Source: FIDO Alliance. Shikiar.
"At the root of the problem is the fact that knowledge-based credentials such as passwords and one-time passwords (OTPs) are human-readable and can be pried out of users’ hands and/or stolen from corporate databases by enterprising hackers," he observed, also noting that poor cybersecurity hygiene practices like reusing the same password for multiple accounts can open the door for other accounts to get hacked once one password is compromised.
"Legacy forms of two-factor authentication like SMS OTPs are better than a password alone, but are also susceptible to hackers who can use SIM swapping or other techniques to intercept and relay the 'secure' passcode to take over the intended recipient’s account," he said.
"Even the savviest of users can fall victim to password attacks. Think phishing, credential stuffing and man-in-the-middle attacks. Cybercriminals often leverage social engineering techniques to deceive individuals into taking the desired action – including clicking on a link or unknowingly submitting their credentials via a fake website – to steal their passwords. These techniques prey on people’s intrinsic, emotional reactions and push them to bypass logic and overlook red flags. As such, it is unfair to expect users to become cybersecurity experts in order to protect themselves."
Source: Syniti. Tan.
"With data leaks and breaches becoming increasingly prevalent, World Password Day is a wake-up call for organisations to relook (their) data governance processes – from enforcing strong security practices, such as complex passwords and multifactor authentication, to ensuring compliance to local data privacy standards."
"Today, implementing robust passwords is just a small step in the wider data privacy, security, and governance agenda," Tan explained. "Not all data has the same security sensitivity, and not all data needs to be treated the same. However, having well-managed data will help leaders in understanding and applying the appropriate security and governance policies for better protection. Passwords are critical gatekeepers, thus ensuring good hygiene in creating complex passwords or refreshing old ones, reinforces organisational security posture in today’s digital first world."
Beyond change, a growing number of voices are calling for 'passwordless' approaches.
Source: Trend Micro. Ng.
"We often see passwords as critical gatekeepers for our data. In many circumstances, this is still the case. However, in the context of an increasingly digitalised world, where individuals and organisations need to manage multiple digital accounts, remembering varying strings of complex characters is no longer sustainable. We must take traditional approaches to securing our accounts, systems, and data from unauthorised access to the next step. How? Think passwordless," he suggested.
"From biometrics, voice analysis, iris scans, we are at an exciting time where authentication can be done in new and creative ways. Today, this is being done by combining two factors: something the user has, such as a mobile device for obtaining a passcode; and something unique to the user’s identity, such as a fingerprint for identity verification. This is not only a stronger method of authentication, but it also enables efficiencies by eliminating the need to store or manage passwords and a better user sign-in experience."
Source: CyberArk. Lim.
"This World Password Day, organisations should consider eliminating password pains for business apps and other sensitive data by using passwordless authentication such as multifactor authentication (MFA) and biometrics. A strong passwordless experience can be created by authenticating each identity with a high degree of accuracy — a foundational Zero Trust component," agreed Teck Wee Lim, Head of ASEAN, CyberArk.
"When combined with broad least privilege enforcement, context-aware access controls and continuous monitoring mechanisms, organisations can benefit from a structured way to secure digital identities that every staff member possesses — human or machine — without slowing things down."
Shikiar called for concrete steps "to build a future digital landscape that offers greater security and convenience". "As cyberattacks in Asia Pacific continue to rise, organisations have a responsibility to ditch the password and adopt cryptographically secure, possession-based authentication. At FIDO Alliance, we are working closely with technology providers, governments and enterprises worldwide to make a passwordless future a reality – one that is not only more secure, but that is also more convenient.
"With FIDO’s authentication standards already available on over 4 billion devices and supported natively across major browsers and platforms, we believe it is only a matter of time before the world’s dependence on passwords becomes a thing of the past."
"We have all heard how popular passwords such as 'password' or '12345' are, despite being easily hackable." - Niel Pandya, CTO & Cybersecurity Lead, Asia Pacific & Japan, Micro Focus
Source: Cybereason. Chim.
Chim said that framing account compromise as a responsibility of end users is an easier argument but does not solve the problem. "Information security specialists should learn as much as they can – dispelling the perception of employees standing watch over the most critical company’s servers - the shift from (a) ‘prevention’ to ‘detection and response' cyberdefense approach to tackle the problem immediately if the first line of human-defence fails. The chances are good that robust cybersecurity can protect operations that are critical to your business or prevent pain points from worsening should there be a cyberattack," he said.
Source: Micro Focus. Pandya.
"One of the best ways to prevent unauthorised access is through MFA. This, coupled with encryption and data masking will ensure that sensitive data stays secure, even if systems are compromised. Finally, organisations can consider risk-based authentication through adaptive intelligence. This looks at various log-in scenarios, for example geo location or device, and assesses if they carry the same risk," he said.
"Password strength and complexity, while important, are just one piece of the security puzzle. Making access harder through stronger security controls is the key to breach prevention and resilience."
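The risk-based authentication Pandya describes, which weighs the device and location of a login against what is usual for the account, can be sketched as a small scoring step that decides between allowing a login, stepping up to MFA, or refusing it. This is an added illustration written for this page, not Micro Focus code; the signal weights, thresholds, user profile and login events are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    hour_utc: int  # 0-23

@dataclass
class UserProfile:
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(6, 22)  # assumed working window, constructed

# Constructed weights: how much each deviation from the profile raises risk.
WEIGHTS = {"new_device": 40, "new_country": 35, "unusual_hour": 15}

def risk_signals(attempt, profile):
    """List the ways this attempt differs from the account's usual behaviour."""
    signals = []
    if attempt.device_id not in profile.known_devices:
        signals.append("new_device")
    if attempt.country not in profile.usual_countries:
        signals.append("new_country")
    if attempt.hour_utc not in profile.usual_hours:
        signals.append("unusual_hour")
    return signals

def risk_score(attempt, profile):
    return sum(WEIGHTS[s] for s in risk_signals(attempt, profile))

def decide(score):
    """Constructed thresholds: low risk passes, medium risk needs a second
    factor, high risk is refused and left for the SOC to review."""
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up_mfa"
    return "deny"

def evaluate(attempt, profile):
    score = risk_score(attempt, profile)
    return decide(score), score, risk_signals(attempt, profile)

def record_success(attempt, profile):
    """After a login that passed (including a completed MFA step-up), the device
    and country become part of what is 'usual' for this account."""
    profile.known_devices.add(attempt.device_id)
    profile.usual_countries.add(attempt.country)

# Constructed profile and login events for a sample user.
ALICE = UserProfile(known_devices={"laptop-01"}, usual_countries={"SG"})
USUAL = LoginAttempt("alice", "laptop-01", "SG", 10)
NEW_DEVICE = LoginAttempt("alice", "phone-77", "SG", 10)
NEW_DEVICE_ABROAD = LoginAttempt("alice", "phone-77", "BR", 3)

if __name__ == "__main__":
    for attempt in (USUAL, NEW_DEVICE, NEW_DEVICE_ABROAD):
        print(attempt.device_id, attempt.country, evaluate(attempt, ALICE))
```

Running the block shows the usual laptop login allowed with score 0, the unknown phone sent to MFA with score 40, and the unknown phone from a new country at night refused with score 90.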
Thomas Richards, Principal Security Consultant, Synopsys Software Integrity Group, thinks passwords are unlikely to disappear so easily. "The username/password combination remains at the core of all digital authentication; the use of which will not end in the foreseeable future," he said.
"While MFA adds an additional layer of security to better protect systems and end-users from compromise, passwords are still a core component of such MFA authentication."
Richards suggested that more can still be done to make the password issue less of a risk. "Password compromises can often be attributed to other security issues such as vulnerable software or poor development practices. When caused by poor password hygiene, there is likely a technical control which isn’t fully implemented, such as the requirement for strong/effective passwords. Humans tend to choose the easiest approach and without policies to require strong/long passwords, users prefer to default to weak/short passwords," he stated.
"I wouldn’t necessarily support the notion that more education alone is the way forward; however, companies should continue their cyber security training – including training around password security best practices. In this training, the curriculum should incorporate what constitutes a strong password. Companies should also stay up to date with industry standard best practices for password security."
Richards further suggested looking at password managers. "Password managers provide many benefits that assist people with managing the many different passwords needed in today’s world. They provide secure storage, feedback if a password is considered weak, and can generate complex passwords as needed. All of these things help the user maintain their passwords according to best practices to reduce the risk of a compromise," he said.
"Companies that have created password managers have put great thought into protecting passwords. Strong encryption is used for all storage and transmission of the password so that even if the hosting company is compromised, the data is always encrypted with only a key or password the user knows.
"Password managers are also easy add-ons to web browsers, mobile phones, or are even part of the operating system or browser. This integration makes using them very easy for the user. Apple Keychain is an excellent password manager that is deeply integrated within the iOS and Mac ecosystem; however, it is limited to only Apple devices. The Google Chrome web browser has built-in password manager capabilities much like the Apple Keychain. With Chrome being cross-platform, the user is able to take their passwords with them when not on an Android device."
Richards' tips for better authentication include:
- Passwords should be as long as possible and contain a mixture of upper- and lower-case letters, numbers, and symbols.
- Instead of using a single word with variations (for a password), create a three- or four-word sentence. The length and complexity of a sentence greatly reduces the chance of a password being brute-forced in a password cracking attempt.
- Enable MFA where possible on any web application that allows it.
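To put numbers behind the first two tips, the block below checks a password against a length-and-character-class policy and then estimates the guessing work for three cases: a brute-force search over every string of the same length and classes (what complexity rules implicitly assume), a single dictionary word with common variations (what an attacker actually enumerates), and a three- or four-word passphrase drawn from a known word list. This is an added example written for this page, not Synopsys code; the dictionary and word-list sizes, the count of mangling variants, the policy thresholds and the sample passwords are all constructed assumptions.

```python
import math

# Constructed model sizes (assumptions, not figures from the article):
# a common-word dictionary, a Diceware-style list for passphrases, and a
# rough count of "variations" (capitalise, append digits, swap letters for
# symbols) that a guessing tool applies to each dictionary word.
COMMON_WORDS = 100_000
DICEWARE_WORDS = 7_776
MANGLING_VARIANTS = 1_000

def character_classes(password):
    """Which of the four classes from the first tip a password uses."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used

def check_policy(password, min_length=12, min_classes=3):
    """Return the list of rule violations (empty when the password passes)."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < min_classes:
        failures.append(f"uses fewer than {min_classes} character classes")
    return failures

def naive_bits(password):
    """Work if an attacker tried every string over the classes actually used."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
    alphabet = sum(sizes[c] for c in character_classes(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def mangled_word_bits(dictionary=COMMON_WORDS, variants=MANGLING_VARIANTS):
    """Work when the password is one word plus variations: the guesser
    enumerates every (word, mangling rule) pair, not every possible string."""
    return math.log2(dictionary * variants)

def passphrase_bits(word_count, dictionary=DICEWARE_WORDS):
    """Work for word_count independently chosen words from a list the
    attacker also has: the space grows exponentially with the word count."""
    return word_count * math.log2(dictionary)

def compare(password, word_count=4):
    return {
        "policy_failures": check_policy(password),
        "naive_bits": round(naive_bits(password), 1),
        "single_mangled_word_bits": round(mangled_word_bits(), 1),
        f"{word_count}_word_passphrase_bits": round(passphrase_bits(word_count), 1),
    }

if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ("Summer2023!", "correct horse battery staple"):
        print(repr(pw), compare(pw))
```

For the constructed "Summer2023!" the naive figure is about 72 bits, but because it is a single word with variations the realistic guessing work under this model is closer to 27 bits, while a four-word passphrase from a 7,776-word list sits near 52 bits and grows by about 13 bits per added word.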
