Users can’t let go of passwords, despite all the risks and stress
Cloud professionals should rethink their reliance on passwords to secure their systems, according to new research.
A recent survey by Beyond Identity (opens in new tab) found that over four fifths are confident in the effectiveness and security of passwords, with over a third stating they are very confident.
However, Beyond Identity believes this confidence is misplaced, as passwords have “inherent security vulnerabilities, value as a target for threat actors, and [there are] widespread frustrations around password hygiene requirements.”
Over confidence
The firm also cited research (opens in new tab) which found that bad password habits are routinely exploited by threat actors, and 80% of all breaches are achieved using identities which have been compromised.
Despite the confidence, the survey also found discontent among the cloud professionals regarding the hygiene requirements for password-based systems. Their frustrations were caused by having to remember multiple passwords (60%), having to change them regularly (52%), and having to choose long and complex strings (52%).
A quarter use between 4-5 passwords a day, and a tenth use 10 or more. Over a third of organizations also recommend passwords be changed quarterly, whilst just under a third recommend monthly, and 6% recommend daily or weekly changes. And despite the effort involved, Beyond Identity claims that such practices result in “minimal security benefits.”
Even though using the a password manager and best password generator can greatly ameliorate these issues, the other serious security issue with passwords is their vulnerability to phishing. Over a third of cloud professionals said they had flagged between one and three phishing emails they received, whilst 18% had flagged between four and six and close to a quarter had flagged seven or more.
More concerning was the fact that 11% said they didn’t flag a phishing email they received and a fifth weren’t sure whether they had mistakenly clicked on a malicious link in an email. A fifth also reported that they knew of colleagues who had clicked on them, and a quarter said they have clicked on them themselves – with some doing so regularly.
When it came to multi-factor authentication (MFA), 82% cloud firms employed it, with the most popular method being the use of a mobile authenticator app. Over half were also very confident in MFA as a security measure.
Again, though, Beyond Identity claims MFA may not be as secure as professionals believe, refencing the breaches suffered by the likes of Reddit and Uber where MFA was compromised.
The solution, then, is to use passwordless systems, such as passkeys, which are phishing resistant as there are no credentials to go after. A cryptographic key is stored on a users device and combines with the public key of the given service to provide user access. No one – not even the user – knows what the private key is.
“If you want to eliminate the risk of a breach, you need these foundational systems in place. This research highlights a critical need for cloud organizations to update their prehistoric systems and focus on passwordless authentication and phishing-resistant MFA,” said Patrick McBride, Co-founder of Beyond Identity.