There really is a day for everything and today we celebrate the humble password. This annual event, which seems to have slipped past the notice of the trendy people on the social pages of your local newspaper, takes place on the first Thursday in May each year. And it must be special because it even has its own website. But, seriously, passwords remain important so it's worth giving them some extra thought and, perhaps, planning for their demise.
Passwords remain a necessary, albeit annoying, part of your security strategy. And while the trusted mantra of "uppercase, lowercase, number and symbol" for creating a password, along with the need to change it regularly every month or so, remains a staple for IT and security admins, even the guy who created those rules regrets putting them on paper.
The trouble is, those password rules make life harder for users, so they look for ways to circumvent them, such as changing a number on the end of a password, using easy-to-recall words, or writing passwords down and sticking them under the keyboard in case they forget them. All of those things render passwords pretty much useless. Of course, the security industry responded by building systems that make life even more difficult for users: they block the very habits that help people remember passwords, enforcing rules about repeated characters, forbidding the re-use of an old password and so forth.
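To make the contrast concrete, here is an added example (not from the article or any vendor quoted in it) that puts the legacy composition rule beside a check based on length, a blocklist and rejecting trivial tweaks of the previous password. The blocklist contents and the sample passwords are constructed for the example.

```python
import re

# Constructed sample blocklist standing in for a breached/common-password
# corpus; a real deployment would load a much larger list (assumption).
COMMON_PASSWORDS = {"password", "password1", "welcome1", "summer2018", "letmein"}


def legacy_rules_ok(password):
    """The classic 'uppercase, lowercase, number and symbol' composition rule."""
    return (len(password) >= 8
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


def _core(password):
    """Strip the trailing digits/symbols users bump on each forced rotation."""
    return re.sub(r"[0-9\W_]+$", "", password).lower()


def modern_rules_ok(password, previous=None, blocklist=COMMON_PASSWORDS):
    """Length + blocklist + 'not a trivial tweak of the old one'; no class rules.

    This is the kind of policy that makes the sticky-note workaround unnecessary:
    a long passphrase passes, while 'Summer2018!' -> 'Summer2019!' does not.
    """
    if len(password) < 12:
        return False
    # Compare both the raw lowercase form and a letters+digits-only form
    # against the blocklist so 'P@ssword1' style decoration does not help.
    normalized = re.sub(r"[^a-z0-9]", "", password.lower())
    if password.lower() in blocklist or normalized in blocklist:
        return False
    # Reject the 'change the number on the end' rotation the article describes.
    if previous is not None and _core(password) == _core(previous):
        return False
    return True


if __name__ == "__main__":
    for pw, prev in [("Summer2018!", None),
                     ("CorrectHorse2019!", "CorrectHorse2018!"),
                     ("correct horse battery staple", None)]:
        print(f"{pw!r:32} legacy={legacy_rules_ok(pw)} modern={modern_rules_ok(pw, prev)}")
```

The first password satisfies every composition class yet is a blocklisted word plus a year; the passphrase fails the legacy rule and passes the modern one.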
Two-factor or multi-factor authentication (2FA or MFA respectively) is popular and a step towards compensating for weak passwords, but the password itself remains an easy yet potentially weak way to protect systems.
As Niall King, Senior Director for access management company Centrify, puts it: "Relying on passwords alone to protect your online identity and assets is like trying to ward off a rainstorm with a sheet of paper - it's just not up to the task".
Another challenge is password reuse. The idea of a password was conceived back at a time when there were just a handful of computers in the world. Now we each have a handful of different computing devices, connecting to hundreds of services at our fingertips. That leads to password reuse. It's convenient for users, but it means a single data breach can result in a cascade of data losses and account compromises. There have been several attacks in which credentials stolen in one breach were used to access other services.
Password managers are a great tool for managing this: you remember only one master password, and the passwords for other systems are stored in an encrypted database. At an enterprise level, single sign-on solutions let users authenticate once, strongly, and then access other systems.
I first tested biometric devices, like fingerprint scanners, back in the late 1990s and they were terrible. But fingerprint and facial recognition are reliable and robust enough to let us access smartphones and other devices today. We see that with Microsoft's Windows Hello system, Apple's FaceID and TouchID, and other similar systems on Android and other platforms.
"Instead of celebrating passwords, we should ditch them in favour of new tools like two-factor authentication to better protect our online selves. It's time to kill the password," added King.
Update your strategy
So, what's the point of World Password Day? Rather than thinking purely about how to strengthen your password strategy, it's a good reminder to take a step back and reconsider how you protect data.
Rupert Taylor-Price, Founder and CEO of Vault Systems, said: "World Password Day gives people a reason to step back and re-assess how secure their data truly is and to analyse where they can apply further security measures".
Something that is becoming a catch-cry across the security industry is that identity is the new perimeter. Security strategies need to evolve for a new world. Rather than protecting systems, we need to take an information-centric approach. In the past, a username and password were all that identified a user. But we need a more complete view of identity today, as people access information from more devices, across more locations and at more times than ever before.
Matthew Brazier, Regional Director for ANZ at CyberArk, adds: "Increasingly common attack vectors allow hackers to bypass passwords and breach desktops, laptops, servers, cloud platforms and applications. Additional layers of authentication can help to enhance protection on the perimeter, while securing the network beyond the endpoint has become an essential step in protecting businesses against the advanced threat landscape".
By making passwords more complex and forcing users to change them more often - which is really a way of saying we expect passwords to be compromised, so we make you change them to limit the damage - we shift the onus of protecting the business from the security team onto end users. That's not to say end users don't have a role in security. But we need to look for ways to simplify access.
World Password Day may seem like a dumb idea. I suggest using it as an opportunity to reflect on how you understand identity and use that to ensure access to systems is only given to authorised parties at the right time.
Perhaps your World Password Day resolution can be to create a plan to completely ditch passwords in favour of a more secure and less annoying-for-users solution by 2 May 2019 - the next time it rolls around.