Thursday, May 6 is World Password Day, a day dedicated to promoting safer password practices.
Below, security executives share their insights and tips on how to create and promote safer password practices in the enterprise and among employees.
Chris Morales, Chief Information Security Officer at Netenrich:
Good password security is not relying on a password for security. It is concerning that the cybersecurity industry still gives a false sense of hope as an excuse to continue to force a poor user experience on everyone. Passwords are stolen in large files and databases from poorly configured apps by the millions, or auth tokens are compromised for account takeover. For that reason, all passwords are useless regardless of strength.
It is insane that “what you know” is still the primary means of validating identity for online systems which then provide complete access to a broad set of resources with no further validation. That would be like giving my house keys to a random man on the street who claims to be my mom and can prove it by telling me the name of my dog when I was a kid. Even worse if my mom is standing right next to me but doesn’t remember that dog's name so I trust the stranger but not her. Password complexity is the equivalent of expecting the stranger to give me a whole list of random facts as proof. Does not matter how much he knows. Still not my mom.
Sounds ridiculous right? The cybersecurity industry has built an authentication system which can only be considered inhumane and with a singular value of infuriating everyone. People are the victims, not the cause of breaches.
User access should be adaptive based on level of need and risk. A person should be allowed the appropriate level of access to the appropriate resources at the appropriate time. Most importantly, access should be fluid and not require an incomprehensible amount of user input or predetermined knowledge.
For authentication, the number of variables is more important than the level of complexity of those variables. No reason a password is anything more than a 4-to-6-digit pin. Authentication can be based on who you are (biometrics) what you know (pin) what you have (device/token) and where you are authenticating from (geolocation). Even then, authentication is not trust. Trust is situational awareness. What do you need, why do you need it, when do you need it, and what is your current operating environment? The operating environment is a measure of the risk of providing that access even when the need is justified and the identity asking is authenticated.
There is a combination of local authentication methods combined with remote risk analytics here. Totally doable and the outcome is less intrusive on the end user so we can stop blaming people for human error as to why a breach occurred. To err is human.
Aaron Cockerill, Chief Strategy Officer at Lookout:
Passwords need to go. We should not be celebrating World Password Day, we should celebrate the day no one ever needs to remember a password ever again. And that day is coming. But in the meantime there is a lot of support to help us with systems that still require them. Password managers and even browsers now notify you when passwords are repeated or stolen, and they suggest longer and stronger passwords that they remember rather than you having to. And increasingly your password can be strengthened by things like second factors and biometrics. Increasingly identity will be established using intelligent devices like your smartphone, leveraging both encryption and biometric sensors, and passwords will become a thing of the past. The challenge then is to know that your smartphone is safe.
Tim Wade, Technical Director, CTO Team at Vectra:
While passwordless authentication is admirable and authentication systems solely based on passwords have been, and will continue to be, abused, it’s important to consider that an effective authentication system must also account for effective credential revocation and replacement as much as credential strength – there are few things more trivially revoked and replaced than the knowledge inside someone’s head. At the risk of unpopularly defending the merits of passwords, they may continue to have a role to play in strong, robust, multi-factor authentication systems even as they’re replaced as the sole (or even most important) anchor of authentication.
Tyler Shields, CMO at JupiterOne:
Passwords are the most misused line of defense in cyber security. There are numerous war stories of post-it notes with passwords appearing in television commercials and shows or on YouTube videos. People write them on white boards that you can see through open windows or that end up on a Zoom chat. Password complexity requirements are annoying and difficult to remember. Requiring people to change their password with a high frequency makes things even more difficult. All around…passwords simply stink!
The best way to use passwords is to not have to use them by hand! Get a password manager such as LastPass or 1Password and use very complex, difficult to guess, randomly generated passwords via those tools. Respectable password managers have integrations into your daily workflow and systems including browser plugins or command line tools. If you do it right, you can remove the pain of passwords while making your world much more secure. For any system of value, or ideally every system that offers it, you should also turn on two factor authentication (2FA) and have it connect to an authenticator on your phone. By incorporating these two protection techniques, password difficulties will become a thing of the past.
Finally, if you are an enterprise or business, keep track of and audit the permissions and access capabilities for all accounts in your environment. If you are too large to do this by hand, cyber asset management tools can help you automate the process.
Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows:
Passwords continue to be a major weak point across the internet. Most of the problems stem from password reuse, passwords that are not complex or otherwise easy to guess, or just other general bad security practices. One of the easiest ways to manage this is through the use of a password manager, many of which are free or low-cost, and can help users create complex passwords which they can then use exclusively for each site they visit. In addition, using multifactor authentication for sites that store important information, such as email, social media, banking websites, or other high-value sites can help deter attackers in the event a password is leaked or reused. Given the billions of passwords and other points of consumer data which are freely available now on the internet and deep and dark webs, it's now only a matter of time before any account could be breached. Adopting strong security practices early and proactively helps to delay, or even prevent, a future attack which could lead to exposure of sensitive or personal data, both from a business account or your own personal life. Plenty of criminals are willing to get that data or pay for it, so why make it easy for them to cash in on your information?
Monti Knode, Director of Customer & Partner Success at Horizon3.AI:
Attackers don't hack in...they log in. Annual security reports illustrate this trend across industries, exploding this past year. In more than 500 pentest operations in the last six months, we’ve seen this as well, with weak or default credentials topping our top-10 findings lists for the second quarter in a row, averaging over 90 credentials exploited per operation.
This topic is so top-of-mind in cybersecurity that it was the inspiration for our first Tech Talk webinar earlier this year. We can’t understate the value of password variance and length. Credential stuffing and reuse is a real problem; people will use the same password for their streaming service, their bank and their domain admin account.
In a recent operation, we found one password was in use by 152 accounts, ~20% of the enterprise. We also saw a steep decline in our ability to crack passwords as the password length increased from the 8-character minimum set by policy.
Credentials are the new perimeter, so if celebrating a World Password Day inspires people to reconsider their easily cracked P@$$w0rd, buy me a shiny hat and let’s have a party.
Simon Marchand, Chief Fraud Prevention Officer, Nuance Communications:
2020 and Covid-19 brought more than just rapid changes in the way we work. In a recent Opus survey, more than 88% of organizations across all industries saw the pandemic as the trigger of a significant acceleration in modernization of security and authentication methods. The rise in budgets for such projects finally gives security teams the means of their ambitions. Security teams can begin planning the rollout of high-end biometrics technology to replace old authentication methods such as PINs and passwords. The need to do so has been recognized for years, but we now see the right resources being invested to make that shift. One of the main triggers for that is not only the more-than-doubling of identity theft crimes in 2020 (compared to 2019), but also the very material advantage a complete biometrics platform represents. Not only does it increase security for customers across all channels, but it also helps protect WFH agents who are increasingly targeted by fraudsters exploiting their vulnerability for social engineering. And more, such a platform can also help secure WFH environments by removing PII from agents’ desktops and locking customer files behind the most secure lock possible: their biometric print. In 2021, we will finally see the change security professionals have been asking for, for more than a decade, and remove passwords to move to secure, frictionless, transparent biometrics authentication.
When it comes to security, passwords are one of the weakest links in the security chain. Unfortunately, the old views on password complexity have been one of the things that has held people back. If it is difficult for technologists to get right, you can only imagine how difficult it is for the average consumer. When you couple that with websites that have outdated views, such as having a twelve-character limit, or not allowing multi-factor authentication, it is no wonder that passwords are still a mess in 2021.
Surya Varanasi, CTO of Nexsan, a StorCentric Company:
Few would argue that creating strong passwords must remain a priority. However, even after creating a seemingly impenetrable password using every best practice possible, undiscovered threats might still be able to penetrate them and expose your environment to unnecessary risk.
But if your organization has data that is too important to lose, too private to be seen and too critical to be tampered with then you must take the next step to thwart cyber-criminals. This can be accomplished by employing a strategy that enables you to unobtrusively offload data from what is likely expensive primary storage (cost savings is another bonus here) to a cost-effective storage solution that is engineered specifically to be regulatory compliant and tamper-proof from even the harshest ransomware attacks. And since backups have become the latest malware targets, the storage platform should include “unbreakable backup” meaning it includes an active data vault that creates an immutable copy, which makes recovery of unaltered files fast and easy - so there’s zero operations disruption and never any need to pay ransom.
JG Heithcock, GM of Retrospect, a StorCentric Company:
A global survey conducted by Gartner found that 88% of business organizations mandated or encouraged employees to work from home (WFH) as a result of the COVID-19 pandemic. With millions of workers around the world now having to access their organization’s data remotely, data protection was put under increased pressure. For many, the answer was to employ a strong password -- oftentimes, requesting that employees do so employing a random mix of no less than 15 characters. Undeniably, this was a step that could not be ignored. Unfortunately, many learned the hard way that this was not enough to stop today’s increasingly determined and aggressive cyber-criminals. And given that research, such as that from the Harvard Business School, shows that the WFH paradigm will likely endure, it is clear that stronger measures must also be taken.
The next step in the data protection and business continuity process for virtually any organization (or personally, for that matter) is an effective backup strategy. And the good news is that there is no need to reinvent the wheel here. A simple 3-2-1 backup strategy will do the trick. This means that data should be saved in at least three locations -- one on the computer, one on easy-to-access local storage and another on offsite storage. The options range from local disk, to removable media, to the cloud and even tape. And, if at least one copy is “air-gapped” meaning completely unplugged from the network, all the better.
In 2021 and beyond, multi-layered data protection strategies - such as those employing strong passwords combined with thorough backup practices - will help to ensure you, your data and your organization remain protected in the event of a simple accident, cyber-attack or any other disaster.
Robert Haynes, SCA and Open Source Evangelist, Checkmarx:
On World Password Day, while the focus is traditionally on humans’ use of passwords, it’s important for organizations to think about how passwords and other credentials are stored in IT automation systems like Infrastructure as Code and container build files.
We have seen numerous compromises caused when credentials are exposed by machine, versus by man. The same level of attention, therefore, should apply to how passwords and secrets are managed by our processes, instead of just by our people. The risks are similar, and the results of exposure can be just as serious.
Organizations should use a secrets management tool, which is similar to how humans would use a password manager, while also performing routine scans of infrastructure as code templates and container builds for exposed passwords and credentials.
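A minimal scanner of the kind this paragraph recommends, added here as an example (it is not Checkmarx's tooling or any code from the original page): it flags quoted credential literals in Dockerfile ENV/ARG lines and in HCL/YAML assignments, skips values that only reference an external secret source, and exits non-zero so it can gate a build. The sample Dockerfile and Terraform snippets are constructed.

```python
import re
import sys
from pathlib import Path

# Key names that usually carry a credential (case-insensitive heuristic; tune per repo).
SENSITIVE_KEY = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key", re.I)
# Dockerfile forms: `ENV KEY=value`, `ENV KEY value`, `ARG KEY=value`.
DOCKER_ASSIGN = re.compile(r"^\s*(?:ENV|ARG)\s+(?P<key>[A-Za-z_]\w*)(?:=|\s+)(?P<value>\S.*)$")
# HCL `key = "value"` or YAML `key: "value"` with a quoted literal on the right.
GENERIC_ASSIGN = re.compile(r'^\s*"?(?P<key>[A-Za-z_][\w.-]*)"?\s*[:=]\s*"(?P<value>[^"]*)"')
# Values that point at a variable or secret store rather than embedding a literal.
REFERENCE = re.compile(r"^\s*(\$\{|\$[A-Za-z_]|var\.|local\.|data\.)")


def _literal(value):
    """Return the bare literal, or None if the value is empty or a reference."""
    value = value.strip().strip('"').strip("'")
    if not value or REFERENCE.match(value):
        return None
    return value


def scan_text(text):
    """Return (line_number, key, redacted_value) for every hard-coded credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = DOCKER_ASSIGN.match(line) or GENERIC_ASSIGN.match(line)
        if not match or not SENSITIVE_KEY.search(match["key"]):
            continue
        value = _literal(match["value"])
        if value is None:
            continue
        # Never print the secret itself in CI logs; keep only a short redacted hint.
        findings.append((lineno, match["key"], value[:2] + "***"))
    return findings


def scan_paths(paths):
    """Scan each file and return {path: findings} for files with at least one hit."""
    report = {}
    for path in paths:
        hits = scan_text(Path(path).read_text(encoding="utf-8", errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


# Constructed samples: line 4 and line 5 of the Dockerfile embed literals,
# line 6 references a build-time variable and must not be flagged.
SAMPLE_DOCKERFILE = """\
FROM python:3.11-slim
ARG BUILD_TOKEN
ENV DB_HOST=db.internal
ENV DB_PASSWORD=hunter2
ENV API_KEY "example-key-0000"
ENV CACHE_TOKEN=${CACHE_TOKEN}
RUN pip install -r requirements.txt
"""

SAMPLE_TERRAFORM = """\
resource "aws_db_instance" "app" {
  engine   = "postgres"
  username = "app"
  password = "Sup3rSecret!"
}
resource "aws_db_instance" "other" {
  password   = var.db_password
  secret_key = ""
}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = scan_paths(sys.argv[1:])
    else:
        report = {"Dockerfile (sample)": scan_text(SAMPLE_DOCKERFILE),
                  "main.tf (sample)": scan_text(SAMPLE_TERRAFORM)}
    for name, hits in report.items():
        for lineno, key, hint in hits:
            print(f"{name}:{lineno}: hard-coded credential in '{key}' ({hint})")
    sys.exit(1 if any(report.values()) else 0)
```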
Lamont Orange, Chief Information Security Officer, Netskope:
This year, World Password Day comes at a time when business and life are conducted in a dramatically different virtual fashion due to the pandemic. As organizations suddenly shifted to remote work in 2020 and as they continue to rapidly increase cloud usage, they’re presented with new risks around user access and authentication, data security, and cloud threats. In order to embrace cloud apps and services while effectively managing them, the situation calls for dynamic access controls, for example, to ensure corporate data doesn’t leak to unmanaged devices. It also requires protecting sensitive data by governing the downloading of files by users accessing applications such as Microsoft Office 365 from personal devices or BYOD. To address these evolving challenges and enable collaboration and agility for a distributed workforce, IT and security teams need to modernize their data protection, with identity and access control of users being a critical first step.
Rick McElroy, Principal Cybersecurity Strategist, VMware Security Business Unit:
Using a password is as antiquated as using a standard key on your front door -- it's locked but someone can copy the key or pick the lock and still get access. For this reason, it’s important to prioritize multi-factor authentication, in the form of behavioral and continual authentication, and move away from a central store of identities, which can easily be hacked.
Moving forward, we’ll begin to witness hand and fingerprint biomarkers, two-factor authentication with a mobile device and facial recognition replace traditional password authentication processes. At some point in the future, DNA will probably be used to verify identity in the medical field. Long term, I could see a future where a combination of measurements like a heartbeat and brain waves could be used, making it more difficult than ever for cybercriminals to break the digital lock.
Stephen Cavey, co-founder and chief evangelist, Ground Labs:
Many data experts would argue that a ‘secure password’ is an oxymoron. Historically, passwords have been an extremely weak form of authentication and represented one of the greatest threats to an organization’s security posture.
The key to any successful security program is making security easy for an employee or user to follow. With less than 25% of Americans using a password manager to prevent password re-use across multiple applications and sites, data breaches caused by compromised credentials are unlikely to disappear anytime soon unless our dependency on passwords as a primary means to authenticate is eliminated. Modern security standards such as the PCI DSS compliance requirements now mandate the use of multi-factor authentication as part of achieving a comprehensive Identity and Access Management framework.
Furthermore, a modern Identity and Access Management framework that eliminates sole reliance on passwords will become a critical component of an organization's data security strategy, ensuring robust verification that a user is who they say they are, limiting their access to data to only what they need, and providing a comprehensive and reliable audit trail.
Kevin Breen, director of cyber threat research, Immersive Labs:
The average internet user has 100+ passwords. So when it comes to picking strong, memorable, unique passwords for every single service you use, I’m going to be harsh and simply say: don’t. Use a password manager instead. Password managers can either be your salvation or your biggest downfall – but they’re certainly better than trying to cram hundreds of strong passwords into your head. They’re great at creating very complex and long passwords that you don’t have to remember, and they integrate into your browser and mobile device. But they do place all your proverbial eggs into the same proverbial basket. If your master password is compromised, then everything else could be too.
Multi-factor authentication as an extra layer of security should also always be added. This can range from a simple SMS code to a physical security key. It’s always worth setting up MFA if you can; it means that if anyone has stolen your password, they’d need to invest a lot more time and effort into specifically targeting you before accessing any of your accounts.
A great service that both individuals and enterprises can benefit from using is haveibeenpwned. It’s free and will allow you to register your email address or the domain so that any time the email or domain is found in a public breach, you will receive a notification on where and when it took place, giving you the chance to change your password.
To all the developers out there creating authentication flows in applications, you can help by making sure you select algorithms that are difficult or time-consuming to brute-force like bcrypt or PBKDF2. You should also salt your passwords, and please never store the cleartext versions in logs anywhere. You could also consider implementing the haveibeenpwned password API to stop users entering known compromised passwords, and allow your users to enroll an MFA provider like U2F or Google Authenticator.
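The developer advice above, worked through as an added Python example (not code from the original page or from Immersive Labs): PBKDF2-HMAC-SHA256 with a per-user random salt, constant-time verification, and a breached-password check that sends only the first five SHA-1 hex characters to the haveibeenpwned range endpoint (k-anonymity). The `constructed_range_lookup` stand-in and its counts are constructed so the block runs offline; `hibp_range_lookup` is the live variant against the real endpoint.

```python
import hashlib
import hmac
import os
import urllib.request

PBKDF2_ITERATIONS = 600_000  # work factor; raise it as hardware gets faster


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing PBKDF2-HMAC-SHA256 record with a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Storing algorithm, cost and salt next to the hash lets the cost be raised later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as a match
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def pwned_count(password, range_lookup):
    """Return how often `password` appears in breach data (0 if never seen).

    Only the 5-character SHA-1 prefix is sent; the service answers with every
    suffix sharing that prefix as "SUFFIX:COUNT" lines, and the match is made
    locally, so the full hash never leaves this process.
    """
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count or 0)
    return 0


def hibp_range_lookup(prefix):
    """Live lookup against the Pwned Passwords range endpoint (network required)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "example-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the range endpoint. The first suffix is the
# genuine remainder of SHA-1("password"); both counts are made-up sample values.
_CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "0000000000000000000000000000000000A:2\n"
    ),
}


def constructed_range_lookup(prefix):
    return _CONSTRUCTED_RANGES.get(prefix, "")


def register_user(password, range_lookup=constructed_range_lookup):
    """Reject known-breached passwords; otherwise return the record to persist.

    Log only the outcome of this call, never the password argument itself.
    """
    if pwned_count(password, range_lookup) > 0:
        raise ValueError("password appears in a known breach; choose another")
    return hash_password(password)


if __name__ == "__main__":
    record = register_user("correct horse battery staple 2021")
    print("stored record:", record[:40] + "...")
    print("verify:", verify_password("correct horse battery staple 2021", record))
    try:
        register_user("password")
    except ValueError as exc:
        print("rejected:", exc)
```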
Ian Pitt, CIO of LogMeIn:
This year's World Password Day serves as another reminder that passwords play a pivotal role in protecting business information and enhancing overall security efforts. While organizations and individuals understand the importance of strong passwords, many continue to neglect password best practices leaving their organizations vulnerable to cyberattacks. In fact, a large majority of people understand the risks associated with reusing the same password across multiple accounts, yet they still do it. As we approach a post-pandemic world and enterprises allow long-term remote work, cybercriminals will continue to target those with poor security behaviors. Given this, companies need to encourage employees to improve password behaviors to increase the organization's overall security. Below are some password best practices to ensure data is effectively protected.
· Give your passwords a safe home: Selecting the right password manager offers a safe, secure digital vault to store usernames and passwords.
· Generate unique passwords: Be sure to create strong and unique passwords for personal and business accounts, to decrease the chances of hackers compromising information.
· Implement multi-factor authentication: Turn on MFA when possible, to decrease hackers' chances of accessing important information such as email and bank accounts.
· Update Software: Be sure to keep all home devices such as computers, mobile devices, or routers updated with the latest software, so others cannot tap into your network.
Passwords have been around long before the internet. They are a nice call back to having to provide a secret word to get into your sibling’s club house, and while they’ll continue to evolve, they’ll never truly go away. Passwords are often a peek inside what is important to someone—albeit only the user (and a potential hacker) are aware—and when a complex password is needed, it is an exercise in creativity and a job best left to a handy password manager. While we now know the risks of using just a username and password, and understand people are creatures of habits and will reuse or recycle old passwords, they served us well for a time. Cheers to yesterday’s passwords and tomorrow's stronger security practices!
Many years ago, the security team I managed purchased a Jenga game. When project team members came to us for password resets, they were issued a single Jenga piece with a funny password joke written on it. At the end of the year, after buying many…many…many Jenga sets, we gave an award to the worst password offender who had the most Jenga pieces. This gentleman had amassed almost an entire Jenga game on his own. I salute you Jenga award winning, I can’t remember my password so I put it on a post-it note using, who knew “password” was on the exception list user.
When World Password Day was established in 2013, the world recognized that passwords were a necessary evil, despite being a flawed and insecure method of authentication. But the root of the problem goes back to the foundation of the ‘commercial internet’ in the mid-1990s, when Netscape and others enabled widespread access and consumer accounts, prompting a massive need and meteoric rise in password use, and beginning an era of consumer insecurity and exposure.
Fast forward to today and the problem has ballooned. Verizon’s 2020 Data Breach Investigations Report (DBIR) revealed that 80% of breaches use stolen credentials, collected either through database leaks or phishing attacks. And even if you follow recommendations for password hygiene, criminals can still get their hands on your password through a range of means – from fraudulent ‘phishing’ sites to insecure password databases and even commandeering your phone to intercept password reset messages.
The industry has responded by putting an even greater burden – not to mention blame – on consumers, to compensate for what can only be described as complete systemic failure and an unwillingness to upset the market apple cart by refusing to fix the foundational issue. Complexity and user frustration are ever-increasing with forced password resets, cumbersome password creation requirements, and extra steps for multi-factor authentication (MFA). In summary, consumers must expect and demand better of their internet security and end the ‘stupid user’ blame game. The industry itself is headed in this direction with corporations and groups advocating for the eradication of passwords – but the industry is not moving fast enough, and the technology exists to make change now.
James Carder, LogRhythm CSO:
World Password Day is a timely reminder of how important it is for enterprises to recognize the importance of secure sign-in credentials and its shifting landscape. An estimated 80% of hacking-related breaches can be attributed to lost or stolen credentials, which leads to millions of dollars in financial damages and creates a snowball effect of stolen data. Protecting passwords has become an industry-wide concern that continues to remain an ongoing problem. It is therefore imperative for organizations to prioritize password security by adding in multiple authentication layers, limiting employee privileges and considering passwordless alternatives.
Two-factor authentication has been one popular way companies are addressing password and login security. While it’s a helpful and beneficial security step to incorporate, it isn’t without its flaws. Building in an additional security feature does thwart more attacks, but two-factor is also becoming more and more vulnerable to advanced hacking techniques that can steal phone numbers or redirect codes to access accounts.
Passphrases that are much lengthier and more effective than passwords are also another option security teams have been implementing. These 20- to 30-character phrases drastically limit brute force attacks, but also have similar pitfalls to passwords. A more interesting future might be a world without passwords or passphrases altogether. Passwordless authentication is picking up steam, with over 150M people currently using passwordless login methods each month. The passwordless option doesn’t necessarily solve this entire security problem, but it would force attackers to extract and replay tokens, a much more difficult process than using brute force for weak passwords, password reuse, phishing, or credential stuffing.
Adopting a Zero Trust security model can further help limit password exposure in on-premises or cloud environments, while also ensuring that proper network access is strictly granted to authorized individuals. It’s intended to use several factors to authenticate users (to establish trust) other than a username, password, and overall user profile. And should a compromise occur to user credentials, it’s mostly limited to an isolated, single threaded incident and won’t compromise the network’s system, data, or applications.
Anurag Kahol, Bitglass CTO:
The dark web contains over 15 billion stolen account logins, including credentials, usernames and password pairs, a massive amount of data that is mostly being offered for free. With most breaches resulting in the distribution of duplicate files that are shared amongst cybercriminals, it makes it incredibly difficult to track down stolen data and find the source of stolen information. While hackers have access to a substantial amount of data that can lead to unauthorized organizational access and data breaches, multi-factor authentication is an effective means of thwarting attacks while bolstering and improving password protections.
Multi-factor authentication requires knowledge (password or pin), a possession (one-time code, ID card or digital key) and inherents (fingerprint or scan) to verify user identity. While digital codes or tokens to a device can potentially end up in the wrong hands, adding another blanket of security like inherents alleviates the risk should a smartphone fall into the wrong hands. Another approach is to use multi-factor authentication paired with contextual access policies (e.g. device, geography) in a step-up fashion. This uses a tiered security system, allowing access to different types of resources that then require additional, stronger verification methods for more sensitive information. By utilizing multi-factor and step-up authentication, enterprises are strategically prepared to protect the high-priority organizational data and user passwords across platforms.
While a lot of the coverage about passwords focuses on business users, it’s really important not to overlook children and teens in this discussion. They will typically make some of the same types of common mistakes as adults when creating and using online passwords, but there are several that stand out the most for this age group.
One of the worst is sharing credentials with friends, boyfriends/girlfriends, etc. At that age, relationships tend to be shorter in duration and some kids end up using the shared access against each other such as posting inappropriate messages on social media accounts or conducting surveillance over account activity. This type of password-sharing behavior may even stem from early childhood when parents would share their credentials with their kids for accessing devices or online sites. This should be avoided at all costs.
Secondly, kids and teens are exposed to devices everywhere they go from the library, to school, to over a friend’s house etc. It’s important to avoid entering your credentials on untrusted devices that you do not own, control, or completely trust. Devices in public places should only be used for anonymous web browsing and not for logging into any of your online accounts since passwords can be easily stolen from these types of computers.
Finally, it’s important to avoid using personal information when creating any of your passwords. Young kids, and even adults for that matter, want to generate a password that is easy enough to remember. So they’ll use their name, birthdate, address, phone number, etc. These are all details that can be either easily guessed or end up further exposing you if a website is ever compromised.
Tyler Reese, Senior Product Manager at One Identity:
World Password Day this year is a reminder for organizations to acknowledge the gaps created by passwords and consider alternatives and the concept of a passwordless future. The most notorious breaches of the last year have all involved weak or compromised credentials, showcasing that passwords are still the easiest way for cybercriminals to access a network. Stolen passwords are now more difficult than ever for IT teams to flag as a threat and can allow an unauthorized user to access a system undetected for a long period of time. Best practices such as enforcing the principle of least privilege, implementing multi-factor authentication, and educating employees on strong password hygiene will strengthen enterprises’ cybersecurity posture.
However, as long as the concept of requiring a person to remember multiple passwords is a major part of an organization's security strategy, the risk still remains. Instead of solely relying on passwords, enterprises should implement multi-factor authentication to protect accounts from password compromises.
Organizations should also investigate behavioral biometrics technologies for identity access and authentication purposes. Using machine learning to identify a baseline of user behavior, systems can flag when users deviate from their typical behavior and take immediate action, shortening the time it takes to detect and remediate an incident. Combining consistent messaging to employees, access and authentication practices, auditing and behavioral biometrics creates a strong cybersecurity defense for enterprises, and will be fundamental to the industry’s step towards a passwordless future.
Duane Nicol, cybersecurity expert at Mimecast:
Our recently released State of Email Security Report found increases in all attack types over the past year, as the pandemic and switch to remote work created new vulnerabilities that cybercriminals are working hard to exploit. In response, organizations should build greater cyber resilience by implementing updated security controls and prioritizing regular cybersecurity awareness training to protect employees – and the business – from attack.
Effective training is engaging, interesting, frequent and, among other things, encouraging users to regularly update their passwords. Users should always use passphrases, as these are far harder to crack, make use of IT-approved password managers, and ensure they aren’t using the same password across multiple platforms. Having unique passwords across personal and company platforms will ensure that if a person’s social media profile is phished, for example, they aren’t at risk of having a corporate account compromised. Effective cybersecurity awareness training should be the bedrock of any modern organization’s cybersecurity efforts.
Mathew Newfield, Chief Security and Infrastructure Officer for Unisys:
It is important to change default passwords and to start using passphrases of significant strength – greater than eight characters – with at least three of the following four characteristics: uppercase, lowercase, number, special character. Do not use words or deviations of words as passwords.
Multi-factor authentication, or MFA, is not just for businesses. If you've ever had to use a verification code, texted to your cell phone, to log into a personal bank or credit card account, you're at least vaguely familiar with the concept of two-factor or multi-factor authentication. Today, consumers can choose from additional authentication choices, as many apps offer MFA options. In this instance, consumers have the option of setting up voice or facial recognition-based access or to receive push notifications if a new or unauthorized login is detected.
Passwords are the keys to our lives in an increasingly digital world. A typical knowledge worker uses over eighty work-related passwords on a regular basis -- in addition to all of the passwords they use at home. It’s customary to secure our house keys, car keys, payment cards, driver’s licenses and other sensitive documents. Too often, people don’t realize that they should treat their passwords with even greater care and protection.
In February, Keeper Security surveyed 1,000 remote workers for its Workplace Password Malpractice Report. The results were astounding. For example, 44% of respondents admitted to reusing passwords across personal and work-related accounts, which significantly increases the likelihood of a data breach. Further, many employees are using weak passwords that contain personal details, which are easy for cybercriminals to find on social media. Thirty-seven percent used their employer’s name in a work-related password, 34% used their significant other’s name or birthday and 31% used their child’s name or birthday.
In addition to not realizing that recycling weak passwords is problematic, many people aren’t aware that the technology exists to help them keep their passwords secure. Password management and security solutions generate and store complex, unique passwords and automatically fill login credentials, thereby taking the pain out of passwords. On the business side, these same platforms also enable IT administrators to develop and enforce password security policies company-wide. The technology is there. It’s cost-effective, easy to manage and easy to use. Every day, more individuals, families and organizations of all sizes and across every industry sector are adopting password management and related security. Since password security issues account for more than 80% of all data breaches globally, a password management and security solution is one of the most effective ways to mitigate the risk of a data breach. Digital technology is evolving exponentially and with it, the related cyberthreats are as well. Passwords and sensitive digital assets command the acknowledgement, respect, and security of a broad ecosystem - for World Password Day and further, every day.
Tim Sadler, CEO and co-founder, Tessian:
World Password Day is a great reminder to take inventory of our passwords, including where they are stored, whether you reuse them for multiple accounts and their complexity. Tessian’s recent report found that 77% of people reuse passwords, and 21% use predictable cues like their favorite football team, their pet’s name, or birthdays when crafting passwords. The problem? These personal details are likely to be found on people’s social media channels, making it easy for hackers to scan publicly available information to try to crack passwords or even answer the security questions.
To prevent account takeover and business email compromise, CISOs and their teams should help educate employees about their social media footprint, cybersecurity best practices and how to spot impersonation attacks. They should also reinforce the need for strong passwords that don’t include names or names of pets, birth dates, location, or other information that’s easy to find online. Even better, use a password manager like 1Password to randomly generate impossible-to-hack passwords. And while it can be tempting to reuse passwords that are easy to remember, never reuse or duplicate any passwords for personal or professional accounts. A bad actor could guess just one password and gain access to multiple accounts.
Joseph Carson, chief security scientist & advisory CISO, Delinea:
It is World Password Day, which means it is time to reflect on your current password hygiene and determine if your password choices are putting you at serious risk of becoming a victim of cybercrime. According to the UK National Cyber Security Centre (NCSC), 15% of the population uses pets' names, 14% uses a family member's name, and 13% picks a notable date. In fact, the weak password problem is so severe that the UK recently proposed new internet and IoT reforms that would make using “password” as your password illegal.
Passwords remain one of the biggest challenges for both consumers and businesses around the world. Thanks to the SolarWinds security incident in late 2020, we were all reminded that a poor password choice can not only impact your own organization but all connected organizations as well. This was likely one of the biggest supply chain cyberattacks in history -- all stemming from poorly created passwords.
If you are a consumer, start by using a password manager today. If you are a business leader, you should move beyond password managers straight into privileged access security. Rotating and choosing passwords is one of the biggest causes of cyber fatigue, so organizations can reward employees with privileged access security solutions that will eliminate one of their biggest work headaches and introduce security solutions that they will want to use. Privileged access security is one of the few security solutions that will transform your employee password experience into one that will make them more productive -- and you’ll never need to create unique, complex passphrases for every account as privileged access management (PAM) will do that for them. It’s time to increase security and ease stress by moving passwords into the background with a modern PAM solution.
Neil Jones, cybersecurity evangelist, Egnyte:
Recently, one of the largest data dumps in history, referred to as COMB (Compilation of Many Breaches), exposed an astronomical 3.2 billion passwords linked to 2.18 billion unique email addresses. This is frightening news for all of us, but it’s particularly worrisome for IT leaders. So many of them are kept up at night with a gnawing concern: How do I manage the growing risk of data breaches, with a large proportion of my employees working remotely?
Remote work can lead to employees accessing unsanctioned devices, apps and networks, particularly when they experience issues with work-related IT resources. This broadens the attack surface for bad actors and leaves few checks in place for careless behavior that can result in data leaks.
To commemorate World Password Day, we’d like to remind you about practical steps that you can take to protect your valuable information, while embracing today’s work-from-home environment:
- Educate your employees on password safety – Teach your users that commonplace passwords such as “123456,” “password” and their pets’ names can put your data and their personal reputations at risk. Remind users that passwords should never be shared with anyone.
- Institute two-factor authentication – IT administrators should require additional login credentials during the users’ authentication process, to prevent potential account breaches. This can be as simple as a user providing their password, then entering an accompanying numeric code from an SMS text.
- Set passwords for personal devices – Personal devices are on the rise in a remote-work environment and are particularly vulnerable to data theft, so encourage your employees to password-protect them.
- Change your Wi-Fi password regularly – Remember that potential hackers are often working from home, just like us. If you haven’t updated your Wi-Fi password recently, do it immediately.
- Establish mandatory password rotations – Greatly reduce exploitation of default and easily guessable employee credentials by making your employees change their passwords regularly.
- Update your account lockout requirements – Prevent brute force password attacks by immediately locking out access points after several failed login attempts.
Jon Clemenson, director, Information Security, TokenEx:
Despite technology trends moving toward risk-based authentication, passwords are likely to remain in play for some time. Considering this, World Password Day provides the perfect opportunity to reiterate strong password policies that are vital to both personal and business security. Cybercriminals often reuse credentials from password dumps found online, commonly referred to as credential stuffing, to access sensitive data. That tactic combined with using simple passwords does not provide appropriate data protection. We ask users not to repurpose passwords across websites, and instead, institute lengthy and unique complex passwords whenever possible in conjunction with two-factor authentication.
Further, malware and other attack methods can completely bypass passwords, which is especially concerning during remote work. Before cyber thieves can advance on your credentials, we recommend using password managers to auto-generate strong passwords, or moving to biometric or physical keys for authentication, which are more secure than using passwords. For sensitive data like credit card numbers or other personal info, businesses can remove that data from systems entirely using tokenization. That way, if a hacker does access company systems, they won't steal any useful information.
Finally, to rise above being a ‘low hanging fruit’ target for a malicious actor, good password hygiene practices like not sharing or reusing passwords are vital. Investing the time to take one extra step to secure your data is invaluable when compared to the fallout of a data breach.
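The tokenization Jon Clemenson refers to above is easiest to understand from a small working model. The following is an added example, not TokenEx's product code or anything from the original article: a vault-style tokenizer in which the application keeps only a random token and a masked card number, while the real PAN lives in a separate vault (an in-memory dictionary here, standing in for a segregated, access-controlled store). The card numbers are the standard test values, not real accounts.

```python
"""Vault-style tokenization of card numbers (PANs).

Added example: the vault below is an in-memory dict standing in for a
separately hosted, access-controlled token vault. Nothing here is the
original article's or TokenEx's own code.
"""
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check digit validation, used so the vault never stores garbage."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Display form that keeps only the last four digits (no vault needed)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Maps random, meaningless tokens to PANs. Only this component ever
    holds card data; application records store just the token."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}   # same PAN -> same token

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        if pan in self._token_by_pan:            # idempotent, so records still join
            return self._token_by_pan[pan]
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the payment step should be allowed to call this."""
        return self._pan_by_token[token]


def store_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the application database keeps: a token and a masked number,
    never the PAN itself, so a breach of this record yields nothing usable."""
    return {
        "card_token": vault.tokenize(pan),
        "card_display": mask(pan),
        "amount_cents": amount_cents,
    }


if __name__ == "__main__":
    v = TokenVault()
    rec = store_order(v, "4111111111111111", 1999)   # constructed test PAN
    print(rec)
    print("charge against", v.detokenize(rec["card_token"]))
```

The two design points worth noticing are that the token is random rather than an encryption or hash of the PAN (so there is nothing to brute-force or decrypt), and that tokenization is idempotent per PAN so the application can still group transactions by card without ever seeing the number.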
Glenn Veil, VP, engineering, Wisetail:
Passwords play a critical, ongoing role in different aspects of our lives. In our personal lives, they provide a layer of defense against fraud and identity theft. In the workplace, they defend us against a breach of sensitive company or customer data.
Here are some tips we recommend to protect yourself and your business from cyberattacks:
1. Educate your people on the importance of credential security and provide them with the tools to protect credentials
2. Create an environment where your people are comfortable highlighting security issues or cases where practices are not being followed so you can continue to improve your credential security
3. Utilize multi-factor authentication to reduce the damage that can be done by weak or exploited passwords
4. According to NIST's 2021 security recommendations, it's important to keep your passwords long but not too complex. Theoretically, if the password is long enough, the chance of a hacker figuring out the correct sequence is low.
Follow these best practices beyond World Password Day, and your entire team will play a part in creating obstacles for digital adversaries and protecting your data.
Josh Odom, CTO, Pathwire:
As we reflect on cyber hygiene practices for World Password Day, we recognize that for many years users were encouraged to create strong passwords using random combinations of characters that are difficult for humans to remember, but easy for computers to guess. This is the opposite of the intended purpose and often leads to inherently poor habits such as writing down passwords or reusing ones that are easier to remember. Some websites utilize a password strength meter, but this can also be tricky and lead users to making weaker passwords instead of stronger ones. While we’ve engineered these meters to score the passwords we create, they are better used against ones that a computer can create because humans are too predictable, even when we try our best not to be.
To overcome these persistent password weaknesses, utilizing a password manager that generates passwords from a large set of characters to achieve a desired level of entropy is one of the best options currently for creating strong and unique passwords. Still, other options available such as security keys, authenticator apps, or any available multi-factor authentication methods beyond using just a password should be considered for security. Finally, resources like haveibeenpwned.com which check for exposed passwords, are reliable compared to inventing and using your own strength-checking algorithms.
Wes Spencer, CISO, Perch Security, a ConnectWise Solution:
Here’s a riddle for you: what’s the one thing we all have, all hate and never remember? Yep, a password. Isn’t it ironic that in 2021, we’re still using one of the most broken systems for authentication ever? Even Julius Caesar hated passwords and preferred his own cipher to communicate instead.
Why is this? Well, passwords are like underwear. You see, you should never share them, never hang them on your monitor, and honestly, no one should ever see them. So how do we go about living in a password-required world? First, remember that long passwords are always better than complex ones. This is because the human brain is hardwired to be extremely poor at creating and remembering complex passwords. In fact, a long 16-digit password is far more secure than a short 8-character complex password.
Second, never reuse a password. Ever. Most successful breaches occur when a stolen password from one platform is leveraged against another system that shares the same password. At Perch Security, we’ve dealt with many breaches that occurred this way. It’s a true shame. The best way to avoid this is by using a reputable password manager and keeping it locked down. The password manager can handle the creation, storage and security of every password you use.
Lastly, never rely on your password alone. All reputable platforms today should support multi-factor authentication. We should be religious about this.
If you’ll follow these three things, your life with passwords will be much better. And perhaps one day, we’ll get rid of this pesky, broken system for good.
Ralph Pisani, president, Exabeam:
World Password Day 2021 is more important than ever as organizations grapple with the new reality of ‘work from anywhere’ and the fast adoption of the hybrid workplace trend. Cybercriminals will capitalize on any opportunity to collect credentials from unsuspecting victims. Just recently, scammers began preying on people eagerly awaiting vaccinations or plans to return to the office as a means to swipe their personal data and logins, for instance.
The most common attack technique that I often see in the breach reports that I read is stolen credentials. This is a never ending battle between the security industry and cybercriminals, but there are ways organizations can protect themselves against credential theft.
Through a mix of educating staff on complex password best practices, security awareness training and investing in machine learning-based security analytics tools, organizations can make it much more difficult for digital adversaries to utilize their employees’ usernames and passwords for personal gain. Behavioral analytics tools can swiftly flag when a legitimate user is exhibiting anomalous behavior indicative of compromised credentials. This approach provides greater insights to SOC analysts about both the impacted and malicious user, which results in a faster incident response time and the ability to stop adversaries in their tracks, before they can do damage.
The pandemic increased the velocity of digital transformation, and cybercriminals are clearly becoming more advanced in parallel. Thus, we must stay hyper-vigilant in protecting credentials this World Password Day and beyond.
Kurt Baumgartner, Kaspersky security researcher:
It’s a real problem when any one of your passwords is a part of a breach. A lot of the time what happens is all the stolen credentials end up in underground marketplaces. Criminal groups end up with huge lists that they’ve built up over the years of usernames and passwords. In turn, they can take that one password that they found of yours and they will reuse it across all of your user accounts at the companies where you work and at the websites you use. They also will try the most common passwords that they find in these databases and see if those work.
A lot of sophisticated criminal groups have shifted away from spear phishing or using 0-day exploits and instead they’ve moved on to this method. They’re just spraying servers with passwords until one works. This is made possible by password reuse across many accounts. It can also be because people are using pretty simple passwords, they just don’t change them, or because they’re not using two-factor authentication to supplement password protection. So it’s incredibly important to do these things, so you’re not giving attackers free access to your private accounts.
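Kurt Baumgartner's description of attackers "spraying servers with passwords until one works", together with Neil Jones's earlier advice to lock accounts after several failed logins, raises a detection question for defenders: a per-account lockout catches the attacker who hammers one account, but a spray that tries one password against many accounts never trips it. The following is an added example, not code from the original article, Kaspersky or Egnyte: it runs both checks over a small set of constructed authentication log lines (documentation IP ranges, invented usernames) and shows that each rule catches what the other misses.

```python
"""Two complementary checks over authentication logs: per-account lockout
(many failures against one user) and password-spray detection (one source
failing against many users). Added example; the log format, field names and
all sample lines below are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a spray from 203.0.113.7 (one try per user), a
# brute-force run from 198.51.100.5 against bob, and ordinary logins.
SAMPLE_LOG = """\
2021-05-06T09:00:01Z src=192.0.2.10 user=alice result=OK
2021-05-06T09:01:10Z src=203.0.113.7 user=alice result=FAIL
2021-05-06T09:01:12Z src=203.0.113.7 user=bob result=FAIL
2021-05-06T09:01:14Z src=203.0.113.7 user=carol result=FAIL
2021-05-06T09:01:16Z src=203.0.113.7 user=dave result=FAIL
2021-05-06T09:01:18Z src=203.0.113.7 user=erin result=FAIL
2021-05-06T09:01:20Z src=203.0.113.7 user=frank result=FAIL
2021-05-06T09:02:00Z src=198.51.100.5 user=bob result=FAIL
2021-05-06T09:02:05Z src=198.51.100.5 user=bob result=FAIL
2021-05-06T09:02:10Z src=198.51.100.5 user=bob result=FAIL
2021-05-06T09:02:15Z src=198.51.100.5 user=bob result=FAIL
2021-05-06T09:02:20Z src=198.51.100.5 user=bob result=FAIL
2021-05-06T09:05:00Z src=192.0.2.11 user=carol result=FAIL
2021-05-06T09:05:30Z src=192.0.2.11 user=carol result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Turn log lines into (timestamp, source, user, result) tuples, time-ordered."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:   # unparseable lines are skipped; count them in production
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    events.sort()
    return events


def lockout_candidates(events, window=timedelta(minutes=10), max_failures=5):
    """Accounts with max_failures failures inside the window; a successful
    login resets the counter. Returns user -> time the threshold was hit."""
    locked = {}
    recent = defaultdict(deque)          # user -> failure timestamps in window
    for ts, _src, user, result in events:
        q = recent[user]
        if result == "OK":
            q.clear()
            continue
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            locked[user] = ts
    return locked


def detect_password_spray(events, window=timedelta(minutes=10), min_users=5):
    """Sources whose failures touch at least min_users distinct accounts
    inside the window. Returns source -> distinct users hit."""
    flagged = {}
    recent = defaultdict(deque)          # src -> (timestamp, user) failures
    for ts, src, user, result in events:
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {u for _, u in q}
        if len(distinct) >= min_users:
            flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


def analyze(text: str) -> dict:
    events = parse(text.splitlines())
    return {
        "locked_users": lockout_candidates(events),
        "spray_sources": detect_password_spray(events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In the sample, the lockout rule fires only for bob, while the spraying source never fails more than once per account and so is invisible to it; the spray rule catches that source by counting distinct usernames per origin instead. Thresholds and windows are illustrative and need tuning against real login volume.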