World Password Day is coming up on May 2, and this will provide the perfect excuse for media outlets—Connected World among them—to talk about authentication and device security. The same password best practices are repeated every time this subject arises, in part because people still aren’t following the most basic of these suggestions, like not using “password” as a password. For this reason, the industry still needs to push best practices out to the public. But are the traditional best practices good advice, really? What about the advice to change passwords frequently? What about conflicting counsel about using random passwords versus using a string of pronounceable words?
The idea that people should change their passwords frequently is controversial, but it’s often listed as one way to improve security. In April, Microsoft announced it’s dropping the password expiration policies as part of its draft release of the security configuration baseline for Windows 10 version 1903 and Windows Server version 1903. Why? Microsoft says it best: “When humans are forced to change their passwords, too often they’ll make a small and predictable alteration to their existing passwords, and/or forget their new passwords.” While changing passwords is still a defense, it’s only going to help if people are changing their passwords to be more secure, not less.
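The failure mode Microsoft describes, a forced change that produces "Summer2019!" to "Summer2020!", is something a change-password endpoint can check for on the defender's side. The following is an added example, not code from the article or from Microsoft: it normalizes both passwords (lowercasing, stripping leading/trailing digits and symbols, undoing common letter-for-digit substitutions) and rejects a new password whose core is identical to, contained in, or within a couple of edits of the old one. The policy thresholds (`max_edits`, `min_length`) and the sample pairs are constructed assumptions; the code assumes the old password is available in cleartext only because the user re-enters it during the change.

```python
"""Reject password changes that are only small, predictable alterations of the old one.

Added example (not from the article). Assumes the user re-enters the old password
during the change, so both strings are briefly available; nothing is stored or logged.
"""
import re
from typing import Tuple

# Substitutions users commonly make to satisfy complexity rules, mapped back to letters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(pw: str) -> str:
    """Reduce a password to the core users rarely change.

    Lowercase it, drop leading/trailing digits and symbols ("Summer2019!" -> "summer"),
    then undo leet substitutions ("p@ssw0rd" -> "password"). If almost nothing is left
    (e.g. an all-digit password), fall back to the whole lowercased string.
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower()).translate(LEET)
    return core if len(core) >= 3 else pw.lower().translate(LEET)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) in O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_predictable_change(old: str, new: str, max_edits: int = 2) -> bool:
    """True when the new password is a trivial mutation of the old one.

    max_edits is a hypothetical policy value: how many core edits still count as "the same".
    """
    a, b = normalize(old), normalize(new)
    if a == b or a == b[::-1]:           # same core, or merely reversed
        return True
    if len(a) >= 4 and len(b) >= 4 and (a in b or b in a):   # old core reused inside new
        return True
    return levenshtein(a, b) <= max_edits


def check_password_change(old: str, new: str, min_length: int = 8) -> Tuple[bool, str]:
    """Policy decision a change-password handler could apply (hypothetical thresholds)."""
    if len(new) < min_length:
        return False, f"new password shorter than {min_length} characters"
    if is_predictable_change(old, new):
        return False, "new password is a predictable variation of the old one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample pairs illustrating the pattern the quoted Microsoft statement describes.
    for old, new in [("Summer2019!", "Summer2020!"), ("p@ssw0rd1", "Password2"),
                     ("hunter2", "hunter22"), ("Tr0ub4dor&3", "Winter-Blue-Cactus-42")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)}")
```

The normalization is deliberately coarse: its purpose is to catch the increments and symbol swaps that expiration policies provoke, not to judge overall strength, so it should sit beside a length or breached-password check rather than replace one.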
Unfortunately, more secure passwords are harder to remember. What should businesses and consumers make of the advice to create lengthy, random, impossible-to-memorize passwords, then? Perhaps the best reason to follow this advice is because these types of passwords practically force the use of password managers, software tools that help people create passwords and then retrieve them from an encrypted database automatically when needed. Password managers aren’t bulletproof, though, and many still prefer to use their memory.
Users can still take precautions to protect themselves without using password managers. For instance, one solid piece of advice on last year’s World Password Day came from Intel: #LayerUp. Layering up involves enabling multi-factor authentication for as many devices, websites, and apps as possible. Multi-factor authentication means the password is just the first line of defense. A user’s fingerprint, face scan, or a single-use code sent to a cellphone could serve as the second line of defense. There’s a helpful list of websites and whether or not they support two-factor authentication at https://twofactorauth.org.
Passwords are an important part of authentication in 2019. Will this be true forever, though? Biometrics will someday make passwords obsolete as a first line of defense. Grand View Research says the global biometrics technology market will reach $59.31 billion by 2025. Nabil Hannan, managing principal of financial services and software integrity at Synopsys, a provider of application security testing, suggests passwords will remain relevant for the short term but not the long term and points out that biometrics can be hacked too.
This World Password Day, organizations should take the opportunity to go over basic security hygiene with their employees as it relates to both personal and professional activities. But don’t just tell them to change their passwords once a month. Instead, focus on leveraging two-factor authentication technologies, including biometrics, when possible, as well as tools like password managers, all of which can support good password practices and, hopefully, create fewer victims in 2019.