Research from LastPass by LogMeIn, a leader in password management, has revealed that while businesses are making strides in strengthening password security, there’s more work to be done – with the average password security score of organisations found to be 52 out of 100.
Intelligent CISO asked industry experts whether businesses and organisations needed to do more to strengthen password security.
Here’s what they said:
Paul Parker, Chief Technologist, Federal and National Government at SolarWinds
We live and work in the digital age, yet many of us still tend to approach our work and personal lives with the assumption that our high-value data is safe with just a password, even in public sector organisations. Unfortunately, assuming that ‘it won’t happen to me’ can be naïve, and perhaps even irresponsible, in an era that sees digital crime grow each day.
Awareness through education
Google has done much to elevate online security awareness. Most account users will be familiar with its 2-Step Verification process, introduced in 2011 and designed to add an extra layer of protection that’s unique to each individual, making it much harder for hackers to gain access to files and information.
Known generally as two-factor authentication (2FA), this additional layer of security requires not just a username and password, but also something that is completely unique to that user, whether it be a piece of information or a physical token. It’s based on the concept that only those users will achieve access based on something they know (knowledge) and something they have (possession). Such a system makes it much harder for cybercriminals to access and steal information or identity.
The local 2FA landscape
From a UK public sector perspective, a growing number of government agencies are deploying encryption to help secure critical information properties. For example, the Code of Connection (CoCo) and public services network (PSN) frameworks recommend that any remote or mobile device should authenticate to the PSN via 2FA. While it is not a legal requirement, the uptake in two-factor authentication processes in public sector organisations is rising, with some vendors delivering authentication-as-a-service that can be used to authenticate cloud applications, infrastructure and information.
The practical way forward
Using 2FA in the public sector makes absolute sense, but logistically it’s understandable that it takes time and work to implement. Organisations wanting to use biometric or smartphone-based authentication processes, for example, will need to ensure that the back-end solutions are designed and in place to support the technology and work properly for system users. Thought also needs to be given to education and awareness when introducing new authentication systems. It could become overwhelming, particularly when considering that many public sector organisations may have only recently started to develop a Digital Transformation strategy. In the NHS space for example, just 24% of trusts and Clinical Commissioning Groups (CCGs) have begun to develop strategies.
The good news however, is that processes such as cloud adoption and 2FA are all part of the same Digital Transformation journey. Having the appropriate tools to manage each of these components will go a long way towards helping public sector organisations understand the processes and be able to do what is needed to best support them and the public. Striving for more secure authentication systems that provide far more confidence in the identity of both end users and systems administrators is a great example of this, and is why it matters.
Shannon Simpson, Cyber Security and Compliance Director at Six Degrees
Traditional password policies are becoming outdated, as hackers step up their efforts to gain illicit access to systems and data.
In this age of phishing emails, ransomware attacks and rumoured state-sponsored hacking regimes, the humble password is in danger of being overlooked. Many organisations that we speak to set their password policies a number of years ago and expect semi-regular updates and the occasional uppercase letter to protect them from cyber-attack.
The truth is that modern password hacking techniques – fuelled by the constant increase in processing power available to hackers – require organisations to do more to strengthen their password security. In this blog, we provide five best practice tips to improve your organisation’s password security and reduce the risk of suffering from a damaging data breach.
Strengthen your password security: Best practice tips
To understand what makes a strong password, we need to look at how hackers crack weak passwords. Most password attacks rely on the attacker having access to the ‘hash’ of a user’s password. A hash is a one-way cryptographic function that takes the user’s password and transforms it into another randomised and non-human readable string. Attackers attempt to crack hashes by trying different inputs into the given hashing algorithm until the resulting hash they get matches that of the user’s actual password.
Hackers use dictionary attacks to test a list of words to see if the resulting hash matches a stolen user hash. Hackers will literally run through a dictionary and attempt every word until they find a match, and – in case you thought replacing an ‘e’ with a ‘3’ or an ‘o’ with a ‘0’ would foil them – they use word mangling algorithms to ensure that these common substitutions are accounted for.
So how can your organisation strengthen its password security? By learning the lessons from how hackers attempt to crack passwords:
- Use passphrases, not passwords. Passwords are relatively easy to hack, no matter how many numbers and symbols are substituted for letters. Consider implementing passphrases: ‘luxury dinosaur astronomy mountain’ is unlikely to appear in a hacker’s dictionary.
- Apply the same rule to everyone. We often speak to organisations who have special rules for senior executives. Just because your CEO doesn’t want to remember a complex password, doesn’t mean they should be allowed to remain a security risk.
- Education, education, education. Teach your users how to create strong passwords – here’s a helpful blog on how. Always use lowercase and uppercase letters, numbers and symbols, and if you struggle to convince users to set passwords with at least 12 characters, compromise with 10.
- Utilise a password management tool. It’s best practice to never use the same password twice. But how can your users be expected to memorise so many complex passphrases? Password management tools store passphrases in a secure, encrypted manner – perfect for users who access multiple different systems each day.
- Implement multi-factor authentication. Passphrases alone may not be enough. By implementing multi-factor authentication, you can ensure that hackers are unable to gain illicit access to systems and data, even if they manage to hack your passphrase.
The threats posed to organisations by hackers have never been greater. Fortunately, if you apply a robust password policy you can significantly strengthen your password security and reduce the risk of suffering from a damaging cyberattack.
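The checks described above, written up as an added example (not Six Degrees' code): a registration-time check that undoes the common substitutions a word-mangling rule set would try before comparing against a wordlist, accepts multi-word passphrases, and stores the result as a salted, slow hash. The wordlist, substitution table and thresholds are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed mini wordlist standing in for an attacker's cracking dictionary
# (a real check would use a breached-password list of millions of entries).
COMMON_WORDS = {"password", "welcome", "summer", "qwerty", "letmein", "dinosaur"}

# The substitutions a word-mangling rule set tries; the check undoes them.
SUBSTITUTIONS = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}

# Trailing digits/symbols are another standard mangling rule ("summer2019!").
TRAILING = "0123456789!@#$%^&*.?"

ITERATIONS = 600_000  # PBKDF2 work factor (assumed); raise as hardware gets faster


def normalise(candidate):
    """Reduce a candidate to the base word a mangling rule would have started from."""
    base = candidate.lower().rstrip(TRAILING)
    return "".join(SUBSTITUTIONS.get(c, c) for c in base)


def check_password(candidate, min_length=12, min_words=4):
    """Return (accepted, reason). A multi-word passphrase is accepted; a single
    (possibly mangled) dictionary word is rejected regardless of its symbols."""
    if normalise(candidate) in COMMON_WORDS:
        return False, "dictionary word after undoing substitutions"
    if len(candidate.split()) >= min_words:
        return True, "passphrase"
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


def hash_password(password, salt=None):
    """Store salt + slow salted hash: the salt defeats precomputed hash dictionaries
    and the iteration count slows down every guess the attacker has to hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute from the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Note that ‘P@ssw0rd1!’ satisfies a classic complexity policy yet normalises straight back to ‘password’, while the passphrase from the list above passes.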
Stephen Moore, Chief Security Strategist at Exabeam
Modern cyberthreats are not simple to defend against. The biggest change in recent years has been a shift towards more targeted and more advanced attacks that traditional security systems struggle to detect. Cybercrime is changing because the cost to conduct the crime is falling, while profitability for cybercriminals is rising. For example, usernames and passwords can now be purchased on the Dark Web. Malware simply steals passwords by logging keystrokes or grabbing the hashed password from memory, regardless of the password complexity. Once this happens, the hacker is getting in.
The theft of IDs and passwords is by far the most common goal for today’s cyberattackers. Valid credentials, especially when federated across many platforms, really are the keys to the kingdom; once an attacker has them, they have a legitimate means to access files and databases at will.
To become aware of and stop such cases, businesses need to be able to detect unusual use of valid credentials – with easy and not hero work. This is why behavioural analytics has grown so quickly over the last couple of years. It can help combat insider threats by notifying the security team when someone is doing something that is unusual and risky – even out of context, both on an individual basis and compared to peers.
For example, if an employee begins moving around the network accessing multiple file-servers and databases for the first time, and no one else in his/her department has done so, it can be an indicator of a stolen – but valid – credential.
Ensuring that the password is more complex doesn’t help. With behavioural analytics and Machine Learning, this actionable information about these cases should be available in a couple of clicks; not after a day of queries.
Rich Campagna, CMO at Bitglass
Acquiring credentials to access sensitive data is increasingly easy and incredibly lucrative for today’s hackers. Every additional character in a password increases the number of possible combinations, making brute-force attacks on long passwords far harder for hackers to crack. But increasingly the complexity of a password also makes it much harder for people to remember, hence why password123456 is still the most popular password today.
Rather than advising users to create random strings of alphanumeric passwords, we should be recommending the use of passphrases. These will still be lengthy but made up of real words, so easier to remember. It might seem simple but the truth is, if a password takes too long to crack, hackers will simply move onto the next batch.
Static passwords simply cannot provide effective corporate protection. In 2016, the Bitglass security team leaked a fake profile onto the Dark Web to show just how quickly phished credentials can spread. Within a month, the fake employee’s credentials had been viewed over 1,400 times and there were multiple successful login attempts into the phished account.
The number of large-scale data breaches and the fact that users regularly re-use passwords is a real issue for businesses today. Therefore, enterprises must follow best practices in authenticating users, starting with a proactive approach to identifying suspicious logins. Dynamic identity management solutions that can detect potential intrusions, require multi-factor authentication and integrate with existing systems for managing user access can be much more effective than basic password protection.
For example, if a system records an employee logging into a cloud application from a host of different countries, it can alert IT security teams of suspicious behaviour and they can lock that account, preventing a possible breach.
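The two signals described in the Exabeam and Bitglass contributions above (a user touching file servers or databases that nobody in their department has used before, and one account logging in from a string of countries), as an added detection example that is not either vendor's code. The audit events are constructed, and the baseline cut-off, 24-hour window and country threshold are assumed values a team would tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events: (timestamp, user, department, kind, detail).
# kind "login": detail is the source country; kind "access": detail is the server hit.
EVENTS = [
    ("2024-03-01T08:00:00", "alice", "finance", "login", "GB"),
    ("2024-03-01T08:05:00", "alice", "finance", "access", "fs-finance-01"),
    ("2024-03-01T09:00:00", "bob", "finance", "login", "GB"),
    ("2024-03-01T09:10:00", "bob", "finance", "access", "fs-finance-01"),
    ("2024-03-02T10:00:00", "alice", "finance", "login", "GB"),
    ("2024-03-02T10:02:00", "alice", "finance", "access", "db-hr-01"),   # new to alice and to finance
    ("2024-03-02T10:04:00", "alice", "finance", "access", "fs-eng-02"),  # new to alice and to finance
    ("2024-03-02T11:00:00", "carol", "sales", "login", "GB"),
    ("2024-03-02T13:00:00", "carol", "sales", "login", "US"),
    ("2024-03-02T15:30:00", "carol", "sales", "login", "BR"),
    ("2024-03-02T16:00:00", "carol", "sales", "login", "VN"),
]

BASELINE_END = datetime(2024, 3, 2)  # assumed: events before this only build the peer baseline


def first_time_resource_alerts(events, baseline_end=BASELINE_END):
    """Flag a user's first access to a resource that no peer in the same department
    has touched before: the stolen-but-valid credential pattern."""
    dept_seen = defaultdict(set)
    user_seen = defaultdict(set)
    alerts = []
    for ts, user, dept, kind, detail in sorted(events):
        if kind != "access":
            continue
        when = datetime.fromisoformat(ts)
        novel = detail not in user_seen[user] and detail not in dept_seen[dept]
        if novel and when >= baseline_end:
            alerts.append((user, detail, ts))
        user_seen[user].add(detail)
        dept_seen[dept].add(detail)
    return alerts


def multi_country_login_alerts(events, window=timedelta(hours=24), max_countries=2):
    """Flag a user whose logins inside `window` come from more than max_countries
    countries; ordinary travel rarely produces four in one afternoon."""
    logins = defaultdict(list)
    for ts, user, _, kind, country in sorted(events):
        if kind == "login":
            logins[user].append((datetime.fromisoformat(ts), country))
    alerts = []
    for user, seq in logins.items():
        for i, (start, _) in enumerate(seq):
            countries = {c for t, c in seq[i:] if t - start <= window}
            if len(countries) > max_countries:
                alerts.append((user, sorted(countries)))
                break  # one alert per user is enough to trigger review and a lock
    return alerts
```

Both functions return the alerts rather than acting on them, so the lock-the-account step from the Bitglass example can be wired to whatever access-management system is in place.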
Tim Bandos, Senior Cybersecurity Director at Digital Guardian
Companies have a responsibility to keep data secure and a big part of that responsibility is stamping out employees’ bad password habits. This starts with educating staff about what makes a really good password and giving them advice about how to keep their accounts secure, by using unique passwords across all accounts and regularly changing them. This includes encouraging employees to use completely different passwords for their personal and professional accounts.
To strengthen security, CISOs can instil policies for password creation among their users, as well as enabling two-factor authentication for an additional layer of security. These policies may include a minimum of 10 to 15 characters and a requirement of a mixture of numbers and special characters. Leveraging tools like Password Managers (Dashlane, LastPass) can also aid in developing extremely complex credentials that don’t require the end user to remember every single one. These tools can auto-populate password field boxes with your passwords in a secure manner.
Ultimately, however, with the number of login dumps in recent years, password security will never be 100% secure. It’s inevitable that hackers will at some point breach a company’s network, so the focus must shift to preventing hackers from exfiltrating sensitive data. Deploying data-centric security technology can remove the risk factor associated with these threats because even if someone has access to the data, they are prevented from copying, moving or deleting it without approval.
Rupert Spiegelberg, CEO, IDnow
Password security is fairly near the top of most businesses and organisations’ employee agenda. Unfortunately, despite high levels of awareness and education around the importance of password security, the gulf between listening to advice and actually acting upon it is just too wide, and more often than not, hackers gain the keys to the kingdom via well-meaning employees.
Passwords are a ubiquitous part of the digital age and with the growth in online business, it is not uncommon for people to need multiple passwords, which unfortunately leads to duplication or simplification for ease of memory.
The problem with this is that, for passwords to be effective, they need to be an uncommon word of eight letters or more and not used anywhere else. It is perhaps not surprising, then, that passwords are often the easily opened gate into an organisation.
Perhaps the solution is for businesses to move away from reliance on password-only security and towards biometric authentication techniques (face, voice, fingerprint, iris recognition). As these systems become increasingly intelligent, more companies are turning to biometric authentication for heightened security. HSBC is an example of an organisation that is offering its First Direct customers the opportunity to identify themselves using finger and voice print authentication, rather than stating their telephone security password or PIN number. HMRC recently revealed that 6.7 million people so far have signed up to its voice identification, while HSBC says it has more than 10,000 people registering each week.
While not yet perfect, many businesses are turning to biometric authentication as a more secure alternative to passwords. Perhaps voice recognition is enabling organisations to say goodbye to hard-to-remember passwords and PIN codes.
Marc Vanmaele, CEO of TrustBuilder
User credentials give us a sense of security but in the age of massive data breaches, phishing attacks and password hacks, it is becoming clear that passwords are increasingly at risk.
Consumers are increasingly using their social IDs to access services and resources. You need to allow them easy access to your services through their existing digital identities. But when we see incidents like the recent data breaches suffered by Facebook and Google+, it’s clear that these credentials are not secure on their own.
Today, there are billions of passwords available to cybercriminals within a few clicks. If users have not changed their password, or have chosen something similar as a replacement, their accounts are vulnerable.
There are methods that can add an extra layer of protection to accounts, such as multi-factor authentication.
This is where users must authenticate themselves with additional information, such as a one-time-password generated on their mobile phone, a hardware token or biometrics such as a fingerprint. Although each of these can add complexity to the checkout process, users are becoming familiar with various methods.
Some organisations have assumed that end-users do not understand the need for security or privacy and must have an entirely frictionless login experience. We believe that people are smarter than that: as long as security is proportional to the perceived asset value, they accept and even encourage security – as long as this remains simple and user-friendly.
Still, there is a balance to strike. Today’s issue is to find the right balance between security and end-user convenience. This is the case when the user is a member of staff and even more so for the consumer. Google, Apple and many of today’s most popular mobile applications have set usability expectations at a high level.
In addition to allowing multi-factor authentication, organisations may wish to check more information than a user’s credentials and an additional authentication factor.
For example, a user may be in a location that is unrecognised or that presents an increased risk of social engineering attacks – such as a public location that uses an open WiFi network. It is possible to check factors such as these by authenticating users dynamically, considering not just who they are but also the context in which the transaction or session is taking place.
However, this can add complexity for the organisation and the user. That’s why some organisations are employing identity and access management (IAM) solutions to understand as much user context as necessary. The best solutions enable organisations to authenticate users dynamically, considering factors such as the user’s age, location and whether the device they are using is recognised.
While there is no one-size-fits-all recipe to find the right balance between security and simplicity, the balance is specific to each industry and even each company.
For our company, this is something we understood from our inception and we designed our TrustBuilder Identity Hub product in a way that allows organisations to define their own balance between a seamless end-user journey and the need for a high level of identity assurance.