Change Your Password Day: Adapting to a Future Without Passwords
January 2024 by Adam Marrè, Chief Information Security Officer at Arctic Wolf, Paul Anderson, VP UK & Ireland at Fortinet, Andy Thompson, Offensive Research Evangelist at CyberArk Labs, David Warburton, Director, F5 Labs
The expanse of our digital footprints has resulted in deep-rooted concerns when it comes to identity security. The traditional password model is becoming increasingly obsolete, paving the way for sophisticated and successful cyber threats.
This Change Your Password Day should serve as a call to action to not only change our passwords, but also investigate the essence of digital security. Not doing so will push us further behind the bad guys.
Securing users in today’s digital landscape
What should organisations be looking to do and what solutions do they need to implement to stay safe this Change Your Password Day? According to Adam Marrè, Chief Information Security Officer at Arctic Wolf, “passwords are the lifeblood of our online persona, but we need to take them seriously to protect ourselves from the threat of cybercrime.” He highly recommends that organisations have strong password management practices, including regular updates to passwords and ensuring they “don’t consist of words or phrases that can be associated directly with you, your interests or family.”
Paul Anderson, VP UK & Ireland at Fortinet, agrees with this advice: “no single organisation can combat cybercrime alone. Having strong passwords is a way to prevent threats from entering networks, while regularly changing passwords to ensure data is protected demonstrates how everyone in a business has a part to play to maintain security.”
In addition, our present security practices conceal more danger than meets the eye, according to Andy Thompson, Offensive Research Evangelist at CyberArk Labs. “Simply putting strong passwords in place is no longer good enough. In fact, no matter how strong your password is, if a threat actor gets a hold of a cookie, none of it matters,” he explains. “Instead, we need a mechanism that mandates users to frequently change their credentials. And, each time, this mechanism must require strong, unique passwords, not iterative Password1, Password2 changes.” That is what the new security landscape demands.
Security is about more than just changing passwords, though. David Warburton, Director, F5 Labs, reminds us that “while multi-factor authentication is still strongly recommended wherever possible, the vast number of tricks attackers have at their disposal means it is far from the unbreakable security control it once was.” He states that businesses need “solutions that directly disrupt attacker ROI and can curate and analyse network, device, and environmental telemetry signals across data centres, clouds, and architectures. By modelling threat intelligence across similar attack profiles and risk surfaces, affected organisations can autonomously deploy appropriate countermeasures.”
At the same time, Arctic Wolf’s Marrè observes that, while people should use unique passwords for every account, “we must turn on two-factor authentication if it’s available, as well as using a reputable and recognised password manager.” He adds, “with so many passwords to keep track of, password discipline is difficult.”
Navigating towards a password-free future
While protecting ourselves in the present is vital, organisations also need to look to the future. But what does that look like? According to Ping Identity’s General Manager, EMEA, Paul Inglis, with backing from industry giants like Google and Amazon, “the momentum behind passwordless authentication is undeniable and many enterprise organisations are already on this digital transformation journey”.
Frederik Mennes, Director Product Management & Business Strategy at OneSpan, adds, “traditional authentication solutions, like passwords, are no longer effective against modern threats, and upholding the integrity of your digital identity should be a top priority. This starts with passwordless protection which emerges as a viable alternative for securing critical systems that store sensitive data, providing defence against evolving threats by eliminating vulnerabilities associated with traditional passwords.”
According to Ping Identity’s Inglis, passwordless authentication is a beacon of hope: “a paradigm shift to enhance security and user convenience significantly.” Ping Identity research reveals that 59% of UK consumers would switch to a different brand or service that offered them passwordless as a means of logging in. This change will fundamentally reduce fraud and give consumers more security to freely navigate the digital world without fear of scams.
The transition to passwordless, then, is not just about throwing away passwords; rather, it is a transformative step that will make secure, open-ended and low-friction digital identity possible.
This Change Your Password Day marks a critical juncture in digital security – it’s a call for systemic change. Critical to this change is the adoption of new technology solutions, as well as maintaining vigilant and robust organisational security practices. Doing so will not just be a small step, but a leap towards a future where our digital lives are as protected as they are connected.