Virtualization Technology News and Information
Industry Experts on World Password Day 2021


May 6th 2021 is World Password Day. The day is dedicated to reminding the world to maintain better password habits. With the pandemic bringing most people indoors and online, passwords are more important than ever. A few industry experts have chimed in with their advice for World Password Day this year.

Joseph Carson, chief security scientist & advisory CISO, ThycoticCentrify

"It is World Password Day, which means it is time to reflect on your current password hygiene and determine if your password choices are putting you at serious risk of becoming a victim of cybercrime.  According to the UK National Cyber Security Centre (NCSC), 15% of the population uses pets' names, 14% uses a family member's name, and 13% picks a notable date. In fact, the weak password problem is so severe that the UK recently proposed new internet and IoT reforms that would make using "password" as your password illegal. 

Passwords remain one of the biggest challenges for both consumers and businesses around the world. Thanks to the SolarWinds security incident in late 2020, we were all reminded that a poor password choice can not only impact your own organization but all connected organizations as well. This was likely one of the biggest supply chain cyberattacks in history -- all stemming from poorly-created passwords.

If you are a consumer, start by using a password manager today. If you are a business leader, you should move beyond password managers straight into privileged access security. Rotating and choosing passwords is one of the biggest causes of cyber fatigue, so organizations can reward employees with privileged access security solutions that will eliminate one of their biggest work headaches and introduce security solutions that they will want to use. Privileged access security is one of the few security solutions that will transform your employee password experience into one that will make them more productive -- and you'll never need to create unique, complex passphrases for every account as privileged access management (PAM) will do that for them. It's time to increase security and ease stress by moving passwords into the background with a modern PAM solution."

Neil Jones, cybersecurity evangelist, Egnyte 

"Recently, one of the largest data dumps in history, referred to as  COMB (Compilation of Many Breaches), exposed an astronomical 3.2 billion passwords linked to 2.18 billion unique email addresses. This is frightening news for all of us, but it's particularly worrisome for IT leaders. So many of them are kept up at night with a gnawing concern: How do I manage the growing risk of data breaches, with a large proportion of my employees working remotely?    

Remote work can lead to employees accessing unsanctioned devices, apps and networks, particularly when they experience issues with work-related IT resources. This broadens the attack surface for bad actors and leaves few checks in place for careless behavior that can result in data leaks. 

To commemorate World Password Day, we'd like to remind you about practical steps that you can take to protect your valuable information, while embracing today's work-from-home environment:  

  • Educate your employees on password safety - Teach your users that commonplace passwords such as "123456," "password" and their pets' names can put your data and their personal reputations at risk. Remind users that passwords should never be shared with anyone.  
  • Institute two-factor authentication - IT administrators should require additional login credentials during the users' authentication process, to prevent potential account breaches. This can be as simple as a user providing their password, then entering an accompanying numeric code from an SMS text.  
  • Set passwords for personal devices - Personal devices are on the rise in a remote-work environment and are particularly vulnerable to data theft, so encourage your employees to password-protect them.  
  • Change your Wi-Fi password regularly - Remember that potential hackers are often working from home, just like us. If you haven't updated your Wi-Fi password recently, do it immediately.  
  • Establish mandatory password rotations - Greatly reduce exploitation of default and easily-guessable employee credentials by making your employees change their passwords regularly.  
  • Update your account lockout requirements - Prevent brute force password attacks by immediately locking out access points after several failed login attempts."
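As an added example (not code from the article or from Egnyte), the lockout item above implemented as a small sliding-window tracker and replayed over constructed auth-log lines; the thresholds and the log format are assumptions.

```python
"""Account lockout after repeated failed logins, replayed over constructed
auth-log lines (added example, not code from the article or from Egnyte)."""
from collections import defaultdict, deque
from datetime import datetime

# Assumed policy: lock after MAX_FAILURES failures within WINDOW_SECONDS,
# and keep the account locked for LOCKOUT_SECONDS.
MAX_FAILURES = 5
WINDOW_SECONDS = 300
LOCKOUT_SECONDS = 900


class LockoutTracker:
    def __init__(self):
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> epoch seconds when the lock expires

    def is_locked(self, user, now):
        return self.locked_until.get(user, 0.0) > now

    def record(self, user, success, now):
        """Apply one login attempt; returns 'locked', 'ok', 'failed' or
        'lockout_triggered'. A correct password during a lockout is still rejected."""
        if self.is_locked(user, now):
            return "locked"
        if success:
            self.failures[user].clear()
            return "ok"
        recent = self.failures[user]
        recent.append(now)
        # Drop failures that have fallen out of the sliding window.
        while recent and recent[0] <= now - WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = now + LOCKOUT_SECONDS
            recent.clear()
            return "lockout_triggered"
        return "failed"


def parse_line(line):
    """'2021-05-06T08:00:00Z user=alice result=fail' -> (epoch seconds, user, success)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    now = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
    return now, kv["user"], kv["result"] == "ok"


def replay(log):
    """Feed every non-empty log line through one tracker; returns [(user, status), ...]."""
    tracker = LockoutTracker()
    results = []
    for line in log.splitlines():
        if not line.strip():
            continue
        now, user, success = parse_line(line)
        results.append((user, tracker.record(user, success, now)))
    return results


# Constructed sample: five failures for alice inside five minutes, then a correct
# login that arrives while the lock is active, then one after the lock expires.
SAMPLE_LOG = """\
2021-05-06T08:00:00Z user=alice result=fail
2021-05-06T08:00:10Z user=alice result=fail
2021-05-06T08:00:20Z user=bob result=ok
2021-05-06T08:00:30Z user=alice result=fail
2021-05-06T08:00:40Z user=alice result=fail
2021-05-06T08:00:50Z user=alice result=fail
2021-05-06T08:01:00Z user=alice result=ok
2021-05-06T08:20:00Z user=alice result=ok
"""

if __name__ == "__main__":
    for user, status in replay(SAMPLE_LOG):
        print(f"{user:6} {status}")
```

A lockout keyed on the username alone can itself lock legitimate users out, so production policies usually pair it with per-source rate limiting or exponential back-off rather than a hard lock.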

Jon Clemenson, director, Information Security, TokenEx

"Despite technology trends moving toward risk-based authentication, passwords are likely to remain in play for some time. Considering this, World Password Day provides the perfect opportunity to reiterate strong password policies that are vital to both personal and business security. Cybercriminals often reuse credentials from password dumps found online, commonly referred to as credential stuffing, to access sensitive data. That tactic combined with using simple passwords does not provide appropriate data protection. We ask users not to repurpose passwords across websites, and instead, institute lengthy and unique complex passwords whenever possible in conjunction with two-factor authentication.

Further, malware and other attack methods can completely bypass passwords, which is especially concerning during remote work. Before cyber thieves can advance on your credentials, we recommend using password managers to auto generate strong passwords, or moving to biometric or physical keys for authentication, which are more secure than using passwords. For sensitive data like credit card numbers or other personal info, businesses can remove that data from systems entirely using tokenization. That way, if a hacker does access company systems, they won't steal any useful information.

Finally, to rise above being a 'low hanging fruit' target for a malicious actor, good password hygiene practices like not sharing or reusing passwords are vital. Investing the time to take one extra step to secure your data is invaluable when compared to the fallout of a data breach."

Glenn Veil, VP, engineering, Wisetail

"Passwords play a critical, ongoing role in different aspects of our lives. In our personal lives, they provide a layer of defense against fraud and identity theft. In the workplace, they defend us against a breach of sensitive company or customer data. At Wisetail, we implement policies, standards and guidelines around credential security, but the key is to create awareness and sensitivity in our employees through education and training.

Here are some tips we recommend to protect yourself and your business from cyberattacks:

  1. Educate your people on the importance of credential security and provide them with the tools to protect credentials
  2. Create an environment where your people are comfortable highlighting security issues or cases where practices are not being followed so you can continue to improve your credential security
  3. Utilize multi-factor authentication to reduce the damage that can be done by weak or exploited passwords
  4. According to NIST's 2021 security recommendations, it's important to keep your passwords long but not too complex. Theoretically, if the password is long enough, the chance of a hacker figuring out the correct sequence is low.

Follow these best practices beyond World Password Day, and your entire team will play a part in creating obstacles for digital adversaries and protecting your data."

Josh Odom, CTO, Pathwire

"As we reflect on cyber hygiene practices for World Password Day, we recognize that for many years users were encouraged to create strong passwords using random combinations of characters that are difficult for humans to remember, but easy for computers to guess. This is the opposite of the intended purpose and often leads to inherently poor habits such as writing down passwords or reusing ones that are easier to remember. Some websites utilize a password strength meter, but this can also be tricky and lead users to making weaker passwords instead of stronger ones. While we've engineered these meters to score the passwords we create, they are better used against ones that a computer can create because humans are too predictable, even when we try our best not to be.

To overcome these persistent password weaknesses, utilizing a password manager that generates passwords from a large set of characters to achieve a desired level of entropy is one of the best options currently for creating strong and unique passwords. Still, other available options such as security keys, authenticator apps, or any available multi-factor authentication methods beyond using just a password should be considered for security. Finally, resources like haveibeenpwned.com, which check for exposed passwords, are reliable compared to inventing and using your own strength-checking algorithms."
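As an added example (not code from the article or from Pathwire), the two techniques in the quote above worked through: sizing a randomly generated password to a target entropy, and checking a password against a k-anonymity range response in the style of the haveibeenpwned.com Pwned Passwords API. The range response below is constructed for the example and runs offline; the 80-bit target and the 94-character alphabet are assumptions.

```python
"""Target-entropy password generation and an offline k-anonymity breach check
(added example, not code from the original article)."""
import hashlib
import math
import secrets
import string

# 94 printable ASCII characters: the kind of "large set" a password manager draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def length_for_entropy(target_bits: float, alphabet_size: int) -> int:
    """Shortest length at which a uniformly random password reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(target_bits: float = 80.0, alphabet: str = ALPHABET) -> str:
    """Draw each symbol with the OS CSPRNG (secrets), never random.random()."""
    length = length_for_entropy(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def sha1_prefix_suffix(password: str) -> tuple:
    """SHA-1 hex digest split into the 5-char prefix that is sent to the range
    endpoint and the 35-char suffix that never leaves the client (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_prefix: str, range_response: str) -> int:
    """Match the local suffix against the 'SUFFIX:COUNT' lines of a range response.
    Returns the breach count, or 0 when the password is not in the range."""
    prefix, suffix = sha1_prefix_suffix(password)
    if prefix != range_prefix.upper():
        raise ValueError("range response is for a different prefix")
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the response to /range/5BAA6, the prefix of
# SHA-1("password"); the counts and the other two suffixes are made up.
SAMPLE_RANGE_5BAA6 = """\
1D2B7CB4A1E8F5E3C9D0A4B6E7F8C1D2A3B:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
2F0A1B2C3D4E5F60718293A4B5C6D7E8F90:1
"""


def assess(password: str, range_prefix: str, range_response: str) -> dict:
    """What a signup form could report: entropy if the password were random, and breach count."""
    return {
        "entropy_bits_if_random": round(entropy_bits(len(password), len(ALPHABET)), 1),
        "breach_count": breach_count(password, range_prefix, range_response),
    }


if __name__ == "__main__":
    pw = generate_password(80)
    print(pw, "length", len(pw), "prefix", sha1_prefix_suffix(pw)[0])
    print("password ->", assess("password", "5BAA6", SAMPLE_RANGE_5BAA6))
```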

Surya Varanasi, CTO of Nexsan, a StorCentric Company

"Few would argue that creating strong passwords must remain a priority. However, even after creating a seemingly impenetrable password using every best practice possible, undiscovered threats might still be able to penetrate them and expose your environment to unnecessary risk. 

But if your organization has data that is too important to lose, too private to be seen and too critical to be tampered with then you must take the next step to thwart cyber-criminals. This can be accomplished by employing a strategy that enables you to unobtrusively offload data from what is likely expensive primary storage (cost savings is another bonus here) to a cost-effective storage solution that is engineered specifically to be regulatory compliant and tamper-proof from even the harshest ransomware attacks. And since backups have become the latest malware targets, the storage platform should include "unbreakable backup" meaning it includes an active data vault that creates an immutable copy, which makes recovery of unaltered files fast and easy - so there's zero operations disruption and never any need to pay ransom."

JG Heithcock, GM of Retrospect, a StorCentric Company

"A global survey conducted by Gartner found that 88% of business organizations mandated or encouraged employees to work from home (WFH) as a result of the COVID-19 pandemic. With millions of workers around the world now having to access their organization's data remotely, data protection was put under increased pressure. For many, the answer was to employ a strong password -- oftentimes, requesting that employees do so employing a random mix of no less than 15 characters. Undeniably, this was a step that could not be ignored. Unfortunately, many learned the hard way that this was not enough to stop today's increasingly determined and aggressive cyber-criminals. And given that research, such as that from the Harvard Business School, shows that the WFH paradigm will likely endure, it is clear that stronger measures must also be taken. 

The next step in the data protection and business continuity process for virtually any organization (or personally, for that matter) is an effective backup strategy. And the good news is that there is no need to reinvent the wheel here. A simple 3-2-1 backup strategy will do the trick. This means that data should be saved in at least three locations -- one on the computer, one on easy-to-access local storage and another on offsite storage. The options range from local disk, to removable media, to the cloud and even tape. And, if at least one copy is "air-gapped" meaning completely unplugged from the network, all the better. 

In 2021 and beyond, multi-layered data protection strategies - such as those employing strong passwords combined with thorough backup practices - will help to ensure you, your data and your organization remain protected in the event of a simple accident, cyber-attack or any other disaster."

Wes Spencer, CISO, Perch Security, a ConnectWise Solution

"Here's a riddle for you: what's the one thing we all have, all hate and never remember? Yep, a password. Isn't it ironic that in 2021, we're still using one of the most broken systems for authentication ever? Even Julius Caesar hated passwords and preferred his own cipher to communicate instead.

Why is this? Well, passwords are like underwear. You see, you should never share them, never hang them on your monitor, and honestly, no one should ever see them. So how do we go about living in a password-required world? First, remember that long passwords are always better than complex ones. This is because the human brain is hardwired to be extremely poor at creating and remembering complex passwords. In fact, a long 16-digit password is far more secure than a short 8-character complex password.

Second, never reuse a password. Ever. Most successful breaches occur when a stolen password from one platform is leveraged against another system that shares the same password. At Perch Security, we've dealt with many breaches that occurred this way. It's a true shame. The best way to avoid this is by using a reputable password manager and keeping it locked down. The password manager can handle the creation, storage and security of every password you use.

Lastly, never rely on your password alone. All reputable platforms today should support multi-factor authentication. We should be religious about this.

If you'll follow these three things, your life with passwords will be much better. And perhaps one day, we'll get rid of this pesky, broken system for good."

Ralph Pisani, president, Exabeam 

"World Password Day 2021 is more important than ever as organizations grapple with the new reality of 'work from anywhere' and the fast adoption of the hybrid workplace trend. Cybercriminals will capitalize on any opportunity to collect credentials from unsuspecting victims. Just recently, scammers began preying on people eagerly awaiting vaccinations or plans to return to the office as a means to swipe their personal data and logins, for instance. 

The most common attack technique that I often see in the breach reports that I read is stolen credentials. This is a never ending battle between the security industry and cybercriminals, but there are ways organizations can protect themselves against credential theft. 

Through a mix of educating staff on complex password best practices, security awareness training and investing in machine learning-based security analytics tools, organizations can make it much more difficult for digital adversaries to utilize their employees' usernames and passwords for personal gain. Behavioral analytics tools can swiftly flag when a legitimate user is exhibiting anomalous behavior indicative of compromised credentials. This approach provides greater insights to SOC analysts about both the impacted and malicious user, which results in a faster response incident time and the ability to stop adversaries in their tracks, before they can do damage. 

The pandemic increased the velocity of digital transformation, and cybercriminals are clearly becoming more advanced in parallel. Thus, we must stay hyper vigilant in protecting credentials this World Password Day and beyond."

Ric Longenecker, CISO at Open Systems

"We've come quite a long way in user awareness around passwords, and there’s been a 10x improvement in 10 years in how the general public approaches information security. However, organizations are only as strong as the weakest link – and just as leading tech has started to require better security from their users and also transparency, i.e. Apple forcing 2FA and also providing notifications of logins in a clear way, it’s now time for the enterprise to follow."

Dr. Mohamed Lazzouni, CTO, Aware

"2020 saw a huge spike in cybercrime following the COVID-19 pandemic, and as 2021 progresses the vulnerabilities continue to surge across all sectors. World Password Day was born to popularize some of the best practices in password protection, mainly the need to change passwords, use different ones for different applications and choose complex compositions using letters, symbols and numbers.
 
However, the benefits of varied, long, and complex passwords add to the burden and the anxiety of the user. Luckily, many technologies have progressed significantly to lower the friction without compromising on security. As an example, biometric authentication gained considerable adoption amongst users to simply use face or voice biometrics to unlock devices or sign in to accounts.
 
If users must continue to use passwords, they should ensure they are following password hygiene in order to remain resilient to attacks on their personal information – many of which are not difficult to implement.

  • First, choose challenging passwords using a combination of letters, symbols and numbers.
  • Second, make them long enough and, where applicable, follow the guideline of the site providing password strength feedback.
  • Do not use the same password across multiple accounts. This way, if a password associated with a lower-risk account is breached you prevent the attacker from carrying out additional breaches on higher-risk accounts that hold information such as financial records safeguarded by an often used password.
  • Be cautious of anyone reaching out to “verify” contact information. Knowing definitively who you are providing your information to is critical.
  • Look for security options that include biometrics (face, voice, fingerprint) during verification processes.
  • Avoid sharing sensitive information over e-mail or other non-encrypted methods.
  • Beware of phishing attacks where password reset requests are disguised through websites and phone calls impersonating legitimate businesses or government agencies.
  • And if you suspect you have been a victim of identity theft, immediately notify the concerned parties and authorities to report the incident."

Dave Wagner, CEO of Zix
 
"World Password Day is an excellent time for individuals and businesses to reflect on their current password practices and ensure they are building the safest habits to protect themselves and their company from cybercriminals. Many are under the assumption that if they are taking the steps to create unique passwords for each platform and application, they are secure. But it's not enough.
 
The number of headline-grabbing breaches that have taken place over the last year highlights the critical need for safeguards across the entire company network. While there are a few different ways to protect login credentials beyond a simple username and password, one of the most popular and effective options is two-factor authentication (2FA). Implementing 2FA provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user's phone, email address or through an authenticator app, after entering their username and password. It’s getting easier for cybercriminals to breach even the most complex password, which is why implementing 2FA is critical.
 
Email is a common point of attack because it often contains sensitive and valuable communications. Organizations should also consider implementing an email security solution that conducts a security audit to analyze its admins, users, mailboxes, and rules for vulnerabilities such as outdated passwords so they can be resolved before a breach happens. Organizations should use World Password Day to evaluate their internal Password Policies and send reminders to employees and customers alike about the importance of good password hygiene."
 
Francois Lasnier, Vice President, Access Management solutions, Thales

"With more employees working remotely than ever before due to COVID-19, businesses are at greater risk from a cyber-attack with workers accessing systems outside of the usual company network. As such, this year’s World Password Day is in fact a timely reminder for businesses to drop passwords forever – they are no longer good enough and are the prime resource for hackers to gain access. Instead, companies should roll out access management solutions such as passwordless authentication, which verifies users through other methods like their IP address or whether they are accessing through a device or operating system associated with them. This will overcome the inherent vulnerabilities of text-based passwords, while improving levels of assurance and convenience.

No single solution is enough though, so organisations should also be looking to adopt a Zero Trust model in their approach to authenticating users and certifying their authorisation to access data. This strategy, based on the principle “Never Trust, Always Verify”, views trust as a vulnerability and requires that employees access only the data they’re authorised to, while ensuring they verify who they are each time they want access."
 
Corey Nachreiner, CTO, WatchGuard Technologies

"World Password Day has served as an annual reminder that we all need to practice better password security for nearly a decade. And yet, 80% of breaches began with brute force attacks, or lost or stolen credentials last year. Attackers add millions of new usernames and passwords every day to the billions already available on the dark web. This has been the trend for years now, so at a certain point we have to ask if daily headlines on the latest security breaches and hacks aren’t enough of a cue to practice good password hygiene, is there much value in World Password Day?

Yes, it’s a helpful prompt to use best practices like changing passwords for your accounts regularly, choosing strong passwords or passphrases with at least 16 characters, using a unique password for every account, and leveraging password managers to keep track of them all. But these password security policies should be basic table stakes at every organization by now and should be required and reinforced all year long.

I believe that a "World MFA Day" would be a more powerful and effective observance when it comes to strengthening corporate and individual security. Authentication is the cornerstone of good security, and multi-factor authentication means users must provide at least one additional token on top of their password to log into an account. These authentication tokens are typically something you are (biometric fingerprint or facial scans), something you have (like a hardware key or mobile phone) and something you know (like a password). MFA allows you to ensure that even if an attacker gains access to one of these tokens, like a user password, they’ll be unable to log in without the second (and sometimes third) authentication token. It’s an absolute no-brainer when it comes to addressing the widespread and persistent issues around poor password security and should be a primary focus for both businesses and individual users. So let’s make World MFA Day a reality in 2021!"  

Tom "TJ" Jermoluk, CEO of Beyond Identity

"When World Password Day was established in 2013, the world recognized that passwords were a necessary evil, despite being a flawed and insecure method of authentication. But the root of the problem goes back to the foundation of the 'commercial internet' in the mid-1990s, when Netscape and others enabled widespread access and consumer accounts, prompting a massive need and meteoric rise in password use, and beginning an era of consumer insecurity and exposure.

Fast forward to today and the problem has ballooned. Verizon's 2020 Data Breach Investigations Report (DBIR) revealed that 80% of breaches use stolen credentials, collected either through database leaks or phishing attacks. And even if you follow recommendations for password hygiene, criminals can still get their hands on your password through a range of means - from fraudulent 'phishing' sites to insecure password databases and even commandeering your phone to intercept password reset messages.

The industry has responded by putting an even greater burden - not to mention blame - on consumers, to compensate for what can only be described as complete systemic failure and an unwillingness to upset the market apple cart by refusing to fix the foundational issue. Complexity and user frustration are ever-increasing with forced password resets, cumbersome password creation requirements, and extra steps for multi-factor authentication (MFA). In summary, consumers must expect and demand better of their internet security and end the 'stupid user' blame game. The industry itself is headed in this direction with corporations and groups advocating for the eradication of passwords - but the industry is not moving fast enough, and the technology exists to make change now."

Tim Bandos, CISO (Chief Information Security Officer), Digital Guardian

"While a lot of the coverage about passwords focuses on business users, it's really important not to overlook children and teens in this discussion. They will typically make some of the same types of common mistakes as adults when creating and using online passwords, but there are several that stand out the most for this age group.

One of the worst is sharing credentials with friends, boyfriends/girlfriends, etc. At that age, relationships tend to be shorter in duration and some kids end up using the shared access against each other such as posting inappropriate messages on social media accounts or conducting surveillance over account activity. This type of password-sharing behavior may even stem from early childhood when parents would share their credentials with their kids for accessing devices or online sites. This should be avoided at all costs.

Secondly, kids and teens are exposed to devices everywhere they go from the library, to school, to over a friend's house etc. It's important to avoid entering your credentials on untrusted devices that you do not own, control, or completely trust. Devices in public places should only be used for anonymous web browsing and not for logging into any of your online accounts since passwords can be easily stolen from these types of computers.

Finally, it's important to avoid using personal information when creating any of your passwords. Young kids, and even adults for that matter, want to generate a password that is easy enough to remember. So they'll use their name, birthdate, address, phone number, etc. These are all details that can be either easily guessed or end up further exposing you if a website is ever compromised." 

Blake Hall, Founder and CEO, ID.me

"Passwords continue to plague consumers: How do you prove you are who you say you are online? Secure logins are usually valid for only one organization. People are forced to re-verify and create a new password at each site. We need to solve the password problem and put consumers in control of their own data.

The solution is a portable trusted login.

For example, at ID.me, we’ve developed a secure digital identity network. People use the same login and share their identity as they choose with both public and private sector organizations. Individuals verify their identity only once, and then their login and identity credentials move with them. People get improved access with less friction."

Steve Maloney, Executive Vice President, Acuant

"World Password Day is a chance to raise awareness about the importance of managing and keeping PII (personally identifiable information) secure from the increasing threat landscape. It all comes back to trust. People want to trust in the technology and the providers they choose to do business with for peace of mind.

2021 has already been filled with a myriad of password leaks and breaches and these trends point to the need for businesses to utilize trusted, privacy minded technology. Solutions like verifiable credentials and digital IDs can help, as can the use of cryptography and PKI (public key infrastructure) when appropriate. Securing access credentials through identity verification is critical to consumer safety, and with the technology available today there does not have to be compromise on security versus a good user experience."

James Carder, CSO, LogRhythm

"World Password Day is a timely reminder of how important it is for enterprises to recognize the importance of secure sign-in credentials and its shifting landscape. An estimated 80% of hacking-related breaches can be attributed to lost or stolen credentials, which leads to millions of dollars in financial damages and creates a snowball effect of stolen data. Protecting passwords has become an industry-wide concern that continues to remain an ongoing problem. It is therefore imperative for organizations to prioritize password security by adding in multiple authentication layers, limiting employee privileges and considering passwordless alternatives.
 
Two-factor authentication has been one popular way companies are addressing password and login security. While it’s a helpful and beneficial security step to incorporate, it isn’t without its flaws. Building in an additional security feature does thwart more attacks, but two-factor is also becoming more and more vulnerable to advanced hacking techniques that can steal phone numbers or redirect codes to access accounts.
 
Passphrases that are much lengthier and more effective than passwords are also another option security teams have been implementing. These 20- to 30-character phrases drastically limit brute force attacks, but also have similar pitfalls to passwords. A more interesting future might be a world without passwords or passphrases altogether. Passwordless authentication is picking up steam, with over 150M people currently using passwordless login methods each month. The passwordless option doesn’t necessarily solve this entire security problem, but it would force attackers to extract and replay tokens, a much more difficult process than using brute force for weak passwords, password reuse, phishing, or credential stuffing.
 
Adopting a Zero Trust security model can further help limit password exposure in on-premises or cloud environments, while also ensuring that proper network access is strictly granted to authorized individuals. It’s intended to use several factors to authenticate users (to establish trust) other than a username, password, and overall user profile. And should a compromise occur to user credentials, it’s mostly limited to an isolated, single threaded incident and won’t compromise the network’s system, data, or applications."

Anurag Kahol, CTO, Bitglass

"The dark web contains over 15 billion stolen account logins, including credentials, usernames and password pairs, a massive amount of data that is mostly being offered for free. With most breaches resulting in the distribution of duplicate files that are shared amongst cybercriminals, it makes it incredibly difficult to track down stolen data and find the source of stolen information. While hackers have access to a substantial amount of data that can lead to unauthorized organizational access and data breaches, multi-factor authentication is an effective means of thwarting attacks while bolstering and improving password protections.

Multi-factor authentication requires knowledge (password or pin), a possession (one-time code, ID card or digital key) and inherents (fingerprint or scan) to verify user identity. While digital codes or tokens to a device can potentially end up in the wrong hands, adding another blanket of security like inherents alleviates the risk should a smartphone fall into the wrong hands. Another approach is to use multi-factor authentication paired with contextual access policies (e.g. device, geography) in a step-up fashion. This uses a tiered security system, allowing access to different types of resources that then require additional, stronger verification methods for more sensitive information. By utilizing multi-factor and step-up authentication, enterprises are strategically prepared to protect the high-priority organizational data and user passwords across platforms."

Ashish Gupta, CEO & President, Bugcrowd

"World Password Day is an opportunity to take a step back and examine what the future holds for secure logins. To date, over 600 million passwords have been exposed through data breaches. Needless to say, standalone password protection is an insufficient and ineffective method of protecting organizations and sensitive information. Weak, insufficient and stolen credentials are common causes for breaches and hacks that often result in millions of dollars in damages and data loss. It’s more important than ever before for companies to rely on two-factor authentication that also incorporates additional login tokens or one-time codes to fully obtain access. This adds in another layer of security to help address the password problem, but still hasn’t solved it entirely as hackers can still gain access through authentication code interception techniques and SIM swapping.

While two-factor is a step up from traditional password safety, modern day problems require modern solutions, and passwordless authentication may hold the future key to more effectively securing credentials. Passwordless authentication is an intriguing and hopefully superior option in the near future, but it’s not a standalone panacea for security concerns. Coupling in additional measures such as Zero Trust, crowdsourced cybersecurity and proactive threat detection will keep enterprises secure and information safely protected in the future."


Published Thursday, May 06, 2021 8:27 AM by David Marshall