More than three-quarters (77%) of IT security professionals believe passwords are no longer fit for purpose, according to a new Lieberman Software poll which confirms what numerous data breaches have already told us over the past year.
Over half of those asked by the security firm at RSA Conference this year said they thought modern tools could brute force such credentials within organizations, allowing hackers to gain the privileged access they need to go after high-value IP or customer data.
That’s not even to mention the risk of attackers spear phishing credentials from unsuspecting IT staff and others with privileged access.
In fact, over one-third (36%) of respondents to the poll said IT staff shared passwords in their organization.
This kind of poor password management is endemic in organizations, especially in IT teams who should know better, yet is often overlooked by senior staff.
Jonathan Sander, VP of product strategy at Lieberman Software, said the first step towards good security is knowing what you need to secure.
“Why? Because security makes the assumption that you probably don’t have a good grasp on the basic question of: what’s in my IT domain?” he told Infosecurity.
“If you can’t trust that you know what you have, you certainly should not trust that the staff is made of people who are taking proactive leadership on common risks. The risks are common because so few are leading the way to changing them.”
To crack down effectively on this kind of behavior, it would help if senior IT decision makers were more realistic about their staff.
“The skepticism that is needed to have a proper security posture doesn’t come naturally to the type of positive thinker that often makes themselves a leader in a healthy organization,” Sander argued.
“So it’s easy for them to think everything is going better than it may actually be. This over-optimism is especially dangerous in security.”
As for what should replace passwords, he claimed that two-factor authentication should be the bare minimum standard for privileged accounts.
“There will be many scenarios, though, where multi-factor is not supported by the underlying system or possible in the specific use case. A common example when multi-factor authentication is not possible is when allowing programmatic access to a system,” Sander explained.
“Often the application that needs to use a privileged password cannot handle multi-factor authentication. For the scenarios where you will need a password alone, and for all the scenarios you can’t predict where a password may be dangerous, constant rotation of the passwords is the best protection you can get.”
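Sander's point about programmatic access is that some systems can only take a password, so the defence there is to keep changing it. The following is an added example, written for this article and not Lieberman Software's product or code, of what that looks like in practice: a small credential store that generates random passwords, enforces a maximum password age, rotates anything that is overdue, and honours the previous password only for a short grace window so jobs already running do not break mid-run. The account name, the intervals and the caller-supplied clock are constructed for illustration.

```python
"""Scheduled rotation of privileged service-account passwords (illustrative, added example)."""
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass
from typing import Optional

# Character set for generated passwords; widen or narrow it to match the target system's rules.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 32) -> str:
    """Return a cryptographically random password drawn from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class Credential:
    account: str
    password: str
    rotated_at: float                # time of last rotation, from the caller-supplied clock
    previous: Optional[str] = None   # prior password, accepted only during the grace window


class RotatingCredentialStore:
    """Holds privileged passwords and enforces a maximum age on each one."""

    def __init__(self, max_age: float, grace: float) -> None:
        self.max_age = max_age   # seconds a password may be used before rotation is due
        self.grace = grace       # seconds the previous password keeps working after a rotation
        self._creds: dict[str, Credential] = {}

    def enroll(self, account: str, now: float) -> str:
        """Register an account (hypothetical name supplied by the caller) with a fresh password."""
        pw = generate_password()
        self._creds[account] = Credential(account, pw, now)
        return pw

    def needs_rotation(self, account: str, now: float) -> bool:
        return now - self._creds[account].rotated_at >= self.max_age

    def rotate(self, account: str, now: float) -> str:
        """Issue a new password; keep the old one so in-flight jobs finish within the grace window."""
        cred = self._creds[account]
        new_pw = generate_password()
        self._creds[account] = Credential(account, new_pw, now, previous=cred.password)
        return new_pw

    def rotate_due(self, now: float) -> list[str]:
        """Rotate every account whose password has reached max_age; return the accounts rotated."""
        rotated = []
        for account in list(self._creds):
            if self.needs_rotation(account, now):
                self.rotate(account, now)
                rotated.append(account)
        return rotated

    def overdue(self, now: float) -> list[str]:
        """Accounts past max_age: the rotation job failed or never ran, which is worth alerting on."""
        return [a for a in self._creds if self.needs_rotation(a, now)]

    def verify(self, account: str, password: str, now: float) -> bool:
        """Constant-time check against the current password, or the previous one inside the grace window."""
        cred = self._creds.get(account)
        if cred is None:
            return False
        if secrets.compare_digest(password.encode(), cred.password.encode()):
            return True
        if cred.previous is not None and now - cred.rotated_at < self.grace:
            return secrets.compare_digest(password.encode(), cred.previous.encode())
        return False


if __name__ == "__main__":
    # Constructed walk-through: one service account, hourly rotation, five-minute grace window.
    store = RotatingCredentialStore(max_age=3600, grace=300)
    first = store.enroll("svc-backup", now=0)
    print("overdue at t=3600:", store.overdue(now=3600))
    print("rotated:", store.rotate_due(now=3600))
    print("old password still valid at t=3700:", store.verify("svc-backup", first, now=3700))
    print("old password valid at t=3900:", store.verify("svc-backup", first, now=3900))
```

The `overdue` list is the detection hook: if a rotation job silently stops, accounts accumulate there and should page someone, since an unrotated privileged password is exactly the standing exposure the article describes. The clock is passed in rather than read from `time.time()` so the policy can be tested deterministically.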