In today's digital age, passwords are more critical than ever. They are the keys that unlock our online identities and protect our personal information from cybercriminals. With World Password Day taking place on May 4, 2023, it's the perfect time to reflect on the importance of strong passwords and how they can help keep us safe online.
In addition to following password best practices, there are also tools and technologies that can help enhance password security. Password managers, for example, can generate and store strong, unique passwords for each of your accounts, making it easier to maintain good password hygiene.
As we mark World Password Day 2023, let's remember the importance of strong passwords and take the necessary steps to protect our digital identities. By following password best practices and staying vigilant against cyber threats, we can help keep ourselves and our sensitive information safe online.
Don't just take our word for it; we reached out to several industry experts to get their thoughts on
World Password Day. Here's what
they had to say:
++
Thomas LaRock, Head Geek™, SolarWinds
“With cyberattacks on the rise and sophisticated nation state actors capable of penetrating even the strongest and most secure companies, it’s critical for employees to collectively follow best practices.
On World Password Day, it’s important to remember that cybersecurity is not just the responsibility of IT departments, but of all employees. This means deploying additional security techniques such as two-factor authentication and making sure you have good password hygiene.
Human-centric failure points, like passwords, are often used by threat actors to gain initial access and find vulnerabilities within a system. As a result, it’s more important than ever to strengthen secure software development and focus on the people that play a role in ensuring security practices are being met."
++
Katina Kozlowski, Digital Content Manager, Catalogic Software
"Cyber threats never rest, and neither should our commitment to online security. World Password Day serves as a crucial reminder of the importance of protecting our digital lives with strong and secure passwords. Your password is the ultimate key that unlocks access to your personal information, financial data, and online accounts, making it an incredible asset in today's technology-driven world. Treating your password with the same level of security as you would your physical keys, including your house, car, or safe, is vital to unlocking a world of safety.
Take the time to create unique, complex passwords that can't be easily guessed or hacked, and always use Two-factor authentication (2FA) whenever possible. By doing so, you can reinforce your online security and protect yourself from potential cyber threats that could compromise your digital life. Let's act on World Password Day to strengthen our online security measures and ensure that our digital lives remain safe and secure from any potential harm."
++
Darren James, Senior Product Manager at Specops - an Outpost24 Company
"This #worldpasswordday we're reminding IT leaders to stop blaming users for bad passwords, instead use a technology stack that empowers users to implement password best practices.
Choose a password policy software that enforces compliance, blocks the use of known breached passwords, and restricts bad user behaviors like using your own company-name in your password. This way, everyone can breathe a sigh of relief knowing your company's weakest link, passwords, are actually pretty strong."
++
Christopher Rogers, technology evangelist at Zerto, a Hewlett Packard Enterprise company
“While employees are usually discouraged from re-using the same passwords across multiple apps and websites, many organizations have become complacent in enforcing such rules, particularly since the explosion of remote working caused by the pandemic. Taking advantage of this, credential reuse or ‘stuffing’ is when cybercriminals gain access to a set of valid credentials (usually via a data breach) and then use bots to try those same credentials across hundreds of other online accounts. If the credentials have been re-used anywhere, credential stuffing will expose this, giving those same criminals legitimate access to other accounts as well.”
++
Brian Knudtson, Director of Product Marketing Intelligence, 11:11 Systems
"Passwords are thoroughly embedded in our current digital world. While we may finally see the dawn of a passwordless future, we are far from it today, so it’s important to use passwords appropriately. That means using long and complex passwords to make them harder to crack and implementing multi-factor authentication (MFA) to protect our data when the password does get compromised. It is also important that those of us in the IT industry assume that every password and MFA will get compromised eventually. To this end, we should be focused on creating systems that assume compromise, limit access to only what our users need when they need it and provide zero trust in every new interaction."
++
Manikandan Thangaraj, Vice President, ManageEngine
"Despite passwordless authentication being a recent trend, passwords will definitely continue to serve as the simplest and most effective means to secure identities in 2023. They are easy to use, can be changed if needed, and do not demand additional software or hardware to function.
As crucial as they are for identity security, passwords can also be vulnerable to various attacks. Weak and easy-to-remember user passwords are usually the main cause behind these attacks. Additionally, seldom changing passwords and using the same login credentials for multiple online platforms and personas creates a higher risk of falling victim to password attacks.
The only way in which organizations can withstand password attacks is by adhering to the password best practices recommended by regulatory standards. Employing longer passwords, as suggested by NIST, works wonders in defending against sophisticated password attacks. Including all character types and symbols, and avoiding dictionary words, common patterns, and usernames in passwords enhances their complexity and security. Compliance regulations like the GDPR, HIPAA, and the PCI DSS also recommend that companies use multi-factor authentication (MFA) methods to bolster identity security."
++
Rick McElroy, Principal Cybersecurity Strategist, VMware
"Despite
the security industry’s many innovations that were on display at RSA
last week, many organizations are still relying on dated authentication
methods like passwords to protect their networks.
