According to a recent article in the Wall Street Journal, the man who literally wrote the book on password management, Bill Burr, has admitted that the password as primary protection is no longer a valid risk management strategy. Burr was the author of a 2003 report that recommended using numbers, obscure characters, and capital letters, along with regular password changes, for increased security. Now, according to the Journal story, he says he “blew it” and regrets the advice.
Thanks, Bill. Yet, despite his confession, passwords still play an important role in security today—but they are not enough alone.
If you are on the board of a company, or several companies, for instance, you are no doubt more than a little busy. Perhaps too busy to closely manage the various passwords you use for favorite Web sites and your myriad apps. If you tend to reuse the same, or similar, passwords across more than one site, or if a password is your only credential for authentication, you could be putting your organization, and yourself, at risk of identity theft or a significant data breach.
Clearly, the notion of the password as the first, and sometimes only, line of defense has become limited. Passwords have a place, but should not be used in isolation. If you think about it, the password as the standard online credential came into vogue more than 20 years ago, as the Internet became ubiquitous and email took over as the primary mode of interpersonal and business communication. Impressive, considering there aren’t too many technology solutions developed 20 years ago that are still relevant. However, cybercrime is now an industry that’s becoming more sophisticated and pernicious every day. Why would we expect a 20-year-old solution to still be effective in 2018?
As a board member, you are at particular risk for credential-based attacks. You have access to valuable company data, and attackers may assume, often with uncanny accuracy, that you do not have adequate security in place. And if a stolen password is one you reuse across multiple Web sites, watch out: attackers routinely try leaked credentials against other services (so-called credential stuffing), so your most intimate personal records, bank accounts, investment portfolios and the like, could all be at risk from a single breach elsewhere.
So, what to do?
First off, you don’t want to rely on passwords as your only line of defense. You should be using at least two factors (two-factor authentication, the simplest form of multi-factor authentication). Authentication factors fall into three categories: something you know, something you are, and something you have; a proper second factor comes from a different category than the first, so two passwords do not count. The password fits into the category of “something you know,” and, because you are likely to continue using passwords as one method of security protection, you should take the time and care to manage them closely (a password manager helps) and not keep using the same word and character patterns over and over again.
Beyond that, biometrics have become a widely used method of authentication in the category of “something you are.” If you have an iPhone, you are probably using Face ID or Touch ID, so you are aware of how simple it is to use and how commonplace it has become. One caveat: on a phone, the biometric usually just unlocks the device or a credential stored on it, so it is only a second factor for a remote service if that service actually checks something beyond the password. Often two-factor authentication, password plus a second factor, is enough, but industry best practice is moving towards multi-factor authentication that includes “something you have,” such as a security token; a hardware security key is the strongest version of that factor because a one-time code can be phished but a key bound to the real site cannot.
As a senior-level executive or board member, it is important that you remain vigilant. If your organization only requires passwords, press the issue and, if necessary, refuse to use platforms you think could be vulnerable. If someone at your level makes cybersecurity protection an issue, it is quite likely that the security team will be keen to make the proper adjustments.
Cybersecurity is only as strong as its weakest link—and you don’t want that weakest link to be you. Make sure you have authentication protections that go beyond passwords—and make sure two-factor or multi-factor authentication become standard practice at your companies. The risks are far too great to ignore.
PassWord123$$ doesn’t cut it anymore.