Editor’s note: World Password Day was observed earlier this month, and the ISACA Now blog gathered several expert comments related to password and authentication best practices. See our group of experts’ commentary below:
Steven Sim Kok Leong, CGEIT, CISA, CRISC, CISM, CDPSE, Member, ISACA Emerging Trends Working Group and Information Security Advisory Group; Adviser, ISACA Singapore Cybersecurity SIG; and Chair, OT-ISAC Executive Committee
Beyond complex passwords and multi-factor authentication, organizations can do more, including protecting against MFA-fatigue attacks with "less" by adopting password-"less" solutions. What still needs to be protected would be personal credentials, including your biometrics data (i.e. facial image, fingerprint, etc). It is imperative to elevate authentication methods as hackers step up their sophistication of attacks on passwords and less mature authentication methods
Divya Aradhya, Head of Cyber Architecture and member of the ISACA Emerging Trends Working Group
While the online world is slowly moving towards passwordless authentication, passwords aren't going away anytime soon. All of us struggle with creating unique passwords that are complex and long enough to be hack-proof, and yet simple enough to remember. A tip I give is to consider using full sentences as passwords. Capitalizations, spaces, punctuations, and length are organically woven in, and the natural construction of the sentence makes it easy to remember.
For example: "I eat 2 green apples everyday!," "My doggie's name is Biscuit :)," or "There are 7 days in 1 week.”
Find sentences that are specific to you, and if you can, weave in a website identifier to your sentence. It will help keep the "password" unique and also make it easy for you to recall.
Anima Pokharel (CA, CISA, ISO 27001 Lead Auditor, Forensic Auditor and Fraud Detection Professional), Senior Technology Auditor with Lululemon, Vancouver, Canada
In my experience, when it comes to password control practices, we often follow practices such as frequent password changes, typically within 90 days, and enforcing complex rules like mandatory use of special characters and numbers to boost security. However, recent research has shed light on some unintended consequences of these existing practices.
It can lead users to create predictable password patterns or reuse passwords across multiple accounts, making it easier for attackers to guess the password. This insight has led organizations like NIST to revise their guidelines, recommending against frequent mandatory changes and overly complex requirements and in favor of longer, memorable passphrases unless there is evidence of compromise.
Additionally, integrating MFA adds an extra layer of security, making it harder for attackers to gain access even if a password is compromised. Embracing these advanced methods and staying updated with evolving best practices can safeguard us from emerging threats.
Sabiha Hetavkar – Director, Risk Advisory, Deloitte India
Users quite often end up using the same password for their work and personal accounts, or store their password in a notepad to remember easily. The frustration of remembering so many passwords is what makes users resort to unsafe password practices, despite being aware of the risks. Adopting passwordless authentication will eliminate passwords from the equation and subsequently, the user fatigue of remembering the password. While adopting passwordless authentication, organizations should adopt solutions which offer a secure and frictionless experience. Some key points to remember are:
- Use native device biometrics for authentication so that the user’s biometric data is not transmitted or stored on servers.
- Allow the user multiple options to authenticate from the device – biometrics, PIN, or external USB device.
- Use passwordless authentication such as two-factor authentication by default, e.g. FIDO2.
- Design secure recovery processes in the event of a loss of device used for passwordless authentication.
- Plan for end user training and guidelines to increase adoption and stay updated on new attack vectors to mitigate them.