Ali Baba overheard a Master Thief using the words Open Sesame! to open the mouth of a cave holding a mighty treasure. Isn’t it amazing how a pass phrase can open up a world of treasures?

What sounds like a great folk tale — Ali Baba and the Forty Thieves — is still our reality. How many of us protect our information with a single password? Weak or stolen passwords cause 81% of all data breaches, and the number seems to be growing every day.

According to Identity Theft Resource Source, we’ve already seen over 47 million stolen records in 932 breaches in 2018. A large part of these breaches contains passwords. For years these password dumps have been sold on criminal forums, and the sheer volume of stolen passwords has decreased the value of these dumps to the point that someone even published a password collection containing 1.4 billion entries — for free.

The problem with passwords

Essentially a password is a secret used to gain admission to a place. I’m pretty well convinced that passwords are a horrible system. Third party websites don’t protect our information properly and become victims of cyber attacks. Also, people share their passwords among colleagues or fall victim to credential phishing.

Apart from theft, passwords are cracked easily if they are not complex. We have the habit of creating secrets from things close by, like personally identifiable information, children, birthdays, favorite places and teams. A quick look through social media like Facebook reveals many of those things. The truth, of course, is that we have made it easy for attackers. Add the re-use of passwords and the fact that breached passwords don’t get changed very often — it’s like taking candy from a kid!

In order to get everyone on the same page, we have to accomplish two things.

Lock your valuables

Here we go again — the password manager evangelist. Lucky for you, I’m not going to write about why you should make use of it. You can read that in one of the thousands of blogs about the benefits of complex passwords generated by a password manager. So let’s focus on the reason why it’s not commonly used in enterprises.

The lack of adoption is caused by the complexity of using it. We have to compete against the procedure where you simply type 123456 into the password field. The challenge is to change the way your people are used to filling in passwords. Instead, we want them to paste passwords that are stored in the manager.

  1. Get leadership buy-in and technology rock stars. Experienced and senior staff are given time to master the tool and are involved in the implementation. They are our key to success: they understand the reason why we are doing this and can inform others accordingly.
  2. Tell me and I forget. Teach me and I remember. Discuss the tool in your User Awareness programs. Show them the way!
  3. Monitor and audit whether the software is being used properly. Be prepared to adjust procedures and technology to your users’ needs.

So, the first step is done. Are we there yet?

Check — Double Check

Complex passwords make the difference between something that is easy to crack and something that is hard to crack. But you are still at risk of being a victim of credential phishing or third party data breaches! That’s why it is so important not only to rely on something we know, but also on something that confirms the user’s claimed identity: multi-factor authentication (MFA). The technology is here, why not embrace it?

A good example of two-factor authentication (2FA) is withdrawing money. Only the correct combination of a bank card — something you possess — and your PIN — something you know — results in a successful transaction.

So, why aren’t we using this yet? Unfortunately we cannot integrate MFA into everything yet. Some third party solutions and core systems are not compatible with the technology that helps us authenticate more securely. That doesn’t mean we should not use it everywhere else we can.

Enabling MFA is a real game changer in terms of cyber security. You should have adopted this technology yesterday, if you haven’t already, of course.

The Dreamy Factors

You are right to think that integrating these can be challenging. Will the near future make it easier for us? I’m no Nostradamus, but there are a few technology developments that are here to stay.

Remember how Ali Baba hit the jackpot by saying the pass phrase Open Sesame? What if one of the Forty Thieves came up with a clever system that validates the speaker’s voice? The combination of a secret and a voice pattern confirms the user’s identity and opens the mouth of the cave. That’s biometric security.

Biometrics are human body characteristics that should not change over a lifetime and should be considered a higher form of authentication. You are probably already using this to unlock your phone.

There are also many reasons why we don’t want to use passwords at all. Technology allows us to authenticate without them. Passwordless authentication is on the rise — magic links and tokens validate the authenticator. No password needed!
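To make the magic-link idea concrete, here is an added example (not code from the original post) of how a server can issue and redeem a magic-link token: the token is random, is stored only as an HMAC so a leaked store is useless, expires after a short time, and can be used only once. The server key, the 15-minute lifetime and the in-memory store are assumptions for the demonstration; a real deployment would load the key from a secrets store and persist records in a database.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed server-side key for the demo only; in production this comes from a secrets store.
SERVER_KEY = b"constructed-demo-key-not-for-production"
# Assumed lifetime: magic links should expire quickly because the link travels over e-mail.
TOKEN_TTL_SECONDS = 15 * 60


class MagicLinkIssuer:
    """Issues single-use, time-limited tokens for passwordless (magic-link) login.

    The user receives the raw token in a link; the server keeps only an HMAC of it.
    Possession of the mailbox that received the link is the factor being verified.
    """

    def __init__(self, key: bytes = SERVER_KEY, ttl: int = TOKEN_TTL_SECONDS) -> None:
        self._key = key
        self._ttl = ttl
        # token digest -> (email, expiry timestamp); an in-memory stand-in for a database
        self._pending: Dict[str, Tuple[str, float]] = {}

    def _digest(self, token: str) -> str:
        # HMAC rather than a plain hash: an attacker who reads the store still cannot forge a token.
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def issue(self, email: str, now: Optional[float] = None) -> str:
        """Create a token for `email` and return the raw token to embed in the link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy; infeasible to guess
        self._pending[self._digest(token)] = (email, now + self._ttl)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the e-mail address the token was issued for, or None if it is invalid."""
        now = time.time() if now is None else now
        # pop() enforces single use: the record is gone whether or not the check succeeds.
        record = self._pending.pop(self._digest(token), None)
        if record is None:
            return None  # unknown or already used
        email, expiry = record
        if now > expiry:
            return None  # expired; the user must request a fresh link
        return email

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    issuer = MagicLinkIssuer()
    link_token = issuer.issue("alice@example.com")
    print("link: https://login.example.com/magic?token=" + link_token)
    print("first redeem:", issuer.redeem(link_token))   # alice@example.com
    print("second redeem:", issuer.redeem(link_token))  # None, single use
```

The two properties worth copying into any real implementation are the single-use `pop()` and the short expiry: a magic link that can be replayed, or that stays valid for days, turns the mailbox into a permanent password.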

That was a long read — thanks for sticking with me. The challenges and struggles of the journey exist for a reason: they help you and your business grow. Now it is up to you. Can you make the difference?

Sven Mik
Author

What drives me the most is helping companies and individuals to the next step in their cyber security maturity level. This drive, my technical knowledge and my passion for cyber security are why customers often see me as a trusted advisor.