World PASSWORD DAY 2022: Are You Investing in Password Managers and Biometrics?
Today is World Password Day — an event dedicated to strengthening the cybersecurity frameworks, data privacy and compliance related to passwords and their management in personal and professional lives. Last year, we revealed how the pandemic affected password security trends in the industry.
In a year, a lot has changed.
For years, password analysts and security experts have been predicting the ominous extinction of passwords. But, no one can predict for sure, when that’s going to happen! The agents, companies and firewalls that we trust the most to protect our data, are realizing that biometrics and other passwordless technologies have enormous potential to prevent data breaches. But, sadly, users still stay afar from the basics of password management and assets protection. Even today, most business professionals use rudimentary methods to save their passwords. For instance, Uswitch.com had found these:
- 1 in 4 people write their passwords down on paper.
- Nearly 1 in 3 people have included their birth year in their password.
- Almost half of people use the same password across multiple platforms.
- More than a quarter of people don’t change their passwords regularly.
- More than 1 in 5 people have had their passwords hacked.
Quite astonishing, isn’t it, considering we now live in an era where almost everything else is automated and AI is reshaping the world.
The problem with passwords is that they are hard to remember. 1Password recently published research that found workers – especially security professionals – are badly burned out, and that this is putting companies at risk. More key points from its “State of Access Report”:
- 84% of security professionals and 80% of other workers are feeling burned out, which has led to serious backsliding around security protocols.
- Employees experiencing burnout were three times as likely as others to acknowledge thinking security rules and policies “aren’t worth the hassle.”
- 6 in 10 security professionals say their company encountered an emerging security threat last year, with social media spoofing, sophisticated phishing and DDoS attacks being the most common.
- Over half (57%) of employees say they’ve recently encountered an email that they weren’t sure was phishing or not.
Similarly, The Identity Theft Resource Center’s 2021 Annual Data Breach Report revealed a new record of attacks and vulnerabilities that left companies compromised in 2021.
More specifically on passwords, research from Bitwarden showed that while a very high percentage of people (98%) state they are ‘very’ or ‘somewhat’ familiar with password security best practices, there remains doubt about whether those best practices are actually followed. Bitwarden’s research revealed that more than 8 in 10 (85%) Americans reuse passwords across multiple sites, a number comparable to the rest of the globe (84%). And almost half of U.S. respondents (49%) rely simply on their memory to manage passwords. Not surprisingly, almost 1 in 4 (24%) said they need to reset their passwords every day or multiple times a week.
To understand how password management helps organizations and individuals, we spoke to industry experts.
This article features insights from:
- Surya Varanasi, CTO of StorCentric
- JG Heithcock, GM of Retrospect, a StorCentric Company
- Dirk Schrader, VP of Security Research at Netwrix
- Miles Hutchinson, Chief Information Security Officer of Jumio
- Entrust experts
- Neil Jones, director of cybersecurity evangelism, Egnyte
- Aaron Sandeen, CEO and co-founder, Cyber Security Works (CSW)
- Ricardo Amper, CEO of Incode
- Keith Neilson, Technical Evangelist at CloudSphere
- Chris Brooks, founder of CryptoAssetRecovery.com
- Jonas Karklys, the CEO of NordPass
- Manoj Srivastava, General Manager of ID Agent and Graphus
- Geoff Bibby, SVP, OpenText
Password Remains Ideal First Line of Data Protection Defense
Surya Varanasi, CTO of StorCentric
“Few would argue the fact that a strong password is an ideal first line of data protection defense. Without this basic security measure, you are leaving the door wide open to a multitude of cybercrime risks. Unfortunately, however, while highly sophisticated password support tools are available, today’s cybercriminals also have extremely advanced password hacking technology at their fingertips. This means an increased risk of your passwords being leapfrogged, and your data being compromised…
The ideal cybercrime defense is a layered defense that starts with a powerful password, and continues with Unbreakable Backup. As backup has become today’s cyber criminals’ first target via ransomware and other malware, an Unbreakable Backup solution can provide you with two of the most difficult hurdles for cyber criminals to overcome – immutable snapshots and object locking. Immutable snapshots are, by default, write-once read-many (WORM), but now some vendors have added features like encryption where the encryption keys are located in an entirely different location than the data backup copy(ies). And then to further fortify the backup and thwart would-be criminals, with object locking layered on top of that, data cannot be deleted or overwritten for a fixed time period, or even indefinitely.”
Many People Now Personally Know a Colleague Whose Business Was Attacked
JG Heithcock, GM of Retrospect, a StorCentric Company
“Ransomware is a huge global threat to businesses around the world. Beyond the high-profile attacks, including Colonial Pipeline, JBS, Garmin, and Acer, many people now personally know a colleague whose business was attacked. In fact, a Coveware research study revealed that most corporate targets are small and medium businesses (SMBs), with 72% of targeted businesses having fewer than 1,000 employees, and 37% fewer than 100.
There are likely a few reasons for this continuing trend. Certainly one is that today’s ransomware is attacking widely, rapidly, aggressively and randomly – especially with ransomware as a service (RaaS) becoming increasingly prevalent – looking for any possible weakness in defense. The second is that SMBs do not typically have the same technology or manpower budget as their enterprise counterparts.
It is therefore critical that in addition to powerful passwords, which anyone would agree is an indispensable first line of defense, there must be additional measures taken. The first is that all organizations regardless of size must be able to detect anomalies as early as possible in order to remediate affected resources. The next is SMBs and large enterprises alike need a backup target that allows them to lock backups for a designated time period. Many of the major cloud providers now support object locking, also referred to as Write-Once-Read-Many (WORM) storage or immutable storage. Users can mark objects as locked for a designated period of time, preventing them from being deleted or altered by any user – including internal bad actors.”
Watch out for the Cybersecurity Fatigue
Phishing Attacks Growing Complex in Digital Era
Entrust, a leading provider of trusted identities, payments, and data protection solutions, outlines the growing need for passwordless technologies to secure personal data. Previous reports have highlighted the issues around passwords and security that include:
- Successful phishing attacks on organizations increased 46% between 2020 and 2021
- The number of stolen usernames and passwords increased 300% from 2018 to 2020
- 81% of hacking-related breaches use stolen or leaked passwords
- The average cost of a data breach in 2021 was $4.24 million, up 10% from 2020
According to Dirk Schrader, VP of Security Research at Netwrix, there are many means of authentication today and there is one for every use case:
“We often hear about so-called ‘strong’ passwords and how difficult it is for cybercriminals to discover them or brute force them, based on their length and complexity. In the meantime, the prevailing sentiment in the cybersecurity space is that passwords are becoming a thing of the past due to the spread of multi-factor authentication (MFA) and the implementation of biometrics as an access code.
The truth is somewhere in between. MFA and the requirement of a secondary verification method through a separate communication channel, are significant security enhancements for important data. However, this approach adds another level of complexity not only to the attacker but to the user. One-time password via SMS is easily tolerated when it comes to a user’s personal bank account but becomes annoying if they need to verify their access rights this way 30 times a day. This is what we call cybersecurity fatigue. Security administrators should not overlook this and should consider it as a threat vector.
Passwords will therefore not disappear because of the human factor. They are here to stay for non-sensitive or, let’s say, not-that-sensitive accounts. IT teams shouldn’t neglect employee training to nurture the proper cyber hygiene among their fellow colleagues. Every user has to take the same precaution with passwords as with the keys to their home: do not share them, keep an eye on them, and change the lock in case of loss.
The National Institute of Standards and Technology (NIST) suggests that companies use a password manager to help their employees and stakeholders encrypt and generate strong passwords. NIST password guidelines say you should focus on length, as opposed to complexity, when designing a password. Paradoxically, using complex passwords (adding special characters, capitalization, and numbers) may make it easier to hack your password, and this mostly has to do with user behavior. Complex passwords are harder to remember, which means users may need to update their passwords more often, making only minor changes, which makes them easier prey for cyber attacks. NIST requires an 8-character minimum for passwords.
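The guidance above (length over composition rules, an 8-character minimum, and the observation that users who rotate often tend to make only minor changes) can be turned into a concrete acceptance check. The example below is added here and is not code from the article or from NIST; the blocklist, the leetspeak table and the sample passwords in the comments are constructed for illustration.

```python
import re
import unicodedata
from typing import Optional, Tuple

# Constructed stand-in for a blocklist of commonly used / previously breached
# passwords; a real deployment loads a large list from disk.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "12345", "12345678", "11111", "1q2w3e",
    "123456789", "letmein", "iloveyou", "welcome", "admin",
}

MIN_LENGTH = 8    # the 8-character minimum the article attributes to NIST
MAX_LENGTH = 64   # allow long passphrases rather than capping them

# Common letter-for-symbol substitutions, so "P@ssw0rd" is recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def letters_only(pw: str) -> str:
    """Lowercase, NFKC-normalize and drop everything but a-z: the password's word core."""
    return re.sub(r"[^a-z]", "", unicodedata.normalize("NFKC", pw).lower())


def deleet(pw: str) -> str:
    """Undo leetspeak substitutions before extracting the word core."""
    return letters_only(unicodedata.normalize("NFKC", pw).lower().translate(LEET))


def evaluate_password(candidate: str, previous: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, reason).

    Length and a blocklist check decide acceptance; there are no composition
    quotas (uppercase/digit/symbol), which the guidance discourages. If the
    user's previous password is supplied, a candidate whose word core is the
    same (only digits, symbols or case changed, e.g. Summer2023! -> Summer2024!)
    is rejected as a minor variation.
    """
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(candidate) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if candidate.lower() in COMMON_PASSWORDS:
        return False, "appears on the common/breached password list"
    if letters_only(candidate) in COMMON_PASSWORDS or deleet(candidate) in COMMON_PASSWORDS:
        return False, "is a trivial variant of a common password"   # e.g. P@ssw0rd!!, Welcome2022!
    if previous is not None:
        core, prev_core = letters_only(candidate), letters_only(previous)
        if core and core == prev_core:
            return False, "is only a minor variation of the previous password"
    return True, "ok"
```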
Password Protection Goes Beyond Just Fixing Passwords
Miles Hutchinson, Chief Information Security Officer of Jumio
“When it comes to protecting business data and enhancing overall security, passwords play a critical role — but not the one you might think. World Password Day highlights the importance for enterprises to use more robust, secure and reliable authentication methods that go far beyond passwords.
Passwords are one of the top vulnerabilities for organizations, especially those that deliver privileged access to organizational systems or networks. Sixty-one percent of data breaches in 2021 were attributed to leveraged credentials, according to Verizon. Traditional authentication methods are no longer reliable and secure, therefore it is crucial for organizations to adopt new authentication methods by leveraging AI coupled with biometrics.
Traditional authentication measures like knowledge based authentication (KBA) and SMS out-of-band authentication can be vulnerable to imposters, credential phishing, large-scale data breaches, dark web user data dumps and man-in-the-middle attacks. Selfie and video-based authentication allows for organizations to leverage biometric user data captured during enrollment and to re-verify that data in the future, effectively combining identity proofing and ongoing authentication in one solution. By leveraging AI and biometric data for initial identity proofing and ongoing user authentication, organizations can protect their business from fraudsters and provide users with an online experience that is fast, secure, accurate and easy to use, thus replacing traditional passwords altogether.”
Password + 2FA = TOTAL Security
Geoff Bibby, SVP, OpenText
“World Password Day is an excellent time for individuals, channel partners and businesses to reflect on their current password practices and ensure they are building the safest habits to protect themselves and their company from cybercriminals. Many are under the assumption that if they are taking the steps to create unique passwords for each platform and application, they are secure.
But it’s not enough.
The number of headline-grabbing breaches that have taken place over the last year highlight the critical need for safeguards across the entire company network. While there are a few different ways to protect login credentials beyond a simple username and password, one of the most popular and effective options is two-factor authentication (2FA). Implementing 2FA provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user’s phone, email address or through an authenticator app, after entering their username and password. It’s getting easier for cybercriminals to breach even the most complex password, which is why implementing 2FA is critical.
Email is a common point of attack because it often contains sensitive and valuable communications. Organizations should also consider implementing an email security solution that conducts a security audit to analyze its admins, users, mailboxes, and rules for vulnerabilities such as outdated passwords so they can be resolved before a breach happens. This is especially true for partners, so that they can ensure the customers they support are protected against today’s cyberthreats and vulnerabilities. Organizations should use World Password Day to evaluate their internal Password Policies and send reminders to employees and customers alike about the importance of good password hygiene.”
Password Manager Should Be a Default Implementation
Joseph Carson, chief security scientist & advisory CISO at Delinea
“World Password Day is a time to stop and reflect on current password hygiene. Passwords remain one of the biggest cyber challenges for both consumers and businesses around the world as a poor password choice can make it extremely easy for cybercriminals to steal and spy on your data. As humans, we continually gravitate towards creating passwords that are easy to remember and simplistic. Incorporating a birthday or special date within a password is a common denominator, one that cybercriminals are all too aware of. Dangerously, we continue to leave it up to humans to create strong and secure passwords, despite the fact that most people have already been victims of borderline password disclosures from a person’s history of password choices. Having already had your previous password decisions and choices exposed means that an attacker can simply take that as the baseline and from there create variations of that. An effective password should include passphrases, a sequence of random words for added security. Regular consumers should consider deploying and utilizing a password manager to enhance and regularly rotate their log-in credentials.
For organizations, a password manager should be a default implementation. If you are a business leader then you must move beyond just having password managers and start using privileged access security to control and protect privileged access. Privileged access security will help automate, rotate and secure your passwords for you and your business, eliminating a significant amount of cyber fatigue. Taking it a step further, organizations should look beyond just their internal password hygiene and take a deeper dive look into their suppliers and contractors to ensure password protection. Are they using a password manager, do they have MFA deployed and how do they protect access to their privileged accounts? We’ve seen the catastrophic domino effect that one poor password choice can have within a supply chain.
Organizations can enhance their password posture by understanding that security starts with the social network around you. Why not encourage your employees’ families to use a password manager and reward them? They see that you’re not just taking care of the company but that you’re actually extending security to the social sphere, so that their family and kids can even extend to using password managers and reduce the threats, because attackers can and will target them first as stepping stones to get into your organization. So it makes you think, why not extend your perimeter to the social sphere around the organization. Your supplier, your contractor, partners, your customers and everybody.”
A Password Alone Is Not Enough to Protect You
Patrick Beggs, CISO, ConnectWise
“In the early days of the world wide web, you were probably able to get away with a password as simple as ‘12345’. Times have changed since then, but humans remain predictable. Research has found that women typically include personal names in their passwords while men often use their hobbies. And experienced hackers also know the common vowels, numbers, and symbols that often appear in passwords. Cybersecurity breaches are at an all-time high, but there are three simple things we can all do to protect ourselves. First, prioritize length over complexity, because we aren’t very good at remembering complex passwords, and longer ones are more secure. Second, only use platforms with multi-factor authentication — a password alone is not enough to protect you. And finally, never reuse. Most breaches happen when a password from one platform is used with another system that shares the same password. If you follow these three simple steps, your passwords should be strong enough to stop a determined hacker from causing damage.”
How Strong and Secure is your Password Ecosystem?
Manoj Srivastava, General Manager of ID Agent and Graphus
“World Password Day is a good reminder for IT professionals to take a closer look at the security of their environment. Though having the right security solutions in place is crucial, it’s often the small habits that can make or break an organization’s security posture. One of the most important things an organization can do is foster a security-first culture that provides employees with the “why” behind aspects like multi-factor authentication (MFA) and frequent password changes that can often seem like a hindrance to their productivity. Short, frequent security awareness training around topics like the importance of strong passwords and why to use a password manager can help break employee bad habits that threaten the entire IT environment.
When assessing their technology stack, IT professionals should look for identity and access management (IAM) solutions that combine single sign-on (SSO), MFA, and password management to ensure better protection against cyberthreats. Organizations should discourage reuse of passwords and set strong password requirements for the solutions that employees use daily to avoid the use of some of the most common passwords like 123456 or password—which unfortunately are still frequently used, according to data from ID Agent.”
Raise Public Awareness
Tyler Farrar, CISO, Exabeam
“Colonial Pipeline, SolarWinds, Twitch. All of these organizations have one thing in common: they suffered data breaches as a result of stolen passwords and credentials. Credential theft has become one of the most common and effective methods cyber threat actors use to infiltrate organizations of all sizes and access sensitive data.
We strongly support efforts, like World Password Day, that raise public awareness and can help to combat this pervasive issue. We advocate for the best practices that ensure cyber hygiene and protect personal and professional passwords and credentials to prevent credential-based attacks from continuing.
Credential-driven attacks are largely exacerbated by a ‘set it and forget it’ approach to credential management, but organizations must build a security stack that is consistently monitoring for potential compromise. Organizations across industries can invest in data-driven behavioral analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior indicative of credential theft, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”
Prevent Brute Force Password Attacks
Neil Jones, director of cybersecurity evangelism, Egnyte
“For as long as I can remember, easily-guessed passwords such as 123456, qwerty, and password have dominated the global listing of most commonly-used passwords. Unfortunately, weak passwords can become a literal playground for cyber-attackers, particularly when they gain access to your organization’s remote access solution and can view corporate users’ ID details.
Similarly, not a day goes by where I don’t hear another customer in a public setting like a pharmacy or a supermarket vocally share his/her email address and/or personal or business phone number, to obtain affinity club credit for a transaction or to earn a discount. That private contact information – combined with weak password administration – can represent a data breach just waiting to happen.
In commemoration of World Password Day, here are practical tips to protect your company’s mission-critical data:
Institute Multi-Factor Authentication (MFA) – One of the most effective ways to prevent unauthorized access is by requiring additional validation of login credentials during a user’s authentication process. This can be as straightforward as a user providing his/her password, then entering an accompanying numeric code from an SMS text.
Educate your employees on password safety – Educate your users that frequently-guessed passwords such as 123456, password, and their favorite pets’ names can put your company’s data and their personal reputations at risk. Reinforce that message, by reminding users that passwords should never be shared with anyone, including your IT team.
Inform users about the dangers of social engineering and spear-phishing – Remind users that unanticipated email messages, texts, and phone calls can be attempts to capture their login and password credentials. When proper login credentials are entered, malware can be initiated that will place your organization at risk of an even wider and more destructive cyber-attack.
Keep personal and business contact information separate – Remind your users that maintaining separate email accounts and contact details for affinity clubs and discount programs protects their personal privacy and your company’s valuable data. Users should never provide business login credentials (such as their email addresses) in public forums, particularly within earshot of others.
Establish mandatory password rotations – Discourage the usage of system default passwords and easily-guessable employee credentials, by forcing employees to change their passwords on a routine basis.
Update your account lockout requirements – Prevent brute force password attacks, by immediately disabling users’ access after multiple failed login attempts.”
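The last tip, disabling access after repeated failed logins, is easy to state and easy to get subtly wrong. The example below is added here (it is not code from Egnyte or the article) and replays a constructed authentication log against a lockout policy: it reports where a lock should have triggered and flags any successful login that landed inside a lock window, which is the signal that the policy is not actually being enforced. The log format, thresholds and addresses are all assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample authentication log (not from a real system); addresses are
# from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
2022-05-05T09:00:01Z host1 sshd: Failed password for alice from 203.0.113.10
2022-05-05T09:00:03Z host1 sshd: Failed password for alice from 203.0.113.10
2022-05-05T09:00:04Z host1 sshd: Failed password for alice from 203.0.113.10
2022-05-05T09:00:06Z host1 sshd: Failed password for alice from 203.0.113.10
2022-05-05T09:00:07Z host1 sshd: Failed password for alice from 203.0.113.10
2022-05-05T09:00:09Z host1 sshd: Accepted password for alice from 203.0.113.10
2022-05-05T09:10:00Z host1 sshd: Failed password for bob from 198.51.100.7
2022-05-05T09:25:00Z host1 sshd: Failed password for bob from 198.51.100.7
2022-05-05T09:40:00Z host1 sshd: Failed password for bob from 198.51.100.7
2022-05-05T09:41:00Z host1 sshd: Accepted password for bob from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

MAX_FAILURES = 5                 # lock after this many failures ...
WINDOW = timedelta(minutes=10)   # ... inside this sliding window
LOCKOUT = timedelta(minutes=15)  # how long the account stays locked

Event = Tuple[str, str, str]     # (user, source ip, ISO timestamp)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["ip"]


def analyze(log_text: str) -> Tuple[List[Event], List[Event]]:
    """Replay the log against the lockout policy.

    Returns (lockouts, suspicious): the points where a lock should have
    triggered, and successful logins that occurred while the account should
    still have been locked. Note that a per-account lock can itself be abused
    to keep a legitimate user out; in practice pair it with per-source
    throttling so one noisy address cannot lock everyone.
    """
    recent = defaultdict(deque)   # user -> timestamps of failures inside WINDOW
    locked_until = {}             # user -> datetime at which the lock expires
    lockouts: List[Event] = []
    suspicious: List[Event] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                    # skip lines in other formats
        ts, result, user, ip = parsed
        if user in locked_until and ts < locked_until[user]:
            if result == "Accepted":
                suspicious.append((user, ip, ts.isoformat()))
            continue                    # attempts during the lock count for nothing
        if result == "Accepted":
            recent[user].clear()        # a genuine login resets the failure count
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > WINDOW:       # drop failures that fell out of the window
            q.popleft()
        if len(q) >= MAX_FAILURES:
            locked_until[user] = ts + LOCKOUT
            lockouts.append((user, ip, ts.isoformat()))
            q.clear()
    return lockouts, suspicious
```

In the sample, alice's five failures in six seconds trigger a lock, and the "Accepted" two seconds later is flagged; bob's three failures are spread over thirty minutes and never reach the threshold.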
Why should Organizations Invest in Identity Management Systems?
Gunnar Peterson, CISO, Forter
“It is especially fitting that we collectively celebrate World Password Day in light of recent breaches this quarter that have resulted in terabytes of stolen proprietary data and untold financial cost. The day is a reminder that the simplest of defenses in our toolbelt, credential and identity management, can be the difference between a secure system or an unimaginable incident.
Most of the breaches we hear about in the news are a result of businesses relying on automated access control and realizing too late when a user has been hijacked. Once an account is compromised, identity-based fraud can be extremely difficult to detect considering the advanced tactics and randomness of different crime groups like LAPSUS$ and Conti.
To succeed against dynamic cybercriminals and account takeover (ATO) attacks, organizations must build robust identity management systems and invest resources into building a learning system that evolves to identify anomalous user activity. These techniques can ebb and flow with the sophisticated threat landscape we’re witnessing today.”
Have you Heard About Password Reset Poisoning?
Aaron Sandeen, CEO and co-founder, Cyber Security Works (CSW)
“World Password Day is a day set aside not just to promote better password use, but to draw attention to the numerous password-related assaults. Tackling every password-related attack would be difficult, but addressing the problem of Password Reset Poisoning plays an important role in increasing organizational knowledge about better password use and vulnerability management.
Every online application with a login gateway has password reset capabilities. When a user forgets his password, this reset password option is useful. However, in many organizations, password reset poisoning is an attack in which the attacker obtains a victim’s password reset token and is now able to reset the victim’s password. The problem occurs when the program uses the host header to create the password reset link and then adds the user-supplied host header to the password reset link. It is crucial for companies to inform themselves of this type of password attack to protect the privacy of their employees and the business as a whole. While addressing similar password-related attacks, more vulnerabilities can be addressed and give security teams peace of mind.”
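The passage describes the root cause: the reset link is built from the request's Host header, so the token ends up wherever that header points. The example below is added here (not code from CSW or the article) and shows the vulnerable construction next to a hardened one that validates the Host header against a configured allowlist and builds the link from a fixed origin, plus single-use, hashed, expiring tokens. The origin, hostnames and storage are hypothetical stand-ins for a real application's configuration and database.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

# Hypothetical deployment values: the public origin is fixed in configuration
# and never derived from the incoming request.
CANONICAL_ORIGIN = "https://accounts.example.com"
ALLOWED_HOSTS = {"accounts.example.com"}
TOKEN_TTL = 15 * 60   # seconds a reset token stays valid


def build_reset_link_vulnerable(headers: Dict[str, str], token: str) -> str:
    """The pattern the passage warns about: the link's host is copied from the
    request, so whoever controls Host / X-Forwarded-Host controls where the
    victim's token is sent when they click the emailed link."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?" + urlencode({"token": token})


def host_is_trusted(headers: Dict[str, str]) -> bool:
    """Accept the request only if its Host header (minus any port) is one we serve."""
    host = headers.get("Host", "").split(":")[0].lower()
    return host in ALLOWED_HOSTS


def build_reset_link_hardened(headers: Dict[str, str], token: str) -> str:
    """Reject unexpected Host headers and build the link from configuration.
    X-Forwarded-Host is ignored entirely."""
    if not host_is_trusted(headers):
        raise ValueError("request Host header is not one of the configured hosts")
    return f"{CANONICAL_ORIGIN}/reset?" + urlencode({"token": token})


# In-memory stand-in for the database table of outstanding reset tokens.
# Only a hash of each token is stored, so a database leak yields nothing usable.
_reset_store: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user: str, now: Optional[float] = None) -> str:
    """Create a fresh token for the user; issuing a new one invalidates the old one."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)   # 256 bits of randomness
    _reset_store[user] = (_digest(token), now + TOKEN_TTL)
    return token


def redeem_reset_token(user: str, token: str, now: Optional[float] = None) -> bool:
    """True exactly once for a valid, unexpired token; it is consumed on success."""
    now = time.time() if now is None else now
    entry = _reset_store.get(user)
    if entry is None:
        return False
    digest, expires_at = entry
    if now > expires_at:
        del _reset_store[user]
        return False
    if not hmac.compare_digest(digest, _digest(token)):
        return False
    del _reset_store[user]   # single use
    return True
```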
Remembering Passwords is One of the Most Irritating Things
Ricardo Amper, CEO of Incode
“Consumers today are using their smartphones for dozens of activities – from banking to shopping and sending personal information – all while using passwords that are simple to compromise.
With cyberattacks and data breaches more prevalent than ever, the idea of a “password” is becoming increasingly obsolete. They are time-consuming to retrieve, easy to forget and create a less than ideal customer experience. According to a study by Incode, consumers say that updating/creating and remembering passwords is one of the most irritating things when proving their identity online.
On this World Password Day, we recommend implementing a new version of the “password” to ensure optimal security and customer experience: identity verification via biometrics. Using biometric technology to verify someone’s identity instead of passwords can eliminate friction and is more accurate and secure than other mechanisms. Your face is your unique digital identity and is more challenging for cybercriminals to hack. As the shift to a digital-centric era continues, I expect in less than five years’ time our faces will become our passwords – and ultimately create more trust between consumers and the sites they use.”
Passwords Continue to Be Used as a Fallback And “Master Key.”
Keith Neilson, Technical Evangelist at CloudSphere
“When it comes to protecting business data and enhancing overall security, passwords play a critical role. World Password Day serves as a reminder for enterprises to use stronger passwords as a safeguard. Allowing databases to be accessible without even basic password protection is an all-too-common source of data leaks, but it is easily preventable with solutions that provide security guardrails and automated remediation of such misconfigurations.
However, instead of putting emphasis primarily on the best practices for passwords, we must shift the attention over to secure access and next-generation authentication. This involves the development of new and improved alternatives to password management, which will need the implementation of robust cyber asset management systems. Cyber asset management that enables authentication will become a greater priority when challenging authentication methods such as behavioral biometrics and liveness detection become more prevalent, since they need a far more sophisticated collection of cyber assets and rules.
In the end, World Password Day is a good occasion to observe the importance of strong passwords and password protection as part of overall security. While newer ways will undoubtedly replace the traditional password, they will continue to be used as a fallback and “master key.”
Enterprises will increasingly adopt more advanced authentication methods and the cyber asset management capabilities that support this evolution.”
Passwords only Work Because They Are Secrets — but in 2021 More Than 16 Million Accounts Were Known to Have Been Breached Every day
Chris Brooks, founder of CryptoAssetRecovery.com
The point of World Password Day is to remind people to change their passwords. Think of a password like the oil in your car — if you don’t change it every three months, it becomes less effective — and failing to change it can destroy your engine. Passwords only work because they are secrets — but in 2021 more than 16 million accounts were known to have been breached every day. It’s extremely likely that some of your passwords are already known to hackers, and they’re learning more of them every day. Keep your digital life tuned, and change those passwords!
People often think that adding symbols to a password makes it more secure. Given the firepower that hackers have at their disposal today, that isn’t necessarily true. Short complex passwords can be cracked in fractions of seconds. Complexity + Length is what makes passwords secure.
How to Manage Your Passwords: Tips by Entrust Experts on Account of World Password Day 2022
Experts at Entrust provided their tips:
Set up MFA
To increase your online security, consider implementing Multi-Factor Authentication (MFA). This is the process of authenticating your identity when accessing one of your online accounts, usually by receiving a unique code via text message or email to confirm you are who you say you are. In the event of a password leak, MFA will prevent hackers from accessing your account.
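The OpenText passage above mentions codes from an authenticator app, and this tip describes the same second factor. The example below is added here (it is not code from Entrust, OpenText or the article) and implements the RFC 6238 time-based one-time password that such apps generate, together with the server-side check: constant-time comparison, tolerance for one step of clock drift, and rejection of a code that has already been accepted. The shared secret is the published RFC 6238 test secret so the output can be checked against its test vectors; a real enrolment uses a random per-user secret.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Secret shared between the server and the user's authenticator app at enrolment.
# Constructed value: the ASCII test secret from RFC 6238 Appendix B.
SHARED_SECRET = b"12345678901234567890"
STEP = 30        # seconds per code
DIGITS = 6       # what most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (what the app shows)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, submitted: str, at: int, last_used: int,
                window: int = 1, step: int = STEP, digits: int = DIGITS) -> Optional[int]:
    """Server-side check. Returns the matched time-step counter, or None.

    - compares in constant time against the current step and its +/- `window`
      neighbours, to tolerate clock drift between the phone and the server;
    - refuses any counter at or before `last_used` (the counter accepted at the
      previous successful login), so a code that was phished or observed cannot
      be replayed within its validity period. The caller stores the returned
      counter as the new `last_used`.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    current = at // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None
```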
Embrace biometrics
The added security measure of MFA is undoubtedly essential but can often be frustrating. To increase both security and user experience, consider adopting user biometrics, such as fingerprint and facial recognition technologies when authenticating with secure personal devices. These technologies have been around for a number of years and have recently seen a rapid growth in popularity, yet many continue to distrust them, perhaps through a lack of understanding of how they can potentially enhance cybersecurity and personal privacy.
Become vigilant to unfriendly requests
Phishing schemes are one of the most common ways for hackers to get hold of a user’s password to access their accounts. Nowadays, the schemes are becoming more and more difficult to spot, meaning users are unknowingly giving away sensitive information.
Avoid using the same password for multiple accounts
Most people use the same password for multiple or even all of their online accounts due to the convenience of only having to remember one password. Even if you have an incredibly unique password, this is something that should be avoided, as one compromised password will allow intruders to access all of your accounts. Instead, create unique passwords for all accounts so that if one account is compromised, you can rest assured knowing that only one account is put at risk.
Change your password on a regular basis
Some of us are guilty of having used the same password for online accounts for multiple years. However, simply changing your password on a regular basis will increase your online security drastically. In the case of a security breach where your password was lost to a hacker, the easiest way to secure your account is to change your password before they can gain access. The issue here is that it is often hard to know if your password has been leaked; therefore, regularly changing your password may protect your account in the event of a leak.
What You Should Avoid This Password Day
High-ranking business executives have password habits as poor as those of many other internet users, according to new research by NordPass.
While experts continuously urge companies to take cyber risks seriously, business owners, CEOs, and other C-suite executives continue typing “123456,” which, even after many warnings, remains the most popular password to date.
NordPass, in partnership with independent researchers specializing in the analysis of cyber incidents, compiled an extensive list of top passwords used by top-level executives.
“Michael,” “Jordan,” and other widely picked passwords
Among the different executive roles that researchers examined — CEOs, C-level executives, management, and business owners — there is a visible trend to use easily hackable passwords that mainly consist of sequential combinations of numbers or letters.
These include but are not limited to “1q2w3e,” “12345,” “11111,” and “qwerty.” The winner in all categories remains “123456” (used over 1.1 million times), with the password “password” (used over 700 thousand times) coming in second.
Research suggests that top-level executives also extensively use names or mythical creatures as an inspiration when creating passwords. Among the most popular are “dragon” and “monkey.” The most widely chosen names used in passwords are “Tiffany,” “Charlie,” “Michael,” and “Jordan,” which may or may not hint at the legendary basketball player.
Different industries and countries affected
This research was conducted in partnership with independent researchers who analyzed over 290 million data breaches worldwide. They grouped passwords according to job title and industry — among many fields affected, technology, finance, construction, healthcare, and hospitality were shown to experience the most security incidents.
Amidst the countries that experienced breaches examined in this study, France and the United Kingdom were listed among the most breached, accounting for 200 million and 600 million passwords leaked respectively.
The analysis findings demonstrate that business owners, C-suite, and other high-ranking executives, expected to be more conscious about their security online than the average internet user, have similarly poor password habits. This significantly increases the risk of cyberattacks at both the personal and company level.
Data breach costs increase
Last year, NordPass presented similar studies, delving into the Top 200 Most Common Passwords people use online and those of Fortune 500 companies. Interestingly, the comparison of research shows that business executives are as likely to use easy-to-crack passwords as general internet users: “123456” and “123456789” rank in the top five among both audiences.
“It is unbelievable how similar we all think, and this research simply confirms that — what we might consider being very original, in fact, can place us in the list of most common,” says Jonas Karklys, the CEO of NordPass.
Jonas added, “Everyone from gamer teenagers to company owners are targets of cybercrimes, and the only difference is that business entities, as a rule, pay a higher price for their unawareness.”
The IBM report reveals that in 2021, the average global cost of a data breach reached 4.24 million USD, which is 10% more compared to 2020. The attacks that happen due to compromised credentials cost even more at 4.37 million USD and account for 20% of all breaches.
Tips to ensure your passwords are safe
According to Karklys, people can avoid many data breaches by following simple steps to improve password security:
Deploy a password manager. Password managers allow you to store all your passwords in end-to-end encrypted digital storage locked with a single master password for maximum convenience. Most password managers have additional features to check passwords’ strength and automatically generate unique passwords. For organizations, they can come in handy when sharing passwords with employees or managing their access.
Introduce cybersecurity training. Since simple human mistakes remain the leading cause of data breaches, it is worth investing in cybersecurity training sessions for employees. Starting from the basics might be a good idea given that people have different technology background levels.
Enable multi-factor authentication. Known as MFA, it serves as an extra layer of security. It is an authentication method that uses two or more mechanisms to validate the user’s identity – these can be separate apps, security keys, devices, or biometric data.
Password managers like NordPass, powered by the latest technology for the utmost security, allow users to access passwords securely on desktop, mobile, and browsers.
Thank you everyone for sharing your insights with us!