
Why Strong Passwords Aren't Enough to Stop Identity-Based Attacks

source link: https://devm.io/security/password-identity-security

Entering a passwordless future?


David Higgins

27. Feb 2023


You might think that you’re safe with your eight-character password, shielded from attack by including that mandatory special character, but it all seems rather futile upon learning that your credentials are probably for sale on the dark web. In fact, it’s a well-established market.

A login for a remote desktop protocol session can be bought for less than $10, and with a stack of passwords in hand, it’s pretty easy for any attacker to launch a credential stuffing or brute force attack. If that doesn’t work, a little persistence using the latest phishing techniques will likely get results instead. While it’s a pessimistic outlook, knowing that passwords and IT training simply aren’t enough enables IT teams to better prepare for those inevitable breaches.

Over the course of our lives, we’ve been taught that a strong password is crucial to keeping us protected, so it feels counter-intuitive to hear the contrary. But it’s time to address the facts: strong passwords simply aren’t enough.

Password omnipresence voids their utility

The benefits of modern technology are undeniable, and as such businesses are run almost wholly digitally. But with each smart tool comes the need for a secure password: the average staff member needs to access more than 30 applications and accounts at work and approximately 55 others at home. However, remembering a unique, secure password for each one is simply unrealistic. Let’s face it, we’ve all been guilty of ‘updating’ our password from Password! to Password@ just to satisfy the mandate from IT. Those who do manage some variety among their passwords often manage them by storing them in their browser, leaving them equally at risk without even knowing it.

Traditionally, IT teams were the ideal target for a hacker, as they held the keys to all of the privileged company files. But as more workflows shifted to being digital, the reality now is that 52% of an organisation’s workforce has direct access to sensitive corporate data. The result is that anyone can be a ‘privileged user’ – while likely being less security-oriented than someone in the IT department.

A ghostly credential presence

A quick peek behind the tech scenes of any organisation will reveal far more identities than expected. Ghost workers? Not quite. Machine and bot identities are essential to the complex digital landscapes many businesses run, outnumbering human identities by a factor of 45x. So, a company of 1000 workers likely has many times more machine identities to protect. Notably, 68% of these machine identities have access to sensitive corporate data and assets. As organisations build up and out into hybrid or multi-cloud environments, they create even more ghostly gaps – that is, human and machine identities – that offer a welcoming entry point to an attacker.

A dangerous weight on IT professionals’ shoulders

The relatively rapid acceleration towards all-digital practices has put IT teams under the gun. When you add in the rising threat of ransomware and business pressures from the ongoing digital transformation, the weight on their shoulders only grows. This has led to an increase in IT teams taking on risky practices, like embedding credentials or overprovisioning cloud permissions, forced into place through necessity. Every time excessive cloud permissions pile up with a new IT or transformation initiative, risk exposure grows and cybersecurity debt accumulates.

Additionally, when powerful credentials for enterprise security systems are embedded into scripts, the result can be disastrous, as demonstrated in the Uber breach late last year.

A holding pattern for a passwordless future

It’s clear that passwords are no longer fit for purpose, but we lack the tech and ability to go completely passwordless just yet. There are promising advances being made, such as switching to decentralised identity on the blockchain. The tech we currently rely on, like password managers, simply wasn’t built to manage the tens of thousands of identities that many enterprises have, nor was it designed to manage them across environments in the way we need.

So, how do we combat identity-based attacks while we’re stuck with the humble password? Creating a strong defence-in-depth identity security framework can offer protection until the tech solutions we need are ready. Of course, as just discussed, moving towards a passwordless world should be in focus, but this isn’t enough on its own. This is firstly because we cannot move away entirely from passwords, and secondly because it doesn’t solve the problem of excessive permissions or abnormal user behaviour. So, organisations should embrace Adaptive MFA, leveraging context around the user to strengthen authentication. Simultaneously, a Zero Trust ideology should be incorporated to deploy enterprise-grade password management capabilities for those scenarios where we can’t escape the password.


David Higgins is EMEA Technical Director at CyberArk. Since joining CyberArk in 2010, David has worked to help the world’s leading – and most complex – organisations secure and protect their privileged access.

