In this episode of ‘Expo Talks’, Quentyn Taylor and a panel of cybersecurity experts discuss learnings from two years of a world working from home.
Passwords are the keys to our online lives and there has never been a time when we haven’t used them to keep our information safe. However, since the invention of the computer password in the 1950s a lot has changed. Most obviously, we are now interconnected and the passwords that may have once unlocked an isolated terminal are now, potentially, the keys to the kingdom. Or are they? Quentyn Taylor, Canon EMEA’s Director of Information Security, dispels some myths around this most foundational element of online safety.
Myth #1: Passwords are disappearing
According to Per Thorsheim, password guru and founder of Norway’s Password Con, “passwords are not going away”. Means of authentication come and go, but passwords have stuck with us for decades. “We’ve been trying to get rid of them for a very long period of time, and where we can, we have – and should,” says Quentyn. “They are a very convenient way to authenticate, but that doesn’t mean to say that we shouldn’t try to get rid of passwords and /or supplement them with other authentication mechanisms.” Many of us are already using biometrics, such as fingerprint and facial recognition, which he agrees are also very convenient and offer enough security in many cases (“Is it sufficient to open a bank vault? No. Is it sufficient to control a credit card for which there is insurance? Yes, it’s probably good enough.”), but users should be aware of their limitations. If your face or fingerprint is successfully copied – and it has happened – what can you use then? “Biometrics are good, but they’re invasive and sometimes, depending on the device, the margin of error has to be set so wide, that it can be bypassed. Security tokens or keys offer more in the way of security at this point in time.”
Myth #2: A strong password, changed regularly, will completely protect you
“A lot of people say, ‘don’t share your password and change it often’. You know what? That’s not going to do the job alone. Multi-Factor Authentication is absolutely critical – as is having strong back-end analytics in place.” Analysing the context of user logins is substantially more powerful, he argues. “It’s working from the other side to be able to say, ‘Prakash is logging in from West London, and that’s his home DSL – so why is he also trying to log in from Vietnam?’” This kind of analysis can be swiftly put in place using suites of back-end products that are readily available from Microsoft and other providers. Quentyn also recommends that organisations put in place “federated logons”, that is, “you log on to a single system, which in turn grants you access to the services and networks you require.” This offers a way to quickly analyse and immediately flag unusual differences, such as location and IP address, but also the devices used and where users are headed. For even more individual security power, Quentyn also recommends hardware tokens – physical authentication devices – such as YubiKey or Google’s Titan Security Key. “They’re inconvenient, but they are extremely good because you don’t have a password that you can get stolen. Yes, the physical token can get stolen but for most people’s threat model the attacks are remote.”
Myth #3: Multi-Factor Authentication is unbeatable
MFA does a lot of heavy lifting in the world of Information Security, and, on the whole, it does an excellent job. But it can’t do everything. For example, it cannot prevent human error. “If you’re not using Multi-Factor Authentication on your personal social media accounts and your corporate main email account, then you are at serious disadvantage,” explains Quentyn. “But be very aware of the fact that it is not infallible.” He cites the abuse of push notifications as a significant risk, where attackers effectively spam their victims with push notifications. It works simply on the understanding that humans lose patience – and eventually will click ‘accept’, just to get rid of the barrage. “Push attacks are very common at the moment – and can be devastating,” he warns. “You may receive hundreds of notifications, but it only takes one to be accepted. And then they’re in”. So, while Multi-Factor Authentication is an absolutely essential and effective means of protection, it is somewhat inevitable that simple errors in judgement will therefore end up being the primary source of security breaches. In short, Multi-Factor Authentication cannot protect you against every risk, so you still need to exercise sound judgement when it comes to other kinds of attacks, such as push attacks and phishing.
Myth #4: Never ever write down your password
“I’m not saying that writing your passwords down on a Post-It Note and sticking them to your monitor is a good idea,” says Quentyn. “But, in some contexts, writing them down is probably safer than storing them online. Imagine trying to explain to elderly parents how to use an online password manager?” Ultimately, he explains, the way you treat your passwords depends on “the threat model – and people seem to think that the threat model is the same no matter where you are.” So, while writing passwords down is wrong in many contexts, not everyone’s threat models are alike. He gives the example of always locking your laptop. “Leaving your laptop open at coffee shop when you go to the bathroom is a very bad idea. But if you’re at home, the threat is different.” In the case of elderly parents, it is highly unlikely that someone will break into their house to steal their passwords. “They are more at threat by an attack over the internet, so by writing their passwords down, and not putting them in a password manager and not storing them online, they are more secure.”
Quentyn’s final message is one that bears repeating. For individuals: use Multi-Factor Authentication and a heavy measure of common sense. For organisations: do the due diligence and perform that protective ongoing analysis. Because even though passwords are not going anywhere anytime soon, right now they simply are not enough.