It’s World Password Day 2024! What’s clear is that passwords and creating and maintaining good password hygiene is still one of the most effective ways to protect businesses. We’ve gathered some insights from cybersecurity experts who have had their say on passwords below, from whether they’re here to stay, more secure alternatives and everything in between.
Thomas Richards, Principal Security Consultant at the Synopsys Software Integrity Group insisted passwords are here to stay, commenting: “Using passwords to authenticate users will continue to be the main way to authenticate for the foreseeable future. Authentication mechanisms are further strengthened by the use of multi-factor authentication as a way to validate the intended user, and not an imposter, is trying to access the system. What we’re seeing lately is organisations shifting to identity management systems to reduce the instances where a user will need to re-enter their password so long as they are authenticated properly.”
Nathan Dove – Managing Consultant at Pentest People added: “Password managers are essential tools for securely managing and storing credentials, empowering individuals to use strong and unique passwords across all their accounts. While some employees may initially resist changes in IT processes, I would personally pose to these individuals that password managers actually make life easier! These tools can automatically generate complex passwords for new accounts and streamline the login process by allowing you to simply copy and paste stored credentials instead of typing them out manually. Some even support an autofill feature, meaning you don’t even have to click a single button to login to some of your applications.”
Patrick Tiquet, VP of security & compliance at Keeper Security, added: “Basic password hygiene remains the single most important cybersecurity measure. The use of a password manager is integral to enforcing comprehensive password policies. This will ensure employees are using high-strength random passwords for every website, application and system, and further, will enable strong forms of two-factor authentication, such as an authenticator app, to protect against remote data breaches.
“In addition to strengthening password policies, organisations must prioritise education and awareness initiatives to ensure that employees understand and follow cybersecurity best practices. This includes educating them about common password mistakes, such as using easily guessable passwords or reusing passwords across multiple accounts. Regular training and simulated phishing exercises can help reinforce best practices and identify areas of concern.
“No matter how a threat actor accesses the network, though, the next step is to make sure they are unable to go any further. Organisations large and small should implement a zero-trust architecture with least-privilege access to ensure employees only have access to what they need to do their jobs. Companies should also have security event monitoring in place. Privileged access management software can help with privileged account and session management, secrets management and enterprise password management. By adopting a zero trust framework within their infrastructure, enterprise leaders will be in a stronger position to not only identify and react to attacks on their organisation but also mitigate any potential damage.”
And to be extra secure, Roger Grimes, data-driven defence evangelist at KnowBe4 and one of the world’s leading experts on the topic of passwords, also provides some advice on using phishing-resistant MFA in this video:
And if you’re looking for an alternative to the password, Darren James, senior product manager for Specops, an Outpost24 company recommended:
“We’ve been told for years that passwords are dead and yet we still have a day each year to remind people to set a good ones. This time around we do see a growing interest in Passkeys to replace passwords for many web applications, but these solutions, although a great step in the right direction, still don’t remove the need for passwords in all circumstances.
“Take a new starter at a company, how do you get them logged in for the first time on their machine? What happens if they are, like many of us today, remote only? Do we send them their First Day Password in Plain Text over the airways, surely no one will intercept that? In our recent 2024 Breached Password Report, we discovered that one of the most common breached passwords included the terms “New Hire”.
“So, it’s still a good idea to look for alternatives to just sending the credentials over an email or SMS text, ideally ones that don’t rely on sharing a First Day Password with the user at all.
“Of course, when that new starter does get to set their password, we still need to make sure that it’s not already been breached and that it isn’t easy to guess. We still recommend 3 random, memorable word passphrase, maybe with a deliberate spelling mistake, as a great option, if it’s something you need to type regularly, just don’t be tempted to reuse it.”