Virtualization Technology News and Information
Change Your Password Day: Why You Should Take It Seriously


Passwords remain the front line for most online accounts, which is why Change Your Password Day exists: an annual prompt to review the passwords you rely on and replace the weak, reused, or exposed ones.

A strong password matters because attackers rarely guess by hand. Credential-stuffing and offline cracking tools run through lists of the most common passwords ("123456", "password", a user's own name) and passwords leaked in earlier breaches in seconds. Anything on those lists, or reused across sites, offers little protection no matter how complex it looks.

A good password is unique to each account and, above all, long. Length and randomness matter more than mixing character classes; a passphrase of several unrelated words is both stronger and easier to remember than a short string of symbol substitutions. Avoid anything derived from information about you (name, date of birth, pet's name), and let a password manager generate and store the rest.

Changing a password is most valuable when there is a reason to: it has appeared in a breach, it is shared with another account, or a device it was typed on may be compromised. Rotating on a fixed schedule (the old "every three months" rule) is no longer recommended in NIST SP 800-63B, because forced periodic changes push people toward predictable variations of the old password; the guidance is to change a password immediately on evidence of compromise and otherwise leave a strong, unique one alone. Use the day to retire weak or reused passwords rather than to increment a suffix.
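The three checks above (is it on a breached-password list, is it long and random enough, is a passphrase the better option) can be automated. The following is an added example written for this article, not code from the page or any vendor quoted below. It uses the k-anonymity scheme of the Pwned Passwords range API (only the first five hex characters of the SHA-1 leave the client), but the "range response" here is a constructed, offline stand-in with made-up counts, and the eight-word list is a constructed placeholder for a real wordlist such as the EFF long list.

```python
import hashlib
import math
import secrets
from typing import Callable

# Constructed stand-in for one Pwned Passwords "range" response. The real
# service (GET https://api.pwnedpasswords.com/range/<5-hex-prefix>) returns
# every SHA-1 suffix seen for that prefix with a breach count. Only the suffix
# of SHA1("password") is real below; the counts and the neighbour are made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"  # SHA1("password")[5:]
        "1E4C9B93F3F0682250B6CF8331B7EE68FD9:2\n"        # constructed neighbour
    ),
}


def sample_range_lookup(prefix: str) -> str:
    """Offline substitute for the HTTP range request (assumption: demo only)."""
    return SAMPLE_RANGES.get(prefix, "")


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """k-anonymity check: hash locally, send only the 5-char prefix, match the
    suffix client-side. Returns the breach count, 0 if unseen."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        if ":" not in line:
            continue
        cand, count = line.split(":", 1)
        if cand.strip() == suffix:
            return int(count)
    return 0


def estimated_bits(password: str) -> float:
    """Charset-size heuristic: len * log2(alphabet). This overestimates for
    dictionary words and keyboard patterns, so treat it as a way to compare
    candidates, never as a guarantee; the breach check above is the hard gate."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 32  # printable ASCII punctuation
    return len(password) * math.log2(alphabet) if alphabet else 0.0


# Constructed mini wordlist; a real generator uses several thousand words.
WORDLIST = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glacier", "harbor"]


def generate_passphrase(words: int = 5, wordlist=WORDLIST) -> str:
    """Diceware-style passphrase from a CSPRNG (secrets, not random)."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words: int, wordlist=WORDLIST) -> float:
    """Exact entropy of a uniformly chosen passphrase: words * log2(list size)."""
    return words * math.log2(len(wordlist))


def assess(password: str, range_lookup=sample_range_lookup) -> dict:
    """Combine the checks the way a signup or change-password form would."""
    hits = breach_count(password, range_lookup)
    return {
        "breached": hits > 0,
        "breach_count": hits,
        "estimated_bits": round(estimated_bits(password), 1),
        "too_short": len(password) < 12,
    }


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3", generate_passphrase()):
        print(candidate, assess(candidate))
```

Swapping `sample_range_lookup` for a function that performs the real HTTPS range request turns this into a live breached-password check without ever sending the password or its full hash off the device. Note that with an eight-word list `passphrase_bits(5)` is only 15 bits; the same five words drawn from a 7776-word list give about 64.6 bits, which is the point of using a large list.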

Change Your Password Day is a useful checkpoint. Review the accounts that matter most, replace any password that is weak, reused, or known to be exposed, move the rest into a password manager, and turn on multi-factor authentication wherever it is offered.

Here's what the experts have to say:

--

Joseph Carson, Chief Security Scientist and Advisory CISO at Delinea

"Celebrated each year to help raise password awareness, Change Your Password Day serves as an important reminder to each and every citizen to create stronger passwords and utilize different passwords for all accounts. For many citizens, a password can be the difference between keeping their sensitive data protected and safe from criminals. Make sure passwords are strong and consider using a passphrase instead of a password. A strong passphrase is something that is unique for each account, long and easy to remember. In addition, try moving your passwords into the background by using a password manager. Enabling multi-factor authentication for your most important and sensitive accounts is also good practice."

++

Mike Parkin, senior technical engineer, Vulcan Cyber

"As computing power has gone up, the requirements for a password to be considered “secure” have gotten longer and more complex to the point where users are tired of dealing with them. Pass-phrases are easier to remember, but who wants to type a full sentence every time they log in?

Because the industry best practice is a different secure password for each site a user visits, password managers make sense. However, a local password manager relies on the local environment itself being secure. If the enterprise is enforcing “different complex 18+ character password on each system” then yes, the users are going to want a password manager. But as recent breaches have shown, there’s a risk associated with keeping all the keys in one place as well.

That’s one reason multi-factor authentication, especially physical-token based, is worth the time and trouble to implement. Deploying a password manager enterprise-wide is going to be a balancing act between convenience, usability, security, and user acceptance. Personally, I still use a “code and key” system, where you have a base “code” that can be written down, and a “key” you remember that can easily convert what you write into the actual password. It’s an old technique, but it works well and isn’t susceptible to a 3rd party breach like a cloud-based password manager can suffer from."

++

Theresa Lanowitz, Head of Cybersecurity Evangelism, AT&T Business

"Security hygiene is one of the biggest steps anyone can take to protect themselves, their business, and their data. As we move to more types of edge devices that are not keyboard driven, we should expect multi-factor authentication (MFA) to come via biometrics. While the use of biometrics to authenticate identity is not new, advancements in digital twins and deepfakes mean there is a need to secure our own physical identities as well.

Consider autonomous vehicles that have built-in MFA in key fobs. IoT devices are frequently ‘set and forget’ with the default password that may be as simple as ‘1234’ or ‘password’. It is easy for cyber adversaries to either guess or have knowledge of what the default password could be for such devices. This means the adversary can execute DDoS attacks or gain access to the network by moving laterally via the entrance through an IoT device with a default password. It makes sense that passwords, MFA, and device authentication are utilized in new endpoints such as autonomous vehicles since there are no direct inputs into vehicle networks—however, it also means endpoint detection and response (EDR), managed detection and response (MDR), and extended detection and response (XDR) are seen much more often as a requirement."

++

Glenn Mulvaney, VP of Cloud Operations, Clumio

"Implementing enforceable password practices is just one critical component of what should make up an organization’s security hygiene. Businesses must implement a series of technical mitigations to effectively bolster their arsenal of cybersecurity and data protection with continuous engagement and education for employees.

While multiple layers of security are a must, organizations must prioritize training employees on security hygiene such as proper password management, as well as the ability to identify and report malverts, spear phishing, trojans, and malware. CISOs themselves need to think about security hygiene holistically in response to expanding threats. This should include engaging employee training alongside limiting permissions to the principle of least privilege, multi-factor authentication, credential rotation, encryption of sensitive data, periodic decoy tests, and interactive communications.

While cybersecurity tools have gotten more sophisticated, security hygiene simply hasn’t kept up. Change Your Password Day should serve as a reminder for security executives and business leaders to refocus practices surrounding security hygiene and reinforce cyber policies that include ensuring strong password practices are enforced."

++

Will LaSala, Field CTO, OneSpan

"Changing passwords is an important part of a strong security practice, especially if your organization may have been compromised in a data breach or related cyberattack. However, changing your passwords is just the first step. At the bare minimum, companies need to utilize effective multi-factor authentication (MFA) solutions. Furthermore, these solutions must be designed to separate the generation of the one-time password (OTP) in a secure way where only the user can generate and use that OTP. If SMS, email or voice-based authentication is used, it allows the OTP to be placed within an unprotected communication channel, in clear text, where anyone can read or hear the value and intercept the message.

In the face of these threats, it is recommended that employer IT groups switch to using stronger two-factor authentication (2FA) like hardware and software token generation apps or FIDO technology, where these types of attacks can be thwarted. For businesses that process high-value transactions, MFA and 2FA might not be enough and organizations should consider passwordless authentication devices which provide stronger defenses against phishing and other attacks that exploit weaknesses in lesser forms of MFA."

++

Dylan Owen, Associate Director, Cyber Protection Services, Raytheon Intelligence & Space

"As passwords proliferate across networks and systems that users have to access, this increases the risk of password reuse, which also increases the risk to a company’s data. Because organizations like to stick with the familiar, along with increased deployment and support cost for alternative security initiatives, organizations are likely to continue to use passwords, despite the argument that decreasing risk exposure would pay for itself in the long run.

Instead, organizations should utilize multi-factor authentication with a physical device/token to simplify the problems that arise with using passwords for authentication and authorization, while reducing the amount of “friction” for a user. They wouldn’t need to remember or write down all those passwords or be tempted to reuse the same one for multiple systems. That said, if an organization can’t afford to do this and has to stick with passwords, then providing a password manager to users would be a step in the right direction. This would cut down on password reuse, and instead, generate complex, unique passwords for each system. Users also wouldn’t need to remember or write down their passwords, as they would be stored securely in the password manager."

++

Duncan Greatwood, CEO, Xage Security

"Passwords have proliferated in critical infrastructure - guarding industrial control systems, remote access connections, workstation and jumpbox accounts, and more. Sectors including energy, utilities, defense, transportation, and manufacturing are relying on a patchwork of passwords. This “Change Your Password Day”, my message to cybersecurity and operational leaders is that the time has come to transition from unmanaged identities, static passwords, inconsistent access control, single points of cybersecurity failure, and no-factor or single-factor authentication to consistent, managed, multi-factor authentication and resilient multi-layer access protection.

Attacks on real-world operations can cause major system shutdowns, impacting crucial services and community safety, as well as the operators’ bottom lines. These complex environments, filled with distributed, legacy technologies are notoriously hard to secure. Many industrial operators have a combination of new and legacy control devices and systems. The unfortunate truth is that operators may be unable to enforce even single-factor password-based authentication consistently. Even when machines do have passwords, common practices of credential reusage, password weakness, lack of password management, and lack of role-based access control are major pitfalls, leaving industrial organizations open to attacks. Device-level single-factor authentication and passwords are not enough to protect these critical operations.

There is an urgent need for innovative security solutions that can keep critical infrastructure systems secure and online. The answer is not as simple as changing a password or even upgrading to multi-factor authentication (MFA). There is an escalating trend of MFA fatigue attacks (also referred to as MFA bombing attacks), not to mention that some of the industrial systems are not inherently equipped to support MFA.

To bring the password patchwork under control, critical infrastructure needs identity-based multi-layer MFA and access control designed specifically for real-world operations. They need identity and managed access control that combines Zero Trust approaches with non-disruptive deployment options such as an overlay mesh to protect a mix of new and legacy assets. With this approach, compromise of an individual authentication factor (such as during an MFA fatigue attack) doesn’t allow the hacker to infiltrate further assets, systems, or applications. Instead, operators can enforce granular access control down to an individual operational site or even a singular OT asset, which allows user and app access solely to specified authorized devices. Ultimately, layered MFA and access enforcement empower organizations with critical infrastructure to deploy defense-in-depth. This keeps crucial systems online by blocking or containing breaches by nation-state actors or hacker groups, simplifying security management across the operation."

##

Published Wednesday, February 01, 2023 7:35 AM by David Marshall