Did you know that today, May 5th, is World Password Day? The Registrar of National Day Calendar has designated the first Thursday of May each year as World Password Day, meant to promote better password habits - something we could all use, I'm sure. Passwords are critical gatekeepers to our digital identities, allowing us to access online shopping, banking, social media, and private work and life communications.
We use a lot of online services in our daily lives, and we constantly face the possibility of many different types of attacks, which makes digital protection more and more important. So let World Password Day be a reminder that encourages people to protect themselves with strong passwords.
To help get a handle on things, a number of industry security experts have chimed in to share their perspectives and opinions with VMblog readers.
--
Rick McElroy, Principal Cybersecurity Strategist, VMware
“Passwords have been firmly established as the weakest link in an organization’s cybersecurity strategy, and exploiting them is as easy as picking a lock for hackers. I hope that passwords will become a thing of the past very soon. We are already seeing other methods of authentication, such as fingerprint biomarkers and one-time passcodes, being used alongside traditional passwords to ensure robust security measures.
I believe we will begin to see other factors, such as DNA or heartbeat and brainwave biometrics, considered for authentication as well. While these authentication factors are being tested on the battlefield, they may soon be leveraged in the civilian world to verify identity in healthcare or ensure secure access to critical data and infrastructure. Additionally, we’re seeing the emergence of skill-based authentication with devices that scan for specific body movements. This is something like the ‘draw on the grid’ tools that Android phones use to unlock phones – but in 3D space with entire arm or hand and finger movements.
Until we live in a world without passwords, moving away from a central store of identities and leveraging multi-factor authentication will go a long way in bolstering an organization’s security.”
++
Andy Syrewicze, Technical Evangelist at Hornetsecurity
"Despite a TON of new and emerging technologies in the industry that are designed to enable passwordless logins that will help harden user data in the cloud era, the password *remains* the holy grail of hackers everywhere. The primary method attackers use to get ahold of credentials hasn’t changed much either. Low-knowledge, spray-style attacks via phishing are easier than ever to enact. The attacker simply needs a contact list and rented time from a botnet via the dark web and they’ll likely gain access to a number of accounts. When we’re talking scale of tens of thousands of mailboxes, a 1% success rate for the attacker is still a vast number of organizations potentially compromised. Effective and powerful security in your communications stack along with strict Multi-Factor Authentication policies are crucial in protecting your users’ passwords from the bad guys."
++
Kurt Baumgartner, principal security researcher at Kaspersky
"We like to remind people not only to use strong passwords but also to use a different password for every online account. Password reuse may make it easier to remember passwords, but it also makes things far easier for criminals. Once they get their hands on the email and password you use for everything, they can essentially spray those credentials around the internet, in an automated fashion, to efficiently compromise as many accounts as possible. If you’ve been using the same password for years, you can bet that it’s already floating around on stolen databases that are up for sale on the dark web to be used for this purpose. I recommend using passphrases – more than just a single word – that are more than 16 characters. Password managers are a very easy way to create good passwords and keep all of them handy without having to memorize anything. I also recommend always using two-factor authentication where possible, avoiding SMS-based 2FA whenever you can."
++
Candid Wüest, VP of Cyber Protection Research at Acronis
"World Password Day often feels like the cyber groundhog day – warning users once again to use strong and unique passwords on their accounts. Let’s hope we can soon break this loop, as it has become popular for criminal initial access brokers to sell access to businesses on dark market sites. These credentials are often simple passwords or access tokens that have been stolen and never changed.
The fact that most users still use the same weak password across multiple services, without any multifactor authentication (MFA), makes this attack tactic highly successful. According to an Acronis survey, only 52% of IT professionals use MFA on most of their accounts, while for home users it’s just 36%. Organizations should therefore enforce MFA on privileged accounts to limit the impact of phishing attacks. That said, keep in mind that MFA is not a silver bullet against account hijacking. Be sure to also use the principle of least privilege if possible and have a process to deactivate old accounts (e.g. employees who have left the company)."
++
Nabil Hannan, Managing Director, NetSPI
“World Password Day serves as a moment in time for organizations to re-evaluate password security best practices. Today, a strong authentication strategy must include policies for safe password storage, the most important aspect of password security. Additionally, at a bare minimum, every organization should start with multi-factor authentication and build from there. One-time passwords, email verification codes, or verification links are user-friendly and go a long way in effective authentication.
From a user perspective, all staff working within or alongside the organization should be required to use strong, complex passwords that follow NIST’s latest guidelines. Security leaders may also practice the principle of least privilege, where only those who need access to certain information have it. With these best practices, organizations can better bolster protection and set themselves up for success on World Password Day and beyond.”
++
Stephen Cavey, Co-founder and Chief Evangelist, Ground Labs
“Passwords have always been one of the biggest threats to an organization's security posture, with many employees still using the same weak login passwords across several websites, some of which may eventually be compromised. World Password Day serves as an important reminder to continuously evaluate your password security, which is easily overlooked given some of the more prominent cybersecurity challenges today.
At minimum, companies should require employees to enable built-in security features such as biometrics on mobile phones and drive adoption of multi-factor authentication use within all platforms that store important company or customer information, such as personal data. Password managers are another effective way to ensure unique complex passwords are used for each distinct platform or site without needing to remember them.
Getting back to basics like password security is an easy and straightforward step that organizations can take to avoid being the next victim of a data breach. Whilst password security may not be the main focus of your organization, it can result in considerable consequences if left ignored.”
++
Mike Scott, CISO, Immuta
“World Password Day presents an opportunity to reflect on the strength of passwords and to determine whether they provide adequate security against today’s evolving cybersecurity landscape. With over-privileged users continuing to rank as one of the biggest risks to organizations (according to the 2021 Verizon Data Breach Report) the need for strong, unique passwords has never been more pressing.
Today, many organizations default to giving employees more access to data and privileges than they need. While this is done with good intentions to foster collaboration, encourage innovation, and ease administrative burden, most of these accounts that they have access to are only protected with a simple password that is often short, predictable or re-used, making it easy for attackers to crack them. To ensure compromised passwords do not result in attackers gaining easy access to sensitive data, it’s imperative that employees continue to follow password best practices including password diversification across accounts, leveraging multi-factor authentication, and password complexity.”
++
John Xereas, Executive Director, Technology Solutions, Raytheon Intelligence & Space
“In keeping with the security changes in both policy and strategy, zero trust considerations need to factor into how password management solutions are implemented and managed. Zero trust assumes that hackers will get in. With that understanding, even the strictest of password enforcement technologies alone do not offer enough protection. The best bet these days for password security is a fusion of multi-attribute security solutions which offer a multi-level capability that only zero trust can achieve.”
++
Janer Gorohhov, CPO & Co-Founder, Veriff
“Reports of fraudulent activity and data breaches are skyrocketing across industries, making it clear that even lengthy and complex passwords no longer deter hackers or bad actors. To maintain customer trust, organizations must look to alternative measures to protect their customers’ identities and data. The future of internet safety will require replacing passwords with face match and biometric technologies as these innovations advance, allowing more organizations to treat people’s “identity” as a password itself. This creates a barrier that is much more difficult for an intelligent and determined bad actor to bypass.”
++
Manoj Srivastava, General Manager of ID Agent and Graphus
"World Password Day is a good reminder for IT professionals to take a closer look at the security of their environment. Though having the right security solutions in place is crucial, it’s often the small habits that can make or break an organization’s security posture. One of the most important things an organization can do is foster a security-first culture that provides employees with the “why” behind aspects like multi-factor authentication (MFA) and frequent password changes that can often seem like a hindrance to their productivity. Short, frequent security awareness training around topics like the importance of strong passwords and why to use a password manager can help break employee bad habits that threaten the entire IT environment.
When assessing their technology stack, IT professionals should look for identity and access management (IAM) solutions that combine single sign-on (SSO), MFA and password management to ensure better protection against cyberthreats. Organizations should discourage reuse of passwords and set strong password requirements for the solutions that employees use daily to avoid the use of some of the most common passwords like 123456 or password—which unfortunately are still frequently used, according to data from ID Agent."
++
Dan Conrad, AD Security and Management Team Lead, One Identity
"The question of what to do about passwords revolves around authentication. On this World Password Day, enterprises should recognize that if they are solely relying on passwords alone for authentication, then problems are bound to arise.
Authentication is changing as developers are adapting and learning what can be trusted. Users, employees, and consumers have matured to the point where strong authentication is critical to protect their information and assets. For example, most authentication in the U.S. Military and Federal Government is through smart card authentication. This was mandated in 2004 and was a crucial leap forward in preventing account compromise for critical infrastructure.
Especially with the rise in popularity of cryptocurrency, identity security should not be dictated with just a username and password. Multifactor authentication is essential and plays a strong role in security enterprises, whether that’s from a push-to-authenticate method or using biometric authentication such as fingerprinting."
++
Kevin Lee, VP of Trust and Safety, Sift
"Account takeovers (ATOs) are plaguing digital businesses and consumers, with attacks surging 307% between 2019 and 2021. Cybercriminals have been able to take ATOs to new and sustained heights due to poor password hygiene. And it’s happening at scale, with fraudsters using automation to steal stored account value, payment information and other personal data from thousands of accounts at one time.
Sift’s research team, for example, discovered a sophisticated fraud ring, dubbed Proxy Phantom, that was using bots to overwhelm merchants. Using a massive cluster of rotating IP addresses paired with credential stuffing attacks, the group used 1.5 million stolen credentials to flood businesses with bot-based login attempts to conduct as many as 2,691 attempts per second.
This new level of sophistication coming from fraudsters has driven fraud teams to actively seek out passwordless alternatives to more securely and seamlessly authenticate users. Legacy account security approaches, like passwords, and knowledge-based authentication, are no longer enough to effectively verify users and consistently defend against fraudulent logins. Customers should be free to permanently ‘forget’ their passwords. If a business can’t grant that freedom, customers may take their business elsewhere.
As we look into the future of account-based security on World Password Day, companies need an intelligent approach that verifies users, secures accounts and stops ATOs. Through passwordless authentication solutions, trust and safety teams can have forward-looking security protocols that address businesses' account security needs and stop ATOs in their tracks."
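The spray-style phishing campaigns Syrewicze describes, the automated credential spraying Baumgartner warns about, and the rotating-IP credential stuffing in Sift's Proxy Phantom account all leave the same two shapes in an authentication log: one source failing against many accounts, or one account failing from many sources, often at a rate no human produces. The following is an added example, not code from VMblog or from any of the vendors quoted; the log format, field names, addresses (RFC 5737 documentation ranges) and the threshold of five distinct accounts or sources are all assumptions made for the illustration.

```python
"""Constructed example: spotting password spraying and credential stuffing
in authentication logs.  Added for illustration; not code from VMblog or
from Hornetsecurity, Kaspersky or Sift.  The log format, field names,
addresses and thresholds are assumptions made for this example."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed log format, one authentication attempt per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log.  Source addresses come from the RFC 5737
# documentation ranges and belong to nobody.
SAMPLE_LOG = """\
2022-05-05T10:00:01Z login user=alice src=192.0.2.10 result=ok
2022-05-05T10:00:05Z login user=alice src=203.0.113.7 result=fail
2022-05-05T10:00:05Z login user=bob src=203.0.113.7 result=fail
2022-05-05T10:00:05Z login user=carol src=203.0.113.7 result=fail
2022-05-05T10:00:05Z login user=dave src=203.0.113.7 result=fail
2022-05-05T10:00:05Z login user=erin src=203.0.113.7 result=fail
2022-05-05T10:00:06Z login user=frank src=203.0.113.7 result=ok
2022-05-05T10:00:09Z login user=victim src=198.51.100.1 result=fail
2022-05-05T10:00:09Z login user=victim src=198.51.100.2 result=fail
2022-05-05T10:00:10Z login user=victim src=198.51.100.3 result=fail
2022-05-05T10:00:10Z login user=victim src=198.51.100.4 result=fail
2022-05-05T10:00:11Z login user=victim src=198.51.100.5 result=fail
this line is not a login record
"""


def parse(text):
    """Return (events, malformed_count); lines that do not match are counted, not parsed."""
    events, malformed = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            malformed += 1
            continue
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            malformed += 1
            continue
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"], "result": m["result"]})
    return events, malformed


def detect(events, distinct_threshold=5):
    """Flag the two shapes the quotes describe:
      * one source failing against many accounts (spray / stuffing source)
      * one account failing from many sources (rotating-proxy stuffing)
    plus any success from a flagged source, which is the alert worth paging on."""
    failed_users_by_ip = defaultdict(set)
    failed_ips_by_user = defaultdict(set)
    attempts_per_second = Counter()
    for e in events:
        attempts_per_second[e["ts"]] += 1
        if e["result"] == "fail":
            failed_users_by_ip[e["ip"]].add(e["user"])
            failed_ips_by_user[e["user"]].add(e["ip"])
    spraying_ips = sorted(ip for ip, users in failed_users_by_ip.items()
                          if len(users) >= distinct_threshold)
    targeted_users = sorted(u for u, ips in failed_ips_by_user.items()
                            if len(ips) >= distinct_threshold)
    flagged = set(spraying_ips)
    suspicious_successes = [(e["user"], e["ip"]) for e in events
                            if e["result"] == "ok" and e["ip"] in flagged]
    return {
        "spraying_ips": spraying_ips,
        "targeted_users": targeted_users,
        "suspicious_successes": suspicious_successes,
        "peak_per_second": max(attempts_per_second.values(), default=0),
    }


def analyze(text, distinct_threshold=5):
    """Parse a log and run detection; the malformed-line count is kept for data-quality checks."""
    events, malformed = parse(text)
    report = detect(events, distinct_threshold)
    report["malformed"] = malformed
    return report


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In production the per-second counter would be compared against a learned baseline rather than printed as a peak, and the threshold would be tuned per application; the point of the example is that a single success from an address already seen failing against several other accounts deserves more attention than any individual failure.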
++
Don Boxley, Co-Founder and CEO, DH2i
"On World Password Day, we are not only reminded of the importance of an effective password strategy, but of data security overall. In the face of increasingly prevalent and aggressive cyberattacks, such as ransomware and other malware, the criticality of data security has been pushed aggressively to the forefront. And while few would argue the need for a rock-solid password strategy, most would agree that this is just a first step. The next is to ensure secure network connectivity. Today more than ever, almost every organization has remote users and third parties who need to be able to connect to cloud or on-premises applications from wherever they are – the airport to the home office to the local coffee shop.
Unfortunately, traditional VPNs for remote users rely upon complex, expensive and less-than-secure network-to-network approaches. So, what is the solution? The answer is a new and reliable approach to networking connectivity – the Software Defined Perimeter (SDP).
This approach enables you to build a secure software-defined perimeter and use Zero Trust Network Access (ZTNA) tunnels to seamlessly connect all your applications, servers, IoT devices, and users behind any symmetric NAT to any full cone NAT: without having to reconfigure networks or set up complicated VPNs."
++
Chris Hallenbeck, CISO for the Americas, Tanium
"Passwords have been basic cyber hygiene 101 for decades. But the fact is, they are no longer a viable method of security amid today’s rising attacks. Hackers launch an average of 50 million password attacks every day, or about 580 per second. And approximately 60% of data breaches are attributed to compromised credentials.
Big tech is already transitioning away from passwords – take Microsoft, Google and Apple, for example – and toward more high-tech solutions like biometric logins and facial recognition software. However, passwords are likely to remain for a little while longer. And with the average cost of a data breach estimated at $4.2 million, we must continue to embrace them to avoid becoming the target of the next big breach.
Proactively using strong password management and multi-factor authentication (MFA) remain best practice, and have become commonplace for consumers, employees and organizations alike. MFA effectively protects against “credential stuffing,” where hackers reuse stolen passwords to launch attacks, and while a good first step, simply isn’t enough to ensure security given today’s threat landscape. That said, this World Password Day, consider changing your passwords and revisit your cyber hygiene habits to protect your information."
++
Keith Neilson, Technical Evangelist at CloudSphere
"When it comes to protecting business data and enhancing overall security, passwords play a critical role. World Password Day serves as a reminder for enterprises to use stronger passwords as a safeguard. Allowing databases to be accessible without even basic password protection is an all-too-common source of data leaks, but it is easily preventable with solutions that provide security guardrails and automated remediation of such misconfigurations.
However, instead of putting emphasis primarily on the best practices for passwords, we must shift the attention over to secure access and next-generation authentication. This involves the development of new and improved alternatives to password management, which will need the implementation of robust cyber asset management systems. Cyber asset management that enables authentication will become a greater priority when challenging authentication methods such as behavioral biometrics and liveness detection become more prevalent, since they need a far more sophisticated collection of cyber assets and rules.
In the end, World Password Day is a good occasion to observe the importance of strong passwords and password protection as part of overall security. While newer ways will undoubtedly replace the traditional password, they will continue to be used as a fallback and ‘master key.’ Enterprises will increasingly adopt more advanced authentication methods and the cyber asset management capabilities that support this evolution."
++
Corey Nachreiner, CSO at WatchGuard Technologies
"World Password Day continues to serve as an annual reminder that we all need to practice better password security, and despite rumors that password-less authentication will kill the password, I’m confident the password is here to stay for decades, necessitating this continued attention.
According to Verizon’s 2021 Data Breach Investigations Report, 61% of breaches leverage stolen or leaked credentials. Attackers continue to add millions of new leaked credentials to the billions already available on various undergrounds and the dark web. This trend has continued for years now, which is why World Password Day is still important. Password-less authentication has become more accurate in the last few years, with Microsoft officially supporting password-less only options in Windows 10 and 11. However, passwords will not die that easily with countless use cases still requiring them and most Windows organizations still using them. For that reason, you still need to follow password best practices. These include choosing strong passwords or passphrases (I like actual short sentences) with at least 16 characters, using a unique password for every account, and leveraging password managers to keep track of them all.
However, the most important authentication best practice in this day and age is to use Multi-factor authentication (MFA), which is why I believe that a ‘World MFA Day’ would make a more powerful and effective observance to strengthening digital identities. Unfortunately, some password-less options suffer from the same issues as passwords do. The crux is no single factor of authentication will ever be perfectly resilient to an attack. Passwords can get lost or stolen, as can digital certificates and keys. Biometrics have been repeatedly hacked and bypassed; even hardware tokens have been defeated. Some password-less methods may not include a password but still only rely on a single factor of authentication. The only way to slow down authentication attackers is to combine multiple factors of authentication, like something you are (biometric fingerprint or facial scans), something you have (like a hardware key or mobile phone) and something you know (like a password). MFA allows you to ensure that even if an attacker gains access to one of these tokens, like a user password, they’ll be unable to log in without the second (and sometimes third) authentication token. It’s an absolute no-brainer when it comes to addressing the widespread and persistent issues around poor password security and should be a primary focus for both businesses and individual users. We didn’t quite succeed in 2021, but I still say we should make World MFA Day a reality in 2022!"
++
Darren James, Head of Internal IT, Specops
"Chances are, your password looks a little something like this – Password123! – a capital letter, followed by some lowercase letters, numbers, and a special character. On this World Password Day, it’s important for businesses and consumers to know that it is no longer enough to use a mix of capital and lowercase letters, numbers, and special characters – in fact, 68% of passwords used in attacks contain at least two character types, according to recent Specops research. Here are a few rules of thumb for choosing strong passwords:
• Instead of a password, choose a passphrase – 3 random words that mean something to you but would be meaningless – and therefore difficult to guess – to anyone else.
• Better yet, use a password manager and generate passwords that even you can’t guess. The longer and more complex a password is, the harder it will be to guess.
• Check passwords against breached password lists. There are a number of consumer and enterprise services available that will notify you when your password has been compromised in a breach. Check any old or new passwords against these lists and change your password in the event it has been compromised.
• Use multi-factor authentication. There are billions of passwords available on the dark web, meaning that even if you do choose the world’s most unguessable password, there is still a chance hackers will find it. MFA provides an extra layer of account protection so that hackers won’t be able to access your sensitive data even in the event they do find your login credentials."
++
Ashish Gupta, CEO and President at Bugcrowd
"World Password Day is an opportunity to take a step back and examine what the future holds for secure logins. To date, over 600 million passwords have been exposed through data breaches. Needless to say, standalone password protection is an insufficient and ineffective method of protecting organizations and sensitive information. Weak, insufficient, and stolen credentials are common causes for breaches and hacks that often result in millions of dollars in damages and data loss. It’s more important than ever before for companies to rely on two-factor authentication that also incorporates additional login tokens or one-time codes to fully obtain access. This adds in another layer of security to help address the password problem but still hasn’t solved it entirely as hackers can still gain access through authentication code interception techniques and SIM swapping.
While two-factor is a step up from traditional password safety, modern-day problems require modern solutions, and passwordless authentication may hold the future key to more effectively securing credentials. Passwordless authentication is an intriguing and hopefully superior option in the near future, but it’s not a standalone panacea for security concerns. Coupling in additional measures such as Zero Trust, crowdsourced cybersecurity and proactive threat detection will keep enterprises secure and information safely protected in the future."
++
Joseph Carson, chief security scientist and Advisory CISO at Delinea
"World Password Day is a time to stop and reflect on current password hygiene. Passwords remain one of the biggest cyber challenges for both consumers and businesses around the world as a poor password choice can make it extremely easy for cybercriminals to steal and spy on your data. As humans, we continually gravitate towards creating passwords that are easy to remember and simplistic. Incorporating a birthday or special date within a password is a common denominator, one that cybercriminals are all too aware of. Dangerously, we continue to leave it up to humans to create strong and secure passwords, despite the fact that most people have already been victims of borderline password disclosures from a person’s history of password choices. Having already had your previous password decisions and choices exposed means that an attacker can simply take that as the baseline and from there create variations of that. An effective password should include passphrases, a sequence of random words for added security. Regular consumers should consider deploying and utilizing a password manager to enhance and regularly rotate their log-in credentials.
For organizations, a password manager should be a default implementation. If you are a business leader then you must move beyond just having password managers and start using privileged access security to control and protect privileged access. Privileged access security will help automate, rotate and secure your passwords for you and your business, eliminating a significant amount of cyber fatigue. Taking it a step further, organizations should look beyond just their internal password hygiene and take a deeper dive look into their suppliers and contractors to ensure password protection. Are they using a password manager, do they have MFA deployed and how do they protect access to their privileged accounts? We’ve seen the catastrophic domino effect that one poor password choice can have within a supply chain.
Organizations can enhance their password posture by understanding that security starts with the social network around you. Why not encourage your employees' families to use a password manager and reward them? They see that you're not just taking care of the company but that you're actually extending security to the social sphere, so that their family and kids can even extend to using password managers and reduce the threats, because attackers can and will target them first as stepping stones to get into your organization. So it makes you think, why not extend your perimeter to the social sphere around the organization. Your supplier, your contractor, partners, your customers and everybody."
++
Mike Parkin, Senior Technical Engineer at Vulcan Cyber
"Passwords are one of those things that haven’t been up to the job for years, but no one’s presented a solution that works better and people are willing to accept. As computing power’s gone up, the requirements for a password to be considered “secure” have gotten longer and more complex to the point where users are tired of dealing with them. Pass-phrases are easier to remember, but who wants to type a full sentence every time they log in? Given length and complexity requirements, it’s no wonder we still see passwords written on sticky notes around screens and under keyboards.
Multi-factor authentication schemes can go a long way to fixing the problem. Even if an attacker has an ID and password, they can’t get in without that physical or biometric factor. Unfortunately, a lot of users find them inconvenient or too technically challenging to use for everything that needs it. Hopefully, World Password Day will give people enough of a nudge for them to adopt both good password hygiene and multi-factor authentication for day-to-day use."
++
Hank Schless, Senior Manager, Security Solutions at Lookout
"Last year, there were 1,862 data breaches according to the Identity Theft Resource Center’s 2021 Annual Data Breach Report. That is an all-time high and a 68% increase over breaches in 2020. According to Lookout, the leader in delivering integrated Security, Privacy, and Identity Theft Protection solutions, 80% of people’s emails are leaked on the dark web as a result of data breaches.
When data breaches happen, passwords for online accounts are also commonly leaked, leaving consumers at risk for identity theft. In order to keep your information safe Lookout has shared the top 20 passwords found on the dark web.
Top 20 Passwords Found On Dark Web:
1. 123456
2. 123456789
3. qwerty
4. password
5. 12345
6. 12345678
7. 111111
8. 1234567
9. 123123
10. qwerty123
11. 1q2w3e
12. 1234567890
13. DEFAULT
14. 000000
15. abc123
16. 654321
17. 123321
18. qwertyuiop
19. Iloveyou
20. 666666
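Hannan's reference to NIST's latest guidelines, James's advice to check passwords against breached-password lists, and the Lookout top-20 list above all describe the same verifier-side check: reject secrets that are too short, that appear on a list of commonly used passwords, or that are already in a breach corpus. The following is an added example, not code from VMblog, NetSPI, Specops or Lookout, showing how such a check can be built in the spirit of NIST SP 800-63B. The blocklist is exactly the twenty entries Lookout lists; the breach corpus, its hit counts, the range-lookup function and the sample candidate passwords are constructed stand-ins for a real breached-password service.

```python
"""Constructed example: a memorized-secret check in the spirit of NIST SP 800-63B.

Added for illustration; not code from VMblog, NetSPI, Specops or Lookout.
It applies three checks: a minimum length with no composition rules, a
blocklist of commonly used passwords (the twenty Lookout lists above), and
a lookup in a breached-password corpus using the k-anonymity range scheme,
in which only the first five hex characters of the SHA-1 hash are sent and
the rest is matched locally.  The corpus and its counts are constructed."""
import hashlib
import unicodedata

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LENGTH = 64   # SP 800-63B: verifiers must accept at least 64 characters

# The twenty most common leaked passwords as listed by Lookout on this page,
# compared case-insensitively (so DEFAULT and Iloveyou are stored lowercase).
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "12345", "12345678",
    "111111", "1234567", "123123", "qwerty123", "1q2w3e", "1234567890",
    "default", "000000", "abc123", "654321", "123321", "qwertyuiop",
    "iloveyou", "666666",
}


def sha1_hex(password):
    """Uppercase hex SHA-1, the digest form the range scheme is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: (plaintext, number of times seen).  A real
# service indexes hundreds of millions of hashes; this indexes a handful.
_CONSTRUCTED_BREACHES = [("Password123!", 1234), ("letmein", 500),
                         ("Summer2021", 42), ("hunter2", 7)]
_RANGE_INDEX = {}
for _plain, _count in _CONSTRUCTED_BREACHES:
    _digest = sha1_hex(_plain)
    _RANGE_INDEX.setdefault(_digest[:5], []).append(f"{_digest[5:]}:{_count}")


def range_lookup(prefix):
    """Stand-in for the range endpoint: takes a 5-hex-char prefix and returns
    every "SUFFIX:COUNT" line under it.  The prefix is all a client sends,
    so the service never learns the full hash, let alone the password."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be five uppercase hex characters")
    return list(_RANGE_INDEX.get(prefix, []))


def breach_count(password):
    """How many times the password appears in the (constructed) breach corpus."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def check_password(password):
    """Return the reasons to reject the password; an empty list means accept."""
    pw = unicodedata.normalize("NFKC", password)   # SP 800-63B normalisation step
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password blocklist")
    seen = breach_count(pw)
    if seen:
        reasons.append(f"seen {seen} times in the breach corpus")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: a passphrase, a blocklisted entry, James's
    # "Password123!" pattern (seeded into the corpus above), and a short one.
    for candidate in ["purple otter kayak thunder", "qwertyuiop", "Password123!", "1q2w3e"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

The real-world equivalent of `range_lookup` is the Pwned Passwords range API operated by Have I Been Pwned, which uses the same five-character SHA-1 prefix scheme; swapping the stand-in for an HTTPS call to it is the only change needed. Note what the check deliberately does not do: it imposes no character-class rules and no periodic rotation, both of which SP 800-63B advises against, and it accepts a long multi-word passphrase of the kind James and Costa recommend.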
++
Lamont Orange, CISO, Netskope
"Over the past year, organizations and individuals have almost completely adapted to operating within a flexible—and highly distributed—virtual environment. However, even though organizations are more well-adjusted to this digital lifestyle, the use of cloud tools and applications are still major contributors to threats against an organization's security infrastructure. Organizations’ security teams must remain vigilant. Ensuring that the correct individuals have visibility over network activity and can utilize remote access controls is critical. Organizations need to make certain that neither remote work nor the use of BYOD practices is allowing the exposure of sensitive company data. World Password Day serves as a great reminder that even though operations have been streamlined to accommodate the new world of work, user access/authentication and data protection are still very present security sensitivities that must be kept top of mind."
++
Bud Broomhead, CEO at Viakoo
"For both individuals and organizations, password management done poorly can leave the doors open to threat actors – with devastating consequences including loss of reputation, data exfiltration, and distribution of malware. But to be clear, organizations face orders-of-magnitude more consequences from poorly executed password strategies, and must face a massively harder task because of the scale of passwords used in an organization.
The cost to an organization from being breached is on average $8.19M, versus $225 for an individual; an astounding 36,000 times more costly. And unlike an individual, organizations have hundreds or thousands more devices and systems that require an effective password policy with every device running a unique password that meets strength and reusability requirements. Corporate environments containing multiple forms of IoT devices have another challenge: there are many parts of the organization who manage IoT devices, and sometimes even non-employees. Take the case of an external contractor installing new Point of Sale (POS) systems in a retailer; will they take the extra time to understand your company’s policies and set appropriate passwords, or will they install the system and leave the default vendor-provided passwords in place? Or other IoT devices like smart lighting systems that the Facilities team has installed and updated passwords on, but they use the same password on all of them (and leave it posted on a sticky note in the breakroom).
This World Password Day, Viakoo’s advice is to bring unmanaged and IoT devices into compliance; use automated methods to ensure all devices are following corporate password policy, which provides focus to quickly fix devices that are non-compliant."
++
Marcin Kleczynski, CEO of Malwarebytes
"Whereas access to the corporate network could once be protected by a single level of security, this approach can and should no longer be followed in this way. If employees are given full access to the corporate network via a username and password, it is like giving cyber criminals the proverbial key to the lock. Whether via key loggers, credential interception malware or spear phishing, cybercriminals have developed a wide range of sophisticated methods to access credentials. Home office and mobile working models further compromise the security of credentials. The large number of new, potentially vulnerable access points to the network has weakened security measures in many companies. Cybercriminals know this. Not surprisingly, compromised credentials are cited as the most common cause of corporate security incidents. So it's more important than ever that businesses rethink the way they protect credentials and embrace contemporary approaches to credential security."
++
Jose Costa, CISO of Tugboat Logic by OneTrust
"Start using pass-phrases instead of passwords. The reason is that it is easier for a machine to guess words made up of symbols and special characters and harder for humans to remember. Hackers will always use technology to guess passwords so you want to make your password as hard as possible to guess but also easy to remember for you. The best strategy is to create longer passwords made up of a combination of words that are unrelated to each other. Consider using at least 4 words, don’t choose quotes or sayings (try to make the words as random as possible).
Use a unique passphrase for every account you own. That way, if one passphrase is ever exposed, the other accounts remain secure. If you are having a hard time keeping up, consider using a password manager.
If given the option, always use multi-factor authentication (MFA). If you are not familiar with MFA, it is basically a mechanism to make sure that you are the right person using the credentials. It means that you need to use a combination of evidence to demonstrate who you are from one of these categories: something you know (i.e. pass-phrase), something you have (i.e. an app on your phone) or something you are (i.e. your fingerprint)."
++
Tom "TJ" Jermoluk, CEO of Beyond Identity
"On World Password Day this year, let’s endeavor to eliminate passwords. They are the root cause of most cyberattacks – from account takeovers to ransomware to advanced persistent threats – so we have the opportunity to eliminate the single largest attack vector we face. As cybersecurity professionals, we need to stop training and blaming users and put the onus on us, and organizations that have not yet taken steps to adopt secure, passwordless authentication. Solutions are currently available that leverage standards developed by the FIDO Alliance and use other approaches that replace passwords with secure forms of authentication. So let’s mark World Password Day 2022 by committing to eliminate passwords, and all easily phishable authentication factors. We can and should eliminate the risks they impose on our customers and our companies."
++
Zane Bond, Director of Product Management at Keeper Security
"Password protections have come a long way since 1961 when MIT created the first computer password, yet credentials are a popular attack vector for bad actors to hack into organizations. The need for strong credentials continues to escalate along with new threats, but now, even the most frequently updated and strongest credentials can be stolen.
The evolving threat landscape, coupled with the proliferation of connected devices, data and apps spread across an increasingly complex, distributed network environment, is creating the need for sophisticated password protections and Identity Access Management (IAM) software and systems.
At a time when every aspect of work and life is becoming digital, it’s surprising how unsophisticated most systems still are. After 60+ years of using passwords to verify identity – and 35 years since two-factor authentication was first adopted – we have the technology to make passwords secure, and easy to manage, and to eliminate the hassle of remembering passwords. This year Password Day should be a call to take advantage of the tools to make passwords better and more secure for everyone."
++
Rick Negrin, Vice President of Product Management, SingleStore
"Right now, dedicated technology professionals are striving for a world without passwords. New innovations in facial recognition, biometrics and two-factor authentication will help secure us from growing cyber threats, while eliminating the need to memorize or jot down those cumbersome, clunky, confusing passwords.
On this World Password Day, everyone should update their passwords, create unique ones for every account, and add a secondary level of security like two-factor authentication. Until we can operate without passwords, we should make it nearly impossible for hackers to take advantage of our data, money, and livelihoods."
++
Peter Tsai, Head of Technology Insights, Spiceworks Ziff Davis
"The pandemic-driven shift to remote work made it common for corporate devices to operate from insecure home environments. Increasingly, to add additional layers of security, businesses are turning to multi-factor authentication, in addition to passwords. SWZD’s State of IT report revealed that plans to use hardware-based authentication jumped from 54% of businesses in 2020 to 68% in 2022. Additionally, plans to adopt biometric authentication grew from 39% of businesses in 2020 to 46% in 2022."
++
Clara Angotti, Co-founder and President, Next Pathway
"As consumers, nearly every activity we participate in involves logging in to a site using a password, whether on our smartphone or on a computer. Until we are the victims of a breach, we take it for granted that our information will be safe. But World Password Day is a good reminder that we need to be diligent about safeguarding our passwords to ensure our precious information doesn’t fall into the hands of malicious agents. Hackers have become increasingly sophisticated; cyber threats are on the rise. The U.S. government has recently warned its citizens to be on the alert from such attacks implemented by Russia. With cyber criminals becoming more pervasive and their attacks more severe, I wonder how much longer passwords will remain in existence. Perhaps it’s time to replace traditional passwords with tools like biometric identity verification, such as iris, facial or voice recognition, to ensure the safety of our information."
++
Brian Pagano, Chief Catalyst and VP at Axway
"On this World Password Day, we would like to call on everyone to pledge to abandon the old faith in passwords. You can tell if an IT department is not evolving if you are required to frequently change your password (this practice has been shown to decrease security and has largely been abandoned). With technologies like biometrics, and two-factor authentication, we are evolving towards a world where we would not solely rely on passwords. However, until we reach that point, we need to keep in mind to not use the same passwords for all our accounts. If possible, set a data cleanse day where you make sure all your cookies are cleared, and history is cleaned. This will help in making sure that your data is secure. Always remember that anything written down could appear in public—so think before you type."
++
Ricardo Amper, CEO, and founder of Incode
"Consumers today are using their smartphones for dozens of activities - from banking to shopping and sending personal information - all while using passwords that are simple to compromise. With cyberattacks and data breaches more prevalent than ever, the idea of a “password” is becoming increasingly obsolete. They are time-consuming to retrieve, easy to forget and create a less than ideal customer experience. According to a study by Incode, consumers say that updating/creating and remembering passwords is one of the most irritating things when proving their identity online.
On this World Password Day, we recommend implementing a new version of the “password” to ensure optimal security and customer experience: identity verification via biometrics. Using biometric technology to verify someone’s identity instead of passwords can eliminate friction and is more accurate and secure than other mechanisms. Your face is your unique digital identity and is more challenging for cybercriminals to hack. As the shift to a digital-centric era continues, I expect in less than five years’ time our faces will become our passwords - and ultimately create more trust between consumers and the sites they use."
++
Dave Martin, Vice President, Managed Detection and Response, Open Systems
"Today’s threat landscape has historic implications, and both businesses and individuals must safeguard their assets and organizations with more than just a password. While best practices for passwords themselves include using unique, complex passwords, this is not enough: it is absolutely imperative to involve another level of security provided through multi-factor authentication. Multi-factor authentication methods better control who has access to sensitive information, as well as mitigating fraud.
As we look to build a more secure digital future, it will be more important than ever to adopt additional security mechanisms beyond a unique password. In some organizations, this requires a culture shift and more education for users on the importance of password best practices, effective multi-factor authentication and consistent security hygiene."
++
Miles Hutchinson, Chief Information Security Officer, Jumio
"When it comes to protecting business data and enhancing overall security, passwords play a critical role — but not the one you might think. World Password Day highlights the importance for enterprises to use more robust, secure and reliable authentication methods that go far beyond passwords. Passwords are one of the top vulnerabilities for organizations, especially those that deliver privileged access to organizational systems or networks. Sixty-one percent of data breaches in 2021 were attributed to leveraged credentials, according to Verizon. Traditional authentication methods are no longer reliable and secure, therefore it is crucial for organizations to adopt new authentication methods by leveraging AI coupled with biometrics.
Traditional authentication measures like knowledge-based authentication (KBA) and SMS out-of-band authentication can be vulnerable to imposters, credential phishing, large-scale data breaches, dark web user data dumps and man-in-the-middle attacks. Selfie and video-based authentication allows for organizations to leverage biometric user data captured during enrollment and to re-verify that data in the future, effectively combining identity proofing and ongoing authentication in one solution. By leveraging AI and biometric data for initial identity proofing and ongoing user authentication, organizations can protect their business from fraudsters and provide users with an online experience that is fast, secure, accurate and easy to use, thus replacing traditional passwords altogether."
++
Dirk Schrader, VP of Security Research at Netwrix
"We often hear about so-called 'strong' passwords and how difficult it is for cybercriminals to discover them or brute force them, based on their length and complexity. In the meantime, the prevailing sentiment in the cybersecurity space is that passwords are becoming a thing of the past due to the spread of multi-factor authentication (MFA) and implementation of biometrics as an access code.
The truth is somewhere in between. MFA and the requirement of a secondary verification method through a separate communication channel are significant security enhancements for important data. However, this approach adds another level of complexity not only to the attacker but to the user. A one-time password via SMS is easily tolerated when it comes to a user’s personal bank account but becomes annoying if they need to verify their access rights this way 30 times a day. This is what we call cybersecurity fatigue. Security administrators should not overlook this and should consider it as a threat vector.
Passwords will therefore not disappear because of the human factor. They are here to stay for non-sensitive or, let’s say, not-that-sensitive accounts. IT teams shouldn’t neglect employee training to nurture the proper cyber hygiene among their fellow colleagues. Every user has to take the same precaution with passwords as with the keys to their home: do not share them, keep an eye on them, and change the lock in case of loss.
The National Institute of Standards and Technology (NIST) suggests that companies use a password manager to help their employees and stakeholders encrypt and generate strong passwords. NIST password guidelines say you should focus on length, as opposed to complexity, when designing a password. Paradoxically, using complex passwords (adding special characters, capitalization, and numbers) may make it easier to hack your code, and this mostly has to do with user behavior. Complex passwords are harder to remember, which means users may need to update their passwords more often, making minor changes, which makes them easier prey for cyber attacks. NIST requires an 8-character minimum for passwords."
++
George Gerchow, Chief Security Officer, Sumo Logic
"Recent reports indicate a need for organizations to prioritize password protection and security as insider threats continue to impact organizations. World Password Day provides a perfect opportunity for organizations to address these needs. Here are a few steps organizations can take to prioritize password safety.
- Password Vaults: As the world adjusts to a hybrid work model, companies must provide employees with a password vault. Employees who work from home typically balance the use of personal and professional passwords throughout their workdays. With one single, trusted login or password program, vital work and personal data and information can securely live in one location.
- Passphrases: To help prevent threat actors from stealing passwords, organizations should utilize passphrases – passwords that are different phrases rather than similar names and numbers. Passphrases are more difficult to crack as they don’t necessarily have to pertain to the user, contain more letters and numbers, and provide more opportunities to toggle between capital letters.
- Biometrics: The future of passwords is biometrics; it provides a more secure and trusted method for storing sensitive data. Companies like Apple have already proven that passwords can be replaced through the implementation of digital identity, and organizations should look to follow suit. Biometrics will never be 100% perfect, but it removes the need for multiple passwords or passphrases, and provides improved account security and a single, trusted login for all accounts."
++
Avi Shua, CEO and Co-Founder, Orca Security
"With an ever-widening threat landscape, organizations must be able to find all passwords and secret keys that have been mistakenly stored within their cloud estates and pose grave security risks if stolen. Our research team recently found that 1 in 3 customer organizations provided root admin access to cloud accounts without MFA in place, showing the damage one password could create.
Organizations should use modern entitlement mechanisms that don’t rely on passwords within their cloud accounts and internet connected systems. By not practicing sound password management, they put themselves at risk of serious security breaches. It is critical that security teams harness tools and approaches to monitor their cloud accounts for risks, including misplaced passwords, to protect against theft and educate others around them on this importance to avoid preventable mishaps."
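The hunt for passwords and secret keys "mistakenly stored" that Orca describes can be started with a simple pattern scan over configuration and deployment files. The following is an added example written for this page, not Orca's tooling: it scans constructed sample files for the access key ID that AWS itself publishes as a documentation example, a PEM private-key header, and hard-coded password assignments, skips values that are read from the environment rather than embedded, and masks whatever it finds so the scanner's own output does not become a second copy of the secret. The rules and sample files are assumptions for illustration; a production scanner would carry many more rules and an entropy check for opaque tokens.

```python
import re
from dataclasses import dataclass

# Constructed sample "repository": three files, only two of which contain real problems.
# AKIAIOSFODNN7EXAMPLE is the example access key ID from AWS's own documentation.
SAMPLE_FILES = {
    "app/config.yml": (
        "db_host: db.internal\n"
        'db_password: "hunter2-but-longer"\n'
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    # Reads the secret from the environment at runtime: this is the pattern we want to see.
    "app/settings.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
}

# Detection rules (constructed, minimal). For the password rule the secret is group 2;
# for the others the whole match is the evidence.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private-key", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("hardcoded-password",
     re.compile(r"(?i)(password|passwd|secret|api_key)\s*[:=]\s*[\"']?([^\s\"']+)")),
]

# Values that are references to the environment, not literal secrets.
ENV_REFERENCE = re.compile(r"^(os\.environ|os\.getenv|getenv\(|\$\{?[A-Za-z_]|%[A-Z_]+%)")


@dataclass
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str  # masked, never the full secret


def mask(value):
    """Keep just enough of the value to locate it; never echo the whole secret."""
    return value[:4] + "..." if len(value) > 4 else "***"


def scan_text(path, text):
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in RULES:
            m = pattern.search(line)
            if not m:
                continue
            value = m.group(m.lastindex) if m.lastindex else m.group(0)
            if rule == "hardcoded-password" and ENV_REFERENCE.match(value):
                continue  # secret is injected at runtime, not stored in the file
            findings.append(Finding(path, line_no, rule, mask(value)))
    return findings


def scan_files(files):
    """Scan a {path: text} mapping (e.g. a checked-out repo or exported cloud config)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}  {f.rule}  {f.snippet}")
```

Run as-is it reports three findings in the two problem files and nothing for `app/settings.py`; the same `scan_files` call works on any mapping of path to file contents, so it can be fed from a repository walk or an exported set of cloud configuration documents.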
++
John Fung, Director of Cybersecurity Operations, MorganFranklin Consulting
"Despite password use being so simple, there is still a lot employees can do to better protect themselves and help reduce risk. Organizations should require the use of password managers as one essential step for password security. Password managers make it easier for employees to organize and keep long, unique and random passwords for each account. Password managers also only fill in passwords on appropriate sites, which protects against phishing attacks. They also help generate passwords for their users, which can make enforcing corporate password policies easier (length, randomness, character sets, etc.).
Implementing a single sign-on approach is another way to reduce an employee's password management responsibility to a single password. This makes it easier to use strong passwords, similar to password managers. SSO also centralizes authentication management, which can help with access controls, monitoring and logging, compliance, and other Identity and Access Management functions."
++
Gary De Mercurio, Vice President, Trustwave SpiderLabs
"Password security is ever-evolving, but not necessarily due to any revelation the common user has about creating one. Instead, it’s due to the constant advancement in technology and the ability of attackers to crack those passwords. Ten years ago, a six-character password like ‘Be4r$1’ would have taken the Cain and Abel tool about 93 years to crack. However, with faster and more advanced processing speeds and the switch from utilizing central processing unit (CPU) cracking to graphics processing units (GPUs), that same password now only takes about five seconds to figure out.
Organizations suffer from internal security problems with staff because long, complex passwords are cumbersome, and people can get aggravated with inputting them repeatedly. When IT regiments require computers to lock after five minutes of inactivity, staff often feel like they must type ‘FRBuyps#6Ph3’ 50 times a day. Some days they probably do type that password in 50 times, wasting valuable time spent elsewhere.
Many organizations get stuck evaluating whether password length or complexity is more important, preferring complexity. But a very long password can be just as secure as a complex one and can oftentimes be easier to remember and input. For example, ‘FRBuyps#6Ph3’ at current rates would take about 34,000 years to crack but would be agonizing to input each time a company computer locked. Instead of using ‘FRBuyps#6Ph3’, people use alternatives like ‘Summer#2002’ which satisfy complexity standards but are featured in every cracking dictionary in the world, making them easily guessed in minutes. That's where length comes in. For example, ‘iHatemyc0mpanyspasswords~’, although very simple and easy to remember, would take somewhere in the ballpark of 7 quadrillion years to crack with today’s tools.
Remember, what is secure today may not be secure tomorrow, making consistent security testing critical. Hackers are always escalating and finding new ways to break both new and old security processes. Therefore, testing the waters periodically to ensure what you think is secure truly is – is paramount."
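As an added illustration (not part of any quote above, and not a tool from the companies named), this Python example puts numbers behind three points made on this page: Jose Costa's advice to build passphrases from at least four unrelated random words, Dirk Schrader's note that NIST favours length over complexity with an 8-character minimum, and Gary De Mercurio's comparison of ‘Be4r$1’, ‘FRBuyps#6Ph3’, ‘Summer#2002’ and ‘iHatemyc0mpanyspasswords~’. The word list, the 10^10 guesses-per-second rate and the "word plus number" pattern heuristic are constructed assumptions. The brute-force figures are keyspace upper bounds and will not match the tool-specific cracking times quoted above; that is part of the point: ‘Summer#2002’ scores well on keyspace but fails the dictionary-pattern check, while the long simple passphrase wins on length alone.

```python
import math
import re
import secrets

# Constructed stand-in for a real word list (a diceware/EFF list has thousands of entries);
# the entropy function takes the list size as a parameter so it is not tied to this list.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "drizzle", "ember", "falcon", "garnet", "harbor",
    "island", "juniper", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
    "quartz", "ripple", "saddle", "thistle", "umber", "velvet", "walnut", "yonder",
    "zephyr", "bramble", "cinder", "dapple", "fennel", "glacier", "hollow", "ivory",
]


def generate_passphrase(num_words=4, wordlist=SAMPLE_WORDS, sep="-"):
    """Draw num_words independently with a CSPRNG (secrets), so the words are
    unrelated to each other and to the user, as Costa's advice requires."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))


def passphrase_entropy_bits(num_words, wordlist_size):
    """Entropy of a uniformly chosen passphrase: each word adds log2(list size) bits."""
    return num_words * math.log2(wordlist_size)


def charset_size(password):
    """Alphabet an exhaustive search must cover, by character class present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(password):
    """Upper bound on guessing work: length * log2(charset). Length is the multiplier,
    which is why a long simple password outscores a short complex one."""
    return len(password) * math.log2(charset_size(password))


# Constructed heuristic for the 'Summer#2002' shape: word, optional symbol, number.
# Cracking dictionaries and rule sets try this shape first, so such a password's real
# strength is nowhere near its brute_force_bits estimate.
COMMON_PATTERN = re.compile(r"^[A-Za-z]{3,12}[^A-Za-z0-9]?\d{1,4}[^A-Za-z0-9]?$")


def looks_like_common_pattern(password):
    return COMMON_PATTERN.match(password) is not None


def meets_nist_minimum(password, minimum=8):
    """NIST's 8-character minimum as stated in the Netwrix quote."""
    return len(password) >= minimum


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time to an exhaustive-search hit (half the keyspace on average)."""
    return 2 ** (bits - 1) / guesses_per_second


def assess(password, guesses_per_second=1e10):
    """Summarise one password. The guess rate is an assumed figure, not a measurement."""
    bits = brute_force_bits(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(bits, 1),
        "nist_8_char_ok": meets_nist_minimum(password),
        "common_pattern": looks_like_common_pattern(password),
        "brute_force_years": expected_crack_seconds(bits, guesses_per_second) / (365.25 * 86400),
    }


if __name__ == "__main__":
    for pw in ["Be4r$1", "Summer#2002", "FRBuyps#6Ph3", "iHatemyc0mpanyspasswords~"]:
        print(pw, assess(pw))
    phrase = generate_passphrase()
    print(phrase, round(passphrase_entropy_bits(4, 7776), 1), "bits with a 7776-word list")
```

Run directly, it prints an assessment of each of the four passwords from the quote and one freshly generated passphrase; `Be4r$1` fails the 8-character minimum, `Summer#2002` trips the common-pattern check despite its keyspace score, and the 25-character passphrase has the highest bound by a wide margin.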
++
Gee Rittenhouse, CEO of Skyhigh Security
"World Password Day is a great opportunity to remind everyone about the importance of protecting data within organisations as well as your own personal data. Cybercriminals today are more sophisticated at obtaining usernames and passwords, making it easier for them to conduct a data breach. Today is a great opportunity to remind ourselves of a few simple steps to improve our data security.
A first step is to bolster their approach to authentication. Simply having a username and password is no longer enough. We need to move beyond this to adopt more secure processes, such as two-factor authentication or multi-factor authentication.
The second step is the adoption of Zero Trust across the enterprise network. This means that no trust is given automatically to users – instead it is earned through logging in patterns and behaviours, which facilitates tighter security. Also, employees are only given access to data, apps and systems that are related to their daily jobs meaning that if passwords are compromised, the subsequent damage is limited.
While following these important steps to stay data-aware is always beneficial, World Password Day is a great reminder for us all."
++
Carolyn Duby, Field CTO & Cybersecurity Lead at Cloudera
"This World Password Day, it’s an absolute must to keep in mind that classification of data is becoming very important when it comes to privacy conversations. You have to be able to figure out what is in your data that represents potentially protected information - in the form of security numbers, account numbers, user names, addresses, and passwords especially for example. The challenge is, organizations have a lot of data that is coming from multiple silos, usually ending up all in the same data lake. If not managed properly, an attacker can go after your lake and take all your data, all at once. We must embrace the idea that data should be effectively secured and governed in the form of a mix of data catalogs and a data profiler to classify private information and help IT practitioners secure and govern it appropriately."
##