While Change Your Password Day, falling on February 1, is a good reminder that passwords should be changed on a regular basis, security and IT experts agree that the day presents an opportunity to reinforce the importance of proper cyber hygiene throughout an organization and suggest using the day as a springboard to create a business case for implementing additional solutions that strengthen the cyber resilience of businesses and critical infrastructures.
In addition to following the standard practices of good password hygiene, including using a unique password for each account and system; creating a long password consisting of random words, phrases, numbers, symbols and a mix of upper- and lower-case letters; and considering employing a password manager, security experts say more than a new password is needed to ensure cybersecurity in the current attack climate.
“As passwords proliferate across networks and systems that users must access, it increases the risk of password reuse and the risk to a company’s data,” says Dylan Owen, Associate Director, Cyber Protection Services, with Raytheon Intelligence & Space. “Because of the increased deployment and support cost for alternative security initiatives, organizations are likely to continue to use passwords, despite the argument that decreasing risk exposure would pay for itself in the long run.
“Instead, organizations should utilize multi-factor authentication with a physical device/token to simplify the problems that arise with passwords for authentication, while reducing the amount of ‘friction’ for a user,” he continues. “That said, if an organization can’t afford to do this and has to use passwords, providing a password manager to users would be a step in the right direction. This would cut down on password reuse by generating complex, unique passwords for each system, which would be stored securely in the password manager.”
Glenn Mulvaney, VP of Cloud Operations, Clumio, agrees that more steps are needed: “Implementing enforceable password practices is just one critical component of what should make up an organization’s security hygiene. Businesses must implement a series of technical mitigations to effectively bolster their arsenal of cybersecurity and data protection with continuous engagement and education for employees.”
He continues: “While multiple layers of security are a must, organizations must prioritize training employees on security hygiene such as proper password management, as well as the ability to identify and report malverts, spear phishing, trojans and malware. CISOs themselves need to think about security hygiene holistically in response to expanding threats. This should include engaging employee training alongside limiting permissions to the principle of least privilege, multi-factor authentication, credential rotation, encryption of sensitive data, periodic decoy tests and interactive communications.”
And, Theresa Lanowitz, Head of Cybersecurity Evangelism with AT&T Business, adds that newer security technologies need to be employed to ensure the security of modern systems. “Security hygiene is one of the biggest steps anyone can take to protect themselves, their business and their data. As we move to more types of edge devices that are not keyboard driven, we should expect multi-factor authentication (MFA) to come via biometrics. While the use of biometrics to authenticate identity is not new, advancements in digital twins and deepfakes mean there is a need to secure our own physical identities as well,” says Lanowitz.
She provides an example: “Consider autonomous vehicles that have built-in MFA in key fobs. Internet of Things (IoT) devices are frequently ‘set and forget’ with a default password that may be as simple as ‘1234,’” she explains. “It is easy for attackers to guess or have knowledge of the default password. This means the adversary can execute distributed denial of service (DDoS) attacks or gain access to the network by moving laterally via an IoT device with a default password. It makes sense that passwords, MFA and device authentication are utilized in new endpoints such as autonomous vehicles since there are no direct inputs into vehicle networks; however, it also means endpoint detection and response (EDR), managed detection and response (MDR) and extended detection and response (XDR) are seen more often as a requirement.”
In addition, because passwords have proliferated in critical infrastructure — guarding industrial control systems, remote access connections and workstation and jumpbox accounts — sectors including energy, utilities, defense, transportation and manufacturing rely on a patchwork of passwords, says Duncan Greatwood, CEO at Xage Security. “This ‘Change Your Password Day,’ the message to cybersecurity leaders should be that it’s time to transition from unmanaged identities, static passwords, inconsistent access control, single points of cybersecurity failure and no-factor or single-factor authentication to consistent, managed, multi-factor authentication and resilient multi-layer access protection.”
Because attacks on real-world operations can cause major system shutdowns, impacting crucial services and community safety, as well as the operators’ bottom lines, Greatwood stresses the importance of beefing up cybersecurity beyond traditional password strengthening. “These complex environments, filled with distributed, legacy technologies are hard to secure,” he says. “The unfortunate truth is that operators may be unable to enforce even single-factor password-based authentication consistently. Common practices of credential re-usage, password weakness and lack of password management and role-based access control are major pitfalls, leaving industrial organizations open to attacks.
“This creates an urgent need for security solutions that can keep critical infrastructure systems secure and online. The answer is not as simple as changing a password or upgrading to multi-factor authentication (MFA). There is an escalating trend of MFA fatigue attacks, not to mention that some of the industrial systems are not inherently equipped to support MFA,” continues Greatwood. “To bring the password patchwork under control, critical infrastructure needs identity-based, multi-layer MFA and access control designed specifically for real-world operations. They need identity and managed access control that combines zero trust approaches with non-disruptive deployment options such as an overlay mesh to protect a mix of new and legacy assets. With this approach, compromise of an individual authentication factor doesn’t allow the hacker to infiltrate further assets, systems or applications. Instead, operators can enforce granular access control down to an individual operational site or even a singular OT asset, allowing user and app access solely to specified authorized devices. Layered MFA and access enforcement empower organizations with critical infrastructure to deploy defense-in-depth, keeping crucial systems online by blocking or containing breaches.”
Despite the need to do more than change a password to secure businesses and critical infrastructure, Change Your Password Day can and should still serve as a springboard for reminding employees and the C-suite of the importance of strong passwords and the necessity of further security measures.
“While cybersecurity tools have gotten more sophisticated, security hygiene hasn’t kept up,” says Mulvaney. “At the very least Change Your Password Day should serve as a reminder to refocus practices surrounding security hygiene and reinforce cyber policies that include enforcing strong password practices."