This World Password Day we should not only consider how we make passwords themselves more secure, but how we ensure that the management and handling of passwords does not compromise their integrity as a form of security and authentication. The dangers of password reuse have been made abundantly clear through the rise in successful credential stuffing attacks, yet recent research has shown that 45% of working adults admit to reusing the same password for multiple services.
This issue will likely persist into the future due to human beings’ desire for convenience and the difficulty of remembering ever more complex passwords for the multitude of online services they use. The repercussions can be serious however, as one compromised password can open an individual up to identity theft or even put their entire organisation at risk.
Likewise, cybercriminals are continuing to leverage sophisticated strains of information-stealing malware or keyloggers, often delivered through email phishing campaigns leveraging social engineering. Even in the best case scenario where a user has complex and unique passwords in place, a carefully targeted phishing attack dropping a stealer or keylogger can deliver these credentials directly to the attacker. For instance, according to the latest Cost of Insider Threats 2020 Global Report, Middle East organizations have experienced the highest number of insider-related incidents over the past 12 months, and are likely to experience credential theft.
Both individuals and organisations, not only in the Middle East but globally can do their bit to respond to these threats. Password reuse can be tackled through greater education and training, but it must be combined with technological solutions to reduce the onus on the individual, which is consistently the route most exploited by cybercriminals. Organisations should be implementing multi-factor authentication as standard, and it is also encouraging to see a rise in the use of password management applications which mitigate the risk of relying on the human memory for password security.
Additionally, going beyond simple web-based training routines and instead deploying rich simulated attacks can provide a much more sustainable and effective form of human defence against phishing attacks. This, combined with robust email security to ensure as few attacks as possible ever reach their intended target, will help to reduce the reliance on the password as a last line of defence against threats.
As we look ahead, there is the potential that security advice will be to move away from passwords altogether. We have already seen a rise in methods such as facial recognition and other biometric authentication forms in use in place of the traditional password. This shift may be essential, because although technical vulnerabilities may be harder to exploit in future, humans are already and will remain the most targeted link in cyber security, with the most tech-savvy individuals vulnerable to increasingly personalised and complex attacks. Relying on passwords may be a thing of the past.