
Another World Password Day Has Passed and Little Has Changed

Six weeks ago, we celebrated World Password Day. Yet, unfortunately, not much has changed since last year. Cyber breaches are bigger and worse than ever. Hardly a week goes by without headlines about some new devastating cyber-attack. In fact, a CyberEdge report (PDF) found that a stunning 77 percent of surveyed organizations had suffered a breach over the past year. 

And, when it comes to breaches, all roads still lead to identity. Hackers don’t hack in anymore—they log in using weak, default, stolen, or otherwise compromised credentials. Several studies have found that privileged credential abuse is involved in the majority of breaches, and many organizations are not taking basic steps to prevent it. 

Shockingly, 52% of respondents to a Centrify survey said they do not have a password vault, and 21% still have not implemented multi-factor authentication (MFA) for privileged administrative access. Privileged credentials provide cyber adversaries with the “keys to the kingdom” and perfect cover for their data exfiltration efforts.

The reality is that many breaches can be prevented by some of the most basic privileged access management (PAM) tactics and solutions, coupled with a Zero Trust approach. Yet most organizations are investing the largest chunk of their security budget in protecting the network perimeter rather than focusing on security controls that can address the leading attack vector: privileged access abuse.

This is a big mistake. Organizations need to make privileged access management a top priority. Gartner has listed PAM on its Top 10 Security Projects for the past two years for good reason. 

Here are three best practices for preventing identity-based compromises:

Go Beyond Passwords


Static passwords are no longer enough, especially for sensitive enterprise systems and data. There is no way to determine if the user accessing data is the valid user or just someone who bought a compromised password from the 21 million that were revealed in the recent Collections #1 breach. Thus, static passwords can no longer be trusted. Organizations need to realize that MFA is the lowest hanging fruit for protecting against compromised credentials.

Less is More

Gartner estimates that global spending on cyber security will hit $137 million annually in 2019, yet the breaches keep on coming. That’s probably because a large percentage of that money is being funneled into solutions that don’t address high-priority security threats and the expanding attack surface of digital enterprises. Hackers, for their part, are shifting their tactics and targeting the path of least resistance: namely, identity. They realize that it only takes one person still using “123456” as their password to ransack an organization.

Companies of all sizes, across all industries, must get more strategic about how and where they allocate their security dollars. Instead of pouring more money into a shotgun approach to security, organizations need a more focused strategy oriented toward purchasing the highest-reward tools. Since privileged access is now a leading attack vector, that is where the smart money should be going. If we assume hackers are already in the network, does it make sense to spend more money hardening the perimeter, or rather on restricting movement inside the network?

Trust Zero Trust

Zero Trust means trusting no one – not even known users or devices – until they have been verified and validated. Zero Trust Privilege helps enterprises grant least privilege access based on verifying who is requesting access, the context of the request, and the risk level of the access environment. Accounts with access to sensitive data should be given the ‘least amount of privilege’ and only for the period of time it is needed, after which it should be revoked. A Zero Trust Privilege model ensures all access to services must be authenticated, authorized, and encrypted. This approach can help companies avoid becoming the next breach poster child, as well as the brand damage, customer loss, and value degradation that typically come with it.
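To make the model concrete, here is a small policy decision point that applies the three checks the column lists (who is asking, the context of the request, and the risk level of the environment) and hands out time-bound, least-privilege grants that lapse on their own. It also enforces the "Go Beyond Passwords" point from above: a request that has not cleared MFA is refused before anything else is evaluated. This is an added illustration, not code from the column or from any vendor's product; the user names, roles, trusted network prefixes, risk threshold and grant lifetime are all constructed values.

```python
"""Added example: a minimal Zero Trust Privilege decision point.

Every identifier below (users, roles, IP ranges, thresholds) is constructed
for illustration and is not taken from the column or any real product.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_RISK = 70                       # constructed: deny above this environment risk score
GRANT_TTL = timedelta(minutes=30)   # constructed: lifetime of a just-in-time grant

# Constructed least-privilege policy: which roles an identity may ever request
ALLOWED_ROLES = {
    "alice": {"db-reader", "db-admin"},
    "bob": {"db-reader"},
}
# Constructed request-context check: corporate egress ranges only
TRUSTED_PREFIXES = ("10.", "192.168.")


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool    # "who is requesting": a password alone never suffices
    source_ip: str        # "context of the request"
    requested_role: str
    risk_score: int       # "risk level of the access environment", 0-100


@dataclass
class Grant:
    user: str
    role: str
    expires_at: datetime

    def active(self, now: datetime) -> bool:
        return now < self.expires_at


@dataclass
class PrivilegeBroker:
    grants: list = field(default_factory=list)

    def decide(self, req: AccessRequest, now: datetime) -> tuple:
        """Return (granted, reason); on success a time-bound grant is recorded."""
        if not req.mfa_verified:
            return False, "MFA required"
        if req.requested_role not in ALLOWED_ROLES.get(req.user, set()):
            return False, "role not permitted for identity"
        if not req.source_ip.startswith(TRUSTED_PREFIXES):
            return False, "untrusted network context"
        if req.risk_score > MAX_RISK:
            return False, "environment risk too high"
        self.grants.append(Grant(req.user, req.requested_role, now + GRANT_TTL))
        return True, "granted"

    def has_privilege(self, user: str, role: str, now: datetime) -> bool:
        # Expired grants are dropped on every check, so revocation needs no cleanup job
        self.grants = [g for g in self.grants if g.active(now)]
        return any(g.user == user and g.role == role for g in self.grants)


def demo() -> list:
    """Run constructed requests through the broker; returns the decision reasons
    followed by two privilege checks, one inside and one after the grant window."""
    now = datetime(2019, 6, 14, 9, 0, tzinfo=timezone.utc)
    broker = PrivilegeBroker()
    attempts = [
        AccessRequest("alice", False, "10.0.0.5", "db-admin", 10),     # no MFA
        AccessRequest("bob", True, "10.0.0.5", "db-admin", 10),        # over-privileged ask
        AccessRequest("alice", True, "203.0.113.9", "db-admin", 10),   # off-network
        AccessRequest("alice", True, "10.0.0.5", "db-admin", 90),      # risky environment
        AccessRequest("alice", True, "10.0.0.5", "db-admin", 10),      # all checks pass
    ]
    results = [broker.decide(a, now)[1] for a in attempts]
    results.append(broker.has_privilege("alice", "db-admin", now + timedelta(minutes=5)))
    results.append(broker.has_privilege("alice", "db-admin", now + timedelta(minutes=31)))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The ordering of the checks is deliberate: identity verification comes first so that a password-only request never reaches the context or risk evaluation, and the grant carries its own expiry so that "only for the period of time it is needed" is enforced by the data structure rather than by someone remembering to revoke it.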

Organizations must assume that bad actors are in their networks already. Before next year’s World Password Day anniversary, companies across all industries should consider moving to a Zero Trust approach, powered by additional security measures such as multi-factor authentication (MFA), to stay ahead of the security curve and leave passwords behind for good.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
