Last week, the world celebrated World Password Day, a global holiday dedicated to password best practices and credential security as phishing attacks and credential harvesting continue to run rampant.
The holiday has never been more important as compromised credentials play a role in more than 80% of global cyberattacks.
And, despite the growing technical ability of bad actors and the extreme sophistication of nation-state actors like the ones behind the SolarWinds Orion compromise and the Microsoft Exchange Server hacks, compromising the credentials of just one end user remains the most popular initial intrusion vector, says Myke Lyons, CISO at data intelligence company Collibra.
“Phishing is still the top attack method,” Lyons says. “You click on a link, login and they harvest your password and away they are, operating as you. It’s still the most effective. Users fall for these things.”
Phishing attacks don’t typically require a great deal of technical ability, and they are relatively inexpensive to conduct. And these kinds of attacks target an organization’s least secure asset – its people.
“You can really get into any organization if you just keep peppering them, and you pepper them by doing a touch of social engineering,” Lyons says.
Multi-factor authentication should be standard where possible
With the overwhelming majority of cyberattacks starting with attacks against individual end users and their credentials, implementing some kind of multi-factor authentication should be standard wherever possible.
Multi-factor authentication requires at least one additional token on top of a password to log into an account, and can include things like biometrics, a hardware key, a message sent to a mobile phone or an authentication app.
“There’s no reason why someone shouldn’t have multi-factor on,” Lyons says. “It’s low friction and high impact.”
In fact, multi-factor is poised to become standard in the tech industry, with Google planning to automatically enroll users in two-step verification.
Rather than World Password Day, Corey Nachreiner, CTO of WatchGuard Technologies, says a “World MFA Day” should take its place. Attackers are adding millions of new usernames and passwords to the dark web every day, and more than 80% of cyber breaches last year began with compromised credentials, he says.
Good password security – like choosing a strong password with at least 16 characters, using a different password for each account and using a password manager – should be table stakes at every organization by now, Nachreiner says.
“MFA allows you to ensure that even if an attacker gains access to one of these tokens, like a user password, they’ll be unable to log in without the second (and sometimes third) authentication token,” Nachreiner says. “It’s an absolute no-brainer when it comes to addressing the widespread and persistent issues around poor password security and should be a primary focus for both businesses and individual users.”
Passwords could soon be a thing of the past
Every time a user types their password to log into an account, they risk it being exposed in some way. However, the technology is still catching up to the cybersecurity community’s consensus that passwords are an archaic means of authentication.
“I think there’s a way forward – it’s just going to take the industry pulling us in that direction,” says Lyons of Collibra, adding that Microsoft and Google – among others – have made moves in that direction with security keys and password-less authentication.
If your organization is still mandating password changes every few months, you should consider Zero Trust Network Access, says Ric Longenecker, CISO at Open Systems.
“By simply adding a few variables of context around a login, enterprises will be able to remove the traditional login requirements and password changes and at the same time have a greater degree of assurance that every authentication is legitimate,” he says.
Like Lyons, Longenecker says passwords are becoming more trouble than they’re worth. He pointed to NIST, Microsoft and other tech companies who are doing away with traditional password requirements or forced changes every 180 days, but said legacy infrastructure can hold up that innovation.
“After all, no one likes to enter their password, and maybe a 2FA token number, 5-10 times a day,” he says. “Once we move past this, it’ll be like the change from writing an SMS with a phone’s on-screen keyboard as opposed to a T-9 Nokia flip-phone. No one’s going to miss it.”