Virtualization Technology News and Information
Article
RSS
World Password Day: Security experts share insights on keeping passwords safe

world-password-day 

Some of the most infamous data breaches in modern history, such as the Colonial Pipeline, can be attributed to stolen credentials or passwords. This year's World Password Day emphasizes the significance of establishing robust, continuous security policies. To commemorate the day, various cybersecurity experts have gathered to offer important advice on what you can do to avoid having your passwords become one of the 15 billion accessible on the Dark Web.

Patrick Beggs, CISO, ConnectWise

"In the early days of the world wide web, you were probably able to get away with a password as simple as ‘12345'. Times have changed since then, but humans remain predictable. Research has found that women typically include personal names in their passwords while men often use their hobbies. And experienced hackers also know the common vowels, numbers, and symbols that often appear in passwords.

Cybersecurity breaches are at an all-time high, but there are three simple things we can all do to protect ourselves. First, prioritize length over complexity, because we aren't very good at remembering complex passwords, and longer ones are more secure. Second, only use platforms with multi-factor authentication -- a password alone is not enough to protect you. And finally, never reuse. Most breaches happen when a password from one platform is used with another system that shares the same password.

If you follow these three simple steps, your passwords should be strong enough to stop a determined hacker from causing damage."

Tyler Farrar, CISO, Exabeam

"Colonial Pipeline and Twitch. Both of these organizations have one thing in common: they suffered data breaches as a result of stolen passwords and credentials. Credential theft has become one of the most common and effective methods cyber threat actors use to infiltrate organizations of all sizes and access sensitive data.

We strongly support efforts, like World Password Day, that raise public awareness and can help to combat this pervasive issue. We advocate for the best practices that ensure cyber hygiene and protect personal and professional passwords and credentials to prevent credential-based attacks from continuing.

Credential-driven attacks are largely exacerbated by a ‘set it and forget it' approach to credential management, but organizations must build a security stack that is consistently monitoring for potential compromise. Organizations across industries can invest in data-driven behavioral analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior indicative of credential theft, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time."

Neil Jones, director of cybersecurity evangelism, Egnyte

"For as long as I can remember, easily-guessed passwords such as 123456, qwerty, and password have dominated the global listing of most commonly-used passwords. Unfortunately, weak passwords can become a literal playground for cyber-attackers, particularly when they gain access to your organization's remote access solution and can view corporate users' ID details.

Similarly, not a day goes by where I don't hear another customer in a public setting like a pharmacy or a supermarket vocally share his/her email address and/or personal or business phone number, to obtain affinity club credit for a transaction or to earn a discount. That private contact information - combined with weak password administration - can represent a data breach just waiting to happen.

In commemoration of World Password Day, here are practical tips to protect your company's mission-critical data:

  • Institute Multi-Factor Authentication (MFA) - One of the most effective ways to prevent unauthorized access is by requiring additional validation of login credentials during a user's authentication process. This can be as straightforward as a user providing his/her password, then entering an accompanying numeric code from an SMS text. 
  • Educate your employees on password safety - Educate your users that frequently-guessed passwords such as 123456, password, and their favorite pets' names can put your company's data and their personal reputations at risk. Reinforce that message, by reminding users that passwords should never be shared with anyone, including your IT team.
  • Inform users about the dangers of social engineering and spear-phishing - Remind users that unanticipated email messages, texts, and phone calls can be attempts to capture their login and password credentials. When proper login credentials are entered, malware can be initiated that will place your organization at risk of an even wider and more destructive cyber-attack.
  • Keep personal and business contact information separate - Remind your users that maintaining separate email accounts and contact details for affinity clubs and discount programs protects their personal privacy and your company's valuable data. Users should never provide business login credentials (such as their email addresses) in public forums, particularly within earshot of others.
  • Establish mandatory password rotations - Discourage the usage of system default passwords and easily-guessable employee credentials, by forcing employees to change their passwords on a routine basis.
  • Update your account lockout requirements - Prevent brute force password attacks, by immediately disabling users' access after multiple failed login attempts."

