By Rob Pocock, below, Technology Director, Red Helix
Passwords were once the stalwart guardians of digital security, but are now showing their age in the face of modern cyber threats. Once sufficient for protecting sensitive information, they have become increasingly outdated and vulnerable as the threat landscape evolves.
A global surge in brute force attacks—where hackers use powerful algorithms to crack passwords by systematically guessing combinations—has further exposed the fragility of password-based security.
While their demise was predicted way back in 2004, they continue to persist due to familiarity and entrenched systems. But with more sophisticated attacks on the rise, businesses must ensure that they are as protected as possible and explore alternative authentication methods that will resist these modern threats.
The enduring reliance on passwords
Despite the fact that weak passwords continue to be a prevalent issue, with 80% of confirmed breaches being related to stolen, weak or reused passwords, they are still the most used authentication method by companies worldwide.
Passwords endure for several reasons. Firstly, they are familiar and easy to use, both for end-users and IT departments. This familiarity means that users are more likely to comply with password policies and less likely to require extensive training or support.
Secondly, many existing systems and infrastructures were designed with password-based authentication at their core. Transitioning to more advanced methods would require significant changes to these legacy systems, which can be both costly and complex. Companies often find themselves weighing the immediate costs and potential disruptions against the long-term benefits of enhanced security, leading to a reluctance to move away from passwords.
There is also a misconception that adding complexity, such as requiring longer passwords with a mix of characters, numbers, and symbols, can sufficiently mitigate risks. However, this approach often leads to users finding ways to circumvent this inconvenience, by doing things such as writing passwords down or reusing the same password across multiple accounts, thus undermining your organisation’s security.
Another issue revolves around companies that manufacture internet connected devices. In the past, these devices would come with an easily guessable, default password. Many consumers would leave these default passwords, making their devices much more vulnerable to a breach. Thankfully, the UK government is cracking down on this, banning such passwords and requiring all manufacturers to implement minimum security measures.
However, exacerbating the issue are devices like the Flipper Zero, which make it easier for attackers to exploit weak passwords. These tools can quickly crack even complex password sequences, highlighting the urgent need for organisations to rethink their security strategies.
Embracing secure alternatives
The good news is that there are more secure alternatives available that can significantly reduce the reliance on passwords alone. Zero Trust Network Access (ZTNA) and two-factor authentication (2FA) both offer more robust security frameworks.
ZTNA is a security model that requires continuous verification of every user and device attempting to access resources, regardless of whether they are inside or outside the network perimeter. By assuming that no user or device is trustworthy by default, ZTNA significantly reduces the risk of unauthorised access. It continuously monitors and verifies access requests, ensuring that only authenticated and authorised users can access sensitive information.
2FA adds an additional layer of security by requiring something you know (a password) and something you have (a security token). This dual-layer approach makes it much harder for attackers to gain access, as they would need to compromise both factors. Although 2FA it is not without its vulnerabilities – for instance, methods like SMS-based 2FA can be intercepted, and sophisticated attackers can still find ways to bypass these protections.
Additionally, businesses who still use passwords as their primary method of authentication can hire companies that specialise in dark web investigations. These companies can determine if a business’s passwords, usernames, or both have been sold to nefarious parties.
Some services go even deeper and can alert organisations within 20 minutes if their data is currently up for auction. This rapid detection capability is crucial in mitigating most attacks, as it gives businesses time to rapidly change their passwords, but targeted attacks remain a significant challenge. A comprehensive security strategy should, therefore, include continuous monitoring for vulnerabilities and prompt responses to any detected threats.
Businesses shouldn’t solely rely on passwords. Implementing multi-factor authentication (MFA), which combines something you know (a password), something you have (a security key), and something you are (biometric data), is essential. This layered security approach ensures that even if one factor is compromised, unauthorised access is still prevented.
Ultimately, very few security measures will stop a targeted attack, but adopting these advanced security measures can act as a deterrent. In the same way a home without broken windows is less likely to be targeted by burglars, a well-secured system is less likely to be targeted by threat attackers.
Combining authentication methods
The era of relying solely on passwords is coming to an end. Embracing a multi-layered security approach will not only safeguard data but also ensure that businesses are better prepared for the future of cyber security.
By understanding the limitations of passwords and actively seeking out and implementing more secure alternatives, companies can significantly enhance their security posture and protect against the growing array of cyber threats.