Last month, two of the key behaviors of Cybersecurity Awareness Month were the importance of using strong passwords and a password manager. In this article, we question whether passwords are here to stay, and whether they’ll always be a security headache for organizations.
Passwords are still the most common factor in data breaches. Even though most people know the importance of having strong, unique passwords for each of their online accounts, few people take the time to create them – and when they do, they often fail to keep them safe.
If your employees use the same password for everything, all of their accounts can be compromised if their login details are stolen. This can give hackers inside access to your organization, which can have devastating financial consequences, and do irreparable damage to your reputation.
Why do employees have bad password habits?
One of the key reasons why so many people have such bad password habits is that there is a lot of conflicting advice when it comes to how to create a strong password.
Jack Chapman, Egress VP of Threat Intelligence, explains: “The advice given around unique passwords should be to enforce a unique password for each account you own. Although this sounds like a chore, it can be easily done with the aid of a password manager which will save, hold, and provide you with custom passwords for each site.”
Most people know the benefits of password managers, but few people take the time to use one. It seems like there’s an app for everything now, and many people are suffering from ‘app fatigue’ – a phenomenon where customers are no longer eager, or are too overwhelmed, to download or use new apps, including password managers.
Google’s 2019 Online Security Survey revealed that only 35% of people use a different password for all of their accounts, and that only 24% of respondents used a password manager, despite many people saying they needed a better way to track passwords.
But there are benefits to using password managers beyond just helping us to remember our passwords. Chapman says, “Having unique passwords can also help you identify who has had a breach or sold your data. Adding a + and the website name [known as plus addressing] to the end of your email address is another great way to do this.”
Should people change their passwords every six months?
In addition to having a separate password for every online account, people are told to change these passwords often. Many organizations actually prompt employees to change their passwords every six months. However, this advice is quickly falling out of favor.
“Standard password guidance in large organizations worldwide often recommends passwords should be updated every six-month period as a precautionary measure. This doesn't always work as intended and can actually hurt cybersecurity,” explains Chapman.
In 2017, the National Institute of Standards and Technology (NIST) released Digital Identity Guidelines that offered updated advice on password security and addressed many widespread misconceptions.
“Humans are creatures of habit, we often just iterate on our current password instead of completely generating new and unique passwords every six months. For example, Password123, Password1234. In the process of trying to bolster our security, people often end up making their passwords even weaker and more easily hackable. People should actually update passwords on breaches only and if possible, use randomized password generators within their password manager,” says Chapman.
Instead of telling employees to update their password every six months, you should encourage them to create strong, unique passwords for each of their online accounts and emphasize the benefits of two-factor authentication (2FA). This means that even if a hacker does get their hands on an employee's password, they'll still need to steal an extra piece of information to break into your organization.
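As an added example (not code from the original article or from Egress), here is a small Python check that a password-change workflow could run to reject the "Password123 to Password1234" style of iteration described above, so that forced rotation does not quietly weaken credentials. The substitution table, the strip-leading-and-trailing-digits rule, and the 0.8 similarity threshold are assumptions chosen for this example, not a published standard.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Common single-character substitutions people use when "refreshing" a password.
# Assumed table for this example; it is not exhaustive.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to its core word: lowercase, drop leading/trailing
    digits or symbols (the '123' that becomes '1234'), undo leet substitutions."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET)


def is_trivial_iteration(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is only a cosmetic tweak of `old`.

    Two tests: identical cores after normalization (catches Password123 ->
    Password1234 and Password123 -> P@ssw0rd!), then a character-level
    similarity ratio for edits the normalizer does not model. The threshold
    is an assumed tuning value."""
    if new == old:
        return True
    old_core, new_core = normalize(old), normalize(new)
    if old_core and old_core == new_core:
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def check_password_change(old: str, new: str) -> Optional[str]:
    """Return a rejection reason, or None if the change is acceptable."""
    if is_trivial_iteration(old, new):
        return "new password is a minor variation of the previous one"
    return None


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("Password123", "Password1234"),
                     ("Password123", "P@ssw0rd!"),
                     ("Winter2023!", "Winter2024!"),
                     ("Password123", "correct-horse-battery")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new) or 'ok'}")
```

The normalized core would only be compared at change time against the password the user just proved they know; storing old passwords in any recoverable form to run this check later is not implied here.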
Will passwords ever be replaced?
With over 80% of company data breaches caused by weak or compromised passwords, this raises the question: are we stuck with passwords? Could biometrics, or another technology, take over completely?
“Biometrics is a huge topic which has been discussed as possibly replacing the password in the future, as it’s a lot harder to guess a biometric hash value,” says Chapman.
Fingerprint scanning is already widely used by many institutions, including mobile banking. Although fingerprints aren’t secret like passwords, each fingerprint is unique and unchangeable, which means they can’t simply be guessed and typed by hackers. However, even this isn’t the perfect solution.
“A large downside to the transition to biometrics such as fingerprint scanning or voice verification is that if the unique hash is compromised, it is impossible to change your unique hash. With passwords, it's often quite quick and easy to update or randomize a password post-breach,” says Chapman.
Despite the security issues associated with passwords, they're still one of the best options available when it comes to security. By encouraging your employees to use a randomized password generator, store their passwords in a secure password manager, and enable 2FA, you can help to significantly increase the security of your organization.
Having a strong password policy is vital – here are 18 more things you can do this week to boost your organization’s cybersecurity.