
You Shouldn't Even Know Your Password

Josh Miller
Oct 28, 2022

Have you ever forgotten a password? Of course! We’ve all been there. But what if I told you that in 2022, you shouldn’t even know your password? In fact, perhaps you don’t even need a password at all (at least, not in the traditional sense).

This October is Cybersecurity Awareness Month, and the theme is See Yourself in Cyber. According to the Cybersecurity and Infrastructure Security Agency (CISA), this year’s awareness campaign serves as a reminder that the vastly complex domain of cybersecurity is ultimately all about people. Our lives are increasingly digital, and this means that we all have a role to play in securing our online identities at home, at school, and on the job.

That said, it should come as no surprise that nearly all the security awareness tips offered by CISA this year revolve around safeguarding the humble password – a proxy for our digital identity. A lot has changed in terms of how users are now expected to authenticate to apps and services, and the pandemic has only hastened this digital transformation. It’s certainly worth calling attention to during Cybersecurity Awareness Month.

I invite you to forget everything you know about passwords as we take a few minutes to explore the latest trends in modern identity management.

Be Unique

“On a long enough timeline, the survival rate for everyone drops to zero.” Unfortunately, this Fight Club axiom also applies to breaches. Sooner or later, most companies will succumb to a cyberattack. If you’re a customer of a breached company, this is never pleasant. But the experience can substantially worsen if you reuse passwords! Cybercriminals routinely attempt to log in to accounts using leaked credentials. These credential-stuffing attacks are swift and automated. If you don’t use a unique password for every service, a single breach could cause multiple accounts to be compromised in short order.

Length = Strength

Passwords must be complex enough to ward off brute-force attacks. If your password is under eight characters, it’s trivial for a modern computer to randomly guess. In the past, security standards required users to include a mix of upper- and lowercase characters, numbers, and special characters in their passwords. However, in the latest publication of National Institute of Standards and Technology (NIST) 800-63, the standards body has ditched this advice in favor of emphasizing length as the most important factor that drives password security. As it turns out, “correct horse battery staple” is a much harder password to crack than “Tr0ub4dor&3” (an amusing but accurate comparison drawn by the popular cartoon strip xkcd).
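To make the length-over-complexity argument concrete, here is an added example (not from the original post) that computes the search space of randomly generated passwords and passphrases and draws a passphrase with a cryptographic random source. The word list, the guess rate, and all function names are assumptions chosen for illustration.

```python
import math
import secrets

# Constructed 16-word demo list (4 bits per word); real generators use lists of thousands of words.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "copper", "violin", "meadow", "lantern",
              "pickle", "harbor", "tundra", "velvet", "orbit", "walnut", "glacier", "saddle"]

def charset_bits(length, alphabet_size):
    """Entropy in bits of `length` symbols chosen uniformly at random from an alphabet."""
    return length * math.log2(alphabet_size)

def passphrase_bits(word_count, wordlist_size):
    """Entropy in bits of `word_count` words chosen uniformly at random from a list."""
    return word_count * math.log2(wordlist_size)

def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def generate_passphrase(wordlist, word_count=4, sep=" "):
    """Pick words with the OS CSPRNG; duplicates in the list would lower the entropy."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("word list contains duplicates")
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))

def compare(guesses_per_second=1e10):
    """Return {description: (bits, years)}; the guess rate is an assumed figure."""
    candidates = {
        "8 chars, all 95 printable ASCII": charset_bits(8, 95),
        "16 chars, lowercase only": charset_bits(16, 26),
        "4 words from a 2048-word list": passphrase_bits(4, 2048),
        "6 words from a 7776-word list": passphrase_bits(6, 7776),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in candidates.items()}

if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:34s} {bits:5.1f} bits  {years:.3g} years")
    print("sample:", generate_passphrase(DEMO_WORDS))
```

These figures hold only when every symbol or word is chosen at random; a password a person invents has far less entropy than its length suggests.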

Password Managers

Humans are not so great at remembering random strings of text. Thankfully, there are several free password managers available that can help greatly simplify the task of generating and storing all your login credentials. These include LastPass, KeePass, and 1Password, as well as the built-in utilities included with all mainstream browsers. It doesn’t particularly matter which one you choose. The important thing is that you use something that helps you conform to best practices instead of resorting to guessable passwords for ease of use.

Note: ALWAYS use a strong, unique password for accessing your password vault. This is your one password to rule them all; it should be the only password you have memorized. Be extra diligent here. If your password manager is compromised, an attacker could potentially access every other account that you log in to!

Multi-Factor Authentication

A strong password is still not enough to protect you against credential stuffing, keyloggers, or phishing. In each of these cases, your password can still be stolen in its entirety and used to log in as you. The answer to this threat is multi-factor authentication (MFA). MFA can take many different forms including hardware- and software-based tokens, authenticator apps, and one-time passcodes sent via text or email. Although there are pros and cons to each approach, the important thing is that with MFA, logging in now requires more than just a static password. This ensures that even if your password is stolen or leaked in a breach, the adversary will still have to take additional steps to gain access to your accounts.

Although MFA provides substantial security over just passwords alone, threat actors continue to adapt to new security controls. It is increasingly common for cybercriminals to now attempt to steal not just a user’s password but MFA codes as well. You should guard your MFA token exactly as you would a password and be on the lookout for social engineering attempts.

A Passwordless Future?

Large companies are already moving us toward a password-less future by enabling users to log in with just a hardware key and an authenticator app instead of a traditional password. This approach eases the burden on end users and makes them less likely to be victims of phishing attacks. It’s also a huge boon to productivity when teams don’t have to manage password policies and field credential reset requests.

It's no secret that passwords are one of the most disliked aspects of information security. Managing your credentials for a ballooning list of services can seem like an increasingly impossible task. However, there is hope. If we continue to raise awareness among our peers about new approaches to managing our digital identity, the password-less future may be closer than you think!
