Outdated Password Practices Are Fueling Breaches

On World Password Day, Irina Zinovkina, Head of Information Security Analytical Research at Positive Technologies, emphasises that traditional passwords are outdated and advocates for multi-factor authentication (MFA), biometrics, and passwordless solutions to counter the rising number of credential-based attacks, particularly in remote and hybrid work environments.

What are the biggest password-related security risks organisations face today, especially in light of growing remote work and hybrid environments?  
Remote work and hybrid environments pose significant risks to the organisation’s cybersecurity. The biggest password-related security risks are:

  • Using a single password for all accounts and weak passwords. If an attacker gains access to this password, they will gain automatic control over all accounts.
  • Outdated passwords. Outdated passwords pose a significant business security risk, as they can be compromised, allowing attackers to infiltrate corporate accounts.
  • Using a confidential device. Personal work devices are more susceptible to cyberattacks compared to company-issued ones. In addition, many employees use personal devices for non-work-related tasks that can compromise the device and put the organisation’s sensitive data at risk.

How effective are traditional passwords in the current threat landscape, and what alternatives or enhancements does Positive Technologies recommend?  
Traditional passwords that rely on length, complexity, and a variety of characters are no longer sufficient to protect against today’s threats. New technologies have enabled hackers to successfully use brute-force methods, including dictionary attacks and the use of compromised databases. In addition, users often forget complex passwords, leading to the practice of writing them down or reusing them — actions that only increase the risks. Some alternatives and improvements we can recommend include using unique phrases instead of traditional passwords, multi-factor authentication (MFA), and utilising hardware tokens, security keys, and one-time keys. One-time keys are used only once and have a limited validity period, making them useless to intruders even if intercepted.

Could you share any recent findings or threat intelligence from Positive Technologies regarding password-based attacks or trends in credential theft?  
In 2024, organisations worldwide experienced a sharp and unprecedented rise in credential breaches. For example, total growth in H1 was 9% compared to the same period last year, reaching 21%. Successful cyberattacks led to the theft of various types of credentials, including web service logins and passwords, authentication data for remote access protocols (SSH, RDP, and others), local and domain accounts of the operating system, passwords saved in users’ browsers, and email credentials. In Q1 2025, we see the same situation – according to our data, every fourth information leak during attacks on organisations contained credentials, including those of employees.

How can businesses balance user convenience with strong authentication measures, particularly in industries handling sensitive data?
To balance user convenience with strong authentication measures, especially in industries that handle sensitive data, companies can utilise solutions such as SSO and password managers. SSO solutions centrally store all user credentials and automatically enter them into the system without human intervention. Users don’t need to remember complex and lengthy passwords, nor manually enter them when authenticating. Password managers, in turn, simplify the authentication process by providing a portable interface in which all credentials and authentication codes are stored in one place.

Of course, companies must simultaneously control and regularly monitor access to confidential information, implement multi-factor authentication (MFA), and train staff in the basics of cybersecurity and cyber hygiene. Any changes to information must be made by authorised personnel based on official instructions and only in accordance with the access policy.

Looking ahead, what role will technologies like biometrics, passwordless authentication, and MFA play in shaping the future of digital security?
Biometric authentication is expected to play a key role in the future of digital security, revolutionising traditional methods. For example, creating a system with increased height and resistance to counterfeiting. Moreover, artificial intelligence and machine learning can be used to adapt biometric systems to changing user characteristics. This will significantly reduce the number of false technologies and improve usability. The development of quantum technologies and equipment will also play a significant role in the advancement of biometric blockchain, which can provide decentralised storage of biometric data and eliminate the need to trust third parties, and quantum cryptography will provide data protection at a fundamentally new level. Finally, behavioural authentication analyses how a person enters text on a keyboard, uses a mouse, or interacts with a touchscreen. These unique models provide continuous confirmation of the user’s identity without the need for constant authentication.

How is Positive Technologies helping organisations detect, prevent, and respond to password-related threats, and what solutions or services do you offer to strengthen identity security?
Our team of security experts can help detect weaknesses in the security system and prevent possible attacks on the infrastructure. The attack team imitates hackers’ actions, and the defence team counters attacks and studies the ever-changing cyber threat landscape. Moreover, PT Expert Security Centre experts can help organise a proactive response, identify breaches, and mitigate their consequences in collaboration with the organisation’s cybersecurity team.