Passwordless Instead of Password Security

In 2013, Intel launched World Password Day to raise general awareness of the relevance of secure username/password combinations in everyday digital life – with limited success.

Detlev Riecke, Regional Vice President, Central Europe at Ping Identity:

Most IT users still choose combinations that are too insecure, use the same passwords for different user accounts, do not regularly replace old passwords with new ones and generally fail to systematically implement password security. According to a Bitkom survey conducted last year, only 18 percent of German IT users have password generators and password safes to create and store their credentials.

All these weaknesses play into the hands of cyber criminals. In recent years, they have continued to refine their phishing, spear phishing and social engineering methods. According to Verizon’s ‘2022 Data Breach Investigations Report’, over 80 percent of all successful attacks on Internet applications are now linked to the compromise of login data – usually the username/password combinations of their victims.

It is therefore only understandable that merely every second user – according to the Ping Identity survey ‘Brand Loyalty In the Age of the Digital Economy’ from last year – believes that they have their own passwords in view and under control. The consequence for companies: More and more of their customers are looking for providers with passwordless login options.

The corresponding technologies – from passkeys and tokens to biometric methods such as face, eye, fingerprint, or voice scans – are now sufficiently advanced, more secure and more user-friendly than username/password combinations, and relatively easy to integrate into existing IT systems.

No wonder that more and more companies in Germany – large, medium, and small ones – are working on converting their IT systems to passwordless login procedures. In last year’s Ping Identity survey ‘Our Passwordless Future: A New Era of Security’, the vast majority of German IT decision-makers stated that their company would be switching to passwordless login procedures in the near future. And as many as 57 percent of respondents believed passwordless login procedures would become the new standard in Germany in less than ten years.

Only time will tell whether it will happen that quickly in the end. However, we can already say today: With the growing spread of passwordless login procedures, phishing, spear phishing and social engineering attacks will become less and less interesting for cyber criminals, and therefore the risk of falling victim to a successful cyber-attack will decrease noticeably for companies and end users alike.

The solution to many of today’s most serious IT risks will ultimately lie – therefore – not in increased password security, but in a general move away from username/password combinations.


Egnyte’s Director of Cybersecurity Evangelism Neil Jones’ commentary on World Password Day, May 2, 2024. 

This is a pivotal World Password Day because password protection is diverging into a “Tale of Two Approaches.”

Companies that are at the forefront of password security have incorporated passkey protection and biometric authentication into their authentication processes. As such, they have vastly reduced the risk of password theft and smishing attacks that can be perpetrated on mobile devices. 

Password security leaders also cultivate a security culture that embraces best practices like these:

  • Utilization of Multi-Factor Authentication (MFA).
  • Establishment of mandatory password rotation and requirements that encourage employees to change their passwords and passphrases on a regular basis.
  • Account lockout requirements to immediately disable users’ access after multiple failed login attempts.

For password security leaders, a growing area of concern is how biometric data needs to be stored within their organizations, and who should have access to it. With the growing availability of Artificial Intelligence (AI) technology and the expanding volume of biometric data, there is a growing risk that users’ identities could be “cloned.” As such, password leadership requires a company’s ongoing attention and significant investment. 

On the flip side, companies that aren’t on the password security forefront generally adopt a wait-and-see approach, until a password compromise results in an unfortunate data breach. For password security followers, we see commonplace utilization of weak passwords, including perennial weak passwords like 123456, password, and qwerty. And such companies frequently over-rely on email or text-based confirmation codes, which can easily be compromised.

The good news is that any company can progress from a password security follower to a leader, by taking several essential steps. In addition to adopting the best practices above, you need to educate users about the significance of password safety and remind users that passwords should never be shared with anyone, including their most trusted business colleagues. Lastly, users should never allow family members to access their business devices, because doing so dramatically increases cyber risk.
