In an era where digital security is more important than ever, passwords remain the gatekeepers of an organization’s entire ecosystem. Despite the rise in the use of multi-factor authentication (MFA) and biometric scans, passwords remain indispensable.
Their importance is underlined by their simplicity and the immediate layer of security they offer to online accounts, which in turn protects an organization’s data and systems. However, their effectiveness depends directly on the user: specifically, their willingness to create unique passwords despite the inconvenience and how diligently they manage them.
Vice President of Threat Intelligence, Egress.
Old is gold
The persistence of passwords as a primary security measure is a testament to their convenience. While biometrics, hardware security keys such as YubiKey, and other advanced authentication methods offer promising improvements, passwords remain the foundation of security defenses around the world, a fact highlighted by recurring themes throughout Cybersecurity Awareness Months and echoed by cybersecurity experts.
However, many people tend to create passwords that are predictable and easy to remember, often at the expense of security. An analysis by the UK's National Cyber Security Centre (NCSC) found that 23.2 million breached accounts worldwide used "123456" as a password, highlighting a common preference for simplicity and familiarity. Users also frequently build passwords from personal information, such as birth dates or names, which attackers can guess or find through open-source intelligence (OSINT) or social engineering. Reusing the same password across multiple sites remains widespread as well.
These behaviors reflect a broader psychological tendency to prioritize convenience and cognitive ease over security, underscoring the need for better user education.
Strong passwords are a key first line of defense
The emphasis, then, shifts to strengthening passwords as an organization's first line of defense. Recent research found that 58% of organizations experienced account takeover (ATO) incidents in the past 12 months, and that 79% of those incidents began with a phishing attack that captured an employee's credentials. 51% also fell victim to phishing emails sent from compromised supply-chain email addresses. Organizations therefore cannot afford to let a weak password become the starting point for an ATO and the email attacks that follow it.
The threat extends beyond email. Once an attacker obtains a password (whether through credential harvesting or social engineering), they can unlock not just one account but many, especially if the owner reuses that password across different platforms. This domino effect multiplies the exposure of an organization's data: it is like using a single key for every door in an office building. If a malicious actor gets hold of it, nothing inside is safe.
In line with this threat, the UK government's recent Product Security and Telecommunications Infrastructure (PSTI) regime is a significant development. PSTI requires consumer internet-connected devices, including smartphones and smart home products, to meet minimum security standards. Among them is a ban on universal default passwords such as "admin" or "12345": any preset password must be unique to the device or set by the user. This legislation is a positive step forward, since poor password hygiene is not something any organization can afford today.
How can organizations ensure secure passwords for their employees?
First, a clear password policy is a critical defense mechanism. It should require sufficient length, screen new passwords against lists of commonly used and breached passwords, prohibit reuse across accounts, and require a prompt change whenever a compromise is suspected. Forced periodic rotation is no longer recommended by NIST or the NCSC, because it pushes users toward predictable variations of the same password. To make this workable, employees should have access to a password manager. By removing the need to memorize credentials, a password manager gives employees a single, well-protected vault of long, random, unique passwords that are infeasible for attackers to guess or crack.
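As an added example (not the author's or Egress's code), here is a Python password-acceptance check and generator implementing the guidance in this section: a minimum length, a blocklist of commonly used passwords like the ones the NCSC analysis and PSTI call out, rejection of personal details such as names and birth dates, a reuse check against a salted hash history, and a random generator of the kind a password manager uses. The blocklist, the 12-character minimum and the PBKDF2 round count are assumptions chosen for illustration; a real deployment would screen against a breach corpus such as Have I Been Pwned's Pwned Passwords.

```python
"""Password acceptance check and generator illustrating the article's guidance."""
import hashlib
import math
import re
import secrets
import string

# Constructed blocklist for illustration only. A real deployment should check
# candidates against a breach corpus such as Have I Been Pwned's Pwned Passwords.
COMMON_PASSWORDS = {
    "123456", "123456789", "12345", "qwerty", "password", "admin",
    "letmein", "welcome", "iloveyou", "abc123",
}
MIN_LENGTH = 12          # assumed minimum; length matters more than class rules
PBKDF2_ROUNDS = 200_000  # assumed work factor for the history store
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def _normalize(text: str) -> str:
    """Lower-case and strip everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def hash_for_history(password, salt_hex=None):
    """Salted PBKDF2-SHA256 digest for the password-history store.

    Lets us detect reuse without keeping plaintext. The live credential store
    should use a memory-hard KDF such as Argon2id; PBKDF2 is used here only
    because it ships in the standard library.
    """
    salt = bytes.fromhex(salt_hex) if salt_hex else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex(), digest.hex()


def check_password(candidate, *, user_facts=(), previous_hashes=(),
                   blocklist=COMMON_PASSWORDS, min_length=MIN_LENGTH):
    """Return the list of reasons a candidate password is rejected.

    An empty list means the password passed every check. user_facts holds
    personal details an attacker can find via OSINT (names, birth dates);
    previous_hashes holds (salt_hex, hash_hex) pairs from hash_for_history().
    """
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    norm = _normalize(candidate)
    # Strip the leading/trailing digits and symbols users bolt onto a common
    # word, so "Password123!" is caught as well as "password".
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", candidate.lower())
    blocked = {_normalize(p) for p in blocklist}
    if norm in blocked or core in blocked:
        reasons.append("matches a commonly used password")

    # Reject any token of 4+ characters from the user's own details (e.g.
    # "jane", or "1990" from a birth date) appearing anywhere in the candidate.
    for fact in user_facts:
        tokens = [t for t in re.split(r"[^a-z0-9]+", fact.lower()) if len(t) >= 4]
        if any(t in norm for t in tokens):
            reasons.append("contains personal information")
            break

    # Reuse check: recompute the history hash under each stored salt.
    for salt_hex, hash_hex in previous_hashes:
        if hash_for_history(candidate, salt_hex)[1] == hash_hex:
            reasons.append("reuses a previous password")
            break
    return reasons


def generate_password(length: int = 20) -> str:
    """Generate a uniformly random password, as a password manager would."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_password(candidate):  # practically always passes first try
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    facts = ("Jane Doe", "1990-05-12")  # constructed sample user details
    for pw in ("123456", "Password123!", "jane1990xyz!!", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw, user_facts=facts) or 'accepted'}")
    print("generated:", generate_password(20), f"(~{entropy_bits(20):.0f} bits)")
```

The blocklist lookup normalizes both sides and also strips the digits and symbols users append to a dictionary word, which is why "Password123!" is rejected even though it satisfies a classic complexity rule; the personal-information check works on tokens so that a birth year pulled from a date string is caught as well as a name.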
Strong, unique passwords, managed through a trusted password manager and reinforced by habits such as changing a password promptly after a breach, form a strategy that can adapt to ever-evolving credential-harvesting attempts. This approach not only strengthens security but also cultivates a culture of cybersecurity awareness and responsibility. In essence, while passwords may be the old guard of the digital realm, they are here to stay, evolving alongside new security paradigms to safeguard our digital ecosystems.
This article was produced as part of TechRadarPro's Expert Insights channel, where we showcase the best and brightest minds in the tech industry today. The views expressed here are those of the author, and not necessarily those of TechRadarPro or Future plc.