Although the world is slowly going back to normal, remote work is still prevalent, and cybercriminals pose a greater risk to organizations than ever. World Password Day is celebrated annually on May 6 and serves as a reminder of how important password security is to organizations across the globe. Use this day to review the password practices your organization relies on and to explore possible alternatives such as PKI.
Happy World Password Day!
Originally created by Intel Security in 2013, World Password Day is celebrated annually on May 6. The day serves as an important reminder to organizations across the globe that password security must remain a high priority for IT and cybersecurity teams. This year is no exception—even with the world beginning to emerge from the COVID-19 pandemic, remote work is still the norm for many organizations, and cybercriminals have used the situation to their advantage. Credential theft, spear phishing, business email compromise (BEC), and other credential-focused attack tactics are on the rise, driving home the need for strong protections and effective cyber hygiene practices. World Password Day represents a perfect opportunity for businesses to reconsider their password practices—and explore potential alternatives.
The Vulnerability of Passwords
For many organizations, username and password combinations remain an important element of authentication. Unfortunately, employees get careless with password security all the time: they reuse passwords across multiple accounts, they share their credentials with colleagues, and they fall victim to social engineering scams. Savvy attackers understand this tendency toward lax security and stand ready to exploit it. Verizon’s 2020 Data Breach Investigations Report indicated that over 80% of hacking-related breaches involved either brute-force password cracking (signifying weak or commonly used passwords) or lost or stolen credentials (indicating poor password security). Even the SolarWinds CEO recently pinned the company’s major breach on an intern using the easily guessed password “solarwinds123”.
When it comes to passwords, much remains outside of the enterprise’s control. IT teams can mandate the use of more complex passwords and force employees to change them regularly, but even these measures come with their own drawbacks. After all, if a password is too complex or short-lived to commit to memory, the employee will likely write it down or store it in an easy-to-remember location. Furthermore, an enterprise ultimately has no way of knowing whether the password an employee chooses is the same password used for a dozen different sites. If a password belonging to that employee was compromised during an unrelated breach, and it is the same password used as a corporate login, the enterprise is at serious risk—and doesn’t even know it.
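One control that narrows the blind spot described above is to screen a candidate password at the moment it is set, before it is accepted, against known-breached and context-specific values, which is the comparison NIST SP 800-63B asks verifiers to perform. The Go program below is an added example written for this page, not Sectigo code: the breached-password corpus is a constructed in-memory map standing in for a range-query service such as Pwned Passwords, the organization name and the 12-character floor are example inputs, and the `sha1Hex`, `lookupRange`, `isBreached` and `screenPassword` names are this example's own. The split into `lookupRange` and `isBreached` shows the k-anonymity property such services rely on: only the first five hex characters of the hash ever leave the client.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strings"
)

// breachedRanges stands in for a breached-password corpus indexed the way range-query
// services (Pwned Passwords, for example) index it: key = first 5 hex characters of the
// SHA-1 hash, value = the remaining 35. It is populated from a few constructed "leaked"
// passwords so the example runs offline; a real deployment would query the service or a
// locally mirrored copy of the list.
var breachedRanges = map[string][]string{}

func init() {
	for _, leaked := range []string{"Password1!", "Summer2021", "letmein"} {
		h := sha1Hex(leaked)
		breachedRanges[h[:5]] = append(breachedRanges[h[:5]], h[5:])
	}
}

// sha1Hex returns the upper-case hex SHA-1 of s (the encoding range-query services use).
func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// lookupRange is the server side of a k-anonymity range query: it sees only a 5-character
// hash prefix, never the password or its full hash, and returns every suffix under it.
func lookupRange(prefix string) []string {
	return breachedRanges[prefix]
}

// isBreached is the client side: hash locally, send only the prefix, match suffixes locally.
func isBreached(candidate string) bool {
	h := sha1Hex(candidate)
	for _, suffix := range lookupRange(h[:5]) {
		if suffix == h[5:] {
			return true
		}
	}
	return false
}

// Finding names one reason a candidate password is refused.
type Finding string

const (
	TooShort Finding = "shorter than 12 characters"
	OrgName  Finding = "contains the organization's name"
	Breached Finding = "appears in a breached-password list"
)

// screenPassword applies the SP 800-63B checks (compromised values and context-specific
// words such as the organization's name) plus a length floor chosen for this example.
// An empty result means the candidate is acceptable.
func screenPassword(candidate, orgName string) []Finding {
	var out []Finding
	if len([]rune(candidate)) < 12 {
		out = append(out, TooShort)
	}
	if orgName != "" && strings.Contains(strings.ToLower(candidate), strings.ToLower(orgName)) {
		out = append(out, OrgName)
	}
	if isBreached(candidate) {
		out = append(out, Breached)
	}
	return out
}

func main() {
	// "SolarWinds" is used only as the example organization name from the text above.
	for _, pw := range []string{"solarwinds123", "Password1!", "correct horse battery staple"} {
		fmt.Printf("%-32q -> %v\n", pw, screenPassword(pw, "SolarWinds"))
	}
}
```

Running it prints a verdict for three candidates, including the “solarwinds123” example from the text, which is refused for containing the organization’s name. The check answers only whether a password is already known to attackers or trivially guessable from context; it still cannot tell whether an employee reuses an as-yet-unbreached password elsewhere, which is the gap the rest of the article argues PKI closes.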
Today’s Password Alternatives
Although passwords have become increasingly vulnerable, the ability to recognize and authenticate identities is more important than ever for IT security teams. Many enterprises have turned to multi-factor authentication (MFA), which adds phone- or token-based steps to secure the sign-in process. Unfortunately, MFA still requires the use of passwords, which means users remain dependent on the very technology that MFA is meant to replace. Worse still, both NIST and the FBI have warned the public about MFA’s weaknesses, noting that security professionals have found attacks on SMS-based authentication methods that make defeating them both easy and scalable for attackers. Service outages at both Microsoft and Google over the past year have also exposed the danger of relying on authentication apps whose uptime cannot be guaranteed.
What, then, is the solution? Ultimately, Public Key Infrastructure (PKI) is the most secure and comprehensive way for today’s organizations to replace passwords. Digital identities need to be strong to prevent theft, and they also need to be future-proof to keep the enterprise ahead of attackers. PKI-based certificates not only offer the strongest form of identity authentication; they also make it simpler than ever for employees to connect. Because an employee’s identity certificate and its private key are stored directly on their computer or mobile device, they can enjoy “no-touch” authentication, allowing them to access applications and start working with zero friction.
This is not only great for users but for IT teams as well. They no longer have to worry about employees being locked out of the network because they lost the device needed for MFA. And because the key is stored directly on the device, PKI is highly resilient against phishing, key theft, and man-in-the-middle (MITM) attacks. There is no secret seed value that can be stolen from the server, there are no password-related support calls, and the technology is easy for IT teams to deploy and maintain. No-touch PKI represents the ideal solution for enterprises looking to move away from traditional username and password credentials, both to better secure their networks and to reduce their total cost of ownership.
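The mechanism behind certificate-based “no-touch” login is mutual TLS: the device proves possession of a private key that never leaves it, and the server checks the presented certificate against the CA it trusts and takes the user’s identity from that certificate rather than from anything the user types. The following Go program is an added example for this page, not Sectigo’s product code or its API; it uses only the standard library. The CA names, the service name `vpn.corp.example`, the employee name `alice@corp.example` and the `issue` and `authenticate` functions are this example’s own, and keys are generated in process memory here, whereas a real deployment would generate them inside the device’s TPM or secure enclave so they cannot be exported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "vpn.corp.example" // hypothetical service: server-certificate SAN and the name the client expects
// issue generates a P-256 key pair and a certificate for it. With parent == nil the result is a self-signed
// CA (the enterprise's private PKI); otherwise parent signs a leaf for the given use. The private key is
// created locally and never transmitted; on a real device it would be generated inside a TPM or secure enclave.
func issue(cn string, parent *tls.Certificate, usage x509.ExtKeyUsage) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	if usage == x509.ExtKeyUsageServerAuth {
		tmpl.DNSNames = []string{serverName}
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent CA is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// authenticate runs one mutual-TLS handshake over loopback TCP and returns the identity the server took
// from the client's verified certificate. The server gets the CA's public certificate and its own key only.
func authenticate(ca, server, client tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srvCfg := &tls.Config{Certificates: []tls.Certificate{server}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	cliCfg := &tls.Config{Certificates: []tls.Certificate{client}, RootCAs: pool, ServerName: serverName}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var id string
	errc := make(chan error, 1)
	go func() { // server side: no per-user secret lives here, only public CA material
		c, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		defer c.Close()
		tc := tls.Server(c, srvCfg)
		if err = tc.Handshake(); err == nil { // fails unless the chain leads to a CA in ClientCAs
			id = tc.ConnectionState().PeerCertificates[0].Subject.CommonName // what the CA certified
		}
		errc <- err
	}()
	c, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer c.Close()
	c.SetDeadline(time.Now().Add(5 * time.Second))
	cliErr := tls.Client(c, cliCfg).Handshake()
	if err := <-errc; err != nil {
		return "", err
	}
	return id, cliErr
}

func main() { // constructed names; issue's error is discarded because only an RNG failure could raise it here
	ca, _ := issue("Corp Private CA", nil, x509.ExtKeyUsageAny)
	srv, _ := issue(serverName, &ca, x509.ExtKeyUsageServerAuth)
	emp, _ := issue("alice@corp.example", &ca, x509.ExtKeyUsageClientAuth)
	fmt.Println(authenticate(ca, srv, emp)) // alice@corp.example <nil>
	other, _ := issue("Some Other CA", nil, x509.ExtKeyUsageAny) // a PKI the server does not trust
	fake, _ := issue("alice@corp.example", &other, x509.ExtKeyUsageClientAuth)
	fmt.Println(authenticate(ca, srv, fake)) // empty identity plus a verification error
}
```

Run as-is, the program authenticates the employee over loopback and then shows that a certificate carrying the same employee name but issued by a CA the server does not trust is rejected during the handshake. Two points matter from a defender’s stance: the server never stores anything that could be replayed to impersonate a user, only public material, and the resilience against key theft the text describes depends on the key being non-exportable on the device, which is a property of the hardware-backed key store rather than of TLS itself.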
Ready to make the switch to PKI? Learn more about how you can secure networked and mobile devices with Sectigo’s private PKI solution.