Rajesh Ganesan, Vice President, ManageEngine, spoke with TECHx Editor Rabab Zehra on the occasion of World Password Day. Rajesh spoke about password-less technologies, risks to an organization’s IT protection, and how password security can be maintained.
TECHx: Do you think traditional passwords will become extinct in the face of new password-free advances?
Rajesh: I definitely do not believe that traditional passwords will become a thing of the past anytime soon, not unless alternate forms of authentication become more reliable and free from biases. Passwords are a versatile method of authentication owing to their sheer ease of use and binary nature. They are also device-, context-, and user-agnostic by nature, which makes them more reliable.
While FIDO-based authentication controls like biometrics—voice and facial recognition, iris scanners, and fingerprints—have gained prominence over the years, there is still a certain margin of error involved. Biometric data, unlike passwords, cannot be changed or replaced, and if compromised, can put global enterprises in a difficult position. Enterprises that process biometrics will need to employ advanced hashing techniques or blockchain technology to secure this data, which involves additional operational and maintenance costs.
Aside from biometrics, alternate controls such as multi-factor authentication (MFA) and one-time passwords only add an additional layer of security to the primary form of authentication: passwords. While there is room for improvement, things like effective management, secure storage, and periodic rotation of passwords backed by stringent policies can ensure that privileged accounts are safeguarded from abuse.
TECHx: With billions of stolen passwords on the Dark Web, we need to be mindful of the risks. How can you figure out what’s behind these dangers? What mistakes do organizations make when it comes to IT security?
Rajesh: The Dark Web is a business hub for compromised data. With the recent Zoom breach resulting in the sale of more than half a million login details, and the LinkedIn attack exposing over 500 million user profiles on the Dark Web, it’s tricky to fathom the full severity and risks associated with a breach.
Because people increasingly reuse passwords across multiple platforms, attackers can easily unlock multiple accounts through credential stuffing or brute-force attacks using the billions of stolen records on the Dark Web, which can lead them to a privileged account with elevated access to critical systems.
Many organizations today still don’t enforce strong password management practices or have complete IT security strategies in place. Some don’t consider cybersecurity until after experiencing a breach, getting hit with an expensive compliance penalty, or failing a forensic audit, while others introduce it as a discrete strategy to close only a specific security gap. There’s no standard plan that suits all organizations; enterprises must adopt a custom approach based on their business, the data they process, and the risks involved if a breach were to occur. When it comes to IT security, what you get out of it depends on how you perceive and approach it.
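The credential-stuffing pattern described in the answer above has a recognizable footprint in authentication logs: one source address producing failed logins against many different accounts in a short window, which is how an attacker replaying leaked username/password pairs looks, as opposed to one user mistyping their own password. The following detector is an added example, not code from ManageEngine or from the interview; the log format, the IP addresses, the usernames and the thresholds are all constructed for illustration.

```python
"""Credential-stuffing detector over authentication logs (added example).

Flags a source IP that fails logins for many distinct usernames inside a
sliding time window, and lists the accounts that then logged in
successfully from such an IP so they can be forced through a password
reset. Every log line below is constructed sample data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> <source ip> <username> <SUCCESS|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (SUCCESS|FAIL)$")

# Constructed sample: 203.0.113.7 sprays many accounts (stuffing), 198.51.100.4 is
# one user mistyping their own password, 192.0.2.9 fails twice hours apart.
SAMPLE_LOG = """\
2021-05-06T09:00:01 203.0.113.7 alice FAIL
2021-05-06T09:00:02 203.0.113.7 bob FAIL
2021-05-06T09:00:02 203.0.113.7 carol FAIL
2021-05-06T09:00:03 203.0.113.7 dave FAIL
2021-05-06T09:00:04 203.0.113.7 erin FAIL
2021-05-06T09:00:05 203.0.113.7 frank SUCCESS
2021-05-06T09:00:06 203.0.113.7 grace FAIL
2021-05-06T09:01:10 198.51.100.4 gina FAIL
2021-05-06T09:01:20 198.51.100.4 gina FAIL
2021-05-06T09:01:30 198.51.100.4 gina FAIL
2021-05-06T09:01:45 198.51.100.4 gina SUCCESS
2021-05-06T09:00:00 192.0.2.9 henry FAIL
2021-05-06T13:30:00 192.0.2.9 ivan FAIL
"""


def parse(line):
    """Parse one log line into (timestamp, ip, user, result); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, user, result = m.groups()
    return datetime.fromisoformat(ts), ip, user, result


def detect_stuffing(lines, window=timedelta(minutes=5), distinct_users=5):
    """Return {ip: set_of_usernames} for every IP whose failed logins hit at
    least `distinct_users` different accounts within any `window`."""
    events = sorted(e for e in map(parse, lines) if e is not None)
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) failures in window
    flagged = {}
    for ts, ip, user, result in events:
        if result != "FAIL":
            continue
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # drop failures that fell out of the window
            q.popleft()
        users = {u for _, u in q}
        if len(users) >= distinct_users:
            flagged.setdefault(ip, set()).update(users)
    return flagged


def accounts_to_reset(lines, **kwargs):
    """Usernames that logged in successfully from an IP flagged for stuffing:
    those credentials were probably in the leaked set and should be rotated."""
    flagged = detect_stuffing(lines, **kwargs)
    return {
        user
        for ts, ip, user, result in (e for e in map(parse, lines) if e is not None)
        if result == "SUCCESS" and ip in flagged
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, users in detect_stuffing(lines).items():
        print(f"{ip}: failed logins against {len(users)} accounts: {sorted(users)}")
    print("force reset:", sorted(accounts_to_reset(lines)))
```

The threshold is deliberately on distinct usernames per source rather than on raw failure count, so a single user locked out by their own typos (198.51.100.4 above) does not trip it; the window keeps slow, spread-out failures (192.0.2.9) from accumulating. In a real deployment the same logic would run over the identity provider's sign-in log and feed a rate limit or a step-up MFA challenge for the flagged source.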
TECHx: World Password Day is the ideal time to revamp your passwords. What advice do you have for businesses and individuals who want to keep their passwords secure?
Rajesh: Poor password security has plagued businesses for ages. Simple practices like reusing business passwords for personal accounts, sharing passwords without context, and storing passwords without encryption can threaten a company’s overall security stature. Here’s a quick checklist that can help businesses reinforce their password security:
- Implement company-wide policies for password generation, storage, and randomization.
- Enforce secure password sharing backed with fine-grained access control mechanisms.
- Know when users log in using their passwords, and send timely alerts to warn users of soon-to-expire passwords.
Fostering a culture of password security with sufficient awareness, training, tools, and protocols among employees is critical for organizations to prevent unauthorized access to their privileged assets and reinforce the security of their business-critical information.
For individuals, some of the most common password management mistakes are reusing the same passwords for multiple accounts, storing passwords in plain-text documents that are easily accessible, and turning a blind eye to complexity. Leveraging a password management tool can help users overcome a lot of these issues. Here are a few things to keep in mind when it comes to personal password management:
- Rely on technology to secure all your passwords in a central location.
- Avoid bad password practices like keeping a physical, plain-text copy near your device.
- Never use weak passwords.
- Enable MFA at the very least for your important accounts.
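Three items from the two checklists above (a generation policy, never storing passwords without encryption, and never using weak passwords) can be enforced in code at the point where a password is set. The following is an added example, not code from the interview or from ManageEngine: it rejects passwords that are too short, reused, or present in a breach corpus, and stores only a salted, slow hash. The breach corpus is a constructed stand-in for a real one, queried by SHA-1 prefix in the k-anonymity style popularised by Have I Been Pwned's Pwned Passwords service so the full hash never leaves the client; the minimum length and iteration count are assumptions.

```python
"""Password policy enforcement and safe storage (added example).

- check_policy(): length, breach-list, and reuse checks.
- hash_password()/verify_password(): PBKDF2-HMAC-SHA256 with a random
  per-password salt, verified in constant time.
The breach corpus below is constructed sample data, not a real leak.
"""
import hashlib
import hmac
import secrets

MIN_LENGTH = 12                 # assumed policy value
PBKDF2_ITERATIONS = 600_000     # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256

# Constructed corpus: a real one would hold only hashes, never the plaintexts.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password123", "qwerty", "letmein", "Welcome2021!", "summer2020")
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def corpus_suffixes(prefix):
    """What a breach service answers for a 5-hex-char prefix: the suffixes of
    every corpus hash sharing that prefix (the client never sends the full hash)."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    h = sha1_hex(password)
    return h[5:] in corpus_suffixes(h[:5])


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def check_policy(password, previous_hashes=()):
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        problems.append("appears in a known breach")
    if any(verify_password(password, h) for h in previous_hashes):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    stored = hash_password("correct-horse-battery-staple-2021")
    print(stored)
    print(check_policy("qwerty"))                                   # two violations
    print(check_policy("correct-horse-battery-staple-2021", [stored]))  # reuse
    print(check_policy("a-different-long-passphrase-99", [stored]))  # []
```

The reuse check is done by verifying the candidate against the stored hashes rather than by keeping old plaintexts, and two calls to hash_password() with the same input give different strings because each gets a fresh salt; the iteration count is stored alongside the hash so it can be raised later without invalidating existing records.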