Gunnar Peterson, CISO, Forter

"It is especially fitting that we collectively celebrate World Password Day in light of recent breaches this quarter that have resulted in terabytes of stolen proprietary data and untold financial cost. The day is a reminder that the simplest of defenses in our toolbelt, credential and identity management, can be the difference between a secure system or an unimaginable incident.

Most of the breaches we hear about in the news are a result of businesses relying on automated access control and realizing too late when a user has been hijacked. Once an account is compromised, identity-based fraud can be extremely difficult to detect considering the advanced tactics and randomness of different crime groups like LAPUS$ and Conti.

To succeed against dynamic cybercriminals and account takeover (ATO) attacks, organizations must build robust identity management systems and invest resources into building a learning system that evolves to identify anomalous user activity. These techniques can ebb and flow with the sophisticated threat landscape we're witnessing today."

Aaron Sandeen, CEO and co-founder, Cyber Security Works (CSW)

"World Password Day is a day set aside not just to promote better password use, but to draw attention to the numerous password-related assaults. Tackling every password-related attack would be difficult, but addressing the problem of Password Reset Poisoning plays an important role in increasing organizational knowledge about better password use and vulnerability management.

Every online application with a login gateway has password reset capabilities. When a user forgets his password, this reset password option is useful. However, in many organizations, password reset poisoning is an attack in which the attacker obtains a victim's password reset token and is now able to reset the victim's password. The problem occurs when the program uses the host header to create the password reset link and then adds the user-supplied host header to the password reset link. It is crucial for companies to inform themselves of this type of password attack to protect the privacy of their employees and the business as a whole. While addressing similar password-related attacks, more vulnerabilities can be addressed and give security teams peace of mind."

Surya Varanasi, CTO of StorCentric

"Few would argue the fact that a strong password is an ideal first line of data protection defense. Without this basic security measure, you are leaving the door wide open to a multitude of cybercrime risks. Unfortunately, however, while highly sophisticated password tools are available, today's cyber criminals also have extremely advanced password hacking technology at their fingertips. Which means, an increased risk of your passwords being leapfrogged, and your data being compromised.

The ideal cybercrime defense is a layered defense that starts with a powerful password and continues with Unbreakable Backup. As backup has become today's cyber criminals' first target via ransomware and other malware, an Unbreakable Backup solution can provide you with two of the most difficult hurdles for cyber criminals to overcome - immutable snapshots and object locking. Immutable snapshots are by default, write-once read-many (WORM) but now some vendors have added features like encryption where the encryption keys are in an entirely different location than the data backup copy(ies). And then to further fortify the backup and thwart would be criminals, with object locking layered on top of that, data cannot be deleted or overwritten for a fixed time period, or even indefinitely."

JG Heithcock, GM of Retrospect, a StorCentric Company

"Ransomware is a huge global threat to businesses around the world. Beyond the high-profile attacks, including Colonial Pipeline, JBS, Garmin, and Acer, many people now personally know a colleague whose business was attacked. In fact, a Coveware research study revealed that most corporate targets are small and medium businesses (SMBs), with 72% of targeted businesses having fewer than 1,000 employees, and 37% fewer than 100.

There are likely a few reasons for this continuing trend. Certainly, one is that today's ransomware is attacking widely, rapidly, aggressively and randomly - especially with ransomware as a service (RaaS) becoming increasingly prevalent - looking for any possible weakness in defense. Another is that SMBs do not typically have the technology or manpower budget as their enterprise counterparts, leaving them more vulnerable targets.

It is therefore critical that in addition to powerful passwords, which anyone would agree is an indispensable first line of defense, there must be additional measures taken. The first is that all organizations regardless of size must be able to detect anomalies as early as possible to remediate affected resources. The next is SMBs and large enterprises alike need a backup target that allows them to lock backups for a designated time period. Many of the major cloud providers now support object locking, also referred to as Write-Once-Read-Many (WORM) storage or immutable storage. Users can mark objects as locked for a designated period of time, preventing them from being deleted or altered by any user - including internal bad actors."

John Gunn, CEO, Token

"World Password Day is akin to National Running with Scissors Day, both activities are inherently unsafe, with the latter being significantly safer based on a statistical analysis. The security of passwords, or lack thereof, has advanced only marginally over the sixty-one years since they were first implemented. It's time for us to collectively change the name of the day to World Passwordless Day and commit to eliminating passwords entirely."
 
Dave Cundiff, CISO, Cyvatar
 
"As it has become apparent through the years that passwords alone would not be sufficient to protect users and their data, multiple technologies have emerged. One of the most ubiquitous and easiest to implement these days is multi-Factor authentication. Before mobile technology became so widespread, MFA was enabled by hardware tokens you purchased from a company and either entered a code or scanned a key or inserted a USB. Now it can be as easy as having a code emailed to a different email address or texted to your smart phone. This vastly improves the chances of a user to not have their credentials compromised by eliminating the single point of failure, the password.
 
Further, we have additionally evolved to multiple biometric solutions such as fingerprint scanners, facial recognition, and even keyboard/mouse biometric models. A number of organizations require these types of security in addition to passwords to provide a greater reliability. Biometric continuous authentication systems like keyboard models monitor the typing styles of the user and build a sophisticated model of how the user interacts with their keyboard, what their typing style or cadence is and other data points to be able to discern very quickly a difference between the actual user and someone else. These methods will continue to improve in reliability and accuracy as we move forward, hopefully one day making the need for passwords as unnecessary as the early days of my childhood playing games like Zork."
 
Ismet Geri, CEO, Veridium
 
"Do you want to eliminate 80% of cybers attacks? Then kill the password.
 
We all have heard about Colonial Pipeline attack that took down one of the largest fuel pipelines in the US and the T-Mobile millions of customers data breach, just to name a few of them. All these attacks have in common the use of compromised credentials. Compromised passwords have been the root cause of 80% of these attacks. Google have warned that billions of passwords are available in the dark web, probably your passwords are already in use.
 
Authentication is the fundamental cornerstone for everything happening in our digital world, would this be connecting to our social medias, login into our enterprise applications, making online purchase, executing financial transactions, …We have been dependent on shared secrets for authentication for many decades, we have been dependent for too long time on the shortcoming of passwords.
 
This must change now! Our digital society can’t rely anymore on passwords, on share secrets. Technologies for passwordless multifactor authentication are now robust, resilient, and well tested. Smartphones, desktops used in combination with biometrics such as fingerprint, facial recognition and behavioral analytics can be used to both onboard and authentication users."

Monti Knode, Director of Customer Success, Horizon3.ai

"The movies typically frame hackers as underground, terrifying, sneak-into-your-home types of criminals, but that’s not really the case. The fact of the matter is that most attackers don’t hack in; they log in. The password pandemic that plagues the technology world today is rampant, but definitely fixable. How?

  • First: take control. Having weak or default passwords such as ‘adminadmin’, ‘password1’ or even ‘P@$$w0rD’ leaves you with your pants around your ankles – exposed.
  • Second, don't reuse your passwords. Having one singular password for everything means that if one is successful or cracked, an attacker will attempt to reuse it and then your entire foundation comes crumbling down around you.
  • Finally, aggressively seek out your weaknesses. One way to do this is autonomous pentesting. By continuously searching your network for paths and openings, you are proactively fighting against attackers.

Be your own hero this World Password Day by protecting your ‘crown jewels’."

Lance Spitzner, Director of Security Awareness, SANS Institute

"Even if you have the longest, most secure password in the world, if that password is compromised cyber attackers have full access to your account, system, and data. One of the most effective and proven approaches for strong authentication is something called Multi-Factor Authentication, or MFA. This way, if your password is compromised, your account, system, and data are still safe as the other factor or factors still protect you. MFA can include:

  1. A one-time, unique code is sent to your mobile device via SMS text that is then used along with your password to authenticate and log-in.
  2. An authentication mobile app (such as Google Authenticator) that generates the unique one-time codes for you. You download the mobile app to your mobile device, then to enable MFA for your accounts you sync the authentication app with each account. Some mobile authentication apps (like Microsoft’s Authenticator) also make it so that when you log into certain websites, instead of requiring a one-time use code, the website pushes an authentication request to your mobile app asking if that is you trying to log in.
  3. A physical device that connects to your laptop or computer and is registered with the websites you regularly log into. When the device is connected to your computer (via the USB port or connected via NFC technology) and you visit these websites, the device authenticates you."

Lucia Milică, Global Resident CISO at Proofpoint

"Passwords are one of the first critical barriers between a person, a threat actor and a successful cyberattack. One of the most common mistakes that people make is reusing the same ID/email address and password across multiple sites and devices. Password reuse is exacerbated by the increasing volume and success rates threat actors are reaping with advanced credential phishing campaigns that use fake websites resembling the login page of a legitimate online service to steal usernames and passwords.

We recommend consumers use different passwords, especially on critical financial and data-driven accounts. Be sure to turn on multi-factor authentication (MFA) if available for as many accounts as possible. If MFA is not an option for the account, use a password manager. A password manager creates randomized passwords that are safely stored, encrypted, and accessible across all personal devices and reduces the burden of trying to remember complicated login credentials across multiple websites. If you use a passphrase as part of your password, make sure you never use common words or phrases, names or dates associated with you or direct family members. It’s also best to change all passwords twice a year and change business passwords every three months.
 
Since 95% of cybersecurity issues can be traced to human error, it remains important for businesses to implement a people-centric approach to security. Ensure that both your remote and in-office employees receive training and education on basic cybersecurity best practices, including how to identify a credential phishing attempt and how to securely manage passwords."

Matt Middleton-Leal, Managing Director Northern Europe, Qualys

"Passwords have been around for years, and they will continue being used. Why? They are an extremely simple approach to enforce some degree of security that works when everything around it is done correctly.

The challenge with passwords is that they have become increasingly complex to manage sufficiently, due in part to the sheer number of accounts that users hold. The rules around passwords can make them harder for people to remember, so they either re-use one password for multiple accounts or write them down. Equally, best practices for secure passwords can be missed. Take something like enforcing a limit to the number of times users can attempt to enter a password so that attackers can’t use dictionary attacks or password libraries to brute force their way in. This might be obvious for applications that are customer-facing, but those rules should also apply to internal applications or cloud services too.

In today’s world, passwords alone are not enough to keep IT access secure. As such, tools like multi-factor authentication (MFA) - which requires users to provide two or more verification factors to gain access to a resource - have become available to further improve security hygiene. Companies, no matter the industry or size, must recognise the value of strong security and doing the small things, like implementing MFA, right.

What can companies be doing to improve password hygiene? For starters, ensure that users cannot use a simple dictionary word as their password, and enforce different controls so they cannot re-use the same password multiple times. It is important to apply rules on length of passwords and the variety of characters used, in addition to looking out for poor security practices such as missing MFA or lack of role-based access control."

Tom Bridge, Principal Product Manager, JumpCloud

"Passwords are ubiquitous for users, but are they effective? On their own, I would argue no. While it is possible to put together password policies to help users secure their access, passwords are not enough on their own. It’s great to encourage users to adopt pass phrases or non-standard formats that include multiple character types in order to have stronger passwords in place, but this is not all that you should be doing to improve both access and security.

Alongside raising awareness of good password policy on this day, companies should think about identity more generally too. This can make it easier to support your employees around remote and hybrid work, as well as improving your work processes overall. For small businesses, consolidating how you manage your users’ access and accounts can help you deliver the services that those users need to work efficiently wherever and whenever they want.

To achieve this, you should deploy multi-factor authentication alongside any passwords that they use. This is an opportunity to look at other ways to improve your efficiency around identity, like using single sign-on to simplify the process. At the heart of authentication is how you connect users to the services and applications that they need every day, and how you can make work easier for them. Passwords and identity management should not get in the way of how people work; they should serve the business in making remote work happen more easily.

The pandemic made remote work - and managing remote user identities - more important to how work happens in business. This process has to continue, so that businesses can keep the value from those changes."

Brian Spanswick, Chief Information Security Officer, Cohesity
 
"With more than 22 billion connected devices online and cyber attacks on the rise, your data has never been at greater risk,” said Brian Spanswick, chief information security officer, Cohesity. “On World Password Day, it’s critical that IT managers, SecOps personnel, and, for that matter, all business workers, remember to prioritize password hygiene today and year around. Using a password manager is an effective way to ensure secure passwords, and taking steps to choose a unique password that’s regularly updated and varied from device to device can mean the difference between a normal day and a devastating data breach — where you potentially not only expose your data, but put your company at risk as well."

Greg Stuecklin, VP and GM of North America at WSO2

“Improved security is key to driving better digital experiences and gaining a competitive edge, according to 90% of the 500 IT decision-makers who participated in a recent survey sponsored by WSO2. So, on World Password Day, maybe it’s time to ask why we still require consumers to remember complex passwords instead of giving them easier, securer alternatives.
 
Eliminating passwords altogether once sounded like a bold idea. That’s no longer the case, especially when you consider Verizon’s 2021 Data Breach Investigations Report (DBIR). It observed that vulnerabilities with credentials, like a username and password, accounted for over 84% of all data breaches.
 
Easier, more effective ways to authenticate users exist, and if companies are serious about security, those ought to take priority. Modern authentication measures replacing password log-ins include alternatives that apply the Fast ID Online 2.0 (FIDO2) standard to biometrics, security keys, and plug-in authenticators to uniquely identify consumers while providing a simple, single sign-on passwordless experience.
 
The other piece of the puzzle is multi-factor authentication (MFA), which can prevent up to 90% of security breaches. Many consumers already type in a verification code they’ve received in a text—or better and more secure via one-time-push (OTP)—as a second way to confirm their identity. Now imagine protection provided by combining a fingerprint or device ID with the code: fast, easy, and much harder to hack.
 
So, on World Password Day, let’s make a pledge to free consumers from passwords and instead give them advanced alternatives that make it easier than ever to protect their data and yours.”

Payal Chakravarty, Head of Product, Security & Risk at Coalition

"Poor cyber hygiene can lead to disastrous outcomes for organizations and yet, best practices are often ignored. 

However, employees can and should take simple steps to proactively protect themselves and their companies from attacks. For example, by using unique, varied and strong passwords as well as multi-factor authentication (MFA).

Passwords are like physical keys, and these keys to the kingdom must be protected at all times. In terms of choosing the strongest password, there’s a misconception that using a mix of capital and lower-case letters, numbers and symbols is best practice. The fact is, hackers and the software they use know to guess with that in mind. Rather, a randomly-generated password or a long passphrase — something like MyFav0riteCak3IsChocolat3WithP3anutButt3rFr0st1ng! — would take thousands of years for an attacker to guess and is easier to remember.

Password managers are an effective way to manage all your passwords across devices with a single account. They offer features such as generating one-time password codes used in the MFA process, encrypted note-taking, and secure password sharing within your organization.

This World Password Day is a good reminder to make cyber hygiene a top priority, especially while most employees continue to work from home or in hybrid roles and thus, are more vulnerable to attacks."

Geoff Bibby, SVP, OpenText

"World Password Day is an excellent time for individuals, channel partners and businesses to reflect on their current password practices and ensure they are building the safest habits to protect themselves and their company from cybercriminals. Many are under the assumption that if they are taking the steps to create unique passwords for each platform and application, they are secure. But it's not enough.
 
The number of headline-grabbing breaches that have taken place over the last year highlight the critical need for safeguards across the entire company network. While there are a few different ways to protect login credentials beyond a simple username and password, one of the most popular and effective options is two-factor authentication (2FA). Implementing 2FA provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user's phone, email address or through an authenticator app, after entering their username and password. It’s getting easier for cybercriminals to breach even the most complex password, which is why implementing 2FA is critical.
 
Email is a common point of attack because it often contains sensitive and valuable communications. Organizations should also consider implementing an email security solution that conducts a security audit to analyze its admins, users, mailboxes, and rules for vulnerabilities such as outdated passwords so they can be resolved before a breach happens. This is especially true for ensure partners so that they can ensure the customers they support are protected against today's cyberthreats and vulnerabilities. Organizations should use World Password Day to evaluate their internal Password Policies and send reminders to employees and customers alike about the importance of good password hygiene."

##

Published Thursday, May 05, 2022 8:01 AM by David Marshall
Filed under: , ,
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
Calendar
<May 2022>
SuMoTuWeThFrSa
24252627282930
1234567
891011121314
15161718192021
22232425262728
2930311234