Regularly perform password audits
Ideally, your organization should use an authentication system that allows for password audits, says Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center (CyRC). “Look for things like password reuse across employees or use of common words or common words with simple character replacements. If you uncover a weak password, use the event as a learning opportunity for users.”
Don’t villainize mistakes
Create an environment in which employees feel comfortable raising questions or concerns about security, especially if they suspect they may have slipped up, suggests 1Password’s Davey. “Don’t villainize people,” he says, because they may be afraid to tell you when they’ve made a mistake. “If you know about security issues as they arise, you can act quickly to address the initial threat and take steps to prevent it from happening in the future.”
Require users to generate passwords with all of the character types
This includes upper- and lowercase letters, numbers and symbols, advises Shayne Sherman, CEO of online technology knowledgebase TechLoris. “Use an algorithm that compares passwords to users’ previous passwords to prevent incrementing.”
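The checks in the password-audit tip (reuse across employees, common words, common words with simple character replacements) and in the tip above (all character types, comparison against previous passwords to prevent incrementing) can be combined into one policy check that runs when a user sets a password. The following is an added example, not code from the article or from any of the vendors quoted. It assumes a design in which the audit keeps keyed HMAC-SHA256 fingerprints of passwords rather than plaintext; the four-word common-word list, the substitution map, the key and the usernames are all constructed for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import re

# Constructed sample word list; a real audit would load a large breached-
# password or dictionary list instead.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty"}

# Simple character replacements users apply to common words; the audit
# undoes them before comparing (an assumed, illustrative mapping).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

CHARACTER_CLASSES = {
    "uppercase": str.isupper,
    "lowercase": str.islower,
    "digit": str.isdigit,
    "symbol": lambda c: not c.isalnum(),
}


def normalize(password: str) -> str:
    """Reduce a password to its core word: drop leading/trailing digits and
    symbols (the part users increment), lowercase, undo simple substitutions.
    'Summer2024!' -> 'summer', 'P@ssw0rd1!' -> 'password'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET_MAP)


class PasswordAuditor:
    """Policy checks run when a user sets a password.

    Assumed design: the auditor stores HMAC-SHA256 fingerprints under a
    server-side secret key instead of plaintext. Exact fingerprints index
    which users currently hold a password (reuse across employees);
    normalized fingerprints per user record past passwords (incrementing).
    The login verifier itself stays a salted, slow hash and is not shown.
    Keep the key in a KMS/HSM, separate from the fingerprint tables: with
    the key, fingerprints are as guessable as unsalted hashes.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._holders: dict[str, set[str]] = {}   # exact fingerprint -> usernames
        self._current: dict[str, str] = {}        # username -> exact fingerprint
        self._history: dict[str, set[str]] = {}   # username -> normalized fps

    def _fingerprint(self, text: str) -> str:
        return hmac.new(self._key, text.encode("utf-8"), hashlib.sha256).hexdigest()

    def check(self, username: str, candidate: str) -> list[str]:
        """Return policy findings for a candidate password; empty means accepted."""
        findings: list[str] = []

        missing = [name for name, test in CHARACTER_CLASSES.items()
                   if not any(test(c) for c in candidate)]
        if missing:
            findings.append("missing:" + ",".join(missing))

        core = normalize(candidate)
        if core in COMMON_WORDS:
            findings.append("common-word")

        # Same core word as an earlier password of this user => incrementing.
        if self._fingerprint(core) in self._history.get(username, set()):
            findings.append("increments-previous")

        # Exact password currently held by another employee.
        others = self._holders.get(self._fingerprint(candidate), set()) - {username}
        if others:
            findings.append("reused-by-others")
        return findings

    def record(self, username: str, password: str) -> None:
        """Index a password after the credential store has accepted it."""
        exact = self._fingerprint(password)
        previous = self._current.pop(username, None)
        if previous is not None:
            self._holders[previous].discard(username)
        self._holders.setdefault(exact, set()).add(username)
        self._current[username] = exact
        self._history.setdefault(username, set()).add(
            self._fingerprint(normalize(password)))


def run_demo() -> dict[str, list[str]]:
    """Constructed scenario: two existing employees, then several candidates."""
    auditor = PasswordAuditor(b"constructed-demo-key-not-for-production")
    auditor.record("alice", "Summer2023!")
    auditor.record("bob", "Tr0ub4dor&3")
    return {
        "alice-increment": auditor.check("alice", "Summer2024!"),
        "carol-copies-bob": auditor.check("carol", "Tr0ub4dor&3"),
        "carol-leet-common": auditor.check("carol", "P@ssw0rd1!"),
        "carol-no-classes": auditor.check("carol", "correcthorsebatterystaple"),
        "carol-strong": auditor.check("carol", "Vq7!mZ2#pLw9"),
    }


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(f"{label}: {findings or 'ok'}")
```

Running the module shows each candidate with its findings: Alice's "Summer2024!" is caught as an increment of "Summer2023!", Carol's copy of Bob's password is flagged as reused by another employee, and "P@ssw0rd1!" is rejected as a substituted common word. The fingerprint index exists only to answer these audit questions; it must never replace the salted, slow hash used to verify logins, and the key protecting it needs the same handling as any other credential-store secret.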
The passwordless future is imminent — or is it?
In the near future, will concerns about weak and strong passwords become irrelevant, thanks to alternative forms of authentication such as biometric facial and fingerprint scans? Some cybersecurity experts don’t buy the passwordless dream. “I don’t think we’ll ever be completely free of passwords,” says Mackey of Synopsys CyRC. “Even when single sign-on or social media authentication paradigms are used, there remains a need to identify a user. While biometric solutions offer promise, such solutions are best employed as an additional factor in a multi-factor strategy.”
Biometric authentication has its drawbacks, adds Juniper Networks’ Global Security Strategy Director Laurence Pitt. “One drawback to biometrics is that they can be stolen just as easily as someone can steal your credit card,” he says. “Another drawback is that there are other environments in which these authentication methods just aren’t feasible. This can lead people to default on password-only authentication, which isn’t enough.”
Internet of Things (IoT) devices add yet more complexity to the hope of a passwordless future, says Assaf Harel, chief scientist and co-founder at Karamba Security. “These devices usually come with easy-to-guess or search default passwords. So, they can become a playground for many botnets, such as Mirai, that look for a passive fleet of devices to serve their distributed denial of service campaigns. IoT devices require a fresh look into how to integrate multifactor authentication into single-purpose devices to make botnet recruitment efforts much more difficult.”
Yet, some experts predict we’re on our way to a passwordless future. “Change takes time, but I wouldn’t be surprised if we eventually live in a passwordless world,” says Peter Purcell, co-founder of EVAN360, a remote technology support platform. In the meantime, Purcell says security measures such as face and fingerprint scans, USB security keys and voice biometrics will increasingly give enterprises more advanced user authentication.
For example, Purcell points out that in 2017, Google began requiring all employees to use physical security keys in place of passwords and one-time codes. The company reported one year later that none of its employees had been successfully phished as a result.
Biometrics “will certainly free us from passwords and make authentication easier and more reliable,” adds McAfee CIO Scott Howitt. “In the past, the problem with biometrics, such as facial recognition, was the amount of computer horsepower needed to run systems like that. Today, these systems run in the cloud and are fast and efficient. The key is that biometrics must be easy to use as well as reliable. Users have to be able to trust that whatever biometrics they set up actually work to make their lives easier rather than more difficult.”
Ultimately, the transition to “truly passwordless authentication is going to be a journey,” says Jim Ducharme, RSA’s vice president of identity and fraud and risk intelligence products. “Today, all passwordless authentication is rooted and reliant on a password and username for account enrollment and recovery. While passwordless authentication such as face and fingerprint ID is common on many devices, accounts are still established with a password, and if your device is lost or stolen, the account is recovered using a password.”
To achieve a passwordless world, then, we need an approach that considers credential enrollment, recovery and ways for users to securely authenticate on devices that don’t support biometrics or Fast Identity Online (FIDO) capabilities.
“These new methods of authentication, combined with more secure enrollment and recovery mechanisms, and layered with risk-based authentication, are the keys to eliminating the use of passwords completely,” Ducharme says. “Or at least, they’ll allow us to dramatically reduce the complexity of a password to look more like a simple four-digit PIN.”