Passwords may be one of the oldest forms of guaranteeing information and system integrity and security, yet they are often overlooked in favour of more advanced methods such as facial recognition or fingerprint scanning. Despite this, the humble password remains a powerful tool for maintaining information and system security, but it needs to be used effectively, explains Mark Sinclair, ANZ director of WatchGuard Technologies.
Start a conversation about IT security and it won’t be long before the subject of passwords is raised.
A cornerstone of security infrastructures for years, passwords, when used as the sole authentication method, have become a real security challenge for businesses. This is mainly due to the inherently insecure nature of passwords. Lax practices such as writing them down and never changing them can make them a relatively easy gateway into centralised IT resources.
As a result, some envision a password-less future where other security measures will take their place. If passwords are replaced by just a biometric or a hardware token, the result is still only a single factor of authentication. While probably better than a password, these still fall well short of strong authentication.
To secure business assets, strong authentication should feature multiple factors of authentication:
- Something you know (a password or a PIN);
- Something you have (a security token or smartphone);
- Something you are (a biometric); and
- Somewhere you are (geolocation).
A layered approach
Passwords are destined to remain key when creating secure infrastructures, but will represent just one component of a more sophisticated authentication process.
For this reason, ensuring passwords remain secure is important. Some of the steps that can be taken to ensure this include:
- Use long passwords of more than 16 characters to improve their security against brute-force attacks;
- Consider using non-English words to help guard against so-called ‘dictionary attacks’; and
- Adopt a password manager to avoid having to remember large numbers of individual passwords for different applications.
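The three steps above can be turned into a simple policy check. The following is an added example, not code from the article or from WatchGuard: it measures a candidate password's length against the 16-character recommendation, estimates the brute-force search space from the character classes used, flags common dictionary words embedded in it, and shows the kind of random password a password manager would generate instead. The word list and the assumed guessing rate of ten billion guesses per second are constructed for illustration.

```python
import math
import secrets
import string
from dataclasses import dataclass, field

# Constructed, tiny stand-in for a real cracking wordlist (real lists hold
# millions of entries). Lower-cased so matching is case-insensitive.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey",
                     "letmein", "football", "qwerty"}

MIN_LENGTH = 16            # the article's recommendation
ASSUMED_GUESSES_PER_SEC = 1e10  # assumption: an offline cracking rig's rate

@dataclass
class PasswordReport:
    length_ok: bool
    charset_size: int
    keyspace_bits: float          # log2 of the brute-force search space
    years_to_exhaust: float       # at ASSUMED_GUESSES_PER_SEC
    dictionary_hits: list = field(default_factory=list)

def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover, from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # 32 printable ASCII symbols
    return size

def dictionary_hits(pw: str, wordlist=SAMPLE_DICTIONARY) -> list:
    """Dictionary words that appear anywhere inside the password (case-insensitive)."""
    low = pw.lower()
    return sorted(w for w in wordlist if w in low)

def evaluate(pw: str, guesses_per_sec: float = ASSUMED_GUESSES_PER_SEC) -> PasswordReport:
    """Apply the article's guidance: length, brute-force cost, dictionary words."""
    cs = charset_size(pw)
    keyspace = cs ** len(pw) if cs else 0
    bits = math.log2(keyspace) if keyspace else 0.0
    years = keyspace / guesses_per_sec / (365.25 * 24 * 3600)
    return PasswordReport(
        length_ok=len(pw) >= MIN_LENGTH,
        charset_size=cs,
        keyspace_bits=bits,
        years_to_exhaust=years,
        dictionary_hits=dictionary_hits(pw),
    )

def generate_password(length: int = 20) -> str:
    """What a password manager does: a uniformly random string from a large alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for candidate in ("Password1!", "kiwi-fjell-zumba-quietude", generate_password()):
        r = evaluate(candidate)
        print(f"{candidate!r}: length_ok={r.length_ok} bits={r.keyspace_bits:.1f} "
              f"years={r.years_to_exhaust:.3g} dictionary={r.dictionary_hits}")
```

The length check and the dictionary check are deliberately separate: a short password drawn from a large alphabet and a long one built from a common word both fail, for different reasons, and the report says which.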
The importance of multi-factor authentication
An effective layered approach to security uses multi-factor authentication (MFA). Passwords are one element of MFA, which also requires other factors such as a generated PIN or fingerprints and facial scans.
It’s important to note, however, that not all MFA platforms are created equal, and some are more secure than others. For example, the most common approach – where a user receives a text message containing a generated code that must be entered to gain access to a system – has a weakness because it is possible for a hacker to intercept the message and gain access.
A much better approach is to adopt a push notification-based solution. This approach makes use of an encrypted channel to send authentication request verifications to a user’s smartphone. Because of the way in which this notification is sent, it is significantly more secure than a text message-based equivalent. It is also just as convenient.
To make things even more secure, organisations can require users to provide a third type of authentication when requesting access. For example, users may need to enter a password, approve a secure push notification, and offer a biometric factor such as a fingerprint. All three must be provided before any access is granted.
While there may initially be pushback from users when required to take these extra steps, the additional security they provide is well worth the effort. Take the time to explain to your IT users why the new requirements are being put in place and the benefits that they deliver.
Maintaining passwords as part of an MFA-based authentication system makes sense and is likely to remain the best approach for organisations for some time to come. If you are still relying on passwords alone, now is the time for change.
Mark Sinclair is the ANZ regional director of WatchGuard Technologies.
For over 20 years, WatchGuard has pioneered cutting-edge cyber security technology and delivered it as easy-to-deploy and easy-to-manage solutions. With industry-leading network and endpoint security, secure Wi-Fi, multi-factor authentication, and network intelligence products and services, WatchGuard enables more than 80,000 small and midsize enterprises from around the globe to protect their most important assets, including over 10 million endpoints.
In a world where the cyber security landscape is constantly evolving, and new threats emerge each day, WatchGuard makes enterprise-grade cyber security technology accessible for every company. WatchGuard is headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia-Pacific, and Latin America.