SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

81% of breaches trace back to passwords: Time to step up the authentication game

Tue, 6th Jun 2017

81% of hacking-related data breaches involve weak or stolen passwords, with poor credential management the common thread, in what Centrify is dubbing a case of 'deja vu'.

Citing Verizon's 2017 Data Breach Investigations Report, Centrify notes that the share of breaches involving stolen or weak passwords has jumped from 50% to 81% over the last three years.

For Centrify's senior director of APAC sales Niall King, it's a case of deja vu - and security is still not working.

"For years, we've seen compromised credentials as a primary cause of data breaches," he said.

"Cyber criminals find the path of least resistance to their target and today that path leads straight from users with self-managed 'simple factor' passwords. Since most recent breaches leveraged privileged credentials to gain access to the organisation, securing privileged access in today's hybrid enterprise is mandatory in achieving a mature risk posture. Passwords alone are not enough," he explains.

He believes that a new approach to password security is needed, one that brings together identity brokering, multi-factor authentication enforcement and just-in-time privilege.

"While most privilege solutions traditionally vaulted the credentials for shared accounts on-premises, password vaults alone do not provide the level of privileged access security required to stop the breach. What organisations need is a truly integrated solution that combines password vaulting with brokering of identities, MFA enforcement and just-enough and just-in-time privilege, that secures remote access and monitors all privileged sessions."

The company has been pursuing this strategy, with a heavy concentration on risk-based multi-factor authentication for enterprise users.

The company has also embraced machine learning as part of its behaviour profiling technology.

"An office worker who follows a set routine by typically logging in from a known device is identified as low risk, allowing immediate access to resources without extra authentication. However, logins from another country, after hours or from an unfamiliar device are flagged as high risk, so would be blocked or at least required to provide extra authentication factors," the company says in a statement.
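The policy the statement describes, as an added illustration that is not Centrify's code or product logic: each login attempt is scored against a per-user baseline (known devices, usual countries, working hours), and the score maps onto the three outcomes the statement names, allow, step-up MFA, or block. The signal weights, thresholds, users, devices and timestamps below are all assumed, constructed values; the baseline-learning step (fold a successful login's device and country into the routine) is likewise an assumption about how such a profile would be built.

```python
"""Risk-based (adaptive) authentication policy, written as an example.

Not Centrify's code. Weights, thresholds and sample data are illustrative
assumptions chosen to show how the allow / step-up / block decision falls out.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Illustrative risk weights for the signals the statement mentions (assumed values).
WEIGHT_UNKNOWN_DEVICE = 40
WEIGHT_NEW_COUNTRY = 50
WEIGHT_AFTER_HOURS = 20
WEIGHT_NO_BASELINE = 60   # first-ever login: there is no routine to compare against

# Decision thresholds (assumed values).
STEP_UP_THRESHOLD = 30    # at or above: demand an extra authentication factor
BLOCK_THRESHOLD = 90      # at or above: refuse the login outright


@dataclass
class Baseline:
    """What 'normal' looks like for one user, learned from past successful logins."""
    known_devices: Set[str] = field(default_factory=set)
    known_countries: Set[str] = field(default_factory=set)
    work_start: int = 8   # local hour, inclusive
    work_end: int = 18    # local hour, exclusive


@dataclass
class LoginAttempt:
    user: str
    device_id: str
    country: str
    when: datetime        # naive datetime in the user's local time zone


def score_attempt(attempt: LoginAttempt, baseline: Optional[Baseline]) -> Tuple[int, List[str]]:
    """Add up the risk of every anomalous signal; return the score and the reasons."""
    if baseline is None:
        # Unknown user routine: treat as risky enough to force a step-up, not a block.
        return WEIGHT_NO_BASELINE, ["no baseline for user"]
    score, reasons = 0, []
    if attempt.device_id not in baseline.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if attempt.country not in baseline.known_countries:
        score += WEIGHT_NEW_COUNTRY
        reasons.append("new country")
    if not (baseline.work_start <= attempt.when.hour < baseline.work_end):
        score += WEIGHT_AFTER_HOURS
        reasons.append("after hours")
    return score, reasons


def decide(attempt: LoginAttempt, baseline: Optional[Baseline]) -> Tuple[str, int, List[str]]:
    """Map the score onto the three outcomes in the statement: allow, step_up, block."""
    score, reasons = score_attempt(attempt, baseline)
    if score >= BLOCK_THRESHOLD:
        return "block", score, reasons
    if score >= STEP_UP_THRESHOLD:
        return "step_up", score, reasons
    return "allow", score, reasons


def record_success(attempt: LoginAttempt, baselines: Dict[str, Baseline]) -> None:
    """After a login succeeds (including one that passed a step-up), fold its device
    and country into the user's routine so the next login from there is low risk."""
    baseline = baselines.setdefault(attempt.user, Baseline())
    baseline.known_devices.add(attempt.device_id)
    baseline.known_countries.add(attempt.country)


def recheck_after_success(attempt: LoginAttempt, baseline: Baseline) -> str:
    """Show the learning step on a copy: record the success, then decide the same attempt again."""
    learned = Baseline(set(baseline.known_devices), set(baseline.known_countries),
                       baseline.work_start, baseline.work_end)
    record_success(attempt, {attempt.user: learned})
    return decide(attempt, learned)[0]


# Constructed sample data: one office worker with an established routine, one new user with none.
BASELINES: Dict[str, Baseline] = {
    "alice": Baseline(known_devices={"laptop-01"}, known_countries={"NZ"}),
}

SAMPLE_ATTEMPTS: List[LoginAttempt] = [
    LoginAttempt("alice", "laptop-01", "NZ", datetime(2017, 6, 6, 10, 0)),  # routine login
    LoginAttempt("alice", "phone-07", "NZ", datetime(2017, 6, 6, 10, 0)),   # unfamiliar device
    LoginAttempt("alice", "phone-07", "AU", datetime(2017, 6, 6, 23, 0)),   # new device, new country, after hours
    LoginAttempt("bob", "laptop-99", "NZ", datetime(2017, 6, 6, 10, 0)),    # no baseline at all
]


def evaluate_all(attempts: List[LoginAttempt] = SAMPLE_ATTEMPTS,
                 baselines: Dict[str, Baseline] = BASELINES) -> List[Tuple[str, str, int]]:
    """Decide every attempt; returns (user, decision, score) per attempt."""
    results = []
    for attempt in attempts:
        decision, score, _ = decide(attempt, baselines.get(attempt.user))
        results.append((attempt.user, decision, score))
    return results


if __name__ == "__main__":
    for user, decision, score in evaluate_all():
        print(f"{user:6} {decision:8} score={score}")
```

The point worth noticing is the asymmetry: a single unfamiliar signal only costs the user one extra factor, while several stacked signals (new device plus new country plus an odd hour) tip into an outright block, and a user with no routine yet is stepped up rather than refused. Once the stepped-up login succeeds, the device and country join the baseline, so the same login next time is low risk.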

King believes that better authentication is far more efficient than password-only security.

"Reducing the friction for users through more choices in authentication factors, fewer prompts and a more consistent user experience, will go a long way toward reducing reliance on passwords alone. The bottom line is that moving beyond password-only security pays off," he concludes.
