Authlogics Archives - Cyber Secure Forum | Forum Events Ltd

Why your organisation needs the password police

Stuart O'Brien

By Steven Hope, CEO of Authlogics

We live in a world full of policy, etiquette, regulation, and law, that provides a written and sometimes unwritten framework for codes of conduct that are deemed acceptable or unacceptable in our society.

However, having rules in place does not guarantee compliance. It is for this reason that we have police forces, armies, industry watchdogs, regulators, peer pressure, and more to help ensure the rules are followed, and in the main, as a society, we are very good at obeying orders. Consider how most of us adhered to strict lockdown rules during the pandemic, and despite queues stretching for many miles, people took their place in line and waited to pay their respects to Her Majesty Queen Elizabeth during her lying-in-state.

However, there are instances where we may be more willing to bend the rules, especially if we perceive a victimless crime. Passwords are a good example. A lot of organisations have a password policy, but many employees do not adhere to the rules: passwords are not changed as frequently as required, the required format is not followed, the same password is used for multiple accounts, and login credentials are shared.

Yet, for those who diligently do the right thing, there can still be a problem if the policy itself is not fit for purpose. Earlier in the summer, it was reported that Shopify required a password to be of at least five characters. However, analysis of breached passwords revealed that 99.7% of them met Shopify's requirements.

This case is far from surprising, given that many password policies in use today can be as much as 25 years old, despite guidance from bodies such as NIST. The world has moved on and the threat landscape has changed. Phishing attacks were not around when many of these policies were created, but today they pose one of the largest cybersecurity risks.

Part of the problem is that what has long been considered a 'strong' and 'secure' password is no longer so. Requiring a mix of upper-case, lower-case and special characters only makes passwords harder to remember, not stronger. No matter how complex a password is, if a bad guy has the password, they have access. With this in mind, the foundation of any password policy must be to ensure that breached passwords are not in use within an organisation. The use of multi-factor authentication (a username, password, and another credential such as a pattern, PIN, or biometric) also has an important role to play. However, the first step is to have a password management solution in place that automatically detects breached passwords and ensures that they are immediately changed for a new password that conforms to the latest NIST recommendations.
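
As an added illustration (not part of the original post, and not Authlogics' own code), the following Python contrasts the two policy styles the article describes: a legacy minimum-length rule like the five-character one mentioned above, and a NIST SP 800-63B style check that rejects any value found in a breach corpus and imposes no upper/lower/symbol composition rules. The breach corpus, usernames and candidate passwords are constructed sample data; the five-character SHA-1 prefix lookup mirrors the k-anonymity range-query pattern used by Have I Been Pwned but runs entirely offline here.

```python
import hashlib
import re

# Constructed sample breach corpus (stand-in for a real breached-password dataset).
# A real deployment would load hashes from a breach feed rather than a plaintext list.
_CONSTRUCTED_BREACH_CORPUS = [
    "123456", "password", "qwerty", "Summer2022!", "P@ssw0rd",
    "letmein", "abc123", "welcome1", "iloveyou", "admin",
]

# Keep only upper-case hex SHA-1 digests, the form used by HIBP-style range lookups.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_BREACH_CORPUS
}


def _range_lookup(prefix):
    """Simulated k-anonymity range query: every corpus hash sharing a 5-hex-char prefix.

    A verifier sends only the prefix to the breach service and compares suffixes
    locally, so the full candidate password never leaves the organisation.
    """
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    """True if the password's SHA-1 appears in the (constructed) breach corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in _range_lookup(digest[:5])


def meets_legacy_policy(password, min_length=5):
    """Legacy rule of the kind the article describes: a length floor and nothing else."""
    return len(password) >= min_length


def nist_style_problems(password, username="", service="", min_length=8, max_length=64):
    """NIST SP 800-63B style check: length bounds, blocklist of compromised values,
    context-specific words, and trivially repetitive or sequential strings.
    Deliberately imposes no character-class composition rules.
    Returns the list of reasons for rejection; an empty list means accepted.
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if len(password) > max_length:
        problems.append("longer than %d characters" % max_length)
    if is_breached(password):
        problems.append("found in breach corpus")
    lowered = password.lower()
    for word in (username, service):
        if word and word.lower() in lowered:
            problems.append("contains context-specific word %r" % word)
    if re.fullmatch(r"(.)\1+", password):
        problems.append("single repeated character")
    if lowered in "0123456789" or lowered in "abcdefghijklmnopqrstuvwxyz":
        problems.append("simple sequential characters")
    return problems


def pass_rate(passwords, accept):
    """Fraction of `passwords` that the `accept` predicate lets through."""
    return sum(1 for p in passwords if accept(p)) / len(passwords)


if __name__ == "__main__":
    legacy = pass_rate(_CONSTRUCTED_BREACH_CORPUS, meets_legacy_policy)
    modern = pass_rate(_CONSTRUCTED_BREACH_CORPUS, lambda p: not nist_style_problems(p))
    print("Breached passwords accepted by 5-char legacy policy: %.0f%%" % (legacy * 100))
    print("Breached passwords accepted by NIST-style policy:    %.0f%%" % (modern * 100))
    for candidate in ("Summer2022!", "correct horse battery staple", "jsmith-rocks"):
        print(candidate, "->", nist_style_problems(candidate, username="jsmith") or "accepted")
```

Run against the constructed corpus, every breached password satisfies the five-character legacy rule while the NIST-style check rejects all of them, and the complex-looking "Summer2022!" is refused purely because it is already in the breach corpus, which is the article's point that complexity does not help once the password is known.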

Think of it as password policing rather than policy, a method for both prevention and enforcement. Passwords are far from the ideal authentication solution and the policies that have long governed them have done little to improve the situation. Organisations are beginning their journeys towards passwordless alternatives, but it will take time for this to be the norm. Until then it is vital that we create an environment in which they can be used with the highest level of assurance.

We need higher factor protection in the sun AND in the workplace

Guest Post

By Steven Hope, CEO of Authlogics

When I was growing up, we didn't have sunscreen per se; it was referred to as suntan lotion. It wasn't part of the summertime ritual it is for many people today, and getting repeatedly burned was part of the holiday experience, a price to pay for the tan that announced to everyone you had been on holiday. Even if you did apply it, the level of protection on offer was very low compared to nowadays.

If you are a parent of young children, chances are you make sure that they have sun cream on before they head off to nursery or school for the day (encouraged by regular email reminders). But when it comes to ourselves, many of us are probably a little more lax in our routine, preferring to balance the risk and the chances of getting burnt.

So, if we treat our own safety in this way, it is unsurprising that a risk-based approach filters into other areas of our lives. We all know the five-second rule for food that falls on the floor (it isn't true, just in case you didn't know), going a few miles an hour over the speed limit, or using a password like 123456, or a variation of it, for every account. They are things most people know they probably shouldn't do, but on balance think 'what harm will it do?'.

The problem is that these seemingly minor transgressions can and do cause harm, and the more times people 'offend' the greater the risk becomes. Of course, with risk comes the potential for ramifications, and in the case of passwords this means overexposure to data breaches. Did you know that one in 250 corporate accounts are breached every month? And 80% of data breaches are caused by weak, stolen, or reused passwords! Reducing the risk of getting burned by a breach is similar to protection from the sun: more factors (if applied correctly) combined will increase protection.

The use of multi-factor authentication (MFA) may not be the first thing sunseekers and holidaymakers think of when, for example, lounging on the deck of a cruise liner, but for Carnival, one of the world's largest operators, it is certainly front and centre. This follows widespread reports this week that it has been fined $5 million by New York's Department of Financial Services for cybersecurity violations, including failing to implement MFA. It was a similar story a few months back when the Information Commissioner's Office in the UK issued a fine to a company for (amongst other reasons) the lack of MFA.

Yet even those who do implement MFA may well be doing the right thing without doing things right. This is because many MFA solutions only provide a second factor (the first being a legacy password), and since the password is a known weak point, this does not really amount to true MFA. With this in mind, many consider the use of three factors, something you know (password, PIN or pattern), something you have (laptop or mobile device), and something you are (a biometric), to be the optimal combination, balancing high levels of security with usability.

Security solutions, like sunscreen, have evolved in recent years, taking advantage of new technologies to offer far greater protection. However, whilst factor 50 might be perfect for your person, it may be somewhat excessive for your perimeter. Whether your employees are back working in the office, from home or from the garden this summer, ensure that they have the right factors for protection.