Technology.
“But we’ve also failed to come up with good alternatives. Authentication is a difficult problem,” Loukides added. “Passwords are still problematic, but less so when they’re combined with one or more other forms of identification. There’s no excuse for not practicing Multi-Factor Authentication. The simplest form of Two-Factor Authentication (2FA) is sending a text to a cellphone with a one-time code. That has its problems, but it’s adequate.
“Some alternatives to passwords are passphrases, which are short sequences of words that are much longer than individual passwords. My guess is that passphrases would prove to be almost as easy to guess as passwords, if they were widely used. Security keys are physical devices that plug into a USB port. They should be more widely used than they are, but like any small physical device, they can be lost. They aren’t expensive individually, but costs add up as organisations get large; and USB connectors change from time to time,” continued Loukides. “Passkeys are a widely implemented cryptographic standard, but they are difficult to configure correctly and the standard has loopholes that make interoperability a problem. Nothing is going to work when vendors are trying to use a standard to implement a walled garden.
“Biometrics is the one alternative that seems to be getting broad acceptance. Most new phones support either fingerprint or face recognition. But that has its own problems. If someone steals a fingerprint database, you can’t change your print, and face recognition doesn’t work in the dark, or if you take off your glasses, or even get a new hairstyle.”
Cybercriminals won’t take a break, but we should
Looking at the overall picture, cybercriminals will keep pursuing any vulnerability regardless of improved protection strategies, so the next step should be encouraging awareness. Dave Spencer, Director of Product Management at Immersive Labs, said: “Bad actors are constantly searching for the weakest link in an organisation’s security posture. That weak link is often poor password management. Most people attempt to pick strong, unique passwords for the numerous platforms they use which, unfortunately, only gives the illusion of security. In reality, this approach leaves numerous access points for attackers to infiltrate.
“With inadequate password hygiene being a common contributing factor in cyber incidents where credential stuffing and phishing attacks can expose corporate data as well as personal users, it’s clear that both organisations and individuals need to reassess their password strategies.
“Rather than hope to keep data secure with only passwords, tools like MFA and password managers provide an added layer of protection, requiring bad actors to do extra work and limiting the avenues they can use to gain access to the sensitive information. But beyond implementing these tools, users need to know why these solutions are being utilised,” Spencer added. “A baseline knowledge of cybersecurity is necessary as we see more and more attacks targeting those who least suspect it. When we create a culture that prioritises cyber-resilience rather than finding out who to blame, we are more inclined to report malicious attempts at password stealing and other attacks.
“However, it’s crucial to choose your MFA method wisely. Push fatigue has become prevalent, where users mindlessly tap a button on their phone to authenticate, potentially authorising requests without proper verification. This tendency to habitually tap away without confirming the legitimacy of the request can often happen, especially at the beginning of the day or post-lunch breaks.”