When you think about data and account security, the first thing that usually comes to mind is passwords. In a culture with data-mining and account hacking, it’s now more important than ever to create a company-wide password management process to counteract these threats.
In 2017, the National Institute of Standards and Technology (NIST) changed its position on organizational password management. NIST now advises against forced password-complexity rules and against periodic password-change schedules. This may sound counter-productive, but NIST's reasoning is that most users tend to reuse their lengthy passwords across multiple sites. In other words, if one password is cracked, the others may easily follow.
There are still plenty of other options available, but which works best for you? We’ll break down the pros and cons of password management solutions so you don’t have to.
Is There a “Perfect Password”?
Two of the leading experts in password security – Kevin Mitnick, the chief hacking officer of KnowBe4, and security pundit Frank Abagnale – expect the concept of passwords to fizzle out altogether in the future, but they still have suggestions as to what your best options are until then. Mitnick first recommends using 25-character passphrases rather than complex character sequences.
“The 25-character password is for the initial login to the user workstation; then you should have another password for the password,” Mitnick said. “The user only has to remember two pass-sentences, and the manager will take those credentials.”
Mitnick’s idea hints at a concept agreed upon by both himself and Abagnale: multi-factor authentication. This process requires at least two different types of credentials to complete the login process.
Beyond generic multi-factor authentication, Mitnick strongly suggests implementing the Fast IDentity Online (FIDO) Alliance's Universal Second Factor (U2F) protocol as that second factor, to prevent security breaches through web-based platforms.
Are Password Managers Worth It?
Abagnale, already disillusioned by the concept of passwords as a whole, sees password managers as a weak attempt at masking the issue.
“Some of the password vaults have been breached already, which emphasizes my former point about why passwords are bad for our security,” he said. “I think that we should move beyond static passwords and not succumb to password vaults as our solution. It makes me nervous to store all my passwords in one place and protect that with…a password.”
Password managers may be the best opportunity to test out a multi-factor authentication system: the login for the password manager might be a fingerprint scan, while the passwords stored within the manager consist of Mitnick's suggested 25-character passphrases. Mitnick warns that, even with this method, the most important thing is to protect your computer from malware.
The Passwordless Future is on Its Way
While a world without passwords may seem like a far-off dream, there are companies already at the forefront of this development. One such company called Trusona prides itself on its focus on the user experience. Abagnale is one of the firm’s advisers and expects the full switch to come in the next five years.
“The technology is already here, and now needs to be implemented,” he said. “There is a reason to think that passwords may remain in legacy systems for years to come, as the cost of ripping them out is too high. Nonetheless, passwordless logins are the way of the future, and companies would adopt this method once they realize the benefits.”
Passwords won’t be going away anytime soon, and there are several options to help protect yourself and your business as best you can in the meantime. By combining password managers, the passphrase method, and multi-factor authentication, you can create as strong a data barrier as possible.
Here at GAGE, our InSite program allows us to take care of problems even before you notice them. We’re available 24/7 to support you and your business.