Nowadays, figuring out someone’s password can be as simple as gaining access to their social media. A recent survey found that 90% of people post personal information about themselves online, and correspondingly the number of social-engineering-style, password-related cyberattacks has increased substantially in the past year. It is now more critical than ever for organizations to protect themselves against security breaches that stem from weak passwords.
Companies that leave themselves vulnerable by not ensuring employees make the effort to create secure passwords put the entire business at risk of damaging cyberattacks. World Password Day, a day created to highlight the importance of strong passwords, is the perfect time to think about how your passwords are created and to assess whether you, or your team, have any poor password habits that need breaking.
Leading industry experts have come together to provide businesses with advice on how organization leaders can encourage employees to strengthen their security practices and help businesses reach their data security goals.
Joseph Carson, chief security scientist & advisory CISO, ThycoticCentrify
“It is World Password Day, which means it is time to reflect on your current password hygiene and determine if your password choices are putting you at serious risk of becoming a victim of cybercrime. According to the UK National Cyber Security Centre (NCSC), 15% of the population uses pets’ names, 14% uses a family member’s name, and 13% picks a notable date. In fact, the weak password problem is so severe that the UK recently proposed new internet and IoT reforms that would make using “password” as your password illegal.
Passwords remain one of the biggest challenges for both consumers and businesses around the world. Thanks to the SolarWinds security incident in late 2020, we were all reminded that a poor password choice can not only impact your own organization but all connected organizations as well. This was likely one of the biggest supply chain cyberattacks in history — all stemming from poorly-created passwords.
If you are a consumer, start by using a password manager today. If you are a business leader, you should move beyond password managers straight into privileged access security. Rotating and choosing passwords is one of the biggest causes of cyber fatigue, so organizations can reward employees with privileged access security solutions that will eliminate one of their biggest work headaches and introduce security solutions that they will want to use. Privileged access security is one of the few security solutions that will transform your employee password experience into one that will make them more productive — and you’ll never need to create unique, complex passphrases for every account as privileged access management (PAM) will do that for them. It’s time to increase security and ease stress by moving passwords into the background with a modern PAM solution.”
Neil Jones, cybersecurity evangelist, Egnyte
“Recently, one of the largest data dumps in history, referred to as COMB (Compilation of Many Breaches), exposed an astronomical 3.2 billion passwords linked to 2.18 billion unique email addresses. This is frightening news for all of us, but it’s particularly worrisome for IT leaders. So many of them are kept up at night with a gnawing concern: How do I manage the growing risk of data breaches, with a large proportion of my employees working remotely?
Remote work can lead to employees accessing unsanctioned devices, apps and networks, particularly when they experience issues with work-related IT resources. This broadens the attack surface for bad actors and leaves few checks in place for careless behavior that can result in data leaks.
To commemorate World Password Day, we’d like to remind you about practical steps that you can take to protect your valuable information, while embracing today’s work-from-home environment:
- Educate your employees on password safety – Teach your users that commonplace passwords such as “123456,” “password” and their pets’ names can put your data and their personal reputations at risk. Remind users that passwords should never be shared with anyone.
- Institute two-factor authentication – IT administrators should require additional login credentials during the users’ authentication process, to prevent potential account breaches. This can be as simple as a user providing their password, then entering an accompanying numeric code from an SMS text.
- Set passwords for personal devices – Personal devices are on the rise in a remote-work environment and are particularly vulnerable to data theft, so encourage your employees to password-protect them.
- Change your Wi-Fi password regularly – Remember that potential hackers are often working from home, just like us. If you haven’t updated your Wi-Fi password recently, do it immediately.
- Establish mandatory password rotations – Greatly reduce exploitation of default and easily-guessable employee credentials by making your employees change their passwords regularly.
- Update your account lockout requirements – Prevent brute force password attacks by immediately locking out access points after several failed login attempts.”
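The lockout advice in the last bullet, shown as a small working implementation. This is an added example, not code from Egnyte or the article: it assumes a constructed policy of five failures within fifteen minutes locking the account for fifteen minutes, a single constructed user record, and an injected clock so the behaviour can be exercised without waiting.

```python
"""Failed-login tracking with temporary account lockout (added example).

Assumed policy (constructed for this example): 5 failed attempts within a
15-minute window lock the account for 15 minutes. The user store below is a
stand-in with one constructed credential; a real deployment would use a
password hash such as bcrypt or Argon2 rather than a salted SHA-256.
"""
import hashlib
import hmac
from collections import defaultdict

MAX_FAILURES = 5
WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60

_SALT = b"demo-salt"  # constructed; per-user random salts in real systems


def _hash(password):
    return hashlib.sha256(_SALT + password.encode("utf-8")).hexdigest()


# Constructed user store: username -> salted hash
USERS = {"alice": _hash("correct horse battery staple")}


class LockoutGuard:
    """Tracks recent failures per account and enforces a lockout window."""

    def __init__(self):
        self.failures = defaultdict(list)  # username -> timestamps of recent failures
        self.locked_until = {}             # username -> time when the lock expires

    def _prune(self, user, now):
        # Forget failures that fell outside the counting window.
        self.failures[user] = [t for t in self.failures[user]
                               if now - t < WINDOW_SECONDS]

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0) > now

    def attempt(self, user, password, now):
        """Return 'locked', 'ok' or 'fail'. `now` is a unix timestamp injected
        by the caller so the guard is deterministic and testable."""
        if self.is_locked(user, now):
            return "locked"
        stored = USERS.get(user)
        # Hash and compare even for unknown users so the response time does not
        # reveal whether the account exists.
        candidate = _hash(password)
        ok = stored is not None and hmac.compare_digest(stored, candidate)
        if ok:
            self.failures[user].clear()
            return "ok"
        self._prune(user, now)
        self.failures[user].append(now)
        if len(self.failures[user]) >= MAX_FAILURES:
            # Threshold reached: lock the account and reset the counter.
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user].clear()
            return "locked"
        return "fail"


if __name__ == "__main__":
    guard = LockoutGuard()
    for i in range(5):
        print(guard.attempt("alice", "wrong", 1000 + i))
    print(guard.attempt("alice", "correct horse battery staple", 1006))
```

Lockouts also create a denial-of-service lever against known usernames, so the usual companions are a lockout that expires on its own (as above) rather than one that requires a help-desk reset, and alerting on accounts that lock repeatedly.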
Jon Clemenson, director, Information Security, TokenEx
“Despite technology trends moving toward risk-based authentication, passwords are likely to remain in play for some time. Considering this, World Password Day provides the perfect opportunity to reiterate strong password policies that are vital to both personal and business security. Cybercriminals often reuse credentials from password dumps found online, commonly referred to as credential stuffing, to access sensitive data. That tactic combined with using simple passwords does not provide appropriate data protection. We ask users not to repurpose passwords across websites, and instead, institute lengthy and unique complex passwords whenever possible in conjunction with two-factor authentication.
Further, malware and other attack methods can completely bypass passwords, which is especially concerning during remote work. Before cyber thieves can advance on your credentials, we recommend using password managers to auto generate strong passwords, or moving to biometric or physical keys for authentication, which are more secure than using passwords. For sensitive data like credit card numbers or other personal info, businesses can remove that data from systems entirely using tokenization. That way, if a hacker does access company systems, they won’t steal any useful information.
Finally, to rise above being a ‘low hanging fruit’ target for a malicious actor, good password hygiene practices like not sharing or reusing passwords are vital. Investing the time to take one extra step to secure your data is invaluable when compared to the fallout of a data breach.”
Glenn Veil, VP, engineering, Wisetail
“Passwords play a critical, ongoing role in different aspects of our lives. In our personal lives, they provide a layer of defense against fraud and identity theft. In the workplace, they defend us against a breach of sensitive company or customer data. At Wisetail, we implement policies, standards and guidelines around credential security, but the key is to create awareness and sensitivity in our employees through education and training.
Here are some tips we recommend to protect yourself and your business from cyberattacks:
1. Educate your people on the importance of credential security and provide them with the tools to protect credentials
2. Create an environment where your people are comfortable highlighting security issues or cases where practices are not being followed so you can continue to improve your credential security
3. Utilize multi-factor authentication to reduce the damage that can be done by weak or exploited passwords
4. According to NIST’s 2021 security recommendations, it’s important to keep your passwords long but not too complex. Theoretically, if the password is long enough, the chance of a hacker figuring out the correct sequence is low.
Follow these best practices beyond World Password Day, and your entire team will play a part in creating obstacles for digital adversaries and protecting your data.”
Josh Odom, CTO, Pathwire
“As we reflect on cyber hygiene practices for World Password Day, we recognize that for many years users were encouraged to create strong passwords using random combinations of characters that are difficult for humans to remember, but easy for computers to guess. This is the opposite of the intended purpose and often leads to inherently poor habits such as writing down passwords or reusing ones that are easier to remember. Some websites utilize a password strength meter, but this can also be tricky and lead users to make weaker passwords instead of stronger ones. While we’ve engineered these meters to score the passwords we create, they are better used against ones that a computer can create because humans are too predictable, even when we try our best not to be.
To overcome these persistent password weaknesses, utilizing a password manager that generates passwords from a large set of characters to achieve a desired level of entropy is one of the best options currently for creating strong and unique passwords. Still, other options available such as security keys, authenticator apps, or any available multi-factor authentication methods beyond using just a password should be considered for security. Finally, resources like haveibeenpwned.com which check for exposed passwords, are reliable compared to inventing and using your own strength-checking algorithms.”
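The closing recommendation, checking a password against a breach corpus rather than inventing a strength score, works without ever sending the password anywhere: the Pwned Passwords service accepts only the first five hex characters of the password's SHA-1 hash and returns every known suffix under that prefix (k-anonymity). The following is an added example, not code from Pathwire or the haveibeenpwned.com project; it implements the client side of that range protocol against a constructed, in-memory range table so it runs offline, and assumes the response format of `SUFFIX:COUNT` lines that the live endpoint `https://api.pwnedpasswords.com/range/{prefix}` uses.

```python
"""k-anonymity breach check in the Pwned Passwords style (added example).

Only the 5-character hash prefix leaves the client; the full hash is
compared locally against the suffixes returned for that prefix.
"""
import hashlib


def sha1_upper(password):
    """Uppercase hex SHA-1 of the password, the key used by the range protocol."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """Return (prefix sent to the service, suffix kept on the client)."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_lookup):
    """How many times the password appears in the corpus (0 if never).

    `range_lookup(prefix)` returns the raw response body for that prefix; in
    production it would perform the HTTPS GET, here it reads a local table.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


# Constructed range table standing in for the service. The counts are made up;
# the suffixes are derived from real hashes so the lookup path is exercised.
_pw_prefix, _pw_suffix = split_for_range_query("password")
SAMPLE_RANGES = {
    _pw_prefix: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed filler entry
        f"{_pw_suffix}:3730471",                   # constructed count for 'password'
        "",
    ]),
}


def offline_lookup(prefix):
    """Stand-in for the network call: unknown prefixes return an empty body."""
    return SAMPLE_RANGES.get(prefix, "")


def is_acceptable(password, range_lookup=offline_lookup):
    """Policy hook: reject any password seen in the corpus at all."""
    return breach_count(password, range_lookup) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple xyzzy 42"):
        print(candidate, "->", breach_count(candidate, offline_lookup))
```

Because the service never learns more than the prefix, this check can sit inside a sign-up or password-change flow without turning the service into a second place where the plaintext is exposed.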
Surya Varanasi, CTO of Nexsan, a StorCentric Company
“Few would argue that creating strong passwords must remain a priority. However, even after creating a seemingly impenetrable password using every best practice possible, undiscovered threats might still be able to penetrate them and expose your environment to unnecessary risk.
But if your organization has data that is too important to lose, too private to be seen and too critical to be tampered with, then you must take the next step to thwart cyber-criminals. This can be accomplished by employing a strategy that enables you to unobtrusively offload data from what is likely expensive primary storage (cost savings is another bonus here) to a cost-effective storage solution that is engineered specifically to be regulatory compliant and tamper-proof from even the harshest ransomware attacks. And since backups have become the latest malware targets, the storage platform should include “unbreakable backup” meaning it includes an active data vault that creates an immutable copy, which makes recovery of unaltered files fast and easy – so there’s zero operations disruption and never any need to pay ransom.”
JG Heithcock, GM of Retrospect, a StorCentric Company
“A global survey conducted by Gartner found that 88% of business organizations mandated or encouraged employees to work from home (WFH) as a result of the COVID-19 pandemic. With millions of workers around the world now having to access their organization’s data remotely, data protection was put under increased pressure. For many, the answer was to employ a strong password — oftentimes, requesting that employees do so employing a random mix of no less than 15 characters. Undeniably, this was a step that could not be ignored. Unfortunately, many learned the hard way that this was not enough to stop today’s increasingly determined and aggressive cyber-criminals. And given that research, such as that from the Harvard Business School, shows that the WFH paradigm will likely endure, it is clear that stronger measures must also be taken.
The next step in the data protection and business continuity process for virtually any organization (or personally, for that matter) is an effective backup strategy. And the good news is that there is no need to reinvent the wheel here. A simple 3-2-1 backup strategy will do the trick. This means that data should be saved in at least three locations — one on the computer, one on easy-to-access local storage and another on offsite storage. The options range from local disk, to removable media, to the cloud and even tape. And, if at least one copy is “air-gapped” meaning completely unplugged from the network, all the better.
In 2021 and beyond, multi-layered data protection strategies – such as those employing strong passwords combined with thorough backup practices – will help to ensure you, your data and your organization remain protected in the event of a simple accident, cyber-attack or any other disaster.”
Wes Spencer, CISO, Perch Security, a ConnectWise Solution
“Here’s a riddle for you: what’s the one thing we all have, all hate and never remember? Yep, a password. Isn’t it ironic that in 2021, we’re still using one of the most broken systems for authentication ever? Even Julius Caesar hated passwords and preferred his own cipher to communicate instead.
Why is this? Well, passwords are like underwear. You see, you should never share them, never hang them on your monitor, and honestly, no one should ever see them. So how do we go about living in a password-required world? First, remember that long passwords are always better than complex ones. This is because the human brain is hardwired to be extremely poor at creating and remembering complex passwords. In fact, a long 16-digit password is far more secure than a short 8-character complex password.
Second, never reuse a password. Ever. Most successful breaches occur when a stolen password from one platform is leveraged against another system that shares the same password. At Perch Security, we’ve dealt with many breaches that occurred this way. It’s a true shame. The best way to avoid this is by using a reputable password manager and keeping it locked down. The password manager can handle the creation, storage and security of every password you use.
Lastly, never rely on your password alone. All reputable platforms today should support multi-factor authentication. We should be religious about this.
If you’ll follow these three things, your life with passwords will be much better. And perhaps one day, we’ll get rid of this pesky, broken system for good.”
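Three of the quotes above make the same quantitative point: Wisetail's item 4 (long but not too complex, following NIST), Pathwire's remark that a generator draws from a large character set to reach a target entropy, and Perch Security's claim that a long 16-character password beats a short 8-character complex one. The arithmetic behind all three is a worked example added here, not code from any of those companies; it assumes a generator that picks each character uniformly at random (entropy is `length * log2(alphabet size)`), a constructed guess rate of 10 billion guesses per second for the time estimate, and a 7776-word list as the stand-in for a passphrase vocabulary.

```python
"""Entropy of generated passwords: length versus character-set size (added example).

The figures only hold for uniformly random choices; a human-chosen 16-letter
password (a name plus a date, say) has far less entropy than the formula gives.
"""
import math
import secrets
import string

LOWER = string.ascii_lowercase                                        # 26 symbols
MIXED = string.ascii_letters + string.digits + string.punctuation     # 94 symbols
WORDLIST_SIZE = 7776            # assumed size of a diceware-style word list
ASSUMED_GUESSES_PER_SECOND = 1e10   # constructed figure for an offline attacker


def entropy_bits(length, alphabet_size):
    """Bits of entropy for `length` independent uniform picks from the alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years to try every possibility at the assumed rate (expected time is half)."""
    return (2 ** bits) / guesses_per_second / 31_557_600


def generate(length, alphabet):
    """Password-manager style generation with a CSPRNG, never `random`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_policies():
    """Entropy of the three policies the quotes contrast, rounded to 0.1 bit."""
    return {
        "16 lowercase letters": round(entropy_bits(16, len(LOWER)), 1),
        "8 mixed characters": round(entropy_bits(8, len(MIXED)), 1),
        "4 random words": round(entropy_bits(4, WORDLIST_SIZE), 1),
    }


if __name__ == "__main__":
    for name, bits in compare_policies().items():
        print(f"{name:22s} {bits:5.1f} bits  ~{years_to_exhaust(bits):.3g} years to exhaust")
    print("sample 16-letter password:", generate(16, LOWER))
```

The comparison shows why the NIST guidance favours length: each added lowercase letter is worth about 4.7 bits, so eight extra letters add more than the roughly 1.9 extra bits per position that switching from lowercase to the full printable set buys.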
Ralph Pisani, president, Exabeam
“World Password Day 2021 is more important than ever as organizations grapple with the new reality of ‘work from anywhere’ and the fast adoption of the hybrid workplace trend. Cybercriminals will capitalize on any opportunity to collect credentials from unsuspecting victims. Just recently, scammers began preying on people eagerly awaiting vaccinations or plans to return to the office as a means to swipe their personal data and logins, for instance.
The most common attack technique that I often see in the breach reports that I read is stolen credentials. This is a never ending battle between the security industry and cybercriminals, but there are ways organizations can protect themselves against credential theft.
Through a mix of educating staff on complex password best practices, security awareness training and investing in machine learning-based security analytics tools, organizations can make it much more difficult for digital adversaries to utilize their employees’ usernames and passwords for personal gain. Behavioral analytics tools can swiftly flag when a legitimate user is exhibiting anomalous behavior indicative of compromised credentials. This approach provides greater insights to SOC analysts about both the impacted and malicious user, which results in a faster incident response time and the ability to stop adversaries in their tracks, before they can do damage.
The pandemic increased the velocity of digital transformation, and cybercriminals are clearly becoming more advanced in parallel. Thus, we must stay hyper vigilant in protecting credentials this World Password Day and beyond.”
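The credential stuffing that TokenEx describes and the analytics-driven flagging that Exabeam describes meet in the authentication log: a stuffing run shows up as one source failing against many different accounts in a short window, and any success from that source afterwards is the stolen-credential signal an analyst wants surfaced. The detector below is an added example, not Exabeam's or TokenEx's code; it assumes a constructed log format (`timestamp ip=… user=… result=ok|fail`), a constructed threshold of five distinct usernames within ten minutes, and a constructed log sample using documentation IP ranges.

```python
"""Credential-stuffing detection over authentication log lines (added example).

Rule: a source IP that fails against >= 5 distinct accounts inside 10 minutes
is flagged as a stuffing source; any later success from it is raised as a
likely compromised credential for the analyst to act on.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format, constructed for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ") \
        .replace(tzinfo=timezone.utc)
    return event


def detect_stuffing(lines, distinct_user_threshold=5, window_seconds=600):
    """Return alerts as tuples, in the order they would fire."""
    events = [e for e in map(parse, lines) if e]
    events.sort(key=lambda e: e["ts"])
    failures = defaultdict(list)   # ip -> [(timestamp, username)]
    flagged = set()
    alerts = []
    for e in events:
        ip = e["ip"]
        if e["result"] == "fail":
            failures[ip].append((e["ts"], e["user"]))
            recent = {u for t, u in failures[ip]
                      if (e["ts"] - t).total_seconds() <= window_seconds}
            if ip not in flagged and len(recent) >= distinct_user_threshold:
                flagged.add(ip)
                alerts.append(("stuffing_source", ip, sorted(recent)))
        elif ip in flagged:
            # A success after a spray across accounts is the high-value alert.
            alerts.append(("success_from_stuffing_source", ip, e["user"]))
    return alerts


# Constructed sample: one normal user with a typo, then a spray from 203.0.113.7.
SAMPLE_LOG = [
    "2021-05-06T10:00:01Z ip=198.51.100.4 user=alice result=fail",
    "2021-05-06T10:00:09Z ip=198.51.100.4 user=alice result=ok",
    "2021-05-06T10:01:00Z ip=203.0.113.7 user=bob result=fail",
    "2021-05-06T10:01:02Z ip=203.0.113.7 user=carol result=fail",
    "2021-05-06T10:01:04Z ip=203.0.113.7 user=dave result=fail",
    "2021-05-06T10:01:06Z ip=203.0.113.7 user=erin result=fail",
    "2021-05-06T10:01:08Z ip=203.0.113.7 user=frank result=fail",
    "2021-05-06T10:01:10Z ip=203.0.113.7 user=grace result=fail",
    "2021-05-06T10:01:12Z ip=203.0.113.7 user=frank result=ok",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)
```

A single mistyped password from a legitimate user never trips the rule because it counts distinct accounts per source, not raw failures; the trade-off is that a slow spray spread over hours, or one distributed across many source addresses, needs a longer window or per-account baselining of the kind the quote attributes to behavioural analytics.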