Passwords are here to stay – how can we better protect them?

Written by Steve Bradford, Senior Vice President EMEA at SailPoint

Passwords will remain central to login verifications online for years to come, so this World Password Day, it’s important to make sure we’re taking the right steps to keep these secure and robust.

Poor password hygiene drastically increases the attack surface of companies. According to a recent study by LastPass, 65% of users still use the same or very similar password for multiple accounts. The research also found that compromised passwords are among the main causes of data theft, with login data hacked in 80% of these cases.

Although both company managers and employees are aware of the risks, many organisations are still struggling to implement and, above all, enforce an effective password policy. This is not only a consequence of the pandemic and the accompanying shift towards decentralised working models, during which it was sometimes common practice to pass on login data within the workforce. Weak passwords are also an underestimated problem: according to the Hasso Plattner Institute (HPI), simple numerical sequences, “hello” or “password” are still very popular when choosing a password.

Creating risk awareness, offering additional protection

Many users are unaware of the risks of using the same passwords for work and private accounts. Once a cybercriminal has gained access to an account via compromised login credentials, it is easy for them to move freely around the network and shimmy their way to the most sensitive data. For this reason, it’s imperative that passwords are changed regularly, at least every three months. Holding on to used login data for too long is far too risky.

Companies themselves can also take proactive measures to avoid pitfalls on the one hand and provide additional protection on the other. First, an effective password policy should be communicated clearly and understandably, so that no misunderstandings arise. To better protect critical data, companies should also embrace multi-factor authentication (MFA). Although it still requires a password, it provides another layer of protection. Single sign-on (SSO) offers an alternative to constantly entering passwords, requiring only one login that applies not only to the identity provider but also to all other assigned applications.

Certainly, passwords could soon disappear completely from our everyday lives – but alternative authentication factors do not necessarily have to be more secure. The key here is to weigh things up carefully and examine the strengths and weaknesses of each authentication method, taking into account the factors of security, user-friendliness and cost.

For example, while FIDO authenticators are easy to use and difficult to steal remotely, a defective or lost security key could cause problems. On the other hand, fingerprint or facial recognition cannot be stolen, but is not universally usable either.

So, since the combination of a username and password will be with us for a while, companies should do everything they can to establish good password hygiene, while also putting their access practices to the test.