World Password Day highlights vulnerabilities

“Passwords need to be put to rest” – industry weighs in on the passwords debate

Posted 5 May 2022 by Christine Horton

A staggering 99 percent of people in the UK cite familiarity with password security best practices – but are not putting that knowledge to use. Fifty-nine percent still rely on memory to manage passwords, with 35 percent having to reset their passwords every day or multiple times a week, according to a Bitwarden Global Password Survey.

The stats coincide with World Password Day today.

The survey also reports that while Brits believe they are knowledgeable about password best practices, 86 percent still reuse passwords across multiple sites.

Despite well-documented geopolitical tumult and an increased attack surface from remote work practices, password managers in the workplace have yet to truly take off. Only 34 percent of Brits are required to use a password manager at work. Globally, that number (25 percent) is even lower. In both cases, a majority (69 percent in the UK and 64 percent globally) of respondents believe workplaces should provide employees with a password manager to protect credentials.

“Despite the documented effectiveness and low cost of password managers, workplaces surprisingly often leave employees to figure password management out themselves,” said Bitwarden CEO Michael Crandell.

“Cybersecurity risks are only increasing, so the time to make these changes is now.”

Passwords “should be put to rest”

Meanwhile, Sanjay Gupta, SVP and MD of HooYu at Mitek, argues that this World Password Day should be the last one.

“Passwords need to be put to rest,” he said. “What once was a string of characters believed to be top secret has become every cybercriminal’s haven. World Password Day is one that needs to evolve given passwords’ vulnerability.

“Instead, we should move towards a password-less future – one that relies on our unique features such as voice, face, and fingerprints to gain digital access conveniently and securely. Besides physical biometrics, there now exist newer tools like behavioural biometrics which verifies identities by assessing their behaviour to create a unique digital fingerprint.”

However, he also noted that passwords have become too ingrained in society, making it hard to convince people to change their habits.

“The key to a password-less future starts with education,” he said. “We need to help people understand how biometrics work and why it can never be stolen or misused. Passwords alone are not enough and as our youths of today demand security and speed, we need to introduce a quicker, seamless authentication option that promises protection against fraudsters.”

Elsewhere, Karim Toubba, CEO at LastPass, said World Password Day is “an important moment to take stock of your online habits and ensure you take the necessary steps to keep your online information safe – especially passwords, which are your first line of defence.”

Toubba says LastPass research shows that consumers average nearly 18 passwords for their online accounts, with nearly three quarters of consumers noting they’ve reset their passwords at least once in a month because they forgot them.

Verification factors

Oliver Cronk, chief architect, EMEA at Tanium, points out that most people choose passwords comprising multiple numbers, special characters and various letters that are randomised. However, this can cause users to forget their passwords or to write them down in a place that others can see.

“Whilst the National Cyber Security Centre advised using the three random words logic when creating passwords, predictable pet names and birth dates are still widely used which shows that there is still work to be done on IT hygiene to help protect both businesses and the public,” he said. “Establishing robust cyber defences has never been more essential, especially as cyber-attackers are becoming increasingly sophisticated.

“For businesses, that means examining how to instil a secure approach to passwords within the organisation. One way to approach this task is via encouraging employees, including senior leadership, to stick with one good, unique password and supporting this by requiring the user to provide two or more verification factors. This gives the user less reason to change their password regularly and can be more effective than simply forcing users to change their password every 90 days.”