The last year has seen most of us adopt new ways of working, collaborating, communicating, and shopping, as well as changing our entertainment habits.
By Jeffrey Kok, VP, Solution Engineers, Asia Pacific and Japan, CyberArk
We have more accounts with more websites, applications, and services than ever before. This has created exponential growth in the number of digital identities each one of us possess. Many of these identities, unfortunately, will be secured by weak passwords, putting not only our data at risk but our whole digital ecosystem, including our employers.
Cybercriminals are well-aware of this, routinely taking advantage of the opportunities to exploit weak passwords and compromise data. Here are three tips to reduce the password-related risk this World Password Day:
- Use a strong password – Strong passwords contain several different types of characters and, consequently, require more effort and time for an attacker to hack. Passwords should contain at least 10 characters and include a combination of character types, such as commas, percent signs, and parentheses, as well as uppercase and lowercase letters and numbers.
- Don’t Re-use Passwords – If you re-use passwords on multiple sites or accounts, even if your password is complex enough and long, all it will take is for one of your accounts to be compromised to make all of your other accounts vulnerable.
- Use multi-factor authentication (MFA) – Many services we use online require that multiple types of authentication – not just a password – are required to unlock the account. But many only give you the option. If MFA is an option, use it. Yes, it’s a little more time-consuming, but it keeps you and your data much safer.
The last year has seen the forced acceleration of digital transformation, with many organizations adopting a new way of working, collaborating, and communicating.
Whilst this may have boosted innovation within an enterprise, it’s also created challenges for security and IT professionals. Every new corporate application or tool becomes a new identity silo, with unique password management requirements, such as complexity or how often they should be rotated.
And because we are pretty bad at using and remembering strong passwords, we often use weak ones or re-use them. In fact, 84% of remote workers admitted to re-using passwords in our survey. Added to this, passwords are still often the only verification method in use. Because of this, IT professionals consider passwords to be amongst the weakest links in their company’s defenses.
World Password Day 2021 provides a timely opportunity for IT admins and security teams to reinforce best practices. Here are four top tips to reducing password-related risk:
- Mandate the use of a strong password – Strong passwords contain several different types of characters and, consequently, require more effort and time for an attacker to hack. Passwords should contain at least 10 characters and include a combination of character types, such as commas, percent signs, and parentheses, as well as uppercase and lowercase letters and numbers.
- Enforce the use of one unique password for each service and account – If employees re-use passwords on multiple sites or accounts, even if the password is complex enough and long, all it will take is for one of their accounts to be compromised to make all of their other accounts vulnerable.
- Use multi-factor authentication – This means that multiple types of authentication – not just a password – are required to unlock the account. The first part of the authentication process requires something the user already knows, like a password. The other part of the authentication process involves something the user doesn’t already know, such as a code sent to the mobile phone by authentication software or created by a designated application on the phone.
This code becomes the other half of a user’s login authentication. Now, even if attackers manage to get a password, they still don’t have access to the account without the other part of the authentication.
- Address the risk of local admin accounts on workstations – Weak passwords and end-users with local admin rights on their workstations represent a significant security risk for organizations. Many attacks start on endpoints where attackers initially gain access through a phishing attack or when an employee inadvertently downloads and executes a malicious application. In many cases, an attacker’s aim is to compromise the privileged credentials that reside on workstations.
Privileged credentials – such as admin rights – can allow attackers to move laterally until they can secure credentials to the system with sensitive PII (personally identifiable information) or intellectual property. To reduce this risk, organizations should rotate local admin credentials (including the OS build-in local account) on a periodic basis as an important security measure. Over time, organizations should consider removing local admin rights from end-user workstations altogether to further reduce the risk of attacks from the endpoint.
About the Author
Jeffrey Kok is Vice President of Solution Engineers, Asia Pacific and Japan at CyberArk. Kok is responsible for working with various internal teams at CyberArk to qualify leads, identify business issues and drivers in any particular sales opportunity, and managing the entire presales and solution process of the business cycle.
Prior to joining CyberArk, Kok was Technical Consultant Director, Asia Pacific and Japan for RSA, managing a team of senior pre-sales engineers and technicians. While in this role he built a strong and high-performing cross-regional pre-sales practice.
Kok has more than 17 years of experience in the cybersecurity industry, serving in companies and institutions including RSA, Cisco Systems, Nera Telecommunications, and the National University of Singapore (NUS).
Kok holds a Bachelor of Applied Science in Computer Engineering from the Nanyang Technological University and CISSP certification.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.