Expert Commentary on World Password Day 2019


Today, May 2, 2019, is World Password Day! This represents an excellent opportunity to assess your identity security policies and consider whether you need an access management upgrade.

After all, passwords prove largely inadequate for protecting users against internal or external threat actors. Generally, hackers can use social media or public information to guess most users’ passwords. Otherwise, they can purchase and employ tools to crack the passwords in a matter of days, if not hours.

Furthermore, users often choose well-known weak passwords or reuse their passwords across multiple accounts. Both practices play right into hackers’ hands.

Thus, on World Password Day, we wanted to assess the actual state of enterprise identity and access management. What can enterprises do to improve their password security? Which strategies prove most effective against password guessing or cracking? What does the future hold for authentication?

To answer these questions, we compiled expert commentary from throughout the IAM space. Here’s what the professionals had to say on World Password Day:

World Password Day in Context

Identity and access management solution provider OneLogin today released a study of 300 IT decision makers throughout the United States. What they found puts World Password Day 2019 into context.

Indeed, OneLogin discovered 44% of enterprises take up to a month or more to deprovision former employees. Additionally:

  • American enterprises’ IT departments waste 2.5 months a year on password resets.
  • 65% fail to check employee passwords against lists of common passwords.
  • 76% don’t check passwords with complexity algorithms.
  • 63% fail to implement password rotation policies.
  • Moreover, 63% of American enterprises don’t require numbers in their passwords. 72% don’t require upper and lower case characters.    
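As an added example (not part of the OneLogin study or this article), the following Python script applies the controls the survey lists: screening candidate passwords against a common-password list and checking for digits and mixed case. The blocklist contents, the minimum length and the sample passwords are constructed for the demonstration; a real deployment would load a full breached-password list.

```python
import re

# Constructed blocklist for the demo; the two entries the article cites
# ('password', '123456') are included. Real deployments load millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def check_password(candidate, blocklist=COMMON_PASSWORDS, min_len=12):
    """Return the list of policy failures; an empty list means the password passes."""
    failures = []
    normalized = candidate.lower()
    if normalized in blocklist:
        failures.append("in common-password list")
    # Catch trivial decorations such as 'Password1!' that complexity rules alone
    # would accept: strip everything but letters and re-check the blocklist.
    letters_only = re.sub(r"[^a-z]", "", normalized)
    if letters_only and letters_only != normalized and letters_only in blocklist:
        failures.append("trivial variant of a common password")
    if len(candidate) < min_len:
        failures.append(f"shorter than {min_len} characters")
    if not re.search(r"\d", candidate):
        failures.append("no digit")
    if not (re.search(r"[a-z]", candidate) and re.search(r"[A-Z]", candidate)):
        failures.append("missing upper or lower case")
    return failures


def audit(passwords):
    """Count how many of the supplied passwords fail each check (for a policy report)."""
    counts = {}
    for pw in passwords:
        for failure in check_password(pw):
            counts[failure] = counts.get(failure, 0) + 1
    return counts


# Constructed sample of employee passwords to audit.
SAMPLE = [
    "123456",
    "Password1!",
    "Tr0ub4dor&3",
    "correct horse battery staple",
    "Vx9$kLm2pQ7r",
]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
    print(audit(SAMPLE))
```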

Robb Reck, CISO at Ping Identity

“The current digital sprawl not only makes it tough to manage our passwords, but it also leads to bad habits that can cause data breaches. Using the same password on multiple sites, easily guessed passwords, and passwords with patterns that change based on the site can all lead to account takeover and data theft.

“Technologies like two-factor authentication, continuous authentication tools, and risk engines that look for suspicious behavior before granting access, all allow companies to limit or remove passwords from the regular user workflow. This not only improves the user experience but can also be a net gain to security when done correctly. Companies that jump on this trend will be the ones with the most seamless customer experience.”  

George Cerbone, Principal Architect at One Identity

“Each World Password Day reminds us how important the password remains to online authentication. And it also highlights how the password has become a weak link. According to research, 63 percent of data breaches are linked back to weak, reused, or stolen passwords. Compromised credentials lead to highly lucrative and devastating attacks.

“We have made passwords more and more complex so they cannot be easily guessed by bad actors. Unfortunately, this is also one of their biggest drawbacks. The forgetting and resetting of dozens of passwords is a broken cycle that we should strive to end.

“We’ve reached a breaking point, and the power of the password is rapidly diminishing.

“Some are turning to biometrics as the answer to get around passwords altogether. And while biometrics technology is well on its way to being the authentication approach of the future, there are still shortcomings, such as not being able to update or create a new biometric login when fingerprint data is stolen from a leaked database. As biometrics emerges for today’s businesses, there is another recommended approach for authentication, which is multifactor.

“Layering security through a multi-factor process does authentication right. And the good news is that as biometrics evolves, it can serve as a portion of the multi-factor authentication process. While it is World Password Day, one can see a transformation in authentication that could ultimately move us away from the password. One day, we might have to call it World Authentication Day.”

Peter Galvin, Chief Security Officer at nCipher

“While we’re all drowning in passwords, they’re what we still trust to give and get access – and for now, they’re here to stay. Given the lengths to which people will go in order to get their hands on them, we really should be doing as much as possible to keep them safe and secure. For organizations, this means having a centralized security policy and effective encryption key management to assure control of data across every physical and virtual server on and off your premises.”

Ameya Talwalkar, Co-Founder and CPO at Cequence Security

“We hope to live in a password-less world, one day. Until then, protect yourself with a few good habits:

  • “Do not use the same password across multiple sites.
  • Use biometric authentication on mobile phone apps.
  • Use at least two online password managers to securely save and sync your credentials.
  • Change passwords on finance and healthcare related applications on a regular basis.”

Sarah Whipp, CMO and Head of GTM Strategy at Callsign

“Earlier this month the National Cyber Security Centre released a list of the most common passwords. This included 3.6 million people using ‘password’ and 23.2 million with ‘123456’ as a means of security. Despite organizations trying to impose stronger password requirements and striking awareness campaigns, clearly the message is not getting through. What’s more, computer passwords were first introduced in the 1960s. Yet half a century later the technology has moved on very little and isn’t doing a particularly good job at keeping information secure. This is why organizations need to take more responsibility and why additional layers of security, beyond the password, are so important.

“It would be foolish to suggest that passwords are completely redundant; they will always have a place in the authentication process. However, organizations are now able to draw on more reliable and intelligent data points in order to identify people. Now they aren’t restricted to one or two authentication methods but can offer their customers a choice in how they want to authenticate themselves. By giving them this choice, those who haven’t created a secure password will have alternative measures in place to make sure their data won’t be compromised.”

Gavin Millard, VP of Intelligence at Tenable

“World Password Day was originally introduced to raise awareness of the importance of creating strong passwords—so that worked! However, with the sheer volume of data breaches where users’ passwords are stolen and sold on the Dark Web, the issue is less about creating strong passwords or phrases and more about educating people about the need for a unique code for each online account.

“Considering millions are still using 123456 as a password, the chances of changing password behavior are nothing short of a miracle. Instead, I advocate the use of password managers that create and store complex passwords, with some capable of alerting users when compromised passwords are found in data breaches. So on World Password Day, instead of improving your complex recipes for password success, do yourself a favor and automate.”

Thank you to these cybersecurity experts and professionals for sharing their thoughts and concerns with us on World Password Day!

If you would like to learn more about password security and identity management, check out our Free 2019 Buyers’ Guides. Additionally, you should consider registering for Identiverse 2019. You can use the discount code “REGISTERNOW19” through May 31 to get $250 off.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.