The critical importance of robust password practices

In an era where digital security is more important than ever, passwords remain the gatekeepers to an organization’s entire ecosystem. Despite the increased use of multi-factor authentication (MFA) and biometric scanning, passwords remain indispensable. Their importance is underscored by their simplicity and the immediate layer of security they provide to online accounts, which in turn protect organizational data and systems. Yet their effectiveness depends directly on the user – specifically, on their willingness to create unique passwords despite the inconvenience and how carefully they manage them.

Jac Chapman

VP Threat Intelligence, Egress.

Old is gold

The persistence of passwords as a primary security measure is a testament to their convenience. While biometrics, physical security keys such as YubiKey, and other advanced authentication methods offer promising improvements, passwords are still the foundation of security measures around the world; a fact reflected in the recurring themes of Cybersecurity Awareness Month and echoed by cybersecurity experts.

Yet many people tend to create passwords that are both predictable and easy to remember, often at the expense of security. An analysis of breached accounts by the UK National Cyber Security Centre found that 23.2 million accounts worldwide used "123456" as their password, highlighting the common tendency toward simplicity and familiarity. Additionally, users often include personal information, such as birthdays or names, in their passwords, which attackers can easily guess or find through open-source information or social engineering. The tendency to reuse passwords across multiple sites also remains widespread.

This behavior reflects a broader psychological tendency to prioritize convenience and cognitive ease over safety, underscoring the need for better user education.

Strong passwords are an important first line of defense

Strengthening passwords is therefore an organization's first line of defense. Recent research found that 58% of organizations experienced account takeover (ATO) incidents in the last 12 months, and that 79% of those incidents resulted from a phishing attack that harvested an employee's credentials. 51% also fell victim to phishing attacks sent from compromised email addresses in their supply chain. Organizations cannot afford to let weak passwords be the foothold that turns a phished or guessed credential into an ATO and the email attacks that follow it.

An additional threat beyond email is that once an attacker obtains a single password (whether through credential harvesting or social engineering), they can unlock not just one account but several, especially if the victim practices poor password hygiene by reusing passwords across platforms. Attackers automate this through credential stuffing, replaying leaked username and password pairs against other services to find where they still work. This domino effect can multiply the exposure of organizational data because it is akin to using a single key to unlock every door in an office building; if a malicious actor gets their hands on it, nothing inside is safe.

In line with this threat, the UK government's recent Product Security and Telecommunications Infrastructure (PSTI) legislation is a very important development. The PSTI regulations require internet-connected consumer devices, including smartphones, to meet minimum security standards, among them a ban on easily guessable default passwords such as 'admin' or '12345'. This legislation represents a positive step forward, as poor password hygiene is something that no organization can afford today.

How can organizations ensure strong passwords for employees?

First, a strict password policy is a fundamental defense mechanism. Require length rather than arbitrary composition rules, screen every new password against lists of common and breached passwords, and forbid reuse across accounts. Current guidance (NIST SP 800-63B and the UK NCSC) advises against forcing routine rotation on a fixed schedule, because it pushes users toward predictable variations of the same password; instead, require a change whenever a credential is suspected to have been exposed. To support this, employees should be given access to a corporate password manager. By removing the need to remember credentials, a password manager lets each account have a long, random, unique password and keeps them all in one encrypted vault, making them impractical for attackers to guess or crack.
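The screening policy described above, together with the guessable values the article names ("123456", "admin", "12345") and the personal-information problem from the earlier section, as an added example in Python. This is illustrative code written for this page, not Egress's or the author's own tooling; the deny-list, length floor and sample personal details are constructed assumptions, and a real deployment would check candidates against a full breached-password corpus rather than the handful of entries here.

```python
"""Password screening and generation helpers (added example, not from the
original article). The deny-list and the personal-information sample are
constructed for illustration; in production the deny-list would be a
breached-password corpus checked by hash rather than this short set."""
import re
import secrets
import string

# Constructed deny-list: the guessable values the article names plus a few
# other perennial entries. Matching is case-insensitive.
COMMON_PASSWORDS = frozenset({
    "123456", "12345", "123456789", "password", "qwerty", "admin",
    "letmein", "welcome", "iloveyou", "abc123",
})

# Assumed length floor for this example (the 2017 NIST SP 800-63B floor for a
# user-chosen secret is 8; many organizations set it higher).
MIN_LENGTH = 12


def _sequential(s: str, run: int = 4) -> bool:
    """True if s contains `run` consecutive characters whose code points step
    by exactly +1 or -1 throughout (e.g. '1234', 'abcd', 'dcba')."""
    for i in range(len(s) - run + 1):
        chunk = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _repeated(s: str, run: int = 4) -> bool:
    """True if s contains the same character `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def screen_password(candidate: str, personal_info=()) -> list:
    """Return the reasons the candidate is rejected; an empty list means it
    passed. personal_info holds strings an attacker could discover about the
    user (first name, surname, birth year, username)."""
    reasons = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        reasons.append("on the common-password deny-list")
    if _sequential(lowered):
        reasons.append("contains a sequential run (e.g. 1234, abcd)")
    if _repeated(lowered):
        reasons.append("contains a repeated character run")
    for item in personal_info:
        item = item.lower()
        # Ignore very short fragments so single letters do not trigger a hit.
        if len(item) >= 3 and item in lowered:
            reasons.append(f"contains personal information ({item!r})")
    return reasons


def generate_password(length: int = 20) -> str:
    """Produce the kind of random, unique password a password manager stores
    on the user's behalf, drawn from the OS CSPRNG via `secrets`. Regenerates
    in the unlikely event the output trips one of the screening rules."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not screen_password(pw):
            return pw


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, info in [
        ("123456", []),
        ("JaneSmith1990!", ["Jane", "Smith", "1990"]),
        ("correct horse battery staple", ["Jane", "Smith", "1990"]),
    ]:
        verdict = screen_password(pw, info)
        print(f"{pw!r}: {'accepted' if not verdict else '; '.join(verdict)}")
    print("generated:", generate_password())
```

In production the deny-list lookup is best done against a breached-password service by hash prefix (the k-anonymity range lookup offered by Have I Been Pwned's Pwned Passwords, for example) so that the candidate password never leaves the organization in clear text, and the screening function is run both at password creation and whenever a user changes a password after a suspected exposure.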

Strong, unique passwords, managed by trusted password managers and reinforced by habits such as changing a credential promptly after a breach, provide a comprehensive strategy that can adapt to evolving credential-harvesting efforts. This approach not only strengthens security but also cultivates a culture of cybersecurity awareness and responsibility. While passwords may be the old guard of the digital world, they are here to stay, and they are evolving alongside new security paradigms to protect our digital ecosystems.


This article was produced as part of Ny BreakingPro's Expert Insights channel, where we profile the best and brightest minds in today's technology industry. The views expressed here are those of the author and are not necessarily those of Ny BreakingPro or Future plc.