Citrix is just the latest in a long line of companies to have fallen victim to a data breach, after users’ passwords were compromised following a ‘sophisticated data breach’. The news should act as a reminder for organisations and individuals to move beyond passwords, according to Dave Worrall, CTO at Secure Cloudlink, who argues the weaknesses presented by passwords are consistently being ignored.
Worrall explains: “Given the severity and regularity of data breaches, it’s clear that the current approach to passwords still presents major vulnerabilities. A strong password alone is not enough to protect an individual or an organisation from a malicious attack. This has been demonstrated time and time again by the rise in breaches across web platforms such as LinkedIn, MySpace and Tumblr that resulted in email credentials for sale online. There is now an enormous market for stolen data, which means good security hygiene is more crucial than ever. Despite IT departments and security experts urging users to be more diligent when it comes to password management, hacks and breaches continue to occur.
“Complex and hard-to-guess passwords alone are not enough as they still present risks. If a site is hacked or passwords are not stored in an encrypted format, high-risk data still has the potential to be compromised. What’s more, passwords can still be stolen and the encryption broken.
“The password usability problem has worsened in recent years. Complex passwords are inconvenient, meaning users often avoid them in the first place. And the fact that a simple graphics card can crack a strong password only exacerbates the password problem. Recent developments to mitigate the issue include single sign-on and password managers. Also, while biometrics and hashing passwords may improve the user experience by adding a new level of security to user credentials, this doesn’t remove the use and transmission of passwords and credentials in the background.
“The Citrix data breach should serve as a wake-up call to the vulnerabilities presented by the password security system. Although this approach was suitable some time ago, we’ve progressed into an increasingly digital environment, which means passwords have evolved into an indefensible means of authentication. What’s needed is a change in mind-set towards security and to completely revise the entire concept of the password, as it’s simply a vulnerable protocol. The faster we embrace solutions that tackle this problem the better chance we have of mitigating data breaches,” concludes Worrall.