The cyber risks that password-based authentication poses to organisations are increasingly well known, and businesses can address the problem in a variety of ways. Against the threats that come with password use, chiefly brute-force attacks, credential stuffing and phishing, CISOs have an array of solutions of varying efficacy.
Some approaches to preventing data breaches focus on password strength: users must meet increasingly onerous rules on minimum length and on the inclusion of numbers and special characters. Strength rules do help against brute-force guessing and offline cracking, but they do nothing against credential stuffing, where the attacker already holds a password the user reused on another site, or against phishing, where the user hands the password over. For many organisations, focusing solely on password strength also fails to direct user time and attention to where they are most required: performing their role.
Risk-based approaches to cybersecurity require organisations to focus on where data breaches are most likely to occur. According to the UK Government's 2022 Cyber Security Breaches Survey, of the businesses that identified a breach or attack, 83% reported phishing. A focus on password strength, however, offers no preventative measure against phishing at all. Even a password which would take billions of years to crack is worthless if the attacker knows what it is.
Why many defences against phishing are flawed
Many organisations attempt to address this issue by investing in mail filters and cybersecurity training for employees, although these are far from foolproof. The sheer volume of phishing emails sent each day, around 3.4 billion, means that some will inevitably slip past mail filters.
Cybersecurity training, meanwhile, has been shown to have a limited effect on mitigating cyber risk. Research from Vanderbilt and Dartmouth found that employees had done little to change their behaviour when tested three months after receiving extensive training on avoiding phishing attacks. My1Login’s own research also found that for many insecure practices with passwords, such as reusing them or writing them down, cybersecurity training had little to no impact on their prevalence among employees.
How hiding passwords solves the phishing problem
Ultimately, as long as employees memorise and type passwords, a convincing spoofed login page can harvest them, and organisations will remain exposed to phishing. The way to remove that exposure is a technological control that takes password handling out of the hands of end users altogether, so that a system, not the person, decides where a credential is entered.
To achieve this, many organisations are turning to solutions such as Single Sign-On and enterprise password managers, which generate strong, unique passwords for users and fill them into login forms automatically. The fill is bound to the web address the credential was saved for. If a user follows a phishing link and is asked to enter credentials on a spoofed site, the spoofed address matches no stored entry, so the manager offers nothing to fill and the password is never sent to the attacker. The user does not have to spot the fake; the address mismatch does that for them.
While these solutions can be effective at preventing phishing attacks, organisations should also ensure that any enterprise password management solution can be configured to hide passwords from users. Automatic filling only protects a credential the user cannot otherwise reach: if the password is visible, a user can still type it, or copy and paste it, into the spoofed page and the attack succeeds. Hiding the password closes that gap.
If employees neither create nor see their passwords, and cannot enter them manually because the enterprise password manager keeps them hidden, a phishing page has nothing to collect from them. By using a technological solution to store and enter passwords, organisations can focus their efforts on the biggest threat to their defences and the most common form of cyberattack, making this an extremely cost-effective, risk-based approach to preventing data breaches.
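The two mechanisms described above, address-bound filling and hidden passwords, are shown together in the following added example. It is illustrative code written for this page, not My1Login's or any product's implementation; the vault entries, page addresses and the `inject` form-fill step are constructed assumptions. The manager compares the exact HTTPS origin (scheme, host and port) of the page against the origin stored with each credential, refuses plain-HTTP pages, and hands the plaintext only to the fill routine, never back to the user interface.

```javascript
// Added example: origin-bound autofill decision for an enterprise password
// manager. Not the page author's code; all data below is constructed.

// Constructed vault. Each entry is bound to the exact origin it was saved on.
const vault = [
  { origin: 'https://mail.example.com', username: 'alice', password: 'rQ7!vZp2#kLm9' },
  { origin: 'https://hr.example.com',   username: 'alice', password: 'Wb3$nT8@qJx1' },
];

// Normalise a page address to a scheme+host+port origin, or null if the page
// is not served over HTTPS (a downgraded or plain-HTTP page never gets a fill).
function originOf(pageUrl) {
  let u;
  try { u = new URL(pageUrl); } catch (e) { return null; }
  if (u.protocol !== 'https:') return null;
  // The WHATWG URL parser converts Unicode hostnames to punycode (xn--...),
  // so a homograph host can never compare equal to the ASCII origin we stored.
  return u.origin;
}

// Return the vault entries the manager is allowed to fill on this page.
function credentialsFor(pageUrl, entries) {
  const origin = originOf(pageUrl);
  if (origin === null) return [];
  return entries.filter(e => e.origin === origin);
}

// Decide whether to fill. In hidden-password mode the UI receives a username
// and an inject() step; the plaintext is only ever written into the form
// object, so there is nothing for the user to read, copy or retype elsewhere.
function autofillDecision(pageUrl, entries) {
  const matches = credentialsFor(pageUrl, entries);
  if (matches.length === 0) {
    const o = originOf(pageUrl);
    return { fill: false, reason: 'no credential saved for ' + (o === null ? 'non-HTTPS or invalid page' : o) };
  }
  const entry = matches[0];
  return {
    fill: true,
    username: entry.username,
    reason: 'exact origin match',
    inject: (form) => { form.username = entry.username; form.password = entry.password; },
  };
}

// Usage on constructed pages: one legitimate, the rest spoofed in common ways.
const pages = [
  'https://mail.example.com/login?next=/inbox',        // legitimate
  'https://mail.example.com:443/login',                // same origin, explicit port
  'https://mail.example.com.evil-login.test/login',    // real host as a subdomain of the attacker's
  'https://mail.examp1e.com/login',                    // digit-for-letter lookalike
  'https://mail.ex\u0430mple.com/login',               // Cyrillic 'a' homograph
  'http://mail.example.com/login',                     // downgraded to plain HTTP
];
for (const p of pages) {
  const d = autofillDecision(p, vault);
  console.log(p, '->', d.fill ? 'FILL (' + d.reason + ')' : 'REFUSE (' + d.reason + ')');
}
```

This example matches on the exact origin. Many products instead match on the registrable domain so that every subdomain shares a credential; that is more convenient but means a phishing page hosted on any subdomain of the same domain, for instance through a dangling DNS record, would be filled too. Whichever rule is chosen, the protection holds only because the user cannot bypass it, which is why the hidden-password configuration matters as much as the matching logic.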