Are passwords still fit for purpose?
Amid the rise in cybersecurity incidents that has accompanied the coronavirus pandemic, the most common way of breaking into a system remains weak password security. The humble password has been at the forefront of cybersecurity since the earliest digital devices, and it remains the bulwark of our defenses today.
This is largely because passwords are very easy to use, and even if they're compromised, they can be easily replaced. What's more, they don't suffer from compatibility issues, and you don't need any additional hardware to use them. They're also incredibly cheap to implement, so organizations across the world love using them. The problem is that passwords can be compromised in a panoply of different ways, which makes them a fairly porous first line of defense against attackers.
This doesn’t appear to be dissuading us from using them, however, as data from the 2020 Thales Access Management Index reveals. The study of around 400 senior IT decision-makers from across Europe and the Middle East found that nearly 1 in 3 organizations still see the humble username and password as one of their most effective security tools.
Wedded to a failing method
What’s more, despite the late Fernando Corbato, the creator of the static password, having stated repeatedly in his final years that passwords are a poor approach to security, the Thales data found that 67% of organizations are likely to grow their use of usernames and passwords in the years ahead. For many IT managers, this is because the username and password combination is very well known at board level, which makes it a much easier sell than more complex, yet more effective, methods.
The survey goes on to reveal that security concerns are growing across the EMEA region, with the majority of IT managers highlighting unprotected infrastructure as their main concern. As a result, Thales believes that any organization relying on passwords alone to keep such important infrastructure secure is leaving itself extremely vulnerable.
“As more and more businesses move to adopt cloud-based services for CRM, email, employee collaboration, and IT infrastructure as part of their digital transformation strategies, the struggle to extend old solutions, designed to protect internal resources, to the outside world becomes very problematic,” Francois Lasnier, Vice President for Access Management at Thales, says. “Often, in an effort to adapt to the new working habits of users connecting from anywhere, which is increasingly pertinent right now and will become standard moving forward, businesses tend to revert back to old password-based logins for cloud services in despair. This is knowingly increasing their security exposure to credential stuffing and phishing attacks.”
Security versus convenience
With the coronavirus forcing so many of us to work from home, often with quite ad hoc systems, there is a clear desire among many organizations to plump for convenience over security to ensure that their workforce can remain plugged in. This is reflected in the Thales data, with nearly 70% of IT managers revealing they had been put under pressure to ensure that convenient access to applications and cloud services was provided to employees. That they were also being pressured to ensure this access was given in a secure way underlines the challenges faced.
A common solution to this conundrum appears to be strong authentication and access management solutions, which nearly all respondents revealed they were using to facilitate cloud adoption in a secure manner. Over three-quarters of IT managers also thought that employee authentication needed to do more to support secure access to a wide range of services, whether in the cloud or on virtual private networks.
The strong support for passwords has prompted many IT managers to try to make them more robust. For instance, nearly all had updated their security policies around access management in the past year, with around half providing staff with specific training on access management. While this has its roots in better security, there is also a strong compliance angle, with nearly all European IT managers citing GDPR compliance as a key factor in their efforts to bolster access management procedures.
It’s likely to be an ongoing battle, however, and IT managers hope that greater awareness of cybersecurity, and indeed the presence of IT executives on company boards, will encourage greater investment into things such as biometric authentication and smart SSO. Despite general optimism towards these technologies, many still believe the use of usernames and passwords will continue in the years ahead.
“For a long time, the biggest battle IT leaders have faced is increasing board awareness around taking the threat of security seriously,” Lasnier concludes. “Now that they have that buy-in, the focus should be on highlighting the importance access management plays in implementing a zero-trust security policy to their executive management. With this in place, risk management professionals will be able to put in place a ‘Protect Everywhere - Trust Nobody’ approach as they expand in the cloud.”