User ID and
passwords can ultimately be the weakest link in an organization’s
cybersecurity strategy, given the efforts by attackers to steal basic
credentials to gain access to company data. Multi-factor authentication
has helped make it more difficult for hackers to exploit these
safeguards, but they continue to be areas of concern.
While
alternative strategies to passwords are coming, it will take some time
before these new methods are accessible to civilians. Until these new
methods are available, security teams should move away from central
stores of identities and continue to leverage multi-factor
authentication to bolster their organization’s security."
++
Joseph Carson, Chief Security Scientist, Delinea
"World Password Day serves as a reminder to reflect and think about your password health. If you’re anything like me, you are not a fan of passwords – having to frequently change them and choose the next great password that is better, longer and more unique than the previous one.
This World Password Day, let’s take a moment and think about how we can remove passwords from our lives and into the background, while making our digital lives safer. A great place to start is by using a Password Manager.
A Password Manager will let you know when your password needs to be changed, when it’s weak, or when it’s reused. Even better, when used in conjunction with multi-factor authentication (MFA), it takes away the tedious take of choosing – and remembering – your next great password.
Let’s use this World Password Day to move passwords out of our lives, into the background, and make our digital world a safer place."
++
"In today’s digital world, security breaches are becoming more frequent (and more expensive), making it critical for every business to implement secure, reliable authentication methods. While passwordless might not sound safer, it’s actually a more secure and user-friendly way to authenticate, creating significant business value.
The rise of passwordless authentication is transforming the way we secure our digital lives, and momentum is continuing to grow. Aviad would be happy to further discuss best practices for passwordless approaches, while remaining cautious of the downfalls.
This includes:
- Examples of ways companies can use passwordless capabilities to enhance systems
- Creating and maintaining a secure environment with passwordless authentications paired with additional measures, resulting in a comprehensive and well rounded security system
- The business case for passkeys and passwordless, and how these options benefit user management and support multiple units of a business"
++
Geethika Cooray, Vice President & General Manager IAM at WSO2 "It is a myth that companies have to choose between providing a high level of security and low levels of friction when it comes to requiring the use of passwords, especially as we begin to move into a passwordless world. In fact, adaptive authentication, which has been around for a while, allows companies to choose how much friction to add to suspicious activities depending on certain factors that may raise red flags.
For example, if a user accesses an application from an unfamiliar IP address or if someone logs into an application from San Francisco, then one hour later, logs in from New York, this would be flagged as a potential fraudulent activity. Another more advanced form of detecting fraudulent activity is how a user enters their password. Systems are able to detect the differences between how a user usually types out their passwords, including the speed, and can also tell if a password has been pasted in. Additionally, there are behavioral metrics that can be tracked such as how fast the user is moving their mouse or how the phone is being held. Depending on the vendor’s threshold for risk, the company can decide how much friction to add to each scenario.
In the world of Amazon, there is no need to log a consumer out of their account. Once the system detects potential fraudulent activities, such as adding a new address and purchasing a big ticket item, that is when additional challenges can be presented — for example, requiring the CVC of a credit card before processing the purchase.
Although the technology has been around for quite some time, there are still laggards in the space who have yet to adopt adaptive authentication. Companies are pushing to differentiate themselves from their competitors and this feels like a low hanging fruit that should be taken advantage of."
++
Jeremy Ventura, Director, Security Strategy & Field CISO at API security firm ThreatX "Credential stuffing has become one of the most common and significant threats facing organizations today. Brute force attacks are still one of the go-to methods for attackers to infiltrate corporate networks. Having strong and complex passwords is essential to protect yourself and your organization from cybercriminals. When someone gains unauthorized access to an account, sensitive and PII data can potentially be left open for bad actors to use and/or sell online. And for organizations, unauthorized account access allows cybercriminals to infiltrate internal servers while potentially compromising a network. The aftermath is brand reputational damage - including credibility and revenue flow. This is why instituting secure, strong passwords from the lowest level to the C-suite is paramount to ensure protection in today’s digital world.
Tips for picking a strong, complex password:
- Extend the length of your password and make it complicated. Don’t make it easy for criminals to guess
- Use multifactor authentication to secure your accounts
- Don’t reuse the same password for different accounts. If one account is compromised, so can any account with the same password
- Use a secure password management system"
++
Ian Leysen, CEO, CSO, and Co-Founder, Datadobi "World Password Day serves as an important reminder to individuals and businesses alike about the critical importance of password security in protecting sensitive data. World Password Day is also a reminder that as the frequency of data breaches and cyber-attacks continue to rise, we cannot rely on passwords alone.
From a business perspective, relying solely on passwords to protect critical data is an especially risky proposition. The next step must be to employ data governance policies that designate what constitutes critical data that must be protected. However, even with these policies in place, protecting data that you cannot find is impossible. Businesses need a technology solution that enables them to locate and organize all critical data, and then take appropriate action to secure it. This may involve creating an immutable copy, moving it to a more secure environment, creating a "golden copy," and/or transferring the data to a storage solution that can be air-gapped for even greater protection from online threats. This tailored approach is much smarter than relying on broad security measures that may not be effective in all situations.
