The Enduring Password Conundrum

Earlier this month, the State of California made headlines by passing legislation that will require hardware manufacturers to implement unique hardcoded passwords for every connected device they produce and force users to change it upon first use. The bill, which takes effect in January 2020, renewed the debate surrounding our continued reliance on passwords as the primary method for access control and authentication. 

Since the introduction of username and password authentication, the threatscape has changed dramatically. Today’s infrastructures are borderless, sensitive data often resides in the cloud, and workers are accessing enterprise resources from anywhere and everywhere. This evolution has made many legacy controls obsolete, particularly passwords, whose effectiveness has been questioned for years. 

Since 81 percent of hacking-related breaches leverage either stolen, default, or weak passwords, the California ban on default passwords for connected devices (a.k.a. Internet of Things) is a step in the right direction. Eliminating the same easy-to-guess password from millions of devices will remove a common attack vector and reduce the risk of Denial of Service attacks, spam campaigns, and other malicious assaults that exploit hijacked devices. However, the use of weak default passwords extends beyond connected devices. As a result, this legislation is only addressing a small subset of use cases. 

In addition, default password exploits make up just a small percentage of the overall number of identity-based cyber-attacks. A more common tactic used by cyber criminals and state-sponsored attackers is credential harvesting. Instead of using software programs that guess weak passwords, bad actors actively target individual users using social engineering techniques, malware, digital scammers, or any combination of these to steal credentials. Account compromise attacks can bypass the most hardened security perimeters by exploiting the weakest link in an organization’s defenses — users.

Instead of relying solely on passwords, security professionals should consider implementing a Zero Trust approach to identity and access management based on the following best practices:

• Use Multi-Factor Authentication

Since multi-factor authentication requires several elements for identity verification (something you know, something you have, and something you are), it’s one of the best ways to prevent unauthorized users from accessing sensitive data and moving laterally within the network. It should be standard practice for all organizations.

• Vault Passwords 

The first step toward protecting access to critical account passwords is bringing them under management of a password vault, where an organization’s server, cloud, DevOps, and network device passwords and/or secrets are securely stored and managed. Passwords are rotated after each use, preventing bad actors from reusing them if they become compromised.

• Grant Access to Resources, Not Networks

Unlike a Virtual Private Network, which gives users global access to the entire network, privileged access management solutions can be used to limit access to assets on a per-resource basis. These proxy-based technologies give an organization’s privileged internal IT admins access to as much of the infrastructure as necessary, while limiting access for other users to only the servers and network hardware their role requires. In combination with access zones, this security practice significantly reduces the risk of lateral attacks.

• Grant Least Privilege

According to Forrester, 80 percent of hacking-related breaches involve the misuse of privileged credentials. Zero Trust measures should be used to establish granular, role-based access controls via access zones to limit lateral movement and provide just-in-time privilege to applications and resources. For example, if an outsourced IT provider is contracted to maintain an Oracle database, their access should be limited to this single resource. For advanced security, controls can be placed on the range of commands they can perform. Should additional privileges be required, these can be requested via a workflow ticket. The approval of the ticket would grant immediate, but temporary privilege to run additional commands on the database.

• Risk-Based Access Control

Risk-based access uses machine learning to define and enforce access policy, based on user behavior. Through a combination of analytics, machine learning, user profiles, and policy enforcement, access decisions can be made in real time, to ease low-risk access, step up authentication when risk is higher, or block access entirely. Risk-based access control is often used in combination with multi-factor authentication. The use of artificial intelligence offers the most promise for helping the industry move away from usernames and passwords. 
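Taken together, the least-privilege and risk-based rules above amount to a small policy engine: check the per-resource, per-command entitlement (standing or time-boxed by an approved ticket) first, then let the risk score ease, step up, or block the request, and record every decision for audit. The Python below is an added illustration, not code from the article or from any product it mentions; the user, resource, command and risk-score values are constructed, and the risk thresholds (40 for step-up, 80 for block) are assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Grant:
    resource: str                      # one resource, never "the whole network"
    commands: set[str]                 # commands permitted on that resource
    expires: datetime = datetime.max   # datetime.max = standing grant; earlier = just-in-time grant
@dataclass
class AccessRequest:
    user: str
    resource: str
    command: str
    risk_score: int     # 0-100, assumed to come from an upstream analytics engine
    mfa_verified: bool
    now: datetime

AUDIT_LOG: list[tuple[str, str, str, str, str]] = []  # every decision, for SIEM export
NOW = datetime(2024, 1, 1, 12, 0)                       # constructed clock for the demo

def approve_ticket(grants: dict[str, list[Grant]], user: str, resource: str,
                   commands: set[str], now: datetime, ttl_minutes: int = 60) -> None:
    """Ticket approval adds a time-boxed grant for extra commands on one resource."""
    grants.setdefault(user, []).append(Grant(resource, set(commands), now + timedelta(minutes=ttl_minutes)))

def decide(grants: dict[str, list[Grant]], req: AccessRequest) -> tuple[str, str]:
    """Least privilege first, then risk: returns (allow|step_up|deny|block, reason)."""
    active = [g for g in grants.get(req.user, [])
              if g.resource == req.resource and g.expires > req.now]
    if not active:
        result = ("deny", "no entitlement for this resource")
    elif not any(req.command in g.commands for g in active):
        result = ("deny", "command outside granted scope")
    elif req.risk_score >= 80:
        result = ("block", "risk score too high")
    elif req.risk_score >= 40 and not req.mfa_verified:
        result = ("step_up", "MFA required before access")
    else:
        result = ("allow", "within scope and risk tolerance")
    AUDIT_LOG.append((req.user, req.resource, req.command) + result)
    return result

def demo() -> list[str]:
    # Constructed scenario: an outsourced DBA with standing read-only access to one database.
    grants = {"dba-contractor": [Grant("oracle-db-01", {"select", "explain"})]}
    def ask(cmd, risk, mfa, t=NOW):
        return decide(grants, AccessRequest("dba-contractor", "oracle-db-01", cmd, risk, mfa, t))[0]
    out = [ask("select", 10, False), ask("alter table", 10, False)]        # allow, deny (not granted)
    approve_ticket(grants, "dba-contractor", "oracle-db-01", {"alter table"}, NOW, ttl_minutes=30)
    out += [ask("alter table", 55, False), ask("alter table", 55, True)]   # step_up, allow
    out += [ask("alter table", 10, True, NOW + timedelta(minutes=31)), ask("select", 95, True)]  # deny (expired), block
    return out
```

Note that entitlement is evaluated before risk, so a low-risk request for a resource or command outside the user's scope is still denied, and the expired ticket in the last step falls back to the standing read-only grant rather than silently extending the elevation.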

• Audit Everything

Capturing and documenting a record of all actions performed is not only essential for forensic analysis and root cause detection but can also be used for threat hunting via SIEM or even CASB integrations.

Usernames and passwords are here to stay for the foreseeable future. While the new California legislation is a good first step in addressing identity-based cyber-attacks, organizations should supplement their existing security practices to reduce the risk of account compromise attacks that exploit harvested credentials to breach enterprise resources.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).
