
Why Better Password Hygiene Should Be Part of Your New Year’s Resolutions

Organizations Must Assume That Bad Actors Are Already in Their Networks

The world has been faced with numerous life lessons in 2020, but it’s clear that millions of people still haven’t learned one of the most basic when it comes to security. A new report from NordPass has revealed that millions of people still haven’t broken the habit of using easy-to-remember, but easy-to-hack passwords. Of the 200 most common passwords, ‘123456’ took the number one spot again, but unfortunately for the more than two million people using it, it can be broken in less than a second. Other popular passwords included ‘iloveyou’ and the ever-so-creative ‘password’. When it comes to breaches, all roads still lead to identity. Hackers don’t hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s critical that everyone put password hygiene at the top of their New Year’s resolutions list. 

Despite all the new technologies, strategies, and artificial intelligence being employed by security experts and threat actors alike, one thing remains constant: the human element. As humans we’re fallible — a fact that threat actors frequently exploit when launching phishing and social engineering campaigns to establish a foothold in their victim’s IT environment.

The reality is that many breaches can be prevented by some of the most basic cyber hygiene practices. Yet most organizations continue to invest the largest chunk of their security budget on protecting the network perimeter rather than focusing on establishing key identity-related security controls. In fact, a recent study by the Identity Defined Security Alliance (IDSA) reveals credential-based data breaches are both ubiquitous (94% of survey respondents experienced an identity-related attack) and highly preventable (99%).

Today’s economic climate exacerbates these cyber risks, and the impact of the COVID-19 pandemic has led to an acceleration in digital transformation and technical change that will further stress-test organizations’ identity and access management practices. This creates new challenges in minimizing access-related risks across traditional datacenters, cloud, and DevOps environments. So, what can be done to minimize credential-based data breaches?

Consumers and businesses alike must abandon static passwords and recognize that multi-factor authentication (MFA) is the lowest-hanging fruit for protecting against compromised credentials. This approach requires an extra step to verify an identity beyond a username and password using something the user knows (such as a text code), something they have (such as a smartphone), or something they are (such as a face or fingerprint scan).

Individuals should use password managers. A password manager is an easy way to ensure employees are using complex passwords. Some solutions will also advise the user if one of the passwords has potentially been compromised in a data breach and prompt them to change it immediately.
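As an added illustration of the compromised-password check described above (this is not code from the article or from any password manager vendor), the following shows the k-anonymity style lookup such tools use: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, and matches the remainder against the returned suffix list, so the service never sees the password or its full hash. The breach corpus, the occurrence counts, and the `fake_range_lookup` server stub are all constructed for the example.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed breach corpus: the weak passwords the column names, with made-up
# occurrence counts. It stands in for a real breached-password service.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "123456": 2_500_000,
    "password": 1_200_000,
    "iloveyou": 800_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the digest form range queries use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Index breached hashes by their 5-char prefix -> [(35-char suffix, count)]."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def fake_range_lookup(prefix: str) -> str:
    """Server side of a k-anonymity range query (constructed stub): it only ever
    receives the 5-char prefix and answers with every suffix sharing it, one
    'SUFFIX:COUNT' per line."""
    return "\n".join(f"{suffix}:{count}" for suffix, count in RANGE_INDEX.get(prefix, []))


def breach_count(password: str, range_lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """Client side: hash locally, transmit only the prefix, match the suffix
    locally. Returns the breach occurrence count, or 0 if the password is unseen."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        cand_suffix, _, count = line.strip().partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


def audit_vault(vault: Dict[str, str]) -> List[str]:
    """The 'advise the user' step: return the vault entries whose password is breached."""
    return [site for site, pw in vault.items() if breach_count(pw) > 0]
```

`audit_vault` is what a manager would run over its stored entries before prompting the user to change the flagged ones.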

For enterprises, less is more. Instead of pouring more money into a shotgun approach to security, organizations should pursue a strategy oriented on purchasing the highest reward tools. Since privileged access is now a leading attack vector, that is where the smart money should be going. If we assume hackers are already in the network, does it make sense to spend more money hardening the perimeter, or rather on restricting movement inside the network?

The existence of privileged access carries significant risk, and even with privileged access management (PAM) tools in place, the residual risk of users with standing privileges remains high. In turn, organizations must adopt a “Zero Trust” approach. Zero Trust means trusting no one – not even known users or devices – until they have been verified and validated. An identity-centric security approach based on Zero Trust principles re-establishes trust, and then grants just-in-time least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.

Ultimately, organizations must assume that bad actors are already in their networks. And consumers must realize they’re constant targets. In 2021, companies across all industries should consider moving to a Zero Trust approach, powered by additional security measures such as MFA and zero standing privileges, to stay ahead of the security curve and leave passwords behind for good.

Written By

Torsten George is a cybersecurity evangelist at Absolute Software, which helps organizations establish resilient security controls on endpoints. He also serves as strategic advisory board member at vulnerability risk management software vendor, NopSec. He is an internationally recognized IT security expert, author, and speaker. Torsten has been part of the global IT security community for more than 27 years and regularly provides commentary and publishes articles on data breaches, insider threats, compliance frameworks, and IT security best practices. He is also the co-author of the Zero Trust Privilege For Dummies book. Torsten has held executive level positions with Centrify, RiskSense, RiskVision (acquired by Resolver, Inc.), ActivIdentity (acquired by HID® Global, an ASSA ABLOY™ Group brand), Digital Link, and Everdream Corporation (acquired by Dell).