Part 2: World Password Day: Experts Share Best Practices to Keep Data Protected
In Part 2 of our coverage on World Password Day, we spoke to industry leaders and analysts on the growing concern around enterprise security, data protection and WFH policies.
In our digitally-centered world, we’re required to have passwords to hundreds of different accounts for everything from email to bank accounts to applications we use for our jobs and even the apps that control our robot vacuums. In an ideal world, we would create unique and random passwords for each of these accounts, but oftentimes, this critical security step is ignored.
While it’s much easier to use and remember a password like “Fluffycat123,” these kinds of easily guessable passwords leave you open to serious security threats, especially when the same password is used for multiple online accounts. In honor of World Password Day today, we spoke with nine cybersecurity experts to get their insight on the importance of password security and how to create the strongest password.
“The demand for better authentication solutions for employees, particularly passwordless authentication, is greater than ever and with this exciting partnership we give our global corporate clientele an even wider selection of authentication options to complement our Passwordless Enterprise platform,” says Raz Rafaeli, Co-founder and CEO of Secret Double Octopus.
The World Needs Better Password Management and Security Measures
Joseph Carson, chief security scientist & advisory CISO, ThycoticCentrify
“It is World Password Day, which means it is time to reflect on your current password hygiene and determine if your password choices are putting you at serious risk of becoming a victim of cybercrime. According to the UK National Cyber Security Centre (NCSC), 15% of the population uses pets’ names, 14% uses a family member’s name, and 13% picks a notable date. In fact, the weak password problem is so severe that the UK recently proposed new internet and IoT reforms that would make using “password” as your password illegal.
Passwords remain one of the biggest challenges for both consumers and businesses around the world. Thanks to the SolarWinds security incident in late 2020, we were all reminded that a poor password choice can not only impact your own organization but all connected organizations as well. This was likely one of the biggest supply chain cyberattacks in history — all stemming from poorly-created passwords.
If you are a consumer, start by using a password manager today. If you are a business leader, you should move beyond password managers straight into privileged access security. Rotating and choosing passwords is one of the biggest causes of cyber fatigue, so organizations can reward employees with privileged access security solutions that will eliminate one of their biggest work headaches and introduce security solutions that they will want to use. Privileged access security is one of the few security solutions that will transform your employee password experience into one that will make them more productive — and you’ll never need to create unique, complex passphrases for every account as privileged access management (PAM) will do that for them. It’s time to increase security and ease stress by moving passwords into the background with a modern PAM solution.”
Heightened Risks Associated with the WFH Trends
Neil Jones, cybersecurity evangelist, Egnyte
“Recently, one of the largest data dumps in history, referred to as COMB (Compilation of Many Breaches), exposed an astronomical 3.2 billion passwords linked to 2.18 billion unique email addresses. This is frightening news for all of us, but it’s particularly worrisome for IT leaders. So many of them are kept up at night with a gnawing concern: How do I manage the growing risk of data breaches, with a large proportion of my employees working remotely?
Remote work can lead to employees accessing unsanctioned devices, apps and networks, particularly when they experience issues with work-related IT resources. This broadens the attack surface for bad actors and leaves few checks in place for careless behavior that can result in data leaks.
To commemorate World Password Day, we’d like to remind you about practical steps that you can take to protect your valuable information while embracing today’s work-from-home environment:
- Educate your employees on password safety – Teach your users that commonplace passwords such as “123456,” “password” and their pets’ names can put your data and their personal reputations at risk. Remind users that passwords should never be shared with anyone.
- Institute two-factor authentication – IT administrators should require additional login credentials during the users’ authentication process, to prevent potential account breaches. This can be as simple as a user providing their password, then entering an accompanying numeric code from an SMS text.
- Set passwords for personal devices – Personal devices are on the rise in a remote-work environment and are particularly vulnerable to data theft, so encourage your employees to password-protect them.
- Change your Wi-Fi password regularly – Remember that potential hackers are often working from home, just like us. If you haven’t updated your Wi-Fi password recently, do it immediately.
- Establish mandatory password rotations – Greatly reduce exploitation of default and easily-guessable employee credentials by making your employees change their passwords.
- Update your account lockout requirements – Prevent brute force password attacks by immediately locking out access points after several failed login attempts.”
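The lockout and second-factor items in the list above can be combined in a single login gate. The following is an added illustration, not code from Egnyte or from the article: it checks a salted PBKDF2 password hash in constant time, requires a time-based one-time code as the second factor (an RFC 6238 TOTP from an authenticator app is assumed here in place of the SMS code the text mentions), and locks the account for a fixed period after a configurable number of failures. The account, salt, and seed values are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo account (assumed values, not from the article).
DEMO_SALT = b"constructed-salt"
DEMO_PASSWORD = "correct horse battery staple"
DEMO_TOTP_SECRET = b"12345678901234567890"  # RFC 6238 reference seed (SHA-1)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept modest for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


ACCOUNTS = {
    "alice": {
        "salt": DEMO_SALT,
        "hash": hash_password(DEMO_PASSWORD, DEMO_SALT),
        "totp_secret": DEMO_TOTP_SECRET,
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step containing at_time."""
    return hotp(secret, int(at_time) // step, digits)


def code_is_valid(secret: bytes, code: str, now: float, step: int = 30) -> bool:
    """Accept the current step and its two neighbours to tolerate clock drift."""
    counter = int(now) // step
    return any(hmac.compare_digest(hotp(secret, counter + d), code) for d in (-1, 0, 1))


class LockoutPolicy:
    """Lock an account for lockout_seconds once max_failures attempts fail."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}       # user -> consecutive failure count
        self._locked_until = {}   # user -> unix time the lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0)

    def record_failure(self, user: str, now: float) -> None:
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)


def attempt_login(policy: LockoutPolicy, user: str, password: str, code: str, now: float) -> str:
    """Return 'locked', 'bad_password', 'bad_code' or 'ok'. Both factors are always checked
    in the same order so the response does not reveal which one failed first."""
    if policy.is_locked(user, now):
        return "locked"
    account = ACCOUNTS.get(user)
    # Hash even for unknown users so response time does not reveal valid usernames.
    computed = hash_password(password, account["salt"] if account else DEMO_SALT)
    if account is None or not hmac.compare_digest(computed, account["hash"]):
        policy.record_failure(user, now)
        return "bad_password"
    if not code_is_valid(account["totp_secret"], code, now):
        policy.record_failure(user, now)
        return "bad_code"
    policy.record_success(user)
    return "ok"


if __name__ == "__main__":
    policy = LockoutPolicy(max_failures=3, lockout_seconds=60)
    print(attempt_login(policy, "alice", DEMO_PASSWORD, totp(DEMO_TOTP_SECRET, 59), 59))
```

The lockout counter resets on success and after a lock expires; a production deployment would persist it outside the process and would also rate-limit per source address, since per-account lockout alone does nothing against an attacker spreading attempts across many usernames.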
How Do CTAs Access Your Password?
Jon Clemenson, director, Information Security, TokenEx
“Despite technology trends moving toward risk-based authentication, passwords are likely to remain in play for some time. Considering this, World Password Day provides the perfect opportunity to reiterate strong password policies that are vital to both personal and business security. Cybercriminals often reuse credentials from password dumps found online, commonly referred to as credential stuffing, to access sensitive data. That tactic combined with using simple passwords does not provide appropriate data protection. We ask users not to repurpose passwords across websites, and instead, institute lengthy and unique complex passwords whenever possible in conjunction with two-factor authentication.
Further, malware and other attack methods can completely bypass passwords, which is especially concerning during remote work. Before cyber thieves can advance on your credentials, we recommend using password managers to auto-generate strong passwords, or moving to biometric or physical keys for authentication, which are more secure than using passwords. For sensitive data like credit card numbers or other personal info, businesses can remove that data from systems entirely using tokenization. That way, if a hacker does access company systems, they won’t steal any useful information.
Finally, to rise above being a ‘low hanging fruit’ target for a malicious actor, good password hygiene practices like not sharing or reusing passwords are vital. Investing the time to take one extra step to secure your data is invaluable when compared to the fallout of a data breach.”
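Credential stuffing, as described above, has a recognisable footprint in authentication logs: one source address failing against many different usernames in a short window, sometimes followed by a success. The detection below is an added example written for this article, not TokenEx code; the log format and the sample lines are constructed, and the thresholds are assumptions a defender would tune to their own baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<UTC timestamp> auth result=<r> user=<u> src=<ip>").
SAMPLE_LOG = """\
2021-05-06T09:00:01Z auth result=failure user=alice src=203.0.113.7
2021-05-06T09:00:02Z auth result=failure user=bob src=203.0.113.7
2021-05-06T09:00:03Z auth result=failure user=carol src=203.0.113.7
2021-05-06T09:00:04Z auth result=failure user=dave src=203.0.113.7
2021-05-06T09:00:05Z auth result=failure user=erin src=203.0.113.7
2021-05-06T09:00:06Z auth result=success user=frank src=203.0.113.7
2021-05-06T09:00:07Z auth result=failure user=grace src=203.0.113.7
2021-05-06T09:05:00Z auth result=failure user=alice src=198.51.100.20
2021-05-06T09:05:30Z auth result=failure user=alice src=198.51.100.20
2021-05-06T09:06:00Z auth result=success user=alice src=198.51.100.20
"""

LINE_RE = re.compile(r"^(\S+) auth result=(success|failure) user=(\S+) src=(\S+)$")


def parse_auth_log(text: str):
    """Yield (timestamp, result, user, ip) tuples; silently skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def detect_credential_stuffing(log_text: str,
                               window: timedelta = timedelta(minutes=5),
                               min_users: int = 5,
                               min_failures: int = 5) -> dict:
    """Flag source IPs whose failures inside any sliding window hit both thresholds.

    A normal user mistyping their own password fails repeatedly against ONE username,
    so the distinct-username count is what separates stuffing from ordinary mistakes.
    Successes inside a flagged window are reported as possible account takeovers.
    """
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse_auth_log(log_text):
        by_ip[ip].append((ts, result, user))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        for i in range(len(events)):
            start = events[i][0]
            failed_users, failures, successes = set(), 0, []
            for ts, result, user in events[i:]:
                if ts - start > window:
                    break
                if result == "failure":
                    failures += 1
                    failed_users.add(user)
                else:
                    successes.append(user)
            if failures >= min_failures and len(failed_users) >= min_users:
                prev = findings.get(ip)
                if prev is None or failures > prev["failures"]:
                    findings[ip] = {
                        "failures": failures,
                        "distinct_users": len(failed_users),
                        "successes": sorted(set(successes)),
                    }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures across {info['distinct_users']} users; "
              f"successes from this source: {info['successes']}")
```

On the sample, 203.0.113.7 is flagged (six failures across six usernames in seven seconds, with a success for frank worth investigating), while 198.51.100.20, where alice fails twice and then logs in, is not.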
Tips on Protecting your Online Data
Glenn Veil, VP, engineering, Wisetail
“Passwords play a critical, ongoing role in different aspects of our lives. In our personal lives, they provide a layer of defense against fraud and identity theft. In the workplace, they defend us against a breach of sensitive company or customer data. At Wisetail, we implement policies, standards, and guidelines around credential security, but the key is to create awareness and sensitivity in our employees through education and training.
Here are some tips we recommend to protect yourself and your business from cyberattacks:
- Educate your people on the importance of credential security and provide them with the tools to protect credentials
- Create an environment where your people are comfortable highlighting security issues or cases where practices are not being followed so you can continue to improve your credential security
- Utilize multi-factor authentication to reduce the damage that can be done by weak or exploited passwords
- According to NIST’s 2021 security recommendations, it’s important to keep your passwords long but not too complex. Theoretically, if the password is long enough, the chance of a hacker figuring out the correct sequence is low.
Follow these best practices beyond World Password Day, and your entire team will play a part in creating obstacles for digital adversaries and protecting your data.”
How to Overcome Persistent Password Weaknesses
Josh Odom, CTO, Pathwire
“As we reflect on cyber hygiene practices for World Password Day, we recognize that for many years users were encouraged to create strong passwords using random combinations of characters that are difficult for humans to remember, but easy for computers to guess. This is the opposite of the intended purpose and often leads to inherently poor habits such as writing down passwords or reusing ones that are easier to remember.
Some websites utilize a password strength meter, but this can also be tricky and lead users to make weaker passwords instead of stronger ones.
While we’ve engineered these meters to score the passwords we create, they are better used against ones that a computer can create because humans are too predictable, even when we try our best not to be.
To overcome these persistent password weaknesses, utilizing a password manager that generates passwords from a large set of characters to achieve a desired level of entropy is one of the best options currently for creating strong and unique passwords. Still, other options available such as security keys, authenticator apps, or any available multi-factor authentication methods beyond using just a password should be considered for security. Finally, resources like haveibeenpwned.com which check for exposed passwords, are reliable compared to inventing and using your own strength-checking algorithms.”
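Two of the practices above can be shown concretely: generating a password from a large character set until a chosen entropy is reached, and checking a password against an exposed-password service without sending it anywhere. The code below is an added example, not Pathwire code or the haveibeenpwned.com client. The range check follows the k-anonymity scheme used by the Pwned Passwords API (send the first five hex characters of the SHA-1, compare suffixes locally); the "range response" here is a constructed offline table, and the breach counts in it are made up.

```python
import hashlib
import math
import secrets
import string
from collections import defaultdict

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_for_entropy(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose uniform entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(target_bits: float = 80, alphabet: str = ALPHABET) -> str:
    """Draw each character with the CSPRNG-backed secrets module (never random.choice)."""
    n = length_for_entropy(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


# --- k-anonymity range check ----------------------------------------------
# Constructed stand-in for the service's data: hashes of a few exposed passwords
# with invented counts. Only the 5-char prefix is ever sent to the service.
FAKE_EXPOSED = {"password": 1000, "letmein": 50, "123456": 5000}


def build_fake_ranges(exposed: dict) -> dict:
    """Group SHA-1 hashes by prefix into 'SUFFIX:COUNT' lines, like a range response."""
    ranges = defaultdict(list)
    for pw, count in exposed.items():
        h = sha1_upper(pw)
        ranges[h[:5]].append(f"{h[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


FAKE_RANGES = build_fake_ranges(FAKE_EXPOSED)


def offline_range(prefix: str) -> str:
    """Offline substitute for fetching /range/<prefix>; returns the body text."""
    return FAKE_RANGES.get(prefix, "")


def pwned_count(password: str, fetch_range=offline_range) -> int:
    """Return how many times the password appeared in the exposed set (0 = not found)."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    pw = generate_password(80)
    print(f"{pw!r}: {entropy_bits(len(pw), len(ALPHABET)):.1f} bits, exposed {pwned_count(pw)} times")
    print(f"'password' exposed {pwned_count('password')} times")
```

The same entropy function also settles the length-versus-complexity question that comes up later on this page: sixteen lowercase letters carry about 75 bits, eight characters from the full 94-symbol set about 52.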
Yes, Your Backups are Targets for Malware Attacks Too!
Surya Varanasi, CTO of Nexsan, a StorCentric Company
“Few would argue that creating strong passwords must remain a priority. However, even after creating a seemingly impenetrable password using every best practice possible, undiscovered threats might still be able to penetrate them and expose your environment to unnecessary risk.
But if your organization has data that is too important to lose, too private to be seen, and too critical to be tampered with then you must take the next step to thwart cyber-criminals. This can be accomplished by employing a strategy that enables you to unobtrusively offload data from what is likely expensive primary storage (cost savings is another bonus here) to a cost-effective storage solution that is engineered specifically to be regulatory compliant and tamper-proof from even the harshest ransomware attacks.
And since backups have become the latest malware targets, the storage platform should include “unbreakable backup”, meaning it includes an active data vault that creates an immutable copy, which makes recovery of unaltered files fast and easy – so there’s zero operations disruption and never any need to pay ransom.”
JG Heithcock, GM of Retrospect, a StorCentric Company
“A global survey conducted by Gartner found that 88% of business organizations mandated or encouraged employees to work from home (WFH) as a result of the COVID-19 pandemic. With millions of workers around the world now having to access their organization’s data remotely, data protection was put under increased pressure.
For many, the answer was to employ a strong password — oftentimes, requesting that employees do so employing a random mix of no less than 15 characters. Undeniably, this was a step that could not be ignored. Unfortunately, many learned the hard way that this was not enough to stop today’s increasingly determined and aggressive cyber-criminals. And given that research, such as that from the Harvard Business School, shows that the WFH paradigm will likely endure, it is clear that stronger measures must also be taken.
The next step in the data protection and business continuity process for virtually any organization (or personally, for that matter) is an effective backup strategy. And the good news is that there is no need to reinvent the wheel here. A simple 3-2-1 backup strategy will do the trick. This means that data should be saved in at least three locations — one on the computer, one on easy-to-access local storage and another on offsite storage. The options range from local disk, to removable media, to the cloud and even tape. And, if at least one copy is “air-gapped” meaning completely unplugged from the network, all the better.
In 2021 and beyond, multi-layered data protection strategies – such as those employing strong passwords combined with thorough backup practices – will help to ensure you, your data and your organization remain protected in the event of a simple accident, cyber-attack or any other disaster.”
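The 3-2-1 strategy described above is simple enough to check mechanically against an inventory of backup copies. The evaluator below is an added example, not Retrospect or StorCentric code; it applies the conventional reading of the rule (three copies, two kinds of media, one offsite) and treats the air-gapped or immutable copy as the advisory bonus the text calls out. The inventory records are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str          # e.g. "local-disk", "removable", "cloud", "tape"
    offsite: bool
    air_gapped: bool = False   # physically disconnected from the network
    immutable: bool = False    # write-once copy that ransomware cannot overwrite


def evaluate_321(copies: list) -> tuple:
    """Return (passes, findings). Hard failures break the rule; 'advisory:' items do not."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; the rule needs at least 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"all copies share one medium ({', '.join(sorted(media)) or 'none'}); need 2 kinds")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy; a site-level disaster loses everything")
    if not any(c.air_gapped or c.immutable for c in copies):
        findings.append("advisory: no air-gapped or immutable copy; ransomware can reach every copy")
    passes = not any(not f.startswith("advisory:") for f in findings)
    return passes, findings


# Constructed inventories for two organisations.
GOOD_PLAN = [
    BackupCopy("laptop working copy", "local-disk", offsite=False),
    BackupCopy("external SSD, nightly", "removable", offsite=False, air_gapped=True),
    BackupCopy("cloud vault, immutable 30 days", "cloud", offsite=True, immutable=True),
]

WEAK_PLAN = [
    BackupCopy("laptop working copy", "local-disk", offsite=False),
    BackupCopy("office NAS", "local-disk", offsite=False),
]


if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("weak", WEAK_PLAN)):
        ok, notes = evaluate_321(plan)
        print(label, "PASS" if ok else "FAIL", *notes, sep="\n  ")
```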
Here Come the Great Roman Connections with Password Security
Wes Spencer, CISO, Perch Security, a ConnectWise Solution
“Here’s a riddle for you: what’s the one thing we all have, all hate and never remember?
Yep, a password. Isn’t it ironic that in 2021, we’re still using one of the most broken systems for authentication ever? Even Julius Caesar hated passwords and preferred his own cipher to communicate instead.
Why is this? Well, passwords are like underwear. You see, you should never share them, never hang them on your monitor, and honestly, no one should ever see them. So how do we go about living in a password-required world?
First, remember that long passwords are always better than complex ones. This is because the human brain is hardwired to be extremely poor at creating and remembering complex passwords. In fact, a long 16-digit password is far more secure than a short 8-character complex password.
Second, never reuse a password. Ever. Most successful breaches occur when a stolen password from one platform is leveraged against another system that shares the same password. At Perch Security, we’ve dealt with many breaches that occurred this way. It’s a true shame. The best way to avoid this is by using a reputable password manager and keeping it locked down. The password manager can handle the creation, storage and security of every password you use.
Lastly, never rely on your password alone. All reputable platforms today should support multi-factor authentication. We should be religious about this.
If you’ll follow these three things, your life with passwords will be much better. And perhaps one day, we’ll get rid of this pesky, broken system for good.”
Need of the Hour: Education on Best Password Security Frameworks
Ralph Pisani, president, Exabeam
“World Password Day 2021 is more important than ever as organizations grapple with the new reality of ‘work from anywhere’ and the fast adoption of the hybrid workplace trend. Cybercriminals will capitalize on any opportunity to collect credentials from unsuspecting victims. Just recently, scammers began preying on people eagerly awaiting vaccinations or plans to return to the office as a means to swipe their personal data and logins, for instance.
The most common attack technique that I often see in the breach reports that I read is stolen credentials. This is a never-ending battle between the security industry and cybercriminals, but there are ways organizations can protect themselves against credential theft.
Through a mix of educating staff on complex password best practices, security awareness training and investing in machine learning-based security analytics tools, organizations can make it much more difficult for digital adversaries to utilize their employees’ usernames and passwords for personal gain. Behavioral analytics tools can swiftly flag when a legitimate user is exhibiting anomalous behavior indicative of compromised credentials. This approach provides greater insights to SOC analysts about both the impacted and malicious user, which results in a faster response incident time and the ability to stop adversaries in their tracks, before they can do damage.
The pandemic increased the velocity of digital transformation, and cybercriminals are clearly becoming more advanced in parallel. Thus, we must stay hyper-vigilant in protecting credentials this World Password Day and beyond.”
Password Complexity versus Proof of Concept
Chris Morales, Chief Information Security Officer at Netenrich
Good password security in my mind would be to not rely on a password for security. It’s concerning that the cybersecurity industry still gives a false sense of hope as an excuse to continue to force a poor user experience on everyone. Passwords are stolen in large files and databases from poorly configured apps by the millions, or auth tokens are compromised for account takeover. For that reason, all passwords are useless regardless of strength.
It’s crazy that “what you know” is still the primary means of validating identity for online systems which then provide complete access to a broad set of resources with no further validation. That would be like giving my house keys to a random man on the street who claims to be my mom and can prove it by telling me the name of my dog when I was a kid. Even worse if my mom is standing right next to me but doesn’t remember that dog’s name so I trust the stranger but not her. Password complexity is the equivalent of expecting the stranger to give me a whole list of random facts as proof. Does not matter how much he knows. Still not my mom.
Sounds ridiculous right? The cybersecurity industry has built an authentication system which can only be considered inhumane and with a singular value of infuriating everyone. People are the victims, not the cause of breaches.
User access should be adaptive based on level of need and risk. A person should be allowed the appropriate level of access to the appropriate resources at the appropriate time. Most importantly, access should be fluid and not require an incomprehensible amount of user input or predetermined knowledge.
For authentication, the number of variables is more important than the level of complexity of those variables. No reason a password is anything more than a 4-to-6-digit pin. Authentication can be based on who you are (biometrics), what you know (pin), what you have (device/token) and where you are authenticating from (geolocation). Even then, authentication is not trust. Trust is situational awareness. What do you need, why do you need it, when do you need it, and what is your current operating environment? The operating environment is a measure of the risk of providing that access even when the need is justified and the identity asking is authenticated.
There is a combination of local authentication methods combined with remote risk analytics here. Totally doable and the outcome is less intrusive on the end user so we can stop blaming people for human error as to why a breach occurred. To err is human.
Passwords Are the Most Misused Line of Defense in Cybersecurity
Tyler Shields, CMO at JupiterOne
Passwords are the most misused line of defense in cybersecurity. There are numerous war stories of Post-it notes with passwords appearing in television commercials and shows or on YouTube videos. People write them on whiteboards that you can see through open windows or that end up on a Zoom chat. Password complexity requirements are annoying and difficult to remember. Requiring people to change their password with a high frequency makes things even more difficult. All around…passwords simply stink!
The best way to use passwords is to not have to use them by hand! Get a password manager such as LastPass or 1Password and use very complex, difficult to guess, randomly generated passwords via those tools. Respectable password managers have integrations into your daily workflow and systems including browser plugins or command line tools. If you do it right, you can remove the pain of passwords while making your world much more secure. For any system of value, or ideally every system that offers it, you should also turn on two factor authentication (2FA) and have it connect to an authenticator on your phone. By incorporating these two protection techniques, password difficulties will become a thing of the past.
Finally, if you are an enterprise or business, keep track of and audit the permissions and access capabilities for all accounts in your environment. If you are too large to do this by hand, cyber asset management tools can help you automate the process.
Passwordless Authentication Is Admirable. But, Then What?
Tim Wade, Technical Director, CTO Team at Vectra
While passwordless authentication is admirable, and authentication systems solely based on passwords have been, and will continue to be, abused, it’s important to consider that an effective authentication system must also account for effective credential revocation and replacement as much as credential strength – there are few things more trivially revoked and replaced than the knowledge inside someone’s head.
At the risk of unpopularly defending the merits of passwords, they may continue to have a role to play in strong, robust, multi-factor authentication systems even as they’re replaced as the sole (or even most important) anchor of authentication.
Do We Really Need a Password?
Aaron Cockerill, Chief Strategy Officer at Lookout
Passwords must go. We should not be celebrating World Password Day; we should celebrate the day no one ever needs to remember a password ever again. And that day is coming. But in the meantime, there is a lot of support to help us with systems that still require them.
Password managers and even browsers now notify you when passwords are repeated or stolen, and they suggest longer and stronger passwords that they remember rather than you having to. And increasingly your password can be strengthened by things like second factors and biometrics. Increasingly identity will be established using intelligent devices like your smartphone, leveraging both encryption and biometric sensors, and passwords will become a thing of the past.
The challenge then is to know that your smartphone is safe.
More Power to Multifactor Authentication
Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows
Passwords continue to be a major weak point across the internet. Most of the problems stem from password reuse, passwords that are not complex or otherwise easy to guess, or just other general bad security practices. One of the easiest ways to manage this is through the use of a password manager, many of which are free or low-cost, and can help users create complex passwords which they can then use exclusively for each site they visit.
In addition, using multifactor authentication for sites that store important information, such as email, social media, banking websites, or other high-value sites can help deter attackers in the event a password is leaked or reused.
Given the billions of passwords and other points of consumer data that are freely available now on the internet and deep and dark webs, it’s now only a matter of time before any account could be breached. Adopting strong security practices early and proactively helps to delay, or even prevent, a future attack that could lead to exposure of sensitive or personal data, both from a business account or your own personal life.
Plenty of criminals are willing to get that data or pay for it, so why make it easy for them to cash in on your information?
Never Ignore the Importance and the Value of Password Variance and Length
Monti Knode, Director of Customer & Partner Success at Horizon3.AI
Attackers don’t hack in…they log in. Annual security reports illustrate this trend across industries, exploding this past year. In more than 500 pentest operations in the last six months, we’ve seen this as well, with weak or default credentials topping our top-10 findings lists for the second quarter in a row, averaging over 90 credentials exploited per operation.
This topic is so top-of-mind in cybersecurity that it was the inspiration for our first Tech Talk webinar earlier this year. We can’t understate the value of password variance and length. Credential stuffing and reuse is a real problem; people will use the same password for their streaming service, their bank and their domain admin account.
In a recent operation, we found one password was in use by 152 accounts, ~20% of the enterprise. We also saw a steep decline in our ability to crack passwords as the password length increased from the 8-character minimum set by policy.
Credentials are the new perimeter, so if celebrating a World Password Day inspires people to reconsider their easily cracked P@$$w0rd, buy me a shiny hat and let’s have a party.
Password Best Practices to Ensure Data Is Effectively Protected
Ian Pitt, CIO of LogMeIn
This year’s World Password Day serves as another reminder that passwords play a pivotal role in protecting business information and enhancing overall security efforts. While organizations and individuals understand the importance of strong passwords, many continue to neglect password best practices leaving their organizations vulnerable to cyberattacks. In fact, a large majority of people understand the risks associated with reusing the same password across multiple accounts, yet they still do it. As we approach a post-pandemic world and enterprises allow long-term remote work, cybercriminals will continue to target those with poor security behaviors. Given this, companies need to encourage employees to improve password behaviors to increase the organization’s overall security. Below are some password best practices to ensure data is effectively protected.
- Give your passwords a safe home: Selecting the right password manager offers a safe, secure digital vault to store usernames and passwords.
- Generate unique passwords: Be sure to create strong and unique passwords for personal and business accounts, to decrease the chances of hackers compromising information.
- Implement multi-factor authentication: Turn on MFA when possible, to decrease hackers’ chances of accessing important information such as email and bank accounts.
- Update Software: Be sure to keep all home devices such as computers, mobile devices, or routers updated with the latest software, so others cannot tap into your network.