We all use them on a daily basis, we depend on them to protect our online identities and data, and yet passwords can still be a pain to manage. Because of this, and because multi-factor authentication (MFA) is still not as widely adopted as it should be (particularly outside of the enterprise), password-less technology has become a hot topic recently. In this month’s newsletter, we look into the current state of password security and at promising developments that may help improve it.
The problem with passwords
Given the plethora of online services that we use, it is not out of the ordinary to have 100 passwords or more these days. Faced with this many secrets to remember, people tend to reuse them, which is dangerous: once a single service is compromised, other accounts with the same password might soon be as well. Such compromises are anything but a hypothetical risk: a recent report found that more than 24 billion username and password combinations are currently circulating online.
Enforcing password policies is not everything
Of course, security guidelines and regulations say that a secure password should be hard to guess, consist of sufficiently many characters, and never be reused. But password policies only go so far. A comparison of established security regulations shows that it is still possible to create fairly insecure passwords while “ticking the box” and being compliant.
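To make the “ticking the box” point concrete, here is an added example (not from the newsletter or the regulations it compares): a checker that first applies a typical complexity policy and then applies the checks such policies omit, namely a lookup against known-compromised passwords and against dictionary words with the usual character substitutions undone. The policy thresholds, the breach list and the dictionary are constructed stand-ins; a real deployment would compare against a breach corpus such as a k-anonymity lookup service. It also shows the reverse mismatch: a long random-word passphrase that the same policy rejects.

```javascript
// Added example (not the newsletter's own code). Node.js, no dependencies.

// Constructed policy: "at least 8 characters and 3 of 4 character classes".
const POLICY = { minLength: 8, minClasses: 3 };

// Constructed stand-ins for a breach corpus and a common-word dictionary.
const BREACHED = new Set(['Password1!', 'Welcome123', 'Summer2022!', 'Qwerty123']);
const DICTIONARY = new Set(['password', 'welcome', 'summer', 'qwerty', 'letmein', 'admin']);

// The box-ticking check: length plus character-class count.
function compliesWithPolicy(pw) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(pw)).length;
  return pw.length >= POLICY.minLength && classes >= POLICY.minClasses;
}

// Undo the common substitutions and strip the trailing digits/symbols so that
// "P@ssw0rd1!" is compared against the dictionary as "password".
function normalise(pw) {
  return pw
    .toLowerCase()
    .replace(/[^a-z]+$/, '')
    .replace(/@/g, 'a')
    .replace(/\$/g, 's')
    .replace(/0/g, 'o')
    .replace(/[1!]/g, 'i')
    .replace(/3/g, 'e');
}

// The checks a complexity policy does not perform.
function weaknessReasons(pw) {
  const reasons = [];
  if (BREACHED.has(pw)) reasons.push('appears in known-compromised list');
  if (DICTIONARY.has(normalise(pw))) reasons.push('dictionary word with substitutions');
  return reasons;
}

// Returns the policy verdict, the extra findings and the combined decision.
function evaluate(pw) {
  const compliant = compliesWithPolicy(pw);
  const reasons = weaknessReasons(pw);
  return { compliant, reasons, accept: compliant && reasons.length === 0 };
}

// Usage: each of these is policy-compliant, yet only the last is accepted.
for (const pw of ['P@ssw0rd1!', 'Summer2022!', 'xK9#mQ2$vL7p', 'correct horse battery staple']) {
  console.log(JSON.stringify(pw), evaluate(pw));
}
```

The run shows the two failure modes side by side: “P@ssw0rd1!” and “Summer2022!” satisfy every policy rule and are still rejected by the breach and dictionary checks, while the four-word passphrase fails the policy on character classes alone despite being the hardest of the four to guess.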
MFA is great - if it is used
One of the best ways to improve the security of password logins is to add further authentication factors to them, such as one-time passcodes or biometric features. Unfortunately, unless it is enforced by the organisation managing the logins, MFA adoption remains comparatively low. How MFA adoption could be improved was the subject of a study presented at the 2021 USENIX Security Symposium.
Tech giants collaborating on password-less
A different approach recently promoted by Apple, Google, and Microsoft does away with passwords altogether and instead relies on the user’s mobile device. Rather than having the user type passwords, the device creates and manages so-called “passkeys” that can be used across browsers and operating systems, simply through the phone’s usual unlock procedure. Because passkeys build on asymmetric cryptography and there are no shared secrets, the risk of phishing and the impact of breaches at the login or service provider are greatly reduced.
Certain operations don’t even need your password
But while we are stuck with passwords, we should all minimise their exposure wherever possible. One way to avoid sending passwords over the wire, which has been in the works for decades, is Homomorphic Encryption (HE). In a recent Cybersecurity Magazine, KU Leuven’s Nigel Smart shares with us his insights into some of the latest developments in HE and outlines potential applications of this technology.
Cybersecurity Magazine Editorial Team
International Cyber Expo is where great cybersecurity minds come together to explore the issues of tomorrow's interconnected world.
Held at Olympia London on the 27th - 28th September 2022, International Cyber Expo endeavours to be the go-to meeting place for industry collaboration, where everyone from vetted senior cybersecurity buyers, government officials and entrepreneurs to software developers and venture capitalists is welcome to share their experiences, knowledge and resources with peers. Equally, the Expo will focus on connecting cybersecurity vendors with decision-makers such as CISOs, CIOs, and Heads of Information Security from mid-size to large enterprises, government, critical national infrastructure, and public sector organisations.
As one of the must-attend annual cybersecurity expos, the inclusive event is made for the community, by the community, and hosts a world-class Global Cyber Summit, an exhibition space, live immersive demonstrations, and informal networking in partnership with Beer Farmers.
For our latest video discussion on the security and production systems please see the River Publishers YouTube.
The latest journal articles from River Publishers in all areas of cyber security can be found on the River Publishers website.