
Password Basics: Why Mastering Fundamentals Is Crucial in Today’s Complex Cybersecurity Landscape

By Darren Guccione, October 9, 2024 (updated November 8, 2024), 6 min read

It is often said, but worth repeating: in cybersecurity, we cannot afford to neglect the basics. Attention has increasingly shifted to the ‘scarier’ threats posed by Artificial Intelligence (AI) and other disruptive technologies, and the fundamental practices are being overlooked as a result.

There is no denying that cyber threats are becoming more sophisticated, with AI playing a significant role. Recent research reveals that 92% of security leaders have seen a year-over-year increase in cyber attacks, and 95% report that these threats have become more sophisticated. None of this changes the principle that attackers take the path of least resistance. If credentials are compromised, attackers do not need novel techniques; they simply log in. Time and effort are valuable resources to cyber criminals, just as they are to IT teams.

The Modern Confidence Paradox  

Password awareness and education efforts are nothing new, so it’s not surprising that many view themselves as password pros. New research shows that 64% of people worldwide are confident in their understanding of cybersecurity best practices. A striking 85% believe their passwords are secure, and 83% think they manage their passwords well.  

Yet, poor password practices continue to plague IT teams across many organizations. The same research found that 41% of respondents admitted to reusing passwords across multiple accounts despite widespread advice against this dangerous habit, and 61% admitted to sharing passwords verbally, via text, or even written down.  

This unveils a paradox for cybersecurity professionals: While a large portion of the population feels confident in their knowledge, they continue to make reckless mistakes, leading to successful scams and cyber attacks. So, why do people get passwords so wrong? 

Too Many Accounts, Too Many Passwords 

Blaming indifference alone is too simple. The reality is that most people have far too many accounts to manage. In 2024, it’s estimated that the average person has over 255 personal and work accounts requiring passwords, with 87 of those being work-related. It’s no wonder that nearly two-thirds (62%) of people worry about managing the sheer number of passwords, accounts, and logins that they have. That’s a lot of unique passwords to first create securely – and then remember. 

Many organizations have implemented password complexity requirements, which is a good step: complex passwords are harder to guess or crack. However, even the most complex password is rendered useless once it has been breached. And with hundreds of complex passwords to remember, people are tempted to write them down or reuse them, which defeats the purpose of the policy.

If a single password is breached, the affected account can be secured again by changing it. But if that password is shared across accounts, cybercriminals can replay the leaked credential in credential stuffing attacks against every other site where it was used, with no guessing required. Writing passwords down, sharing them and reusing them are different habits with the same outcome, and none is worth the risk.

This begs the question: How can people manage the rising tide of accounts and passwords safely?   

Reimagining Password Security to Keep Up

IT and security teams must guide individuals toward smarter password and security decisions. While password education may feel passé, people are still getting it dangerously wrong.

Education must evolve to address the increasing number of accounts and the evolving threat landscape, including AI-driven attacks. Constant reinforcement of security practices is crucial. 

Similarly, organizations around the world should provide clear guidelines on password security and promote the use of a password manager. Password managers alleviate the pressure of remembering too many passwords while facilitating the creation of strong, unique passwords.

This circumvents the risk of password reuse, the need to remember multiple complex passwords, and the worry of insecure credentials. Fortunately, individuals and organizations are beginning to move in the right direction, with 12% of people worldwide currently using password managers to create passwords.  
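The reuse and breach problems described above, and the checks a password manager runs to catch them, as an added example that is not code from the original article or from any vendor's product. It generates passwords from a CSPRNG, estimates an entropy upper bound, checks a password against a breach corpus using the k-anonymity prefix query pattern (only the first five hex characters of the SHA-1 would leave the device), and audits a small vault for reuse, leaked and weak entries. The breach hashes, the sample vault and the 60-bit weakness threshold are all constructed for the example.

```python
import hashlib
import math
import secrets
import string
from typing import Dict, Set, Tuple

# Constructed sample: plaintexts standing in for a breach dump. Only their SHA-1 hashes
# are kept, which is how breach-corpus services store and query them.
_LEAKED_PLAINTEXTS = ["Password123!", "Summer2024!", "Welcome1", "qwerty123"]
LEAKED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _LEAKED_PLAINTEXTS}

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_BITS = 60.0  # assumed policy threshold below which a password is flagged "weak"


def generate_password(length: int = 20) -> str:
    """Manager-style generation: CSPRNG over the full printable alphabet, no human pattern."""
    if length < 12:
        raise ValueError("generated passwords should be at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Upper bound: length * log2(pool size) for the character classes present.
    Human-chosen passwords carry far less; this only catches the obviously short ones."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def k_anon_query(password: str) -> Tuple[str, str]:
    """Split the SHA-1 into the 5-hex-char prefix a client would send to a breach service
    and the suffix it compares locally, so the full hash never leaves the device."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def is_leaked(password: str) -> bool:
    """Offline stand-in for a range query: match the suffix inside the prefix bucket."""
    prefix, suffix = k_anon_query(password)
    bucket = {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}
    return suffix in bucket


def audit_vault(vault: Dict[str, str]) -> Dict[str, Set[str]]:
    """The three checks a password manager's health report runs: reuse across sites,
    presence in a breach corpus, and low entropy. Returns the offending site names."""
    by_password: Dict[str, Set[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, set()).add(site)
    reused = {s for sites in by_password.values() if len(sites) > 1 for s in sites}
    leaked = {s for s, pw in vault.items() if is_leaked(pw)}
    weak = {s for s, pw in vault.items() if entropy_bits(pw) < MIN_BITS}
    return {"reused": reused, "leaked": leaked, "weak": weak}


# Constructed sample vault (not real credentials).
SAMPLE_VAULT = {
    "mail.example.com": "Summer2024!",
    "bank.example.com": "Summer2024!",          # reused, and in the breach corpus
    "hr.example.com": "Welcome1",               # weak, and in the breach corpus
    "vpn.example.com": "x7#Qm!2vLp@9dRz&4Kw$",  # generated, unique
}

if __name__ == "__main__":
    print(audit_vault(SAMPLE_VAULT))
    print(generate_password(), is_leaked("Password123!"))
```

Note that "Password123!" passes the complexity test (four character classes, 78 bits by the crude estimate) and still fails, because it is in the breach corpus; that is the point of checking against leaked data rather than only enforcing composition rules.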

Easing the Burden on Users

For IT teams, adding an extra layer of defense, like Multi-Factor Authentication (MFA), is another way to ease the burden on end users who might make password mistakes. MFA significantly lowers unauthorized access risks – WorldMetrics’ 2024 report highlights a 92% reduction in unauthorized access and a 76% decrease in fraud cases by preventing account takeovers and identity theft when MFA is enabled. 

MFA strengthens security by requiring multiple forms of verification, raising the bar against credential theft and supporting compliance with regulations like GDPR and HIPAA. However, it may face user resistance due to perceived inconvenience, integration challenges with legacy systems, and costs associated with solutions and training. Device dependency and the weakness of SMS-based codes, which are exposed to SIM swapping and interception, also need careful consideration. One-time codes of any kind can be relayed by a real-time phishing proxy, so where the threat model includes targeted phishing, phishing-resistant factors such as FIDO2/WebAuthn security keys or passkeys, which are bound to the site's origin, are the stronger choice. Balancing security with usability is critical to ensure effective protection while maintaining a smooth user experience.

Securing Privileged Credentials

Similarly, Privileged Access Management (PAM) tools enhance cybersecurity by safeguarding an organization’s most sensitive accounts. PAM focuses on securing, controlling, and monitoring access to critical systems and privileged accounts. By keeping privileged credentials in a digital vault, enforcing strong authentication, and rotating passwords automatically, PAM mitigates credential theft. It limits privileged access to only those who need it, which minimizes the organization’s attack surface, and it flags anomalous behavior in real time. It can also integrate MFA, so that even if a password is compromised, an attacker cannot easily use it.

Furthermore, PAM helps organizations meet compliance standards by logging all privileged access activities and providing audit trails for security reviews. In essence, PAM shifts the focus from just managing passwords to controlling privileged access, improving overall security, and reducing the risks associated with high-level accounts.
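The PAM workflow described in the two paragraphs above, reduced to its moving parts, as an added example that is not code from the original article or from any PAM product: a vault that holds the secret, an entitlement check, an MFA gate, a time-boxed checkout that only one user can hold at a time, rotation of the secret on check-in (so whatever the user saw during the session is dead afterwards), and an audit trail in which each entry commits to the hash of the previous one, so deletion or edits are detectable at review. The class and method names, the injectable clock, and the account names in the demo are all invented for the example; a production vault would also encrypt secrets at rest and push the rotated secret to the target system.

```python
import hashlib
import json
import secrets
import time
from typing import Callable, Dict, List, Optional, Set, Tuple


class AccessDenied(Exception):
    pass


class PrivilegedAccessBroker:
    """Minimal PAM workflow: vaulted secrets, entitlement check, MFA gate, time-boxed
    exclusive checkout, rotation on check-in, and a hash-chained audit log."""

    GENESIS = "0" * 64

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                                    # injectable clock for testing
        self._vault: Dict[str, str] = {}                   # account -> current secret
        self._entitled: Dict[str, Set[str]] = {}           # user -> accounts they may use
        self._checkouts: Dict[str, Tuple[str, float]] = {}  # account -> (user, expiry)
        self._audit: List[dict] = []
        self._prev_hash = self.GENESIS

    # ---- vault ----
    def register(self, account: str) -> None:
        self._rotate(account)
        self._log("register", "system", account)

    def _rotate(self, account: str) -> None:
        self._vault[account] = secrets.token_urlsafe(24)  # real PAM also pushes it to the target

    def grant(self, user: str, account: str) -> None:
        self._entitled.setdefault(user, set()).add(account)
        self._log("grant", user, account)

    def current_secret(self, account: str) -> str:
        """Administrative view, used here only to show that rotation happened."""
        return self._vault[account]

    # ---- access ----
    def checkout(self, user: str, account: str, mfa_verified: bool, ttl: int = 900) -> str:
        if account not in self._entitled.get(user, set()):
            self._log("deny", user, account, reason="not entitled")
            raise AccessDenied(f"{user} is not entitled to {account}")
        if not mfa_verified:
            self._log("deny", user, account, reason="mfa required")
            raise AccessDenied("MFA is required for privileged checkout")
        holder = self._checkouts.get(account)
        if holder and holder[1] > self._now():
            self._log("deny", user, account, reason=f"held by {holder[0]}")
            raise AccessDenied(f"{account} is checked out by {holder[0]}")
        self._checkouts[account] = (user, self._now() + ttl)
        self._log("checkout", user, account, ttl=ttl)
        return self._vault[account]

    def checkin(self, user: str, account: str) -> None:
        holder: Optional[Tuple[str, float]] = self._checkouts.get(account)
        if holder is None or holder[0] != user:
            raise AccessDenied("no active checkout for this user")
        del self._checkouts[account]
        self._rotate(account)  # the secret the user handled is now worthless
        self._log("checkin+rotate", user, account)

    # ---- audit ----
    def _log(self, event: str, user: str, account: str, **extra) -> None:
        entry = {"ts": self._now(), "event": event, "user": user, "account": account,
                 **extra, "prev": self._prev_hash}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self._prev_hash = entry["hash"]
        self._audit.append(entry)

    def audit_trail(self) -> List[dict]:
        return [dict(e) for e in self._audit]

    @classmethod
    def verify_chain(cls, trail: List[dict]) -> bool:
        """Recompute every hash and link; any edited, removed or reordered entry breaks it."""
        prev = cls.GENESIS
        for e in trail:
            body = {k: v for k, v in e.items() if k != "hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body.get("prev") != prev or digest != e.get("hash"):
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    broker = PrivilegedAccessBroker()
    broker.register("root@db01")
    broker.grant("alice", "root@db01")
    secret = broker.checkout("alice", "root@db01", mfa_verified=True, ttl=600)
    broker.checkin("alice", "root@db01")
    print(secret != broker.current_secret("root@db01"), broker.verify_chain(broker.audit_trail()))
```

The design choice worth copying is that the audit log is written by the broker on every decision, including denials, and not by the caller; a reviewer can then answer "who held this account at that time, and was MFA satisfied" from the trail alone.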

Confidence is Important 

Confidence and awareness are key in the fight against neglecting the basics, so it’s good that people feel confident in their practices. However, it’s vital to ensure they’re confident in the right practices. By working together to understand password security as an essential link in the security chain, we can collectively bolster protection against the escalating threats of cyber attacks and online scams in both our personal and work lives.  

Emphasizing modern password security holistically, encompassing both age-old and new knowledge, is key to enhancing overall cybersecurity resilience and making the digital world a safer place.

Darren Guccione

Darren Guccione is the CEO and co-founder of Keeper Security, a leading provider of cloud-based zero-trust and zero-knowledge cybersecurity software designed to protect passwords, passkeys, secrets, connections and privileged access. Darren holds a master’s degree from the Kellstadt Graduate School of Business at DePaul University and a Bachelor of Science in Industrial and Mechanical Engineering from the University of Illinois.
