Ever-evolving cyber threats: World Password Day 2024

On World Password Day, Electronic Specifier (ES) takes some time to consider the nature of passwords and cyber threats today. In talking to key individuals working in the security space, ES reflects that the landscape today has changed since 2005 and requires constant diligence.

In 2023, ahead of World Password Day, ES reported that an Uswitch.com broadband study reflected a worrying figure: in spite of one in five UK adults being informed their password has been leaked in a data breach, they don’t take steps to update it.

Much has changed since 2005, as the evolution of passwords has witnessed their role as a means of authorising users change to authenticating. The introduction of two-factor or multi-factor authentication has added an additional layer of security as it asks for information beyond a memorable password, bringing in personal phone numbers or email addresses to verify.

Against a backdrop of cyber attacks and increasingly sophisticated scams, users are no longer protected by just their passwords. Beyond the individual, consider the impact felt by major companies working in critical sectors like healthcare, manufacturing or food production when they are the recipient of a cyber attack.

Ravi Bindra, CISO at SoftwareOne, said that in this “cyber battleground”, neglecting “password hygiene” cannot be afforded.

"Passwords are the frontline guardians of our digital fortresses, yet complacency continues to invite breaches. In today's cyber battleground, businesses must realise their security is only as robust as their weakest password. As hackers improve their tactics, neglecting password hygiene is a luxury no one can afford,” he explained. "World Password Day serves as a crucial reminder: fortify your defences with strong password practices. It's not rocket science; it's diligence. 

“Embrace longer, diverse passphrases and bolster security with multi-factor authentication. As technology evolves, passwordless authentication is emerging as the future of tomorrow's security landscape, leveraging biometrics and hardware for a safer digital journey." 

The onus is evidently no longer on the individual to enforce their own security, as the Product Security and Telecommunications Infrastructure (PSTI) Act entered into law on the 29th April 2024, requiring Internet connected smart devices to meet minimum-security standards. This includes requiring passwords made for these devices to be more secure and preventing the creation of passwords that have historically been easy to exploit; such as following a sequence ‘123’.

“It’s important we stamp out weak passwords for good,” emphasised Steve Bradford, Senior Vice President EMEA at Sailpoint. ”Passwords are one of our most widely used security controls, but often they’re overlooked or abused. The common advice is to make these strong and unique – so we need to be encouraging these practices right from the start, and we need manufacturers to help set that precedent.”

Bradford went on to explain that setting strong passwords isn’t enough “to keep hackers at bay. Tools such as multifactor authentication (MFA) should be used, providing an additional layer of protection to all online accounts. Using free password management tools can also lend a hand in creating complex passwords for accounts and storing them securely, eliminating the need for user memory. Tools like these should be standard practice for businesses and users alike.”   

Matt Stanton, Global Vice President at BioCatch, echoed a similar sentiment: “Strong passwords, multifactor authentication, SMS-based OTPs: None are enough to keep our online lives secure in the age of Generative AI (GenAI).

“The password, born in 1961, has served as our digital gatekeeper for more than six decades. And yet, more than half a century later, it remains our go-to, frontline defence against all cyberattacks.”

Stanton said that GenAI was being exploited to circumvent password-based security, social engineering using tools such as deepfake videos and voice clones to access digital banking accounts.

“To combat this new threat, banks must also innovate. Behavioural biometric intelligence allows fraud-fighters to analyse physical behavior patterns (mouse movements and typing speed, for example) and cognitive signals (hesitation, segmented typing, etc.) to detect anomalies at both a user and a population level that might indicate fraudulent activity,” he stressed. “When a user strays from their normal behaviour in an online session in a known criminal pattern, that’s usually a very good indicator something fraudulent is going on.”

Bringing new solutions to the fore, he concluded, is “imperative” in continually protecting sensitive online data and digital interactions.