World Password Day – the first Thursday of every May – is intended to remind people of the importance of protecting themselves online by using strong passwords. With cybercriminals growing increasingly bold and sophisticated in their methods, one fact stands true: there are more effective strategies for keeping data secure than passwords. Ironic, isn’t it?
Most data breaches are the result of credential theft. Simple passwords make companies more vulnerable to brute force attacks, in which cybercriminals try millions of possible passwords in seconds. Credential stuffing is a type of cyberattack in which cybercriminals purchase stolen account user names and passwords on the dark web and replay them through automated login requests to gain unauthorized access. These attacks are especially successful when people reuse old passwords.
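The two attack patterns described above look different in an authentication log, and that difference is what a defender can alert on: brute force is many failures against one account from one source, credential stuffing is one or two failures each against many accounts from one source, followed by the occasional success when a reused password matches. The following is an added example, not code from the original post or from Simeio; the log format, the `classify_sources` function, the thresholds and the sample log lines (RFC 5737 documentation addresses, made-up users) are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timezone

# Constructed sample auth log for this example. 203.0.113.5 tries one password
# against many accounts (stuffing) and then logs in as "grace"; 198.51.100.7
# hammers a single account (brute force); 192.0.2.9 is a user who mistyped once.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-02T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-02T10:00:03Z src=192.0.2.9 user=alice result=FAIL
2024-05-02T10:00:04Z src=203.0.113.5 user=carol result=FAIL
2024-05-02T10:00:05Z src=198.51.100.7 user=admin result=FAIL
2024-05-02T10:00:06Z src=203.0.113.5 user=dave result=FAIL
2024-05-02T10:00:07Z src=198.51.100.7 user=admin result=FAIL
2024-05-02T10:00:08Z src=192.0.2.9 user=alice result=OK
2024-05-02T10:00:09Z src=203.0.113.5 user=erin result=FAIL
2024-05-02T10:00:10Z src=198.51.100.7 user=admin result=FAIL
2024-05-02T10:00:11Z src=198.51.100.7 user=admin result=FAIL
2024-05-02T10:00:12Z src=203.0.113.5 user=frank result=FAIL
2024-05-02T10:00:13Z src=198.51.100.7 user=admin result=FAIL
2024-05-02T10:00:14Z src=198.51.100.7 user=admin result=FAIL
2024-05-02T10:00:15Z src=203.0.113.5 user=grace result=OK
2024-05-02T10:00:16Z src=198.51.100.7 user=admin result=FAIL
"""

# Hypothetical log line format used by this example.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "ip": m["ip"], "user": m["user"],
            "ok": m["result"] == "OK"}


def classify_sources(lines, window_seconds=60,
                     distinct_user_threshold=5, single_user_threshold=6):
    """Label source IPs from their failed logins inside a sliding window.

    credential_stuffing: failures spread across many distinct usernames
    brute_force:         many failures against a single username
    Also returns the (ip, user) pairs of successful logins from a source that
    was already flagged; those are the events worth paging on.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # ip -> (ts, user) failures inside the window
    verdicts = {}
    suspicious_successes = []
    for e in events:
        if e["ok"]:
            if e["ip"] in verdicts:
                suspicious_successes.append((e["ip"], e["user"]))
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while q and q[0][0] < e["ts"] - window_seconds:   # drop stale failures
            q.popleft()
        per_user = Counter(user for _, user in q)
        if len(per_user) >= distinct_user_threshold:
            verdicts[e["ip"]] = "credential_stuffing"
        elif max(per_user.values()) >= single_user_threshold:
            verdicts.setdefault(e["ip"], "brute_force")
    return verdicts, suspicious_successes


if __name__ == "__main__":
    labels, hits = classify_sources(SAMPLE_LOG.splitlines())
    print(labels)   # {'203.0.113.5': 'credential_stuffing', '198.51.100.7': 'brute_force'}
    print(hits)     # [('203.0.113.5', 'grace')]
```

The thresholds are deliberately low so the constructed sample trips them; in production they are tuned against baseline traffic, and the distinct-username rule is the one that catches stuffing, because each account sees only one or two attempts and a per-account lockout never fires.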
Like a car thief who checks doors for one that is unlocked, a cybercriminal wants the easiest route possible into a company’s data. Tight online security within the company is a big deterrent. For companies that insist on relying on passwords for online protection, there are strategies to make them more secure.
These include using:
· Unique passwords for each site or app. For example, do not use the same password to log into your project management app as you use for a social media site or a banking site.
· A phrase rather than a more standard one- or two-word password (think “To be or not to be” rather than “Hamlet”)
· A shortened version of a favorite phrase that can be memorized, like 2Bor!2b?
· A password randomly generated and suggested by your browser. If you access the site on the same browser on your computer or have it linked with other devices, you will not need to enter the password every time (just make sure it is a strong password).
· Three or more unrelated words together, like SapphirePuzzleMongoose
· A notebook to store passwords – just make sure to keep it in a separate place from your desktop or laptop (No passwords scribbled on a scrap of paper and slid under your keyboard or stuck in your top drawer!).
· An online password manager to store and manage online credentials.
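The strength of the passphrase strategies listed above can be put in numbers: a string of symbols chosen uniformly at random carries length × log2(alphabet size) bits of entropy, and a random multi-word phrase from a published word list gets into the same range as a random character password while staying memorable. The following is an added example, not code from the original post or from Simeio; the word list is a constructed 16-entry sample (the 7,776-entry figure used for comparison is the size of the EFF long word list), and the function names are this example's own.

```python
import math
import secrets

# Constructed word list for this example only. A real deployment would load a
# large published list; the entropy math takes the list size as a parameter.
SAMPLE_WORDS = [
    "sapphire", "puzzle", "mongoose", "lantern", "velvet", "cactus",
    "harbor", "meteor", "pickle", "quartz", "tundra", "walrus",
    "yonder", "zephyr", "anchor", "breeze",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a string of `length` symbols, each chosen uniformly
    at random from `alphabet_size` possibilities. For a human-chosen string
    (a famous quote, a shortened phrase like 2Bor!2b?) this is only an upper
    bound, because the choice is far from uniform and guessers know that."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("alphabet_size must be >= 2 and length >= 1")
    return length * math.log2(alphabet_size)


def words_needed(wordlist_size: int, target_bits: float) -> int:
    """Smallest number of random words from a list of `wordlist_size` entries
    that reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(words, count: int = 3) -> str:
    """Join `count` words picked with a CSPRNG, capitalised so the word
    boundaries stay visible (SapphirePuzzleMongoose style). Duplicates in the
    list would skew the distribution, so they are rejected."""
    if len(set(words)) != len(words):
        raise ValueError("word list must not contain duplicates")
    if count < 1:
        raise ValueError("count must be >= 1")
    return "".join(secrets.choice(words).capitalize() for _ in range(count))


def compare_strategies(wordlist_size: int = 7776) -> dict:
    """Entropy, in bits, of several strategies, assuming uniformly random choice."""
    return {
        "8 random printable ASCII chars": entropy_bits(94, 8),
        "3 random words": entropy_bits(wordlist_size, 3),
        "4 random words": entropy_bits(wordlist_size, 4),
        "6 random words": entropy_bits(wordlist_size, 6),
    }


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS))
    for label, bits in compare_strategies().items():
        print(f"{label}: {bits:.1f} bits")
    print("words from a 7776-word list for 64 bits:", words_needed(7776, 64))
```

Two things the numbers make plain: three words from a large list (about 39 bits) are weaker than eight truly random characters (about 52 bits), so a passphrase should run to four or more words, and a 16-word list like the sample is far too small to be useful, needing sixteen words to reach 64 bits.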
Even if you take these measures, the reality is passwords are no longer sufficient to combat attacks from bad actors and there are several significant reasons to embrace alternatives to passwords. For World Password Day, here are three reasons to consider ditching passwords – and what to replace them with to keep your company safer online.
Reason #1 – People hate them
Like filing taxes, creating and managing passwords ranks high on the list of activities people love to hate. Requiring employees to keep and maintain passwords – especially if they must change them every 60 to 90 days – leads to frustrated employees. Passwords are probably not popular with the vendors, customers, and partners that need to access your site either. And they create headaches for the business too. After all, there are costs and complicated processes associated with developing, deploying, and managing a repository that keeps user passwords secure. And the average help desk cost to reset a user’s password is $70.
Reason #2 – Passwords are a weak link
Passwords can be problematic. In fact, 80% of data breaches resulted from hijacked and misused passwords. The typical user has dozens of online accounts and 51% of their passwords are reused among the accounts. Lost business can also be a negative consequence of passwords, with one-third of online purchases given up when consumers cannot remember their passwords.
Arguably, user names and passwords are the weakest links in your cybersecurity program. Password fatigue can lead employees to make unwise choices, such as creating weak passwords they can more easily memorize or re-using a password for multiple sites, which can increase the company’s risk.
Reason #3 – Modern challenges require modern solutions
Passwords have been around for decades but so much has changed in that time. With the surge in mobile phone use, the subsequent proliferation in the number of apps, and increase in data stored in the cloud, cybercriminals have new endpoints to attack and more incentive to launch attacks. Plus, there are many more cybercriminals now – even working in groups – to worry about.
When companies sent their workforces home to work remotely in 2020, we saw how even the most technically savvy companies can be challenged by new circumstances. The number of potential security attack surfaces increased, making remote workers targets of attacks. Situations can change fast so companies must remain agile in all aspects of their business, including cybersecurity, and be prepared for the unexpected.
What should replace passwords?
Companies that move beyond passwords have a few major password-less options for identity authentication. Make sure any security method you use is scalable. Biometric authentication verifies identity by unique physical identifiers – like a fingerprint or facial scan – to assess whether the proper person is requesting access. These physical characteristics are the ultimate in unique credentials and cannot be duplicated.
Operating system authentication has been introduced by some software vendors. Accessing the business software takes two-factor authentication instead of a password and involves a new kind of credential associated with a PC or mobile device.
Another option is password-less authentication. You may be familiar with multi-factor authentication, or MFA, which requires traditional passwords. With this method, a person enters a user name and a password to request access to an app or document and a verification code is sent via email, SMS, phone, or a smartphone app. They then enter the code to gain access. While more secure than using only passwords, this takes extra steps and creates additional friction for customers, partners, and employees.
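The verification-code step described above has a server side that is easy to get wrong: the code must be unguessable, short-lived, single-use, compared in constant time, and limited to a few attempts, or the second factor adds friction without adding much security. The following is an added example, not code from the original post or from Simeio; the `OtpService` class, its constants and the injectable clock are this example's own constructions, and delivery of the code by email, SMS or app is out of scope (the `issue` method hands the code back to the caller for that).

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # six-digit code, as commonly delivered by SMS or email
CODE_TTL_SECONDS = 300   # a code is valid for five minutes
MAX_ATTEMPTS = 3         # then the challenge is dead and a new one must be issued


@dataclass
class Challenge:
    user: str
    code_hash: bytes     # only a keyed hash of the code is kept server-side
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Hypothetical server-side issuer and verifier for one-time codes."""

    def __init__(self, server_key: bytes, clock=time.time):
        self._key = server_key          # secret kept by the server, never sent
        self._clock = clock             # injectable so expiry can be tested
        self._challenges = {}

    def _hash(self, challenge_id: str, code: str) -> bytes:
        # Binding the challenge id into the HMAC stops a hash from one
        # challenge being replayed against another.
        msg = f"{challenge_id}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user: str):
        """Create a challenge after the password step succeeds. Returns the
        challenge id and the code; the code goes to the delivery channel."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(
            user=user,
            code_hash=self._hash(challenge_id, code),
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return challenge_id, code

    def verify(self, challenge_id: str, user: str, submitted: str) -> bool:
        """Return True exactly once for the right code inside the window."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.user != user or ch.used:
            return False
        if self._clock() > ch.expires_at:
            del self._challenges[challenge_id]
            return False
        if ch.attempts >= MAX_ATTEMPTS:
            return False
        ch.attempts += 1                # count the attempt before comparing
        if hmac.compare_digest(self._hash(challenge_id, submitted), ch.code_hash):
            ch.used = True              # single use: a replayed code fails
            return True
        return False


if __name__ == "__main__":
    svc = OtpService(secrets.token_bytes(32))
    cid, code = svc.issue("alice")
    print("deliver to user:", code)
    print("verify:", svc.verify(cid, "alice", code))      # True
    print("replay:", svc.verify(cid, "alice", code))      # False
```

Counting the attempt before the comparison, rather than only on failure, means a client that aborts requests mid-flight cannot get unlimited guesses, and storing an HMAC instead of the code keeps a leaked challenge table from being directly usable.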
Password-less authentication simplifies and speeds the process. Users no longer need to remember passwords and can use any device, service, or application, including VPN, VDI, cloud, mobile, and web. The right standards-based approach for logins can be secure and interoperable across any website, application, device, and supply chain. And the best way to manage this approach – including modern authentication methods like security keys, facial and voice recognition, fingerprints, smart cards, key certificates, and apps for access tokens – is with centralized authentication.
Free yourself from passwords
Simeio supports more than 100 organizations in streamlining, simplifying, and saving costs in their digital transformation engagements. We are passionate about helping companies secure their data and increase the confidence of the people who entrust them with it. Our modern access management solution with password-less administration can help boost security, decrease cost, increase agility, and reduce user friction. Modernizing your IAM program can help your company realize these benefits. Learn how our team with its expertise has made it happen!