The Star Late Edition

What’s in a password? Everything, say security experts

- STAFF REPORTER

UNTIL passwordless technologies are more mainstream, it is important to keep following the password complexity best practices and adopt a zero-trust approach to securing systems and data.

This is according to experts as the globe marked World Password Day on Thursday last week. World Password Day was created by cybersecurity professionals in 2013 to encourage good password habits for a safe and secure online environment.

According to Francois Scheün, systems engineer at Fortinet South Africa, passwords are one of the weakest links in the cybersecurity chain.

Despite awareness campaigns around the risks of weak passwords, many users still rely on simple and predictable passwords such as “admin”, “qwerty”, “12345”, and “password”. These passwords can be easily guessed or cracked by hackers using brute force or dictionary attacks, he said.

Scheün noted that one of the reasons users choose weak passwords is that they have difficulty remembering the long and complex combinations of letters, numbers and symbols that make passwords stronger.

“Humans have cognitive limitations when it comes to memorising random strings of characters for every account and site they use. Worse, they tend to reuse the same passwords across multiple sites and accounts,” he said.

Scheün believes that the need for convenience will drive the demand for passwordless authentication.

Passwordless authentication is a method that allows a user to log into a digital resource, such as a banking website, without entering a password. Instead, they are verified and granted access using tools such as biometrics, facial recognition hardware, or digital tokens.

“The ease of use around using passwordless technologies will accelerate their adoption. Users will connect to digital resources with less frustration and more peace of mind, knowing that they are secure,” he added.

“Passwordless authentication is a promising solution to overcome the limitations and risks of passwords. However, passwordless authentication is not yet widely adopted and supported, and it may have its own challenges and drawbacks. Also, not all digital resources and platforms have the capability to support passwordless authentication methods currently, but as adoption grows, this will change.”

He encouraged a zero-trust approach to securing systems and data.

Zero Trust Access is a concept that requires constant authentication and validation of users, devices, and access, and is highlighted by least-privilege access to resources. The first stage in the Zero Trust Access ecosystem is to authenticate and validate the user’s identity and the device from which the user is connected.

MFA (multi-factor authentication) can also help to secure online accounts, adding an extra layer of protection by requiring additional credentials such as an OTP (one-time passcode) that hackers cannot obtain even if they have the username and password.
