Did you know, today, May 6th, is World Password Day! The Registrar of National Day Calendar has designated the first Thursday of May of each year as World Password Day, and it is meant to promote better password habits - something we could all use, I'm sure. Passwords are critical gatekeepers to our digital identities, allowing us to access online shopping, banking, social media, private work, and life communications.
The importance of good hygiene was a familiar discussion point over the past year and is likely to remain so into the foreseeable future. During the coronavirus pandemic, cyberattacks skyrocketed, making the need for secure passwords more important than ever. We are reminded that good password hygiene is an essential way for businesses and individual users to protect the health of their data, especially in light of the FBI's estimate of 4,000 ransomware attacks being carried out on a daily basis.
To help get a handle on things, a number of industry security experts have chimed in to share their perspectives and opinions with VMblog readers.
--
Dave Russell, VP Enterprise Strategy, Veeam
"Password protections have never been more critical to an effective security posture – especially as we’ve begun to rely more on the cloud and Software-as-a-Service to create, store and manage data. Consumers and enterprise IT teams alike should feel confident in leveraging the cloud for data storage and keeping personal information safe, and can do so with simple actions to keep password protections up-to-par. I recommend these three steps:
- Do not re-use passwords across multiple services. Password managers can help to both generate and store secure passwords, and prove to be effective on the security front. Password managers are also useful for ensuring that strong passwords are created, often with up to 20 characters, and a combination of upper and lowercase letters, numbers, and special characters.
- Only use and enable cloud services that allow multi-factor authentication for additional protections.
- Ensure that any forms of personally identifiable information (PII) use an added layer of encryption. Infrastructures that hold personal, financial or medical data are the most appealing to hackers, and deserve additional protections."
--
Kurt Baumgartner, principal security researcher at Kaspersky
"This year we’re seeing the continued prevalence of password spraying, in which cybercriminals take a single compromised password and try it across other accounts where it may have been reused. Even if you don’t think of yourself as a potential target for such an attack, millions of people’s user accounts and passwords are already included on lists being sold on the dark web for exactly this purpose.
We see frequent activity from financially motivated cybercriminal groups who will just spray servers with passwords. And eventually one of these probably works. It works because people are using pretty simple passwords, they just don’t change them, or they’re not using two-factor authentication.
There’s some pretty straightforward stuff you can do. Always keep the software on your laptop or phone updated. Use unique passwords across accounts, try out a password manager, and use phrases that are longer and more complex than a single word. Make sure you use two-factor authentication where it’s available, especially with your bank and credit card accounts. There’s all kinds of companies that now that offer other methods to prove who you are besides just a password. Take them up on it and make sure that it’s something other than text messaging, because SIM swapping can be used to break that method."
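The "spray servers with passwords" pattern described above has a recognisable shape in an authentication log: one source touching many different accounts with only a failure or two each, unlike a brute-force run that hammers a single account. The following is an added example (not code from the article or from Kaspersky) that flags both patterns over constructed sample lines; the log format, thresholds and sample data are all assumptions made for the illustration.

```python
"""Spot password spraying versus brute force in an authentication log.

Added example, not code from the article or from Kaspersky. The log format
("<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>"), the thresholds
and the sample lines are all constructed for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class AuthEvent(NamedTuple):
    ts: datetime
    src: str
    user: str
    ok: bool


# Constructed sample: one source walks many accounts with a single attempt each
# (spray), one hammers a single account (brute force), one is a normal user.
SAMPLE_LOG = """\
2021-05-06T09:00:01 203.0.113.7 alice FAIL
2021-05-06T09:00:04 203.0.113.7 bob FAIL
2021-05-06T09:00:07 203.0.113.7 carol FAIL
2021-05-06T09:00:10 203.0.113.7 dave FAIL
2021-05-06T09:00:13 203.0.113.7 erin FAIL
2021-05-06T09:00:16 203.0.113.7 frank SUCCESS
2021-05-06T09:01:00 198.51.100.9 admin FAIL
2021-05-06T09:01:02 198.51.100.9 admin FAIL
2021-05-06T09:01:04 198.51.100.9 admin FAIL
2021-05-06T09:01:06 198.51.100.9 admin FAIL
2021-05-06T09:01:08 198.51.100.9 admin FAIL
2021-05-06T09:01:10 198.51.100.9 admin FAIL
2021-05-06T09:02:00 192.0.2.5 grace FAIL
2021-05-06T09:02:09 192.0.2.5 grace SUCCESS
"""


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the constructed format; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, user, result = parts
        events.append(AuthEvent(datetime.fromisoformat(ts), src, user, result == "SUCCESS"))
    return events


def classify_sources(
    events: List[AuthEvent],
    window: timedelta = timedelta(minutes=10),
    min_users: int = 5,
    min_attempts: int = 5,
) -> Dict[str, str]:
    """Label each source whose failures within any `window` look malicious.

    "spray": failures against at least `min_users` distinct accounts (few tries
    per account, which is what keeps a spray under per-account lockout limits).
    "brute-force": at least `min_attempts` failures, all against one account.
    Per-account lockout counters never see the spray pattern; only a view that
    groups by source (or, for sprays rotating IPs, by time across all sources) does.
    """
    failures_by_src: Dict[str, List[AuthEvent]] = defaultdict(list)
    for ev in events:
        if not ev.ok:
            failures_by_src[ev.src].append(ev)

    findings: Dict[str, str] = {}
    for src, fails in failures_by_src.items():
        fails.sort(key=lambda ev: ev.ts)
        for i, start in enumerate(fails):
            in_window = [ev for ev in fails[i:] if ev.ts - start.ts <= window]
            users = {ev.user for ev in in_window}
            if len(users) >= min_users:
                findings[src] = "spray"
                break
            if len(in_window) >= min_attempts and len(users) == 1:
                findings[src] = "brute-force"
                break
    return findings


def accounts_to_reset(events: List[AuthEvent], findings: Dict[str, str]) -> List[str]:
    """Accounts a flagged source later logged into: the guessed password worked,
    so these get a forced reset and a review of what the session did."""
    return sorted({ev.user for ev in events if ev.ok and ev.src in findings})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    found = classify_sources(evs)
    print(found)                          # {'203.0.113.7': 'spray', '198.51.100.9': 'brute-force'}
    print(accounts_to_reset(evs, found))  # ['frank']
```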
--
Tim Wade, Technical Director, CTO Team at Vectra
"While passwordless authentication is admirable and authentication systems solely based on passwords have been, and will continue to be, abused, it's important to consider that an effective authentication system must also account for effective credential revocation and replacement as much as credential strength - there are few things more trivially revoked and replaced than the knowledge inside someone's head. At the risk of unpopularly defending the merits of passwords, they may continue to have a role to play in strong, robust, multi-factor authentication systems even as they're replaced as the sole (or even most important) anchor of authentication."
--
Tyler Shields, CMO at JupiterOne
"Passwords are the most misused line of defense in cyber security. There are numerous war stories of post-it notes with passwords appearing in television commercials and shows or on YouTube videos. People write them on white boards that you can see through open windows or that end up on a Zoom chat. Password complexity requirements are annoying and difficult to remember. Requiring people to change their password with a high frequency makes things even more difficult. All around...passwords simply stink!
The best way to use passwords is to not have to use them by hand! Get a password manager such as LastPass or 1Password and use very complex, difficult to guess, randomly generated passwords via those tools. Respectable password managers have integrations into your daily workflow and systems including browser plugins or command line tools. If you do it right, you can remove the pain of passwords while making your world much more secure. For any system of value, or ideally every system that offers it, you should also turn on two factor authentication (2FA) and have it connect to an authenticator on your phone. By incorporating these two protection techniques, password difficulties will become a thing of the past.
Finally, if you are an enterprise or business, keep track of and audit the permissions and access capabilities for all accounts in your environment. If you are too large to do this by hand, cyber asset management tools can help you automate the process."
--
Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows
"Passwords continue to be a major weak point across the internet. Most of the problems stem from password reuse, passwords that are not complex or otherwise easy to guess, or just other general bad security practices. One of the easiest ways to manage this is through the use of a password manager, many of which are free or low-cost, and can help users create complex passwords which they can then use exclusively for each site they visit. In addition, using multifactor authentication for sites that store important information, such as email, social media, banking websites, or other high-value sites can help deter attackers in the event a password is leaked or reused.
Given the billions of passwords and other points of consumer data which are freely available now on the internet and deep and dark webs, it's now only a matter of time before any account could be breached. Adopting strong security practices early and proactively helps to delay, or even prevent, a future attack which could lead to exposure of sensitive or personal data, both from a business account or your own personal life. Plenty of criminals are willing to get that data or pay for it, so why make it easy for them to cash in on your information?"
--
Monti Knode, Director of Customer & Partner Success at Horizon3.AI
"Attackers don't hack in...they log in. Annual security reports illustrate this trend across industries, exploding this past year. In more than 500 pentest operations in the last six months, we've seen this as well, with weak or default credentials topping our top-10 findings lists for the second quarter in a row, averaging over 90 credentials exploited per operation.
This topic is so top-of-mind in cybersecurity that it was the inspiration for our first Tech Talk webinar earlier this year. We can't understate the value of password variance and length. Credential stuffing and reuse is a real problem; people will use the same password for their streaming service, their bank and their domain admin account.
In a recent operation, we found one password was in use by 152 accounts, ~20% of the enterprise. We also saw a steep decline in our ability to crack passwords as the password length increased from the 8-character minimum set by policy.
Credentials are the new perimeter, so if celebrating a World Password Day inspires people to reconsider their easily cracked P@$$w0rd, buy me a shiny hat and let's have a party."
--
Mathew Newfield, Chief Security and Infrastructure Officer for Unisys
"It is important to change default passwords and to start using passphrases of significant strength – greater than eight characters – with at least three of the following four characteristics: uppercase, lowercase, number, special character. Do not use words or deviations of words as passwords. Also, multi-factor authentication, or MFA, is not just for businesses. If you've ever had to use a verification code, texted to your cell phone, to log into a personal bank or credit card account, you're at least vaguely familiar with the concept of two-factor or multi-factor authentication. Today, consumers can choose from additional authentication choices, as many apps offer MFA options. In this instance, consumers have the option of setting up voice or facial recognition-based access or to receive push notifications if a new or unauthorized login is detected."
--
Myke Lyons, CISO at Collibra
"Passwords are indeed passé, and the technology has moved beyond them. With just a few minutes of enablement, people can be set up for authentication, and the security and user experience benefits are well worth it. Organizations should not underestimate the savvy of their users. While we sometimes see resistance to change, users typically prefer modern authentication once they experience it."
--
Topher Tebow, cybersecurity analyst at Acronis
"Passwords are the zombies of cybersecurity - they've been dead for a long time, but they just won't go away. There are good reasons for this persistence. Passwords are familiar, and have been a part of our workflows for decades, making a change to something else seem inconvenient, at minimum. Of course, convenience also leads us to the greatest danger posed by the traditional username and password method of logging in. Dictionary lists of common passwords can often get an attacker into an account, especially when combined with usernames from a data leak. Let's face it, sometimes the dictionary list isn't even needed, if leak data can be combined to provide both a likely username and password.
Password managers remain one of the most convenient ways to thwart attempts by attackers to access our accounts, especially when combined with unique, complex passwords. My password manager contains over 450 distinct passwords, which means if one password finds its way into a leak, it doesn't help an attacker access any other accounts through a credential stuffing attack. Add multi-factor authentication (MFA) into the mix, and the likelihood of an attacker being able to access your accounts is negligible. When used properly, neither a password manager nor MFA adds a prohibitive level of complexity for the user, but they do add a potentially prohibitive level of complexity for an attacker."
--
Candid Wuest, VP of cyber protection research at Acronis
"As soon as you have to rename your cat for the fifth time, due to its name being your password which was leaked again in a data breach, then you should realize that secure passwords do matter. Of course, passwords should not be easily guessable or so short that they could be brute-forced, but more important is that your passwords are unique for each service. If you use the same password on multiple services, then one leak at one of these services is enough to break all of them, as attackers will use the leaked credentials and try them with a huge list of other services. These so-called credential stuffing attacks are unfortunately still very successful. To remember all these cryptic passwords that you need on a daily basis, a password manager tool can be used to securely store them. Now you only need to remember one strong master password and protect the key database. In addition to this, password managers can prevent you from copying the credentials to phishing websites as they detect that the website URL has changed. They can also offer Multi-Factor Authentication (MFA) integration, which increases the security of a static password combo once more. Even though there have been successful attacks against text message based 2FA in the past, it still is better than no MFA at all."
--
Russ Kirby, CISO, ForgeRock
"As our lives shifted online over the past year, we have become more reliant on our digital identities. Whether making an online grocery order, confirming payment to stream a movie, or logging into a virtual meeting, our digital identities have become our main point of access with the outside world. Traditionally we have authenticated these digital experiences via usernames and passwords; however, not only are passwords less secure than many think, but usernames and passwords also create a clunky experience as users navigate from one site to the next. A shift from passwords to biometrics would create a significantly better experience, and a much safer alternative. For example, fingerprints and keyboard typing patterns can verify a user’s identity in the background, while creating a seamless, secure login experience. And as we move rapidly into a hybrid future, biometrics will continue to unlock the next frontier of online access and security."
--
Clara Angotti, President of Next Pathway
"One of the most powerful yet simple ways to improve any organization's security posture is by enforcing strong password management policies and practicing good password hygiene, as passwords are critical gatekeepers to our digital identities and information. Passwords are the backbone of any organization’s cyber security strategy but can also be the biggest threat to an organization’s security. Weak password management can leave enterprises vulnerable to data loss and privacy violations. Organizations must enforce strong password management policies.
Organizations should train employees on company password policies and procedures to enhance password security. Password training should cover how to come up with a strong password and employees should be advised against using the same passwords across multiple applications and systems. Using the same password for different accounts increases the chances of accounts being hacked. If one account is compromised, all other accounts with that same password are at risk.
A single password can compromise a company’s security, opening the floodgates for hackers to steal information. Once a corporate network is breached, it can have consequences that affect the entire business and everyone who works for it."
--
Don Boxley, CEO and Co-Founder of DH2i
"While few would argue the necessity of choosing a strong password, many continue to ignore (or perhaps are unaware) how best to do so and instead choose the types of easy-to-guess, predictable passwords that have plagued data security since the beginning of digital login credentials. However, the truth is that when it comes to data security, even the most complicated, random and continuously changing password is rarely enough.
IT professionals know this and have worked to fortify their organization’s network and data security with additional enhancements. While VPNs have historically been the data access and security solution of choice, more recently they have proven to be less than reliable. In fact, research conducted prior to the COVID-19 pandemic and the unfathomable increase in ransomware and other bad actors showed that of those already utilizing VPNs, 62% cited inadequate security as their number one VPN pain point. And, almost 40% of those responsible for keeping ransomware and other malware from penetrating their network, believed that in fact, it already had.
This is why so many in the industry are now turning to software defined perimeter (SDP) solutions to replace their outdated VPNs. With SDPs, users are able to construct lightweight, discreet, scalable, and highly available “secure-by-app” connections between edge devices, on-premises, remote, and/or cloud environments. Contrary to VPN design, SDP solutions were engineered specifically for the way we work and live today -- which when combined with effective passwords, will provide virtually impenetrable protection now and into the future."
--
Rajesh Ganesan, vice president of ManageEngine
"It's imperative for organizations to employ sound privileged access security controls to safeguard access to sensitive information and monitor live remote sessions. Poor password practices, such as reusing and sharing critical credentials, are not uncommon and could open several security loopholes for attackers to exploit. Manual management and tracking of privileged credentials using spreadsheets is not just cumbersome, but also not reliable owing to the fact that one malicious or ignorant insider is all it takes to expose the credentials to criminals.
One way companies can practice well defined password hygiene and protection, is by investing in a reliable PAM (privileged access management) solution that automates the mundane tasks of:
- Discovering, consolidating, and storing privileged passwords in secure vaults
- Automatically resetting passwords based on existing policies and rotating passwords after every one-time use
- Assigning the least privileges possible to normal users and elevating their privileges if and when required
- Enforcing multi-factor authentication controls to authorize access to privileged resources"
--
Peter Tsai, Head of Technology Insights at Spiceworks Ziff Davis (SWZD)
"Enforce strong passwords on all devices and accounts, preventing the use of short or easy-to-guess combinations. Consider single-sign-on or password managers to reduce the number of passwords employees must keep track of. Add two-factor authentication for an additional layer of protection. Strongly discourage the shared use of corporate devices. Automatically lock employees’ machines after a short timeout. Use encryption to protect data on locked devices. Educate users on password best practices they can use at work and at home. And of course, users shouldn’t write passwords down… especially on Post-it notes stuck to their monitors!"
--
"Ensuring our passwords are secure is a crucial element of protecting our digital identities and sensitive information that we may provide when shopping online, using social media or mobile banking apps (to name a few popular examples). The wide array of password protected services available to us leads many to re-use the same password across many applications for the sake of convenience. However, in the event that a password for one service is breached, many doors could be opened to would-be attackers if users are in fact re-using passwords—a very common attack strategy.
Understanding password security best practices—such as not re-using passwords, employing a password manager, and using multi-factor authentication whenever possible—teaches users how to create a more secure environment in which to protect their data. And new technologies are continuously emerging to improve security and scalability while also accounting for a seamless user experience."
--
Robert Haynes, SCA and Open Source Evangelist, Checkmarx
"On World Password Day, while the focus is traditionally on humans' use of passwords, it's important for organizations to think about how passwords and other credentials are stored in IT automation systems like Infrastructure as Code and container build files.
We have seen numerous compromises caused when credentials are exposed by machine, versus by man. The same level of attention, therefore, should apply to how passwords and secrets are managed by our processes, instead of just by our people. The risks are similar, and the results of exposure can be just as serious.
Organizations should use a secrets management tool, which is similar to how humans would use a password manager, while also performing routine scans of infrastructure as code templates and container builds for exposed passwords and credentials."
--
Lamont Orange, Chief Information Security Officer, Netskope
"This year, World Password Day comes at a time when business and life are conducted in a dramatically different virtual fashion due to the pandemic. As organizations suddenly shifted to remote work in 2020 and as they continue to rapidly increase cloud usage, they're presented with new risks around user access and authentication, data security, and cloud threats. In order to embrace cloud apps and services while effectively managing them, the situation calls for dynamic access controls, for example, to ensure corporate data doesn't leak to unmanaged devices. It also requires protecting sensitive data by governing the downloading of files by users accessing applications such as Microsoft Office 365 from personal devices or BYOD. To address these evolving challenges and enable collaboration and agility for a distributed workforce, IT and security teams need to modernize their data protection, with identity and access control of users being a critical first step."
--
Rick McElroy, Principal Cybersecurity Strategist, VMware Security Business Unit
"Using a password is as antiquated as using a standard key on your front door -- it's locked but someone can copy the key or pick the lock and still get access. For this reason, it's important to prioritize multi-factor authentication, in the form of behavioral and continual authentication, and move away from a central store of identities, which can easily be hacked.
Moving forward, we'll begin to witness hand and fingerprint biomarkers, two-factor authentication with a mobile device and facial recognition replace traditional password authentication processes. At some point in the future, DNA will probably be used to verify identity in the medical field. Long term, I could see a future where a combination of measurements like a heartbeat and brain waves could be used, making it more difficult than ever for cybercriminals to break the digital lock."
--
Stephen Cavey, co-founder and chief evangelist, Ground Labs
"Many data experts would argue that a ‘secure password’ is an oxymoron. Historically, passwords have been an extremely weak form of authentication and represented one of the greatest threats to an organization's security posture.
The key to any successful security program is making security easy for an employee or user to follow. With less than 25% of Americans using a password manager to prevent password re-use across multiple applications and sites, data breaches caused by compromised credentials are unlikely to disappear anytime soon unless our dependency on passwords as a primary means to authenticate is eliminated. Modern security standards such as the PCI DSS compliance requirements now mandate the use of multi-factor authentication as part of achieving a comprehensive Identity and Access Management framework.
Furthermore, a modern Identity and Access Management framework that eliminates sole reliance on passwords will become a critical component of an organization's data security strategy, ensuring robust verification that a user is who they say they are, limiting their access to data to only what they need, and providing a comprehensive and reliable audit trail."
--
Kevin Breen, director of cyber threat research, Immersive Labs
"The average internet user has 100+ passwords. So when it comes to picking strong, memorable, unique passwords for every single service you use, I'm going to be harsh and simply say: don't. Use a password manager instead. Password managers can either be your salvation or your biggest downfall - but they're certainly better than trying to cram hundreds of strong passwords into your head. They're great at creating very complex and long passwords that you don't have to remember, and they integrate into your browser and mobile device. But they do place all your proverbial eggs into the same proverbial basket. If your master password is compromised, then everything else could be too.
Multi-factor authentication as an extra layer of security should also always be added. This can range from a simple SMS code to a physical security key. It's always worth setting up MFA if you can; it means that if anyone has stolen your password, they'd need to invest a lot more time and effort into specifically targeting you before accessing any of your accounts.
A great service that both individuals and enterprises can benefit from using is haveibeenpwned. It's free and will allow you to register your email address or the domain so that any time the email or domain is found in a public breach, you will receive a notification on where and when it took place, giving you the chance to change your password.
To all the developers out there creating authentication flows in applications, you can help by making sure you select algorithms that are difficult or time-consuming to brute-force like bcrypt or PBKDF2. You should also salt your passwords, and please never store the cleartext versions in logs anywhere. You could also consider implementing the haveibeenpwned password API to stop users entering known compromised passwords, and allow your users to enrol an MFA provider like U2F or Google Authenticator."
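The developer advice in that last paragraph, worked through as an added example (not code from the article, Immersive Labs or Have I Been Pwned): PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt and constant-time verification, plus the k-anonymity range lookup that the haveibeenpwned password API is built around, run here against a constructed offline stand-in for that API. The iteration count and the breach corpus inside the stand-in are assumptions.

```python
"""Password storage and breached-password screening.

Added example for the developer advice above; it is not code from the
article, Immersive Labs, or Have I Been Pwned. Uses PBKDF2-HMAC-SHA256 from
the standard library (bcrypt would need a third-party package). The range
responder below is a constructed offline stand-in for the Pwned Passwords
range API; the corpus and counts in it are made up.
"""
import hashlib
import hmac
import os
from typing import Callable

# Work factor: assumption, tune so one hash costs a few hundred ms on your servers.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    A fresh random salt per user means identical passwords produce different
    records, so a leaked table cannot be cracked with one precomputed list.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup as the Pwned Passwords range API is designed:
    only the first 5 hex digits of SHA-1(password) leave the client; the
    response is a list of 'SUFFIX:COUNT' lines and the match is found locally.
    Returns how many times the password was seen in breaches (0 = not found).
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def register_password(password: str, fetch_range: Callable[[str], str]) -> str:
    """Refuse known-breached passwords, otherwise return the record to store.

    Log the outcome, never the password itself (not in exceptions either).
    """
    seen = pwned_count(password, fetch_range)
    if seen:
        raise ValueError(f"password rejected: seen {seen} times in known breaches")
    return hash_password(password)


# Constructed offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
_FAKE_BREACH_CORPUS = {"password": 3730471, "Summer2021!": 12}  # made-up counts


def fake_fetch_range(prefix: str) -> str:
    """Answers like the real endpoint: every suffix whose SHA-1 starts with prefix."""
    lines = []
    for pw, count in _FAKE_BREACH_CORPUS.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # Padding entry so a response is never just the single matching suffix.
    lines.append("0018A45C4D1DEF81644B54AB7F969B88D65:1")
    return "\r\n".join(lines)


if __name__ == "__main__":
    rec = register_password("correct horse battery staple", fake_fetch_range)
    print(rec.split("$")[0], verify_password("correct horse battery staple", rec))
    try:
        register_password("password", fake_fetch_range)
    except ValueError as err:
        print(err)
```

Swapping `fake_fetch_range` for a real HTTPS GET of the range endpoint is the only change needed to use the live API; the client never sends more than the five-character prefix.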
--
Bindu Sundaresan, Director, AT&T Cybersecurity
"The use of passwords, the most common digital authentication method to log into a company system, is rife with problems, from being an annoyance to posing a security risk. Today, the number of data breaches that have spiked across different organizations means your password is likely already on the internet somewhere. As a result, reusing a password (even if it's a strong one) can be dangerous. The passwords you create should be strong and unique.
Weak or unprotected passwords continue to be a top cause of security breaches. There is a rise in credential stuffing attacks stemming from the original theft of usernames and passwords, through their sale and distribution among cybercriminals, to their eventual use for fraud. Credential stuffing remains an enormous problem that demands the attention and investment of the security community.
At the root of these problems are the systems that authenticate users with passwords. Passwords are inconvenient and create numerous security vulnerabilities. A password by itself should be considered a point of high exposure. In today's connected world, hackers can easily access systems and personal devices. Passwords are shared, stolen, reused, and replayed. They are the hacker's favorite target, and entire categories of vendor products exist to make up for the shortcomings of passwords. While passwords are not the only reason for diminished trust, they are certainly the most expensive. Two distinct authentication factors, each acting as a separate padlock, are necessary to help secure information. 2021 may be the year we move away from passwords. Companies are accountable to their users, and while most users claim to value security over convenience, their actions speak otherwise."
--
Gary E. Barnett, CEO of Semafone
"One year has passed since the beginning of the pandemic and protecting passwords has never been more important. Good password hygiene is essential as people continue to spend time at home and create new accounts on ecommerce sites, online grocery or food delivery apps, and social media platforms. Having unique passwords for each service, using a variety of characters, alternating between upper and lowercase letters, or even using passphrases or mnemonic devices can all go a long way in helping create safe and memorable passwords.
Since bad actors have become more advanced in their security breaching efforts, dual factor authentication, biometrics, single sign-on services, and password vaults or managers all provide further layers of protection to help secure important personal information. As people grow their digital presence through the increased use of mobile apps and online services, safeguarding passwords is critical to digital safety.
Additionally, when it comes to making payments, whether over the phone or via digital channels, it’s important to remember that the CVV or three-digit security code on the back of your payment card effectively functions as your card’s password, and should be protected just as strongly as conventional passwords. Never provide this information to untrusted parties, and when possible, make sure merchants aren’t storing it unprotected on your behalf."
--
Darren Siegel, Product Specialist at Specops Software
"Employee passwords are the backbone of any company’s cybersecurity posture. Social engineering and AI-driven ‘spray and pray’ attacks are escalating and it's easier than ever for attackers to obtain lists of leaked passwords. Despite companies’ best efforts to abide by corporate security best practices and guidelines, we still see companies that are failing to use effective protections like blocking leaked passwords with a known breached password list."
--
Jenn Markey, Director, Identity, Entrust
"Our collective hope as an industry is that one day World Password Day will be obsolete as encryption and advanced authentication replace the age-old practice of entering password credentials to access desired information. But until that day comes, organizations must continue ramping up their security tech and training to fill existing knowledge gaps and avoid detrimental breaches.
Requiring a password plus one or more added credentials, also known as multi-factor authentication (MFA), is a good way to prevent unauthorized account access, but going passwordless is so much better. Virtually every data breach can be traced back to compromised passwords, with phishing being one of the most common attacks. Working from home multiplies this risk with insecure workspaces and an increased propensity for bad habits like writing passwords down.
Instead of passwords, business leaders should work with their security and IT managers to implement and deploy high-assurance credential-based passwordless authentication that merges the power of digital certificates with smartphone biometrics to create an employee’s trusted workplace identity, wherever that workplace may be. By eliminating the password, you effectively protect your organization from phishing attacks which minimizes the risk of a data breach."
--
Faisal Bhutto, President, Cloud & Cybersecurity Solutions, AVCtechnologies
"We have been raising awareness about good password hygiene for years, yet stolen credentials are still the number one reason for breaches. The rapid increase of remote workforce and BYOD since the pandemic has made it even more difficult for security professionals to enforce good password habits and policies. The good news is that more and more manufacturers in the tech ecosystem are adopting the FIDO (Fast ID Online) 2 standards due to which we are closer now to passwordless authentication than we have ever been. Most recently, companies like Cisco announced passwordless authentication for Duo using WebAuthn while OKTA supports passwordless authentication for MFA factor. What is lacking is enterprise adoption of such technologies at a rapid pace. Cybersecurity focused solution providers and cyber professionals in the enterprises have a responsibility to work towards aggressive adoption of new standards to get us to the nirvana of a passwordless world. The reality, however, is that it will still take some time. Organizations will have to follow modern best practices for passwords such as using password managers, multi-phrase passwords, using salted passphrases or algorithms for security questions. As a security professional, think about what you must do to make sure the experience of an end user with password management is easier and the policies are not so antiquated and lagging behind the modern recommendations that it forces people to write down a password on a post-it!"
--
John Xereas, Senior Director, Raytheon Intelligence & Space
"Businesses large and small invest increasingly to educate their employees on how to practice appropriate password hygiene, implement associated best practices, identify social engineering attacks, and yet user password theft continues to be a serious security concern. Compromised credentials in today’s interconnected enterprises, many of which leverage resources across multiple data centers and cloud providers, represent an even greater risk and impact of data and financial losses.
Organizations need to reimagine their credentialing approach and implement well-designed ICAM solutions that not only incorporate the latest in multi-factor authentication capabilities, but incorporate everything from behavioral analytics and machine learning techniques, to strict policy controls that are part of a continuously monitored security apparatus."
--
Aaron Cockerill, Chief Strategy Officer at Lookout
"Passwords need to go. We should not be celebrating World Password Day, we should celebrate the day no one ever needs to remember a password ever again. And that day is coming. But in the meantime there is a lot of support to help us with systems that still require them. Password managers and even browsers now notify you when passwords are repeated or stolen, and they suggest longer and stronger passwords that they remember rather than you having to. And increasingly your password can be strengthened by things like second factors and biometrics. Increasingly identity will be established using intelligent devices like your smartphone, leveraging both encryption and biometric sensors, and passwords will become a thing of the past. The challenge then is to know that your smartphone is safe."
--
Mike Puglia, Chief Strategy Officer at Kaseya
"The average adult has more than 20 passwords they use, so it’s not surprising that 39% of people say most of their passwords across both their work and home applications are identical. There are billions of passwords available on the dark web, and password reuse makes it even easier for hackers to use stolen credentials to conduct phishing attacks and spread ransomware. In addition to reusing passwords, individuals often pick words or number combinations that are easy to remember. When we did a scan of nearly three million passwords found on the dark web in 2020, we saw that 92 of the top 250 most common passwords were first names or variations of first names.
Every year since the 1990s, there is some proclamation that passwords are going away – they aren’t. We’ve made great strides in areas like thumbprints, tokens, facial recognition, but don’t expect passwords to disappear in the next few years.
According to the Verizon Breach Report, the number one malware variant isn’t ransomware—it’s password dumpers. Password dumpers are favored by cybercriminals because passwords get attackers so much more – it makes it easier to propagate ransomware, steal data, and gain entry for long term access. It’s also become so much easier for attackers to use those passwords. Adversaries no longer have to target millions of individual organizations one by one - they can simply attempt logins against the major cloud and SaaS sites, especially since almost every company has some employee accounts on Google, Microsoft or Amazon. The access to targets supporting 95% of the world’s organizations is a click away from any location.
The bar is now ridiculously low for attackers. It requires minimal technical ability, and the financial cost to carry attacks out is negligible. Simply buying credential lists and attack kits yields 0.2%-0.5% success rates, and the attacks can be run by anyone. Additionally, today’s targets are centralized into a small number of environments that everyone uses. As long as the success rates remain high and the cost and effort remains low, these attacks will continue to increase.
In 2001, I recall walking around with an RSA MFA token on my belt. Though 20 years later MFA is still not ubiquitous, the next few years will bring significant changes. The next five years will bring password plus MFA for all logins, with password only being the exception. It’s already happening with consumer accounts – banks, phones, even gaming systems - and now we are seeing it roll out across all business applications. Though MFA cannot stop 100% of attacks, it raises the effort and costs required for adversaries to be successful. It is the only way we start to lower the number of breaches."
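Puglia's finding that 92 of the top 250 leaked passwords were first names or variants of them, and Bhutto's call above for password policies that are not "antiquated", both point at the same control: screen new passwords against a deny list of common words and names, normalising the "Michael123!" and "j3nn1f3r" variants people use to satisfy composition rules, rather than piling on complexity requirements. The following is an added example written for this page, not code from Kaseya, AVCtechnologies or any of the quoted vendors; the deny lists are a constructed handful of entries standing in for a real breached-password corpus and first-name list, and the 12-character floor is an assumed policy value.

```python
import re

# Constructed sample deny list (not Kaseya's dark-web dataset): a few common
# first names and classic weak passwords. A real deployment would load a large
# breached-password corpus and a full first-name list.
COMMON_FIRST_NAMES = {"michael", "jennifer", "jessica", "ashley", "daniel", "david"}
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome", "iloveyou"}

# Leetspeak substitutions users apply to a base word to pass composition rules.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to the base word it is built from.

    Lower-cases, strips the trailing digits/symbols people append
    ("Michael123!" -> "michael"), then undoes leetspeak ("j3nn1f3r" -> "jennifer").
    Trailing characters are stripped *before* the leet pass so that a suffix
    like "123!" is not mistaken for letters.
    """
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)
    return base.translate(LEET)


def screen_password(password: str, min_length: int = 12) -> list:
    """Return the list of reasons the password fails policy (empty = accepted).

    Follows the NIST SP 800-63B approach: a length floor plus a deny list of
    compromised/common values, instead of character-class composition rules.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    core = normalize(password)
    if core in COMMON_FIRST_NAMES:
        reasons.append(f"based on the first name '{core}'")
    if core in COMMON_PASSWORDS:
        reasons.append(f"variant of the common password '{core}'")
    return reasons


if __name__ == "__main__":
    for candidate in ["Michael123!", "P@ssw0rd2021", "correct horse battery staple"]:
        verdict = screen_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The normalisation is deliberately lossy: it only has to catch the predictable ways a base word gets dressed up, and a passphrase such as "correct horse battery staple" passes untouched because nothing in it reduces to a deny-listed word.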
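The attack Puglia describes, replaying bought credential lists against the big cloud and SaaS logins at 0.2%-0.5% success, has a distinctive shape in authentication logs: one source trying many different accounts in a short window, with a handful of successes buried in the failures. Per-account lockout never fires, because each account sees only one attempt. The detector below is an added example for this page, not Kaseya's or any vendor's code; the log lines are constructed samples in an assumed "timestamp result account source-IP" format, and the five-accounts-in-five-minutes threshold is an assumed tuning value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Format per line:
#   <ISO-8601 UTC timestamp> <SUCCESS|FAIL> <account> <source IP>
# 203.0.113.10 tries seven different accounts in four seconds and gets one
# hit; 198.51.100.7 is a legitimate user fumbling their own password.
SAMPLE_LOG = """\
2021-05-06T09:00:01Z FAIL alice@example.com 203.0.113.10
2021-05-06T09:00:02Z FAIL bob@example.com 203.0.113.10
2021-05-06T09:00:02Z FAIL carol@example.com 203.0.113.10
2021-05-06T09:00:03Z FAIL dave@example.com 203.0.113.10
2021-05-06T09:00:03Z SUCCESS erin@example.com 203.0.113.10
2021-05-06T09:00:04Z FAIL frank@example.com 203.0.113.10
2021-05-06T09:00:05Z FAIL grace@example.com 203.0.113.10
2021-05-06T09:00:09Z FAIL alice@example.com 198.51.100.7
2021-05-06T09:00:20Z FAIL alice@example.com 198.51.100.7
2021-05-06T09:00:41Z SUCCESS alice@example.com 198.51.100.7
2021-05-06T09:05:00Z SUCCESS heidi@example.com 192.0.2.55
"""


def parse_line(line: str):
    """Split one log line into (timestamp, result, account, ip)."""
    ts, result, account, ip = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, account, ip


def detect_stuffing(log_text: str, window: timedelta = timedelta(minutes=5),
                    min_accounts: int = 5) -> dict:
    """Flag source IPs that attempted >= min_accounts distinct accounts within
    any `window`. Returns {ip: {"peak_accounts", "attempts", "successes"}}.

    The signature of a credential list being replayed is many *different*
    accounts from one source, not many tries on one account (which is what
    per-account lockout catches). The successes list is the incident-response
    output: those accounts have a password that is on an attacker's list.
    """
    by_ip = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, result, account, ip = parse_line(line)
        by_ip[ip].append((ts, result, account))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        peak, start = 0, 0
        for end, (ts, _, _) in enumerate(events):
            # slide the window start forward until it fits within `window`
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, len({acct for _, _, acct in events[start:end + 1]}))
        if peak >= min_accounts:
            alerts[ip] = {
                "peak_accounts": peak,
                "attempts": len(events),
                "successes": sorted(acct for _, r, acct in events if r == "SUCCESS"),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['peak_accounts']} accounts in window, "
              f"compromised: {info['successes'] or 'none'}")
```

On the sample the legitimate user retrying their own password is not flagged, the spraying source is, and the one successful login from it is reported so the account can be reset and its sessions revoked. Rebuilding the account set for every window position is quadratic in the worst case; a streaming deployment would keep a per-IP count of distinct accounts and expire entries as the window slides.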
--
"World Password Day this year is a reminder for organizations to acknowledge the gaps created by passwords and consider alternatives and the concept of a passwordless future. The most notorious breaches of the last year have all involved weak or compromised credentials, showcasing that passwords are still the easiest way for cybercriminals to access a network. Stolen passwords are now more difficult than ever for IT teams to flag as a threat and can allow an unauthorized user to access a system undetected for a long period of time. Best practices such as enforcing the principle of least privilege, implementing multi-factor authentication, and educating employees on strong password hygiene will strengthen enterprises’ cybersecurity posture.
However, as long as the concept of requiring a person to remember multiple passwords is a major part of an organization's security strategy, the risk still remains. Instead of solely relying on passwords, enterprises should implement multi-factor authentication to protect accounts from password compromises.
Organizations should also investigate behavioral biometrics technologies for identity access and authentication purposes. Using machine learning to identify a baseline of user behavior, systems can flag when users deviate from their typical behavior and take immediate action, shortening the time it takes to detect and remediate an incident. Combining consistent messaging to employees, access and authentication practices, auditing and behavioral biometrics creates a strong cybersecurity defense for enterprises, and will be fundamental to the industry’s step towards a passwordless future."
--
Chris Morales, Chief Information Security Officer at Netenrich
"Good password security is not relying on a password for security. It is concerning that the cybersecurity industry still gives a false sense of hope as an excuse to continue to force a poor user experience on everyone. Passwords are stolen in large files and databases from poorly configured apps by the millions, or auth tokens are compromised for account takeover. For that reason, all passwords are useless regardless of strength.
It is insane “what you know” is still the primary means of validating identity for online systems which then provide complete access to a broad set of resources with no further validation. That would be like giving my house keys to a random man on the street who claims to be my mom and can prove it by telling me the name of my dog when I was a kid. Even worse if my mom is standing right next to me but doesn’t remember that dog's name so I trust the stranger but not her. Password complexity is the equivalent of expecting the stranger to give me a whole list of random facts as proof. Does not matter how much he knows. Still not my mom.
Sounds ridiculous right? The cybersecurity industry has built an authentication system which can only be considered inhumane and with a singular value of infuriating everyone. People are the victims, not the cause of breaches.
User access should be adaptive based on level of need and risk. A person should be allowed the appropriate level of access to the appropriate resources at the appropriate time. Most importantly, access should be fluid and not require an incomprehensible amount of user input or predetermined knowledge.
For authentication, the number of variables is more important than the level of complexity of those variables. No reason a password is anything more than a 4-to-6-digit PIN. Authentication can be based on who you are (biometrics), what you know (PIN), what you have (device/token), and where you are authenticating from (geolocation). Even then, authentication is not trust. Trust is situational awareness. What do you need, why do you need it, when do you need it, and what is your current operating environment? The operating environment is a measure of the risk of providing that access even when the need is justified and the identity asking is authenticated.
There is a combination of local authentication methods combined with remote risk analytics here. Totally doable and the outcome is less intrusive on the end user so we can stop blaming people for human error as to why a breach occurred. To err is human."
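Morales's "local authentication methods combined with remote risk analytics", together with the earlier point about flagging logins that deviate from a user's baseline behaviour, can be made concrete as a small policy engine: the context of the attempt (country, hour, device) is scored against what the user normally does, and that score, together with the sensitivity of the resource, sets how many distinct factor classes (know / have / are) must have been verified before access is allowed, stepped up, or denied. This is an added example for this page, not Netenrich's or any vendor's product; the baseline, the risk weights and the thresholds are all constructed assumptions that a real deployment would tune.

```python
from dataclasses import dataclass

# Which of the classic factor classes each credential type belongs to:
# "know" (something you know), "have" (something you have), "are" (biometric).
FACTOR_CLASSES = {"password": "know", "pin": "know", "otp": "have",
                  "registered_device": "have", "biometric": "are"}


@dataclass
class Baseline:
    """What a user normally looks like, learned from past logins (constructed here)."""
    usual_countries: set
    usual_hours: range      # local hours during which the user normally signs in
    known_devices: set


@dataclass
class LoginContext:
    """Everything known about one access attempt."""
    factors: set            # subset of FACTOR_CLASSES keys that were verified
    country: str
    hour: int
    device_id: str
    sensitivity: str        # "low" | "medium" | "high" for the requested resource


def risk_score(ctx: LoginContext, baseline: Baseline):
    """Score deviations from the user's baseline. Weights are constructed
    assumptions; a real engine tunes them per organization."""
    score, reasons = 0, []
    if ctx.country not in baseline.usual_countries:
        score += 40
        reasons.append("unfamiliar country")
    if ctx.hour not in baseline.usual_hours:
        score += 15
        reasons.append("unusual hour")
    if ctx.device_id not in baseline.known_devices:
        score += 30
        reasons.append("unknown device")
    return score, reasons


def decide(ctx: LoginContext, baseline: Baseline):
    """Return ("allow" | "step_up" | "deny", reasons).

    The number of distinct factor *classes* required grows with the
    sensitivity of the resource and with the contextual risk; above a risk
    ceiling no factor combination is accepted and the attempt is denied.
    """
    score, reasons = risk_score(ctx, baseline)
    if score >= 70:
        return "deny", reasons + ["risk above ceiling"]
    required = {"low": 1, "medium": 2, "high": 3}[ctx.sensitivity]
    if score >= 40:
        required = min(3, required + 1)
    present = {FACTOR_CLASSES[f] for f in ctx.factors}
    if len(present) >= required:
        return "allow", reasons
    return "step_up", reasons + [f"need {required} factor classes, have {len(present)}"]


if __name__ == "__main__":
    alice = Baseline({"US"}, range(7, 20), {"laptop-1"})
    attempts = [
        LoginContext({"password"}, "US", 10, "laptop-1", "low"),
        LoginContext({"password"}, "US", 10, "laptop-1", "high"),
        LoginContext({"password", "otp"}, "DE", 10, "laptop-1", "medium"),
        LoginContext({"password", "otp", "biometric"}, "DE", 3, "phone-9", "low"),
    ]
    for attempt in attempts:
        print(decide(attempt, alice))
```

Two design points carry the argument in the quote: a password and a PIN count as one class, so stacking "what you know" never satisfies a two-class requirement, and a familiar user on a familiar device reaching a low-sensitivity resource is let through on a single factor, which is the "less intrusive on the end user" outcome Morales is after.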
--
Duncan Steblyna, VP of Product, Veriff
"Now is the time for the security industry to embrace 3FA (three-factor authentication). The three factors would be "something you know", "something you have", and "something that is part of you" like your face, fingerprint or other biometric measure. None of these are foolproof, but once combined they create a barrier that is much more difficult for a determined, intelligent fraudster to bypass."