We all like to assume that IT security professionals practice what they preach when it comes to good practices. Wariness when clicking on links or downloading attachments from unknown senders – obviously. Keeping software up-to-date and deploying the latest versions of antivirus and other protections – sure thing. Regularly changing passwords – um, not so much.
A recent survey of almost 300 IT security professionals at the RSA Conference in San Francisco found that 33% had not changed their social network passwords in over a year, while another 20% claimed never to have changed these passwords.
OK, but surely these cybersecurity pros were at least constructing strong, hard-to-guess passwords? Again, not so. Nearly 30% of the same survey participants confessed to relying on easily guessable information such as their children’s names, birthdays and addresses for their social network passwords.
It’s easy to see why these practices are so problematic. Rarely (or never) changed passwords, and those that are easy to guess in the first place, are an open invitation to malicious cybercriminals, who often specifically target popular services like social media sites for harvesting login credentials. If any of those stolen credentials are then duplicated across other services – and, let’s face it, with password practices as weak as this, it seems likely that they will be – then those malicious hackers could potentially walk straight into sensitive areas of corporate infrastructures, online banking sites, and the list goes on…
Yet it’s also easy to see why the security pros who certainly know better are failing to practice what they preach. Username/password combinations are still an integral part of how much online security works – which means that the average user has to remember dozens, if not hundreds of them. The fundamental building blocks of good password practice – setting strong, unique passwords and changing them regularly – are increasingly difficult to manage when individual users have so many to remember. Password vaults, which help users to manage hundreds of different passwords, are one option, but the article above suggests that these simply aren’t being used among security professionals, let alone average users.
Happily, there is another alternative. Rather than trying to make it easier for users to work with an out-of-date mechanism – that is, the use of a single username/password combination to authenticate access to a site or service – we need to shift to a whole new mechanism, one that is more in keeping with today’s dynamic cyber risk landscape.
This is where multi-factor authentication (MFA) comes in. It’s an area we’ve written widely on – you can read one such article here. Essentially, MFA works by introducing an additional layer of verification after the initial password request. This might be through biometric information such as fingerprints or iris scans – though in certain contexts this is complex and cost-prohibitive. Far more cost-effective and realistic for many organizations is verification via a time-sensitive or single-use token that is texted to the user after the initial password is entered.
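As an added example (not from the original post), the server-side check behind such a time-sensitive, single-use token can look like this in Python; the `OtpService` class, its two-minute lifetime and its three-attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

# Assumed policy values: a code is valid for two minutes and three wrong guesses.
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


class OtpService:
    """Issues and verifies one-time codes. In-memory store for illustration only."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised in tests
        self._pending = {}       # user -> (code, expiry timestamp, attempts left)

    def issue(self, user):
        # Six random digits from the OS CSPRNG; returned here so the caller can
        # hand it to the SMS gateway. It must never be written to logs.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[user] = (code, self._now() + OTP_TTL_SECONDS, MAX_ATTEMPTS)
        return code

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False                      # nothing issued, or already consumed
        code, expires, attempts = entry
        if self._now() > expires:
            del self._pending[user]           # time-sensitive: expired codes are discarded
            return False
        # Constant-time comparison so response timing leaks nothing about the code.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self._pending[user]           # single-use: consumed on first success
            return True
        attempts -= 1
        if attempts <= 0:
            del self._pending[user]           # too many wrong guesses: code is revoked
        else:
            self._pending[user] = (code, expires, attempts)
        return False
```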
To intercept such a token is dramatically more difficult for a malicious hacker than cracking a password, or even stealing thousands of passwords in a mass credentials theft. Such cybercriminals would have to either steal an individual user’s phone, or somehow intercept the SMS at the precise moment of logging in. Given that cybercriminals largely target low-hanging fruit, introducing MFA is a remarkably simple and cost-effective way of shoring up your cybersecurity posture.
The cybersecurity professionals at your business may not be practising what they preach in terms of password practice, but this isn’t a reason to berate them – they are not alone! Instead, why not take a more forward-thinking approach to your password protections across your organization?