Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Saturday, 28 January, 2023
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Authentication is imperfect, but passwords are not going away

by The Gurus
May 3, 2018
in This Week's Gurus
Hacker
Share on FacebookShare on Twitter

As a hacker, I found vulnerabilities like easy-to-guess passwords made my work much easier. If that attack vector didn’t pan out, I could usually get around the authentication flow, or gain basic privileges and escalate them for admin access. We must accept that these vulnerabilities – imperfect authentication and passwords – are not going away anytime soon, and businesses must take steps to strengthen their security posture with this in mind.

A key challenge in eliminating passwords is that too many SaaS providers still don’t offer token-based sign-in such as with SAML or OpenID Connect. On top of that, many enterprises still have dozens – if not hundreds – of legacy applications that require passwords. It will take some enterprises a long while to migrate off these legacy apps which use application-specific passwords, and do not support requirements such as password complexity or password expiration.

In addition, passwords make for only a small part of a strong security posture. Security is only as strong as its weakest link, and on some systems, passwords may be a good attack vector. Real-world attackers are more likely to use alternate attack vectors to get around passwords. Some common ones are:

 

  • Application vulnerabilities
  • Spearphishing
  • Social engineering

Being a true password champion means applying password best practices while having a modern approach to access management that is more holistic than a password management tool or a password education campaign.

Here’s what businesses are doing wrong and how they can fix it. To illustrate, let’s use the classic security triangle: People, Process, and Technology.

People

Enterprises invest in education like training for compliance reasons, but often overlook enabling people with self-service for password reset and self-registration of MFA. In addition, companies combat shadow IT, but don’t offer an alternative such as faster onboarding of business apps. For example, your employees need to use LinkedIn and Twitter for business, so provide them with a safe way to manage passwords for those personal apps.

Process

Think marathon, not sprint. Some SaaS providers still don’t offer token-based sign-in such as SAML-enabled login. Enterprises need to gradually consolidate passwords, ideally to a single set of corporate credentials for apps, networks, and devices. Similarly, access management should be unified and holistic across the entire organization with user information and privileges.

Technology

Password best practices are not hard to follow and apply, and they are an important part of your security practice. Having said that, don’t stop there, and don’t look for a silver bullet. Look for a platform, not a tool, for the wide variety of use cases and for supporting complete authentication and access management scenarios across the enterprise. For example, a single platform can make it much easier to provide password reset self-service to your entire user base.

In summary, being a true password champion goes well beyond password best practices. Enterprises that fail to deploy today’s front-line access management solutions across their orgs – enabling people, planning for a continuous effort, and seeking a full platform solution – are at serious risk and will lose out.

 

FacebookTweetLinkedIn
Tags: CybersecurityTechnology
ShareTweetShare
Previous Post

The Software Economy’s unquenchable thirst for data

Next Post

Fancy that, Fancy Bear: LoJack anti-laptop theft tool caught phoning home to the Kremlin

Recent News

Data Privacy Day: Securing your data with a password manager

Data Privacy Day: Securing your data with a password manager

January 27, 2023
#MIWIC2022: Carole Embling, Metro Bank

#MIWIC2022: Carole Embling, Metro Bank

January 26, 2023
Lupovis eliminates false positive security alerts for security analysts and MSSPs

Lupovis eliminates false positive security alerts for security analysts and MSSPs

January 26, 2023
Threat actors launch one malicious attack every minute

Threat actors launch one malicious attack every minute

January 25, 2023

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Events
    • Most Inspiring Women in Cyber 2022
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2019 IT Security Guru - Website Managed by Calm Logic

This site uses functional cookies and external scripts to improve your experience.

Privacy settings

Privacy Settings / PENDING

This site uses functional cookies and external scripts to improve your experience. Which cookies and scripts are used and how they impact your visit is specified on the left. You may change your settings at any time. Your choices will not impact your visit.

NOTE: These settings will only apply to the browser and device you are currently using.

GDPR Compliance

Powered by Cookie Information