May 1, 2019 by Jason Contant
Brokers advising their clients on cyber security should inform them that re-using passwords – or using passwords in the first place – is not the best practice.
“Passwords still have their use, but not as a way to uniquely verify a person,” Don Duncan, security engineer at NuData Security, told Canadian Underwriter Wednesday. “They are a part of a process where the user shares relevant information on their device, such as their behavioural patterns – and this is the key for a password or verification process.”
A report issued Monday by cyber security company Kaspersky Lab found nearly one-third (30%) of the more than 2,700 people polled in Canada and the United States use the same passwords for all or most of their online accounts. This can put users at risk for “credential stuffing” attacks, where attackers use username and password combinations that have previously been leaked in a breach to try and hack into accounts that may use the same credentials.
Many cyber security professionals recommend using a password manager to keep track of different username/password combinations.
To create strong passwords, Duncan offers the following tips:
“Passwords continue to be a weak link for both customers and online retailers, as users reuse passwords across accounts or create weak combinations,” Duncan said. “This reuse allows hackers to break into all accounts for a particular user.”
The best way to develop good password hygiene is to use password managers. “However, with the amount of personal information that has flooded the dark web, a password can’t be trusted to authenticate a user,” Duncan warns. “Companies require new authentication frameworks that secure accounts by looking at other user data that can’t be replicated by a third party.”
Multi-layered solutions such as passive biometrics (which passively collect user data like face, voice and iris recognition) and behavioural analytics allow companies to verify customers by their unique behaviour through “hundreds of inherent identifiers that can’t be stolen, instead of relying on static data such as passwords,” Duncan said. “This way, even if a password has been compromised, the company can still verify the user behind the device and protect the account from fraud.”