The critical importance of robust password practices


In an era where digital security is more critical than ever, passwords continue to be the gatekeepers to an organization's entire ecosystem. Despite the increased use of multifactor authentication (MFA) and biometric scans, passwords remain indispensable. Their significance is underscored by their simplicity and the immediate layer of security they offer to online accounts, which in turn protects organizational data and systems. Yet, their effectiveness depends directly on the user – specifically, how willing they are to create unique passwords despite the inconvenience and how diligently they manage them.

Jack Chapman, VP of Threat Intelligence, Egress.

Old is gold

The persistence of passwords as a primary security measure is a testament to their convenience. Whilst biometrics, physical keys like YubiKey, and advanced authentication methods offer promising enhancements, it is still passwords that form the bedrock of security defenses across the globe, a fact highlighted by recurring themes in Cybersecurity Awareness Months and echoed by cybersecurity experts.

Yet many individuals tend to create passwords that are both predictable and easily memorable, often at the expense of security. A study by the National Cyber Security Centre found that 23.2 million accounts globally used "123456" as a password, highlighting a common tendency towards simplicity and familiarity. Furthermore, users frequently incorporate personal information, such as birthdays or names, into their passwords, which attackers can easily guess or find through open-source intelligence or social engineering. The inclination to reuse passwords across multiple sites also remains widespread.

These behaviors reflect a broader psychological tendency to prioritize convenience and cognitive ease over security, underscoring the need for better user education.

Strong passwords are a key first line of defense

The emphasis, then, shifts to strengthening passwords as an organization's first line of defense. The reason is that recent research has revealed that 58% of organizations have experienced account takeover (ATO) incidents in the last 12 months, with 79% of these starting from a phishing attack that harvested an employee's credentials. A further 51% fell victim to phishing attacks sent from compromised supply chain email addresses. So, organizations must not let weak passwords spiral into ATO and future attacks over email.

An additional threat beyond email is that, once an attacker has gained access to one password, be it through credential harvesting or social engineering tactics, they might unlock not just a single account but several, especially if an individual practices poor password hygiene by repeating passwords across different platforms. This domino effect can exponentially increase the vulnerability of organizational data: it is similar to using a single key to unlock every door in an office building; if a malicious actor gets hold of it, nothing inside is safe.

In line with this threat, the United Kingdom government's recent Product Security and Telecommunications Infrastructure (PSTI) legislation is a highly significant development. The PSTI regulation mandates that internet-connected smart devices, including personal mobile phones and laptops, meet minimum security standards by preventing users from creating guessable passwords like 'admin' or '12345'. This legislation in the UK represents a positive stride forward, as poor password hygiene practices are not something any organization can risk today.

How can organizations ensure strong employee passwords?

Firstly, a stringent password protocol is a foundational defense mechanism. It is prudent to frequently modify passwords, discourage repetition, and require high complexity, including numbers, symbols, and sufficient length, to boost safeguards against unauthorized access. To aid this, employees should be provided with access to a business password manager. By reducing the demand for memorizing credentials, password managers offer employees a unified and highly secured repository for distinctive passwords, making them extremely challenging for hackers to decipher.
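As an added example (not code from the article or from Egress), the following Python acceptance check applies the policy described above and the PSTI passage earlier: it rejects blocklisted guessable values such as '123456' and 'admin', passwords built from personal details such as names and birth years, passwords lacking complexity, and reuse of a previous password, which is kept only as a salted hash. The blocklist and the user attributes are constructed sample data.

```python
import hashlib
import hmac
import os
import re

# Constructed blocklist for this example; a deployment would load a large list of
# breached and common passwords. The values the article names are included.
COMMON_PASSWORDS = {"123456", "12345", "admin", "password", "qwerty", "letmein"}


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so the reuse check below can compare against
    previous passwords without ever storing them in the clear."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def check_password(candidate: str, user_attrs: dict[str, str],
                   history: list[tuple[bytes, bytes]], min_length: int = 12) -> list[str]:
    """Return the reasons a new password should be rejected (empty list = accepted)."""
    reasons: list[str] = []
    lowered = candidate.lower()

    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    # Guessable values: exact blocklist hits, and blocklist words padded with digits
    # or symbols ("Password1!" is still "password").
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in COMMON_PASSWORDS or letters_only in COMMON_PASSWORDS:
        reasons.append("guessable: appears on the common-password blocklist")

    # Personal details (names, birth years, usernames) are easy to find or guess.
    for attr, value in user_attrs.items():
        if len(value) >= 3 and value.lower() in lowered:
            reasons.append(f"contains personal detail '{attr}'")

    # Complexity: at least three of lowercase, uppercase, digits and symbols.
    classes = [bool(re.search(p, candidate)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")]
    if sum(classes) < 3:
        reasons.append("needs at least three of: lowercase, uppercase, digits, symbols")

    # Reuse: rehash the candidate with each stored salt and compare in constant time.
    for salt, digest in history:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            reasons.append("reused: matches a previous password")
            break

    return reasons
```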

Strong, unique passwords, managed through reliable password managers and fortified by habits such as regular updates following breaches, form a comprehensive strategy that can adapt to evolving credential harvesting attempts. This approach not only bolsters security but also cultivates a culture of cybersecurity awareness and responsibility. In essence, while passwords may be an old guard in the digital realm, they are here to stay, evolving alongside new security paradigms to safeguard our digital ecosystems.


This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc.
