Today is World Password Day, a day meant to remind everyone of the importance of protecting themselves with strong passwords. World Password Day is an annual observance that falls on the first Thursday of every May; it also commemorates security researcher Mark Burnett’s book, Perfect Password: Selection, Protection, Authentication, in which he encouraged people not only to have safe and smart passwords but also to have a password day.
Burnett’s tips were taken up by Intel Security, which took the initiative to declare the first Thursday in May as World Password Day, in May 2013, following which the Registrar of National Day Calendar formally designated it.
To observe this day, CISO MAG interacted with several cybersecurity experts from around the globe about the relevance of World Password Day, the trends in authentication technologies, and the best practices that need to be established.
1. User frustration is ever-increasing with forced password resets
“When World Password Day was established in 2013, the world recognized that passwords were a necessary evil, despite being a flawed and insecure method of authentication. But the root of the problem goes back to the foundation of the ‘commercial internet’ in the mid-1990s, when Netscape and others enabled widespread access and consumer accounts, prompting a massive need and meteoric rise in password use, and beginning an era of consumer insecurity and exposure.
Fast forward to today and the problem has ballooned. Verizon’s 2020 Data Breach Investigations Report (DBIR) revealed that 80% of breaches use stolen credentials, collected either through database leaks or phishing attacks. And even if you follow recommendations for password hygiene, criminals can still get their hands on your password through a range of means – from fraudulent ‘phishing’ sites to insecure password databases and even commandeering your phone to intercept password reset messages.
The industry has responded by putting an even greater burden – not to mention blame – on consumers, to compensate for what can only be described as a complete systemic failure and an unwillingness to upset the market apple cart by refusing to fix the foundational issue. Complexity and user frustration are ever-increasing with forced password resets, cumbersome password creation requirements, and extra steps for multi-factor authentication (MFA). In summary, consumers must expect and demand better internet security and end the ‘stupid user’ blame game. The industry itself is headed in this direction with corporations and groups advocating for the eradication of passwords – but the industry is not moving fast enough, and the technology exists to make change now.”
2. Password-sharing behavior may stem from early childhood
“While a lot of the coverage about passwords focuses on business users, it’s really important not to overlook children and teens in this discussion. They will typically make some of the same types of common mistakes as adults when creating and using online passwords, but there are several that stand out the most for this age group.
One of the worst is sharing credentials with friends, boyfriends/girlfriends, etc. At that age, relationships tend to be shorter in duration and some kids end up using the shared access against each other such as posting inappropriate messages on social media accounts or conducting surveillance over account activity. This type of password-sharing behavior may even stem from early childhood when parents would share their credentials with their kids for accessing devices or online sites. This should be avoided at all costs.
Secondly, kids and teens are exposed to devices everywhere they go from the library, to school, to over a friend’s house, etc. It’s important to avoid entering your credentials on untrusted devices that you do not own, control, or completely trust. Devices in public places should only be used for anonymous web browsing and not for logging into any of your online accounts since passwords can be easily stolen from these types of computers.
Finally, it’s important to avoid using personal information when creating any of your passwords. Young kids, and even adults for that matter, want to generate a password that is easy enough to remember. So they’ll use their name, birthdate, address, phone number, etc. These are all details that can be either easily guessed or end up further exposing you if a website is ever compromised.”
3. Passwordless authentication is picking up steam
“World Password Day is a timely reminder of how important it is for enterprises to recognize the importance of secure sign-in credentials and their shifting landscape. An estimated 80% of hacking-related breaches can be attributed to lost or stolen credentials, which leads to millions of dollars in financial damages and creates a snowball effect of stolen data. Protecting passwords has become an industry-wide concern that continues to remain an ongoing problem. It is therefore imperative for organizations to prioritize password security by adding in multiple authentication layers, limiting employee privileges and considering passwordless alternatives.
Two-factor authentication has been one popular way companies are addressing password and login security. While it’s a helpful and beneficial security step to incorporate, it isn’t without its flaws. Building in an additional security feature does thwart more attacks, but two-factor is also becoming more and more vulnerable to advanced hacking techniques that can steal phone numbers or redirect codes to access accounts.
Passphrases, which are much lengthier and more effective than passwords, are another option security teams have been implementing. These 20 – 30-character phrases drastically limit brute force attacks, but also have similar pitfalls to passwords. A more interesting future might be a world without passwords or passphrases altogether. Passwordless authentication is picking up steam, with over 150M people currently using passwordless login methods each month. The passwordless option doesn’t necessarily solve this entire security problem, but it would force attackers to extract and replay tokens, a much more difficult process than using brute force for weak passwords, password reuse, phishing, or credential stuffing.
Adopting a Zero Trust security model can further help limit password exposure in on-premises or cloud environments, while also ensuring that proper network access is strictly granted to authorized individuals. It’s intended to use several factors to authenticate users (to establish trust) other than a username, password, and overall user profile. And should a compromise occur to user credentials, it’s mostly limited to an isolated, single-threaded incident and won’t compromise the network’s system, data, or applications.”
- James Carder, CSO, LogRhythm
4. Use MFA paired with contextual access policies
“The dark web contains over 15 billion stolen account logins, including credentials, usernames, and password pairs, a massive amount of data that is mostly being offered for free. With most breaches resulting in the distribution of duplicate files that are shared amongst cybercriminals, it makes it incredibly difficult to track down stolen data and find the source of stolen information. While hackers have access to a substantial amount of data that can lead to unauthorized organizational access and data breaches, multi-factor authentication is an effective means of thwarting attacks while bolstering and improving password protections.
Multi-factor authentication requires knowledge (password or PIN), possession (one-time code, ID card, or digital key), and inherents (fingerprint or scan) to verify user identity. While digital codes or tokens to a device can potentially end up in the wrong hands, adding another blanket of security like inherents alleviates the risk should a smartphone fall into the wrong hands. Another approach is to use multi-factor authentication paired with contextual access policies (e.g. device, geography) in a step-up fashion. This uses a tiered security system, allowing access to different types of resources that then require additional, stronger verification methods for more sensitive information. By utilizing multi-factor and step-up authentication, enterprises are strategically prepared to protect the high-priority organizational data and user passwords across platforms.”
- Anurag Kahol, CTO, Bitglass
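As an added illustration of the step-up, context-aware policy described in the quote above (example code written for this page, not Bitglass’s or any vendor’s product logic): a small policy engine maps a request’s resource tier and its risk signals (managed device, geography) to the assurance level it needs, using the knowledge, possession and inherence factors the quote names. The tiers, the signal fields and the sample requests are constructed assumptions.

```python
"""Step-up authentication policy engine (added example; constructed policy)."""
from dataclasses import dataclass
from enum import IntEnum


class Assurance(IntEnum):
    """Factors verified so far, ordered by strength (constructed levels)."""
    PASSWORD = 1          # knowledge only
    PASSWORD_OTP = 2      # + possession (one-time code, security key)
    PASSWORD_OTP_BIO = 3  # + inherence (fingerprint, face)


# Resource sensitivity tiers: the baseline proof each resource demands.
# Constructed for this example; a real deployment reads this from policy config.
RESOURCE_TIER = {
    "wiki": Assurance.PASSWORD,
    "email": Assurance.PASSWORD_OTP,
    "payroll": Assurance.PASSWORD_OTP_BIO,
}


@dataclass
class Context:
    user: str
    resource: str
    device_managed: bool   # endpoint enrolled in device management?
    country: str           # country from geo-IP of this request
    home_country: str      # where this user normally works
    presented: Assurance   # highest level already verified in this session


def _step_up(level: Assurance) -> Assurance:
    """Raise a requirement by one level, capped at the strongest tier."""
    return Assurance(min(level + 1, Assurance.PASSWORD_OTP_BIO))


def required_assurance(ctx: Context) -> Assurance:
    """Baseline from the resource tier, stepped up once per risk signal."""
    # Unknown resources get the strictest tier rather than the loosest.
    level = RESOURCE_TIER.get(ctx.resource, Assurance.PASSWORD_OTP_BIO)
    if not ctx.device_managed:           # unmanaged device: one step up
        level = _step_up(level)
    if ctx.country != ctx.home_country:  # unusual geography: one step up
        level = _step_up(level)
    return level


def decide(ctx: Context) -> str:
    """'allow' when the session already carries enough proof, otherwise
    'step_up:<LEVEL>' naming the level the client must reach first."""
    need = required_assurance(ctx)
    if ctx.presented >= need:
        return "allow"
    return f"step_up:{need.name}"


if __name__ == "__main__":
    samples = [
        Context("ann", "wiki", True, "US", "US", Assurance.PASSWORD),
        Context("ann", "payroll", True, "US", "US", Assurance.PASSWORD),
        Context("ann", "email", False, "DE", "US", Assurance.PASSWORD_OTP),
    ]
    for ctx in samples:
        print(ctx.resource, ctx.country, "managed" if ctx.device_managed else "unmanaged", decide(ctx))
```

The engine only ever raises the requirement, never lowers it, so a stolen password on its own reaches at most the lowest tier, and an unrecognised resource defaults to the strictest tier rather than the loosest.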
5. Password brute-forcing is exploited in the wild
“When we look at API security, we can see that the most common attack vector exploited in the wild is different forms of password brute-forcing, such as credential stuffing and dictionary attacks. If you expose a password-based login endpoint to the internet, it’s just a matter of time until someone will try to attack. From the attacker’s perspective, the exploitation of these endpoints is simple, generic, and easy to scale while the reward is high.
From a defender’s perspective, protecting your authentication mechanism from password-based attacks (such as credential stuffing) should always involve three aspects: 1. require your users to use strong passwords (according to industry standards); 2. implement rate limiting on the server side to block attacks; 3. use multi-factor authentication.”
- Inon Shkedy, Security Researcher, Traceable
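The server-side rate limiting named as the second aspect above, as an added example (written for this page, not Traceable’s code): sliding-window failure counters keyed both by account and by source address, so that one address spraying a single password across many accounts (credential stuffing) and many addresses hammering one account (a dictionary attack) are both slowed before any password is checked. The users, addresses, timings and the `handle_login` flow are constructed for the example.

```python
"""Server-side throttling for a password login endpoint (added example)."""
from collections import Counter, defaultdict, deque


class LoginRateLimiter:
    def __init__(self, per_user: int = 5, per_ip: int = 20, window: float = 60.0):
        self.per_user = per_user      # failures allowed per account per window
        self.per_ip = per_ip          # failures allowed per source address per window
        self.window = window          # seconds
        self._user_fail = defaultdict(deque)   # username -> failure timestamps
        self._ip_fail = defaultdict(deque)     # address  -> failure timestamps

    def _prune(self, q: deque, now: float) -> None:
        """Drop failures older than the window from the front of the queue."""
        while q and now - q[0] > self.window:
            q.popleft()

    def allowed(self, username: str, ip: str, now: float) -> bool:
        """May this attempt proceed to password verification at all?"""
        uq, iq = self._user_fail[username], self._ip_fail[ip]
        self._prune(uq, now)
        self._prune(iq, now)
        return len(uq) < self.per_user and len(iq) < self.per_ip

    def record_failure(self, username: str, ip: str, now: float) -> None:
        self._user_fail[username].append(now)
        self._ip_fail[ip].append(now)

    def record_success(self, username: str) -> None:
        self._user_fail[username].clear()   # the address counter is kept on purpose


# Constructed credential store. Plaintext is used only to keep the example
# short; a real store holds salted Argon2/bcrypt hashes.
USERS = {"alice": "correct-horse-battery-staple", "bob": "Orbital-Kettle-42"}


def handle_login(limiter: LoginRateLimiter, username: str, ip: str,
                 password: str, now: float) -> str:
    """Outcome of one login attempt: 'throttled', 'failed' or 'ok'."""
    if not limiter.allowed(username, ip, now):
        return "throttled"               # rejected before any password check
    if USERS.get(username) == password:
        limiter.record_success(username)
        return "ok"
    limiter.record_failure(username, ip, now)
    return "failed"


def run_scenarios() -> Counter:
    """Replay constructed attack and legitimate traffic; tally the outcomes."""
    lim = LoginRateLimiter(per_user=5, per_ip=20, window=60.0)
    tally = Counter()
    # A: credential stuffing: one address, one leaked password, 40 accounts in 4 s.
    for i in range(40):
        tally["stuffing:" + handle_login(lim, f"user{i}", "203.0.113.7", "Password123", 0.1 * i)] += 1
    # B: dictionary attack on one account from 12 different addresses.
    for i in range(12):
        tally["dict:" + handle_login(lim, "alice", f"198.51.100.{i}", f"guess{i}", 10.0 + i)] += 1
    # Legitimate traffic: bob during the attack; alice after her window expired.
    tally["legit:" + handle_login(lim, "bob", "192.0.2.10", USERS["bob"], 5.0)] += 1
    tally["legit:" + handle_login(lim, "alice", "192.0.2.11", USERS["alice"], 100.0)] += 1
    return tally


if __name__ == "__main__":
    for outcome, n in sorted(run_scenarios().items()):
        print(f"{outcome:20s} {n}")
```

Two design points worth noting: the per-account counter is what catches an attack spread over many addresses, but it also hands anyone a way to lock a victim out by failing a few times, so production deployments pair it with softer measures (progressive delays, CAPTCHA, trusted-device cookies) rather than hard lockout; and the counters must live in a store shared by every instance of the login service, or an attacker simply spreads attempts across instances.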
6. Use passphrases that are far harder to crack
“Our recently released State of Email Security Report found increases in all attack types over the past year, as the pandemic and switch to remote work created new vulnerabilities that cybercriminals are working hard to exploit. In response, organizations should build greater cyber resilience by implementing updated security controls and prioritizing regular cybersecurity awareness training to protect employees – and the business – from attack.
Effective training is engaging, interesting and frequent and, among other things, encourages users to regularly update their passwords. Users should always use passphrases, as these are far harder to crack, make use of IT-approved password managers, and ensure they aren’t using the same password across multiple platforms. Having unique passwords across personal and company platforms will ensure that if a person’s social media profile is phished, for example, they aren’t at risk of having a corporate account compromised. Effective cybersecurity awareness training should be the bedrock of any modern organization’s cybersecurity efforts.”
- Duane Nicol, cybersecurity expert, Mimecast
7. Hackers are interested in passwords that open doors to privileged access
“Passwords are the entry gates to voluminous data especially from the accounts that have privileged access. Weak and reused credentials are at the centre of such breaches. In April, shocking news came to light based on the findings of a massive 100GB data set called COMB21. As per this data, 3.2 billion passwords were leaked out of which 1.5 million email addresses were exposed mainly belonging to government departments. 625,505 passwords alone belonged to the U.S. government. This monstrous number of compromised credentials is why people now more than ever need to be sensitized about password etiquette. This is why since 2013, the first Thursday of May every year is observed as ‘World Password Day.’ What many fail to realize is that it’s not just random passwords that hackers are interested in. Their primary targets are passwords that open doors to privileged access. The overall security of an enterprise or a government agency reflects on how the network credentials are managed. Comprehensive authentication and access control should always be the number one priority.
The reasons for passwords getting compromised are – firstly, employees want to reuse their existing or old passwords. Secondly, if authentication mechanisms are overly burdensome, employees resort to risky or poor password practices. Finally, reusing the same password for different accounts makes it easier for hackers to gain access to multiple accounts in one go. To prevent this, one needs to protect data with industry-leading endpoint security solutions that include comprehensive encryption, strong authentication, and leading-edge malware prevention.
Though education and training are important in raising employee awareness, putting effective tools in place – like a password manager and multi-factor authentication – ensures that best practices are default and embedded into the company’s security culture.”
- Gurpreet Singh, Managing Director, Arrow PC Network (Dell Technologies Titanium Partner)
8. Standalone password protection is insufficient
“World Password Day is an opportunity to take a step back and examine what the future holds for secure logins. To date, over 600 million passwords have been exposed through data breaches. Needless to say, standalone password protection is an insufficient and ineffective method of protecting organizations and sensitive information. Weak, insufficient, and stolen credentials are common causes for breaches and hacks that often result in millions of dollars in damages and data loss. It’s more important than ever before for companies to rely on two-factor authentication that also incorporates additional login tokens or one-time codes to fully obtain access. This adds in another layer of security to help address the password problem but still hasn’t solved it entirely as hackers can still gain access through authentication code interception techniques and SIM swapping.
While two-factor is a step up from traditional password safety, modern-day problems require modern solutions, and passwordless authentication may hold the future key to more effectively securing credentials. Passwordless authentication is an intriguing and hopefully superior option in the near future, but it’s not a standalone panacea for security concerns. Coupling in additional measures such as Zero Trust, crowdsourced cybersecurity and proactive threat detection will keep enterprises secure and information safely protected in the future.”
- Ashish Gupta, CEO & President, Bugcrowd
9. Implementing 2FA is critical
“World Password Day is an excellent time for individuals and businesses to reflect on their current password practices and ensure they are building the safest habits to protect themselves and their company from cybercriminals. Many are under the assumption that if they are taking the steps to create unique passwords for each platform and application, they are secure. But it’s not enough.
The number of headline-grabbing breaches that have taken place over the last year highlights the critical need for safeguards across the entire company network. While there are a few different ways to protect login credentials beyond a simple username and password, one of the most popular and effective options is two-factor authentication (2FA). Implementing 2FA provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user’s phone, email address, or through an authenticator app, after entering their username and password. It’s getting easier for cybercriminals to breach even the most complex password, which is why implementing 2FA is critical.
Email is a common point of attack because it often contains sensitive and valuable communications. Organizations should also consider implementing an email security solution that conducts a security audit to analyze its admins, users, mailboxes, and rules for vulnerabilities such as outdated passwords so they can be resolved before a breach happens. Organizations should use World Password Day to evaluate their internal Password Policies and send reminders to employees and customers alike about the importance of good password hygiene.”
- Dave Wagner, CEO, Zix
10. Password policies need to advance
“Optiv strongly recommends all enterprises implement a password complexity of 12 characters, including uppercase, lowercase, numbers, and symbols. As technology is ever-advancing, the password policies we put in place also need to advance to keep up with would-be attackers. With most things, password cracking will continue to be a ‘cat and mouse’ game that can only be resolved through a fully implemented password policy, including password blacklisting, rotation, multi-factor authentication, complexity requirements, and security awareness training.”
- Brett Little, Senior Consultant (Threat Management), Optiv
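A checker for the policy recommended above, as an added example (written for this page, not Optiv’s tooling): it enforces the quoted baseline of 12 characters drawn from all four character classes and adds the banned-password screening the quote calls blacklisting, normalizing common substitutions so that variants such as `P@ssw0rd2021` are caught. The banned list, the substitution table and the sample passwords are constructed assumptions.

```python
"""Password policy check: length, character classes, banned-list screening."""
import re

MIN_LENGTH = 12

# Constructed banned list; production lists are thousands of entries long
# and include the organisation's own name, product names and seasons.
BANNED = {"password", "welcome", "letmein", "qwerty", "iloveyou", "admin",
          "examplecorp", "summer", "winter"}

# Substitutions that cracking wordlists already account for (constructed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce 'P@ssw0rd2021!' to 'password' before the banned-list lookup:
    lower-case, strip trailing digits/symbols, then undo leet substitutions."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(LEET)


def evaluate(password: str) -> list[str]:
    """Return every policy violation (an empty list means the password passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() and not c.isspace() for c in password),
    }
    problems.extend(f"missing {name}" for name, ok in classes.items() if not ok)
    base = normalize(password)
    if base in BANNED:
        problems.append(f"normalizes to banned word '{base}'")
    return problems


if __name__ == "__main__":
    for pw in ["Password123!", "P@ssw0rd2021", "Tr0ub4dor&3",
               "correct horse battery staple", "Blue-Kettle Orbits 42 Moons"]:
        print(repr(pw), evaluate(pw) or "OK")
```

One trade-off the checker makes visible: a long passphrase with no digits or symbols fails the composition rules even though its length makes it far harder to guess, which is why NIST SP 800-63B puts its weight on minimum length and screening against banned and breached lists rather than on composition requirements.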
11. 77% of people reuse passwords
“World Password Day is a great reminder to take inventory of our passwords, including where they are stored, whether you reuse them for multiple accounts and their complexity. Tessian’s recent report found that 77% of people reuse passwords, and 21% use predictable cues like their favorite football team, their pet’s name, or birthdays when crafting passwords. The problem? These personal details are likely to be found on people’s social media channels, making it easy for hackers to scan publicly available information to try to crack passwords or even answer security questions.
To prevent account takeover and business email compromise, CISOs and their teams should help educate employees about their social media footprint, cybersecurity best practices, and how to spot impersonation attacks. They should also reinforce the need for strong passwords that don’t include names or names of pets, birth dates, location, or other information that’s easy to find online. Even better, use a password manager like 1Password to randomly generate impossible-to-hack passwords. And while it can be tempting to reuse passwords that are easy to remember, never reuse or duplicate any passwords for personal or professional accounts. A bad actor could guess just one password and gain access to multiple accounts.”
- Tim Sadler, CEO and Co-founder, Tessian
12. Best passwords are unique and long
“World Password Day is the perfect day for a reminder that the best passwords are unique, long, and include a mix of letter cases, numbers, and characters like “#”, “$”, “&”. Additionally, here are two key steps to improve your password security:
- Password manager: Remembering passwords for different sites is difficult. A password manager can generate long, complex passwords and store them on a site-by-site basis. But you must protect it with a master password.
- Check for leaked passwords: With data thefts and breaches over the years, it is possible that your password has been leaked. Searchable databases like Avast HackCheck can help you find out if any password is compromised. If you find your password has been leaked, change it immediately. If you don’t use the website, close the account entirely.”
- Christopher Budd, Senior Global Threat Communications Manager, Avast
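The leaked-password lookup recommended above can be done without ever sending the password, or even its full hash, to the checking service. This added example (not Avast’s code) shows the k-anonymity scheme used by Troy Hunt’s Pwned Passwords range API: the client hashes locally with SHA-1, sends only the first five hex characters, receives every suffix stored under that prefix with a breach count, and finishes the match on its own machine. The breach corpus is a tiny constructed stand-in so the example runs offline.

```python
"""Leaked-password check with a k-anonymity range query (added example)."""
import hashlib

# Constructed corpus: password -> number of times seen in breaches.
BREACH_CORPUS = {"password": 3_000_000, "123456": 5_000_000,
                 "qwerty": 800_000, "Summer2021!": 1_200}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict[str, int]) -> dict[str, list[str]]:
    """Server side: bucket every breached hash under its 5-character prefix."""
    index: dict[str, list[str]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


def range_query(index: dict[str, list[str]], prefix: str) -> list[str]:
    """Stand-in for GET /range/{prefix}: the prefix is all the client sends.
    Every suffix in the bucket comes back, so the service cannot tell which
    one (if any) the client was looking for."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly five hex characters")
    return index.get(prefix, [])


def breach_count(password: str, index: dict[str, list[str]]) -> int:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_query(index, prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    idx = build_range_index(BREACH_CORPUS)
    for pw in ["password", "Summer2021!", "zq9$Lm!vK2#pW"]:
        n = breach_count(pw, idx)
        print(repr(pw), f"seen {n} times in the corpus" if n else "not in the corpus")
```

Against the real service a prefix bucket holds several hundred suffixes, which is what gives the scheme its anonymity; a password found even once should be treated as known to attackers and retired, exactly as the quote advises.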
13. Attackers will always look to new tactics and techniques
“At the enterprise, most organizations have implemented password policies and expirations along with federated identity technology such as Active Directory as well as 2FA. While this has protected organizations to a degree, attackers will always look to new tactics and techniques to achieve their goals as evidenced by this year’s HAFNIUM and SUNBURST attacks. World Password Day is a good time to ensure systems running identity and federation services are hardened, and your endpoint detection systems are able to spot the tactics, techniques and procedures associated with attacks on credentials and the single sign-on infrastructure.”
- Anthony Di Bello, VP, Strategic Development, OpenText
14. Change passwords frequently
“With millions of people working from home for more than a year now, organizations have adopted various password policies across the globe. While password policies are being implemented, cybercriminals continue to find ways around them, and data breaches are still on the rise. World Password Day 2021 is an opportunity for organizations not only to enhance awareness but also to strengthen their password policies as a step towards preventing cyberattacks. Using strong, unique passwords along with multi-factor authentication, changing passwords frequently, and avoiding similar passwords for all accounts are useful tips that help prevent data from being stolen or exploited.”
- Huzefa Motiwala, Director, Systems Engineering (India & SAARC), Palo Alto Networks
15. Move to passwordless authentication
“While it is important to highlight the weaknesses of passwords, any message that you can make passwords “strong” is egregiously misleading. Given today’s enhanced threat landscape, relying on passwords alone is imprudent, even reckless. Adding an extra factor, such as a token, to enable multifactor authentication (MFA) is a minimum good practice, but the top practice is to move to passwordless authentication. In short, the only strong password is no password.”
- Ant Allan, Vice President Analyst, Gartner
16. Be discreet while setting passwords
“It is always advisable to be careful and discreet while setting your password and not share it with anyone.
Things to keep in mind while creating/managing passwords:
- Make sure that no one is watching while you enter your password
- Always select “never” when your Internet browser asks for your permission to remember your passwords
- Passwords should always be long and complex, so that they cannot be hacked easily
- Regularly change passwords, every three to six months
The best way to create a strong password is to think of a word or sentence and replace some letters with numbers or special characters.
“It is raining cats and dogs!” becomes “1tsrAIn1NGcts&DGS!”
It is our responsibility to keep our information/data safe and secure.”
- Hardik Panchal, General Manager – Networking Services, Rahi Systems
17. Bulletproof your passwords
“Protecting our privacy begins with strengthening our password. Password day is designated to remind us of the importance of this first line of defense against ransomware, spyware, and other bad actors. It acts as a key to our digital identity; the more unique the key, the lower the chances of a stranger being able to unlock it. Hence, in today’s digital world, where technology rules, creating a strong password is a must and should be the foremost priority for everyone, especially when hackers are becoming more advanced.
We have to understand how vulnerable a poor password can leave us, especially when our lives and all our data have moved online. There are many things we should keep in mind while creating a password: bulletproof your passwords, enable two- or multi-factor authentication, keep it impersonal, layer them up and, last but not least, use a password manager.
I believe multi-layered data protection strategies – such as those employing strong passwords combined with thorough backup practices – will help to ensure our data and our organization remain protected in the event of a simple accident, cyber-attack, or any other disaster.”
- Prashanth GJ, CEO at TechnoBind
18. Password with your pet’s name isn’t going to protect you
“In today’s digital-everything world, so much of our lives are available online and accessible across multiple devices. We have grown accustomed to sharing our personal information online, sometimes without giving thought to the potential consequences.
“Personally identifiable information has become an attractive target for cybercriminals and unfortunately a password with your pet’s name isn’t going to protect you. Weak or predictable passwords are akin to having a door with no hinges; a thief can get through. Far too many scams focused on tricking individuals into disclosing their passwords have occurred in India, and the negative consequences as a result cannot be understated.
“Rather than relying on passwords alone, add additional layers of security. Implement authentication methods [multi-factor authentication (MFA)], such as the use of biometrics or one-time passcodes [OTPs]. This is simple and prevents identity theft and other cybercrimes.”
- Kartik Shahani, Country Manager, Tenable India