Celebrating World (No) Password Day

By Special Guest
Jackson Shaw, VP, Product Management, One Identity
May 03, 2018

It’s World Password Day, where we recognize the ubiquitous, troublesome, and most-often-hacked step in any security process. Most people suffer from a love-hate relationship with passwords, which stems from the fact that we know we need them, but we hate the effort required to use them correctly. This results in us not following best practices, creating more vulnerability in our network and to our data. Therefore, I propose we switch to World “No” Password Day.

If we did passwords correctly – and everyone followed the rules – risk would be minimized, but the sheer volume and diversity of systems that need logging into makes it virtually impossible to consistently use strong hack-proof passwords.

According to research, 63 percent of data breaches are linked to weak, reused, or stolen passwords. I would argue that passwords have worn out their welcome and it’s time to look for more secure, manageable, and user-friendly options. We can see it slowly starting to happen in pockets throughout the corporate and consumer worlds. Examples include the requirement for smart card authentication in U.S. Federal Government agencies and the fingerprint or facial recognition technologies used on smartphones. It can even be seen in the way that many newer applications have built-in support for stronger authentication methods beyond the standard username/password. These are all great signs of progress and of where authentication methods are heading.

Even with these new security processes being integrated, from a practical standpoint, we are still far away from the end of passwords. However, it is relatively easy to augment existing password authentication with a second, more progressive security step. As I noted above, many government agencies are being required to enable legacy applications with Common Access Card (CAC) login. While making this update, the agencies have found that rather than re-architecting the application to support CAC, fronting applications with a modern single sign-on (SSO) solution can add the required integration quickly and easily. Similarly, most modern web SSO solutions include support for many multi-factor authentication options.

SSOs not only reduce the number of passwords a person must manage, remember, and reset, but SSOs can also replace the password with a stronger and more convenient authentication method.

Privileged access management (PAM) is perhaps the most troublesome password scenario. There is incredibly high power and risk associated with administrator access, since administrators are the ones with the keys to the kingdom. While it is possible to add multi-factor authentication to legacy privileged password management, any new implementation should include built-in multi-factor authentication as well as newer methods such as “push to authenticate”. Push authentication involves sending a notification (via a secure network) to a user's device when accessing a protected resource. Both “push to authenticate” and multi-factor authentication are security measures that are virtually impossible for bad actors to steal or fake.

And finally, since passwords will unfortunately remain in use for the foreseeable future, let’s look at ways to streamline using them, and ultimately make them irrelevant. Look for ways to manage passwords through SSO and self-service password reset. Ask yourself how additional security measures (such as adding multi-factor authentication) are affecting users. Are users more likely to follow the rules because security made their lives easier? Or are they going to look for ways around the rules to facilitate convenience? If your well-intentioned security measures are not going to be followed, you are worse off than if you had not implemented any type of security at all.

So, let’s get in the mindset of celebrating the password as a quaint nostalgic security measure of days gone by and turn our focus on moving on to more progressive and better security authentication methods. Now that would be cause for celebration.