To sum it up, combining strong passwords with data governance policies and a technology solution to enforce those policies is an unbeatable approach to data protection and security. In doing so, businesses can safeguard their sensitive information – especially from the growing threat of cyber-attacks, consequently enabling them to comply with regulations, as well as protect their intellectual property, reputation, and bottom line."
++
Don Boxley, CEO and Co-Founder, DH2i"World Password Day is a day to acknowledge the pivotal role that passwords play in our digital lives. It is also a day that reminds us how prevalent cybercrime has become, and while creating strong and unique passwords and regularly changing them is critical, passwords must be considered a first-line, not the only-line, of defense.
Historically, VPNs were considered a reliable line of defense against cyber threats, but their popularity is rapidly declining due to their limitations in terms of security, slow connection speeds, bandwidth constraints, configuration and management complexity, and high cost. On the other hand, Software-Defined Perimeters (SDP) are gaining popularity as a safer and more efficient alternative. Advanced implementations of SDP allow users to establish direct connections with application-level Zero Trust Network Access (ZTNA) tunnels, eliminating the involvement of third-party vendors in the data stream. With SDP, users have direct access to the data endpoints they need, without any intermediaries. In comparison to VPNs, only SDP can prevent lateral network attacks, enhance data transfer rates by up to 3x, and offer complete control over the data stream.
Bottom-line, bullet-proof passwords combined with SDP provide unparalleled security to eliminate cyber threats. Passwords act as the first line of defense, while SDP's advanced security features ensure only authorized users access the network and data endpoints, reducing the risk of cyberattacks, data breaches, and lateral network attacks on World Password Day, and all year round."
++
Steve Santamaria, CEO, Folio Photonics
"Cybercrime is a growing threat to individuals and businesses alike. Hackers are constantly looking for ways to exploit weaknesses in our digital security, steal our personal and sensitive information, and hold it for ransom. One of the most common ways that cybercriminals gain access to our accounts and information is through weak or easily guessable passwords. World Password Day serves as a reminder that using strong and unique passwords is critical to protecting our digital presence. But it's not enough. Hackers are becoming more sophisticated in their tactics, and relying solely on passwords for protection is like leaving your front door unlocked in a high-crime area.
To truly safeguard our digital assets, we need to employ multiple layers of data protection. This includes things like two-factor authentication, encryption, and regular system updates. But even those measures may not be enough. That's why having a secure, tamper-free data archive that uses WORM media is so important. It can safeguard your assets while helping you recover from a ransomware attack or other data loss event; subsequently, reducing the impact that this disaster has on your business operations.
But to truly take your cybersecurity to the next level, you may need to consider air-gapping your data archive. Air-gapping your data means physically disconnecting it from the internet or any network connection, making it virtually impossible for cybercriminals to access it. When an air gap is combined with WORM media, it becomes the ultimate protection and should sit at the base of any cyber-resilient infrastructure. While this has often been used in the most sensitive, highest security environments, it is becoming more-and-more commonplace to see other types of organizations deploying it as well.
So, if you're not taking cybersecurity seriously, it's time to wake up and smell the coffee. The threat of cybercrime is real and growing. If you don't take steps to protect your digital presence, you could be the next victim. So, use World Password Day as a reminder to take action and employ multiple layers of protection to safeguard your digital assets."
++
Dan Conrad, AD Security & Management Team Lead, One Identity
"World Password Day was created as a cybersecurity reminder to use strong passwords or change old or unsecure ones. If we're honest, it's been an overdue reminder for longer than any of us in security thought necessary. It can seem obvious to some, but many businesses are still dealing with the most basic of breaches because they aren’t using best practices. Organizations need to be accountable for having - or not having - password and identity security practices that secure their critical assets. If critical assets aren’t explicitly protected by MFA (and admin privileges aren’t protected in the same way), or if someone can get data by typing in “Password1”, that’s a serious oversight, and an unacceptable risk to the business.
In the future, I’d love to see World Password Day become World Secure Authentication Day, World MFA Day or even World Passwordless Day as our strategies for identity security evolve. If we can all get on board with basic best practices and rigorous education, we might just get there.
While passwordless technology continues to mature, here are a few tips for implementing modern password strategies:
- Just get MFA - and ideally, implement it via an authenticator app.
- Avoid basic keyboard patterns, or adding just one character to your password; those are easier to crack.
- Move on from periodic password rotation. It’s been shown to have little to no impact on security. Instead, use randomized phrases and characters (that people can manage and remember) in combination with MFA for a better bet.
- Protect usernames as diligently as you do passwords to prevent password spray attacks. If an attacker can get a list of known usernames for your organization and authentication does not require MFA, these attacks can be very effective."
++
"World Password Day serves as a timely reminder for individuals and organizations alike to revamp their security posture by ensuring one of the internet’s most hackable tools remains secure. Many people are under the assumption that if they have unique passwords, they are automatically secure. This is unfortunately not the case.
While using different passwords across applications, enabling two-factor authentication and regularly changing your passwords are important steps to prevent being hacked, it is not enough in today’s rapidly-changing threat landscape. Many organizations frequently use password expiration emails to remind users to update their passwords. Threat actors take advantage of this as an all-too-common phishing tactic to obