Close this search box.

Passwords are not going away

It is a classic case of poacher turned gamekeeper. In his previous guise Jonathan Bennun was a hacker, now he is fighting against cyberattack as product strategy manager at access management provider OneLogin.

When he was attempting to breach systems, he found vulnerabilities like easy-to-guess passwords made his work much easier. “If that attack vector didn’t pan out, I could usually get around the authentication flow, or gain basic privileges and escalate them for admin access. We must accept that these vulnerabilities – imperfect authentication and passwords – are not going away anytime soon, and businesses must take steps to strengthen their security posture.”

A key challenge in eliminating passwords is that too many software as a service (SaaS) providers still don’t offer token-based sign-in such as with security assertion mark-up language (SAML) or authentication layers such as OpenID Connect. On top of that, many enterprises still have dozens – if not hundreds – of legacy applications that require passwords. “It will take some enterprises a long while to migrate off these legacy apps which use application-specific passwords, and do not support requirements such as password complexity or password expiration,” Bennun adds. “In addition, passwords make for only a small part of a strong security posture. Security is only as strong as its weakest link, and on some systems, passwords may be a good attack vector. Real-world attackers are more likely to use alternate attack vectors to get around passwords. Three of the most common are application vulnerabilities, spear-phishing and social engineering.”

Bennun explains that being a true password champion means applying password best practices while having a modern approach to access management that is more holistic than a password management tool or a password education campaign.

To explain what businesses are doing wrong and how they can fix it, Bennun uses the classic security triangle: people, process, and technology. “When it comes to people, enterprises invest in education like training for compliance reasons, but often overlook enabling people with self-service for password reset and self-registration of multi-factor authentication (MFA),” he explains. “In addition, companies combat shadow IT, but don’t offer an alternative such as faster onboarding of business apps. For example, your employees need to use LinkedIn and Twitter for business, so provide them with a safe way to manage passwords for those personal apps.”

When it comes to process, it is important to think marathon, not sprint. “Some SaaS providers still don’t offer token-based sign-in such as SAML-enabled login,” he says “Enterprises need to gradually consolidate passwords, ideally to a single set of corporate credentials for apps, networks, and devices. Similarly, access management should be unified and holistic across the entire organisation with user information and privileges.”

The final piece of the puzzle is technology. Password best practices are not hard to follow and apply, and they are an important part of any security practice. “Having said that, don’t stop there, and don’t look for a silver bullet,” Bennun concludes. “Look for a platform, not a tool, for the wide variety of use cases and for supporting complete authentication and access management scenarios across the enterprise. For example, a single platform can make it much easier to provide password reset self-service to your entire user base.”

In summary, being a true password champion goes well beyond password best practices. Enterprises that fail to deploy today’s front-line access management solutions across their organisation – enabling people, planning for a continuous effort, and seeking a full platform solution – are at serious risk and will lose out.

CTS The industrialisation of IT
CTS - Industrialisation of IT
Related Posts
CTS The industrialisation of IT
Others have also viewed

Germany Energy Efficiency Act demonstrates importance of data centre supply chain collaboration

Following the signing into law of Germany’s Energy Efficiency Act (EnEfG), energy solutions specialist Aggreko ...
Data Centre

Vertiv collaborates with Intel on liquid cooled solution

Vertiv is collaborating with Intel to provide a liquid cooling solution that will support the ...

Generative AI at work: Creating a transparent company culture

The power of generative AI has risen to prominence in the past year. Even for ...

AI-powered computer vision enhances safety in industrial workplaces

RoboK, a startup applying AI-powered computer vision to logistics and industrial workplaces, has announced $2.1 ...