Virtualization Technology News and Information
Expert Advice During World Password Day 2020


As you may know, World Password Day is today, May 7th.  The Registrar of National Day Calendar has designated the first Thursday of May of each year as World Password Day, and it is meant to promote better password habits.  Passwords are critical gatekeepers to our digital identities, allowing us to access online shopping, dating, banking, social media, private work, and life communications. 

In a cyber world, secure passwords are important.  And this year, strong passwords are especially important as cyberattacks skyrocket during the coronavirus pandemic. 

But while passwords have been around for many years, they might ultimately be considered lose-lose.  Why?  They simultaneously provide a poor user experience and can represent a tremendous security risk for all users and their employers.

This is because threat actors with access to one user's set of pilfered login credentials can reuse that password and username to infiltrate accounts with much more sensitive data, including financial, healthcare or professional accounts.  As a result, it is not surprising that four out of five global data breaches are caused by weak or stolen passwords.

Calls to eliminate the password as we know it have become more prevalent in recent times.  And the technology is ready for that change.  But are people? 

A few industry security experts have chimed in to share their perspectives and opinions with VMblog.


Ben Goodman, SVP of Global Business and Corporate Development at ForgeRock

"Passwords and usernames have been the primary method for authenticating users for years. However, as users create more accounts for social media profiles, email addresses, financial services portals, online gaming profiles, corporate accounts and more, they often opt to reuse the same password and username combination to save the pain of remembering multiple sets of credentials. Even with a password manager, there is still a password and username combination being used to login to applications, which means it can still be attacked by a bad actor who gains access to the information.

Password challenges can be solved by leveraging technology that provides a passwordless user journey. With the use of biometrics or push notifications, organizations can bring the same effortless authentications users have experienced on their smartphones with technologies like FaceID from Apple or Samsung's Ultrasonic Fingerprint scanner, to every digital touchpoint while ensuring security. By adopting a passwordless approach, organizations provide users with frictionless, secure digital experiences."

Csaba Galffy, Senior Advisor at One Identity 

"A compromised password is always costly - and the stakes are now higher than ever. That remote access you just rolled out created a whole new attack surface for your organization. Potential attackers now don't have to deal with the physical security of your office buildings, and as long as they have the correct login data, they can access the corporate network with all its riches. Considering the billions of login data stolen from various organizations in gigantic data breaches, we recommend changing passwords for all remote workers as the work-from-home program is rolled out.

And with the recent revolution in password policy guidelines, now is the best time to implement these in your organization too. If you want to know more about the recent shift in password security, here's a short summary: industry recommendations, like the NIST-published Digital Security Guidelines and the Microsoft Security Baseline now recommend dropping password expiration policies, removing complexity rules, and asking for longer passwords."
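To make the policy shift Galffy describes concrete, here is an added example (not from the article or any vendor quoted in it) that applies a legacy complexity-and-expiry policy beside a NIST SP 800-63B-style policy, which keys on length and a breach-list screen instead. The breached-password list is a constructed sample, and the 8-character and 90-day thresholds are assumed values.

```python
import re
from dataclasses import dataclass

# Constructed sample of known-compromised passwords. A real deployment would
# screen against a large breach corpus (for example via a k-anonymity lookup).
BREACHED_SAMPLE = {"password", "password1", "welcome1", "spring2020!", "letmein"}

CHAR_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")


@dataclass
class Result:
    accepted: bool
    reason: str


def legacy_policy(pw: str, age_days: int) -> Result:
    """Classic policy: 8+ chars, 3 of 4 character classes, forced 90-day rotation.
    Note that it never asks whether the password is already public."""
    if len(pw) < 8:
        return Result(False, "too short")
    classes = sum(bool(re.search(p, pw)) for p in CHAR_CLASSES)
    if classes < 3:
        return Result(False, "needs 3 of 4 character classes")
    if age_days > 90:
        return Result(False, "expired, rotate")
    return Result(True, "ok")


def nist_policy(pw: str, breached=BREACHED_SAMPLE) -> Result:
    """SP 800-63B style: minimum length only (longer passphrases welcome),
    no composition rules, no periodic expiry, reject anything found in a
    breach corpus. The comparison is case-insensitive so trivial variants
    of a leaked password are caught too."""
    if len(pw) < 8:
        return Result(False, "too short")
    if pw.lower() in breached:
        return Result(False, "found in breach corpus")
    return Result(True, "ok")


if __name__ == "__main__":
    for pw, age in (("Spring2020!", 36), ("paper kettle orbit violin", 3)):
        print(f"{pw!r}: legacy={legacy_policy(pw, age)}  nist={nist_policy(pw)}")
```

The first sample password satisfies every legacy complexity rule yet sits in the breach list, while the long passphrase fails the legacy class count and passes the NIST-style check.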

Colin Truran, Principal Technology Strategist at Quest

"This World Password Day provides a moment for us to stop and think about why the use of passwords is still causing so many problems for security. With data breaches hitting the news on an almost weekly basis, and 'credential stuffing' techniques being used to great effectiveness against organizations, we need to talk about the problem of password reuse. We all recognize this problem as, unfortunately, many of us still reuse our passwords! Human beings will continue to reuse passwords because they struggle to remember them - it's a habit of convenience. Even the growing trend of forcing users to update their passwords regularly is not helping as the majority of people are just numbering their passwords, or cycling through a handful of regulars. This does very little to impede a cybercriminal who has access to the individual's login credentials from any number of recent data breaches.

Training up an individual on best practice is one thing, but for reliable security we have to look for ways of removing the human element from this process of authentication. Password management applications are becoming ever more popular, and this is very encouraging to see. Outsourcing the need to memorize passwords will allow people to make use of truly authentic passwords and change them regularly, quickly increasing our personal and collective security. Cybercriminals exploit the human factor in security - if you don't know your password, and don't need to know it, it's a lot more difficult for a cybercriminal to know it as well."

David Emm, Principal Security Researcher at Kaspersky

"The re-use of passwords is widely known to be one of the most risky password behaviors. That being said, most people find it stressful to try and remember all of the passwords for the dozens of sites with login credentials that they use. Especially in today's world with people staying home and creating many new accounts - e-commerce sites, video chat apps, telemedicine, grocery store delivery set up, etc. - it's crucial their passwords are unique and strong enough to keep their personal information on these accounts protected."

Andrew Bud, CEO and founder at iProov

"Everyone knows that passwords are not secure. But the solution that is being applied to weak password security is to make passwords more complicated. Perhaps that's why half of Americans have abandoned online purchases in the past year and businesses have lost millions of dollars--we just can't remember our passwords. Imagine a world in which you never forget passwords because there aren't any. You simply authenticate yourself with biometrics--it remembers you even when you haven't visited a site for months, providing exceptional usability and outstanding security to remove the frustration with passwords and make everyone's lives better."

Topher Tebow, Cyber Security Analyst, Acronis

"User authentication is becoming increasingly complex. The standard for decades has been a username and password, but as computing advances, so does the need for stronger authentication. In recent years, we have seen emerging technologies such as biometrics and U2F keys, but these are not without their own drawbacks. Biometrics cannot be changed, which makes them more akin to a username, and there can also be concerns with how the biometric data is stored in some apps and devices. U2F keys are typically USB devices, which can be lost or stolen. It is unlikely we will see an end to passwords any time soon, so we must take measures to ensure the highest level of Cyber Protection – Safety, Accessibility, Privacy, Authenticity and Security – are met.

On the convenience side, we need to ensure that any form of authentication being used is always safely available and easily accessible. A good way to ensure this is by using a reliable password manager, and that any two-factor authentication tokens are configured to an authentication app on a device you keep with you, such as your mobile phone. The password manager and authentication app also help maintain the privacy of your credentials by controlling access to them, and help to secure your accounts by utilizing strong credentials. Keeping your passwords in a password manager enables you to use a unique password for each account, eliminating the need to memorize the majority of your passwords, and avoiding the possibility of falling victim to a credential stuffing attack where a malicious actor uses known credentials to attempt access to as many accounts as possible. Enabling multi-factor authentication helps limit access further, by ensuring that the user not only enters the username and password, but also uses a temporary authentication token that can only be used once."

Tim Steinkopf, CEO at Centrify

"This World Password Day is unlike any other, as the pandemic and a 100% remote workforce makes business anything but usual. But for cyber-attackers, it's just another day at the office. In fact, all evidence points to them ramping up their activities to take advantage of uncertain, confusing times, such as a reported 600% increase in phishing attacks since February. Now is the time to be more resilient and vigilant than ever, including taking advantage of biometrics and other stronger factors of authentication that are finally getting us closer to killing the password.

For privileged accounts, organizations should stop using shared or root passwords stored in a password vault and instead authenticate privileged users and grant them access based on their own identities and their assigned entitlements. Finally, enable machines with trust verification so they can protect themselves from illegitimate users who might seek access to them because they have a legitimate password. We all know passwords are not a modern form of authentication – the modern threatscape demands we move past them when stronger solutions are available."

Fausto Oliveira, Principal Security Architect at Acceptto

"Passwordless is not the future. It's what we need now. Every year, security incidents continue to occur due to account takeover and the causes are well known. The most relevant of them is credential hijacking which accounts for approximately 80% of attacks. In the past, the focus on password complexity encouraged credential re-usage and increased the total cost of ownership (TCO) associated with password resets and Helpdesk calls without improving overall security.

In general, any binary authentication, such as passwords, two-factor authentication (2FA) and some multi-factor authentication (MFA), including biometrics, is susceptible to fraud due to its binary nature. The industry needs to move away from passwords and start adopting passwordless solutions that do not treat authentication as a single event with a simple yes or no at point of entry, but as a continuum where user good behavior is constantly verified. It's time to finally make World Password Day a thing of the past."

Joseph Carson, chief security scientist and Advisory CISO at Thycotic

"World Password Day is a day to review your password hygiene to ensure you are up to date with the latest best practices. However, if you have not combined it with another security control such as two-factor authentication, you're leaving the door wide open, putting yourself at risk of identity theft, ransomware, an online account hack, computer viruses and more. It is also important when you do change your password to only perform this task from a safe network and not a public location.

This year, review your password best practices. Ensure that you have started to use passphrases to help make your password long and include some complexity as well, although the debate about how frequently you should change your password continues. My recommendation is that it should not be older than one year. It's best not to wait until you are notified about a data breach as it usually means cybercriminals had access for longer than two hundred days."

Tim Wade, Technical Director, CTO Team at Vectra

"While passwordless authentication is admirable and authentication systems solely based on passwords have been, and will continue to be, abused, it's important to consider that an effective authentication system must also account for effective credential revocation and replacement as much as credential strength - there are few things more trivially revoked and replaced than the knowledge inside someone's head. At the risk of unpopularly defending the merits of passwords, they may continue to have a role to play in strong, robust, multi-factor authentication systems even as they're replaced as the sole (or even most important) anchor of authentication."

Arun Kothanath, Chief Security Strategist at Clango

"Forward-thinking security professionals are currently asking 'if compromised passwords defeat the very purpose of authentication, protecting sensitive data, then why not eliminate them?' Some industry leaders are pushing for stronger authentication standards, such as the FIDO Alliance (which promises simpler, stronger authentication), and are advocating for the elimination of passwords altogether. However, before we can eradicate passwords, we must ask ourselves 'is the world ready for a passwordless universe?' I believe we are close. Modern Multifactor Authentication (MFA), Risk Based Authentication, etc. are focusing on increasing the trust in the authentication system. When you don't trust the static hash called a 'password,' what could replace it? The answer is trusted devices. Reliance on devices that can be trusted, such as a smart phone or a wearable, introduces another level of complexity that reduces the probability of that identity being compromised by an attacker. Smart phones, wearable devices and more are gaining the popularity to replace clumsy, password-based systems.

Implementing passwordless authentication platforms tends to be more complex in comparison to their credential-based counterparts, but the end user experience on a large-scale deployment is much simpler and more likely to be immediately adopted. These devices, and the data they collect and store, are becoming part of your digital identity. Your smartphone holds a number of attributes (phone number, IMEI number, carrier information, digital certificates, GPS location, manufacturer information, CPU unique ID, etc.) which can be used to uniquely authenticate you, negating the need for a password. It is extremely difficult to compromise these devices and technology is available today to enhance the security and reliability of device-based authentication. As the value of the target asset increases, there can be other trusted devices, such as a YubiKey and other hardware-based tokens, which can be governed under much tighter controls. All of this is trending towards a cutting-edge, identity-based authentication system and privilege management approach to eliminating passwords from the security equation."

Peter Galvin, Chief Strategy Officer at nCipher Security

"Citizens can play their part in cybersecurity and personal data privacy by practicing good password hygiene. This includes vigilantly changing passwords and signing up for multi-factor authentication where available, avoiding insecure public Wi-Fi networks and shared computers, and resisting the urge to click on links from unknown sources. Outside of the workplace, the average citizen can more effectively – and securely – shoulder the burden of passwords by using a password manager app."

Cindy Provin, SVP of Entrust Datacard and General Manager at nCipher Security

"Password creation and change are often key themes of cybersecurity and personal data privacy conversations. But expert opinions on these subjects vary, and actual consumer behavior related to password creation and change frequency is mixed. Including the current year or our personal information, such as birthdates and names, in passwords is not ideal. It makes it easier for bad actors to guess your password. Yet many of us do that anyway because it helps us to recall the array of passwords we need to remember."

John Grimm, VP of Strategy and Business Development at nCipher Security

"Security that relies on just a password is inadequate for public Wi-Fi and home networks which haven’t been set up with security in mind. Hackers are already exploiting the work from home surge, preying on poorly protected networks and users whose guard is down. It’s critical to secure and protect the digital identities of remote workers working with sensitive data and applications – underscoring the importance of high-assurance, credential-based authentication."


Published Thursday, May 07, 2020 9:01 AM by David Marshall