Recently we asked our Operations Director (Cybersecurity) whether the traditional password can still provide adequate security. We also wanted to know if there are potential alternatives to the standard security we currently have. His response is detailed below…
Passwords are still fundamentally core to the user experience in relation to authentication controls. For the most part, technically speaking, there is no reason that the usage of passwords cannot be considered to be secure. A user who utilizes a password manager tool to set strong 64+ character randomized passwords is realistically never going to be compromised by a direct brute-force guessing attack, unless of course poor practices are being followed, such as the re-use of passwords, not changing passwords following a known data breach, and so forth.
However, as the vast majority of users are likely to re-use a password or password pattern between websites and software applications, and users continue to use passwords that would be considered weak due to their length or complexity, or because they are based on a word or phrase, it is imperative that additional factors are made available or, ideally, enforced for users. The use of a One-Time Password or something like a physical smart-card, when used in conjunction with strong passwords, would significantly increase the barrier to entry if an attacker is performing a credential stuffing attack. There are methods and tools available for attackers to conduct phishing attacks that can bypass two-factor authentication methods, which ultimately is only really ever going to be mitigated by user security awareness training and improvement.
Given the seemingly ever-increasing number of data breaches at both low- and high-profile organizations, it is not just the end users that require a focus on security via authentication controls. In some breaches, there is evidence that password re-use between staff members with different privileged user accounts was found to be the cause. Internal password policies are also crucial to implement, such as using a password manager application per user.
A password policy should not only define the technical requirements for user account password criteria, but it should also present these additional factor controls as a requirement for all services.
Luke Potter oversees SureCloud Cybersecurity Solutions. He also manages our Secure Private Cloud. Luke is a recognized cybersecurity expert. He is a CHECK team leader, Tiger Scheme senior security tester, ISO 27001 lead auditor and Microsoft Certified enterprise administrator. Previously, Luke managed the IT team at a large UK insurance brokerage.
SureCloud also offers a wide range of Cybersecurity testing and assurance services, where we stay with you throughout the entire test life-cycle from scoping through to vulnerability discovery and remediation. Certified by the National Cyber Security Centre (NCSC) & CREST and delivered using the innovative Pentest-as-a-Service (underpinned by a highly configurable technology platform), SureCloud acts as an extension of your in-house security team and ensures you have everything you need to improve your risk posture.