Vendor View: Juliette Rizkallah, Chief Marketing Officer at SailPoint, offers advice on how to tackle the "weak password" conundrum
If previously loose lips sank ships, today it is successful phishing attacks that are capable of sinking companies and individuals. Weak passwords, like weak front doors, are the first ones to give in when cyber-criminals knock via phishing. For the media, it is the gift that keeps on giving. Stories about poor password hygiene are a veritable fixture in the news – a strange state of affairs for an industry that is reluctant to rehash the same old stories in the pursuit of the new.
These stories traditionally take one of two forms: they either report a piece of research showing that the most popular password is “Password1” or “123456”, or they highlight a new incidence of poor password practice resulting in a major breach. But we should be glad that the media has not moved on from this venerable story, even if the words barely change from one month to the next.
Our most recent survey conducted in April confirmed that even UK IT decision makers are not practising what they preach, leaving the door open for hackers. More than half of respondents (49%) admitted they were guilty of violating this simple password rule. Nearly a third of UK IT decision-makers surveyed (20%) had used things like a family member’s name in a password.
Other common themes included a pet’s name (11%), a memorable location (15%) and a favourite sports team or player (12%). Some of the most common password fails – including “password” or “qwerty” – both made the list at 7% and 6% respectively, demonstrating that even UK IT leaders are not using password best practices. This is testament to how password fatigue opens major opportunities for hackers. These passwords may be easy to remember, but they are easy to guess too.
It is clear that hackers do not have to be too clever or work too hard to crack enough passwords for the attempt to be economically worthwhile. One such story came to light in April, when train operator Great Western Railway (GWR) announced that its customers had fallen victim to an automated attack. If this is, as it seems, a brute-force attack, then it highlights how poor password hygiene leaves users and businesses vulnerable to unskilled attacks.
Consider this: while it may be incredibly easy for a hacker to use social engineering to trick someone into clicking on a link or giving up their login credentials, it is just as easy, if not easier, for a hacker to use AI to their advantage. A recent study found that when deploying a phishing scheme against humans, it was not the human hacker who had the higher click-through rate but the artificial hacker, who succeeded more often in converting those malicious click-throughs into successful phishing attacks.
Humans, as we all know, will always be fallible. Even with training, employees may continue sharing passwords across multiple accounts and systems, not regularly updating or changing their passwords, or not adhering to password management policies as they should. Organisations can combat this poor password hygiene with practices that help them ‘see through’ the incredible amount of identity data circulating in their systems, and with policies that enforce good user behaviour.
While more advanced authentication methods such as biometrics and two-factor authentication can provide many benefits, they suffer from their own problems: they are often expensive to deploy (especially across large, multi-site businesses); they are sometimes unreliable, and they continue to suffer from issues such as employees forgetting to bring their token to work. For these reasons, passwords will remain the standard for user authentication for the foreseeable future. What, then, can we do to ensure that they remain fit for purpose?
There is plenty that businesses can do to transform their approach to password policies in order to help minimise the most egregious breaches. Identity management can help simplify access to applications while forcing users to keep their passwords long, varied and unique, making it harder for attackers to gain access to enterprise data. And with identity governance, organisations can take this a step further with password management by enforcing strong password policies and reducing the helpdesk burden. And while we can debate the longevity of passwords, the fact is they are the most widely used and accepted means of authentication.
At the end of the day, the risk of unauthorised access cannot be completely eradicated, which is where identity governance comes in. It helps organisations compare who has access to what with who should have access to what, allowing IT teams to identify application and data access and usage behaviours that are outside of what is normal. Identity governance can also help IT teams identify orphaned accounts, which are an easy way for hackers to infiltrate organisations with valid credentials and wreak havoc undetected.
We must be diligent in protecting ourselves and our organisations as hackers become ever more remorseless and ‘less human’, with more malicious AI bots representing the ‘dark side’. Just as we would not leave the front door unlocked when we leave the house, it is well within our power to stop using overly simplistic passwords once and for all to keep our digital identities safe.
About Juliette Rizkallah:
A marketing veteran with more than 20 years of experience, Juliette Rizkallah brings a wealth of expertise and pragmatism to SailPoint in her role as Chief Marketing Officer. No stranger to the world of enterprise security, Juliette leads the company’s worldwide marketing efforts, and is responsible for articulating the company vision, product solutions, technology innovations and business purpose to customers, partners and media around the globe.
Juliette has held executive positions and was an agent of growth at some of the world’s largest technology companies, including Oracle, CA, Business Objects-SAP and Check Point Software. She started her career as a strategy consultant at Bain & Company and Arthur Andersen France where she acquired her business impact focus.
Juliette holds an MBA from Harvard Business School and a BA from Ecole Superieure de Commerce de Paris (E.S.C.P.) in Paris, France.