In an era where digital security is more important than ever, passwords remain the gatekeepers to an organization’s entire ecosystem. Despite the increased use of multi-factor authentication (MFA) and biometric scanning, passwords remain indispensable.
Their significance is underscored by their simplicity and the immediate layer of security they provide to online accounts, which in turn protects organizational data and systems. Yet their effectiveness depends directly on the user – specifically, how willing they are to create unique passwords despite the inconvenience and how diligently they manage them.
VP of Threat Intelligence, Egress.
Old is gold
The fact that passwords remain a primary security measure is a testament to their convenience. While biometrics, physical keys like YubiKey, and advanced authentication methods offer promising improvements, passwords are still the foundation of security defenses around the world; a fact highlighted by recurring themes throughout Cybersecurity Awareness Month and echoed by cybersecurity experts.
Yet many people tend to create passwords that are both predictable and memorable, often at the expense of security. A study by the National Cyber Security Center found that 23.2 million accounts worldwide used “123456” as a password, indicating a general tendency toward simplicity and familiarity. Additionally, users often include personal information, such as birthdays or names, in their passwords, which attackers can easily guess or discover through open-source intelligence or social engineering. The tendency to reuse passwords across multiple sites also remains widespread.
This behavior reflects a broader psychological tendency to value convenience and cognitive ease over safety, underscoring the need for better user education.
Strong passwords are an important first line of defense
The emphasis then shifts to strengthening passwords as an organization’s first line of defense. This is because recent research has shown that 58% of organizations have experienced account takeover (ATO) incidents in the past 12 months, 79% of which started with a phishing attack that harvested an employee’s credentials. 51% also fell victim to phishing attacks sent from compromised supply chain email addresses. Organizations must not allow weak passwords to lead to ATO and future email-based attacks.
An additional threat that goes beyond email is that once an attacker gains access to a single password – through credential harvesting or social engineering tactics – they can unlock not just one account, but multiple accounts, especially if someone practices poor password hygiene by repeating passwords across platforms. This domino effect can increase the vulnerability of organizational data exponentially, as it’s like using a single key to unlock every door in an office building; if a bad actor gets hold of that key, nothing is safe.
In line with this threat, the UK government’s recent Product Security and Telecommunications Infrastructure (PSTI) legislation is a very significant development. The PSTI regulation requires internet-connected smart devices, including mobile phones and laptops, to meet minimum security standards by preventing users from creating passwords that can be guessed, such as ‘admin’ or ‘12345’. This legislation in the UK represents a positive step forward, as poor password hygiene practices are something that no organisation can afford in this day and age.
How can organizations ensure that their employees use strong passwords?
First, a strict password protocol is a fundamental defense mechanism. It is wise to change passwords frequently, discourage repetition, and require high complexity—including numbers, symbols, and multiple characters—to enhance security against unauthorized access. To support this, employees should be given access to a password manager. By reducing the need to remember login credentials, password managers provide employees with a uniform and highly secure repository of distinctive passwords, making them extremely difficult for hackers to crack.
Strong, unique passwords, managed through trusted password managers and reinforced by practices like regular updates following breaches, are a comprehensive strategy that can adapt to changing credential harvesting efforts. This approach not only strengthens security, but also cultivates a culture of cybersecurity awareness and responsibility. At its core, passwords may be an old guard in the digital realm, but they’re here to stay, evolving alongside new security paradigms to protect our digital ecosystems.
We provide an overview of the best password generators.
This article was produced as part of Ny BreakingPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of Ny BreakingPro or Future plc. If you’re interested in contributing, you can read more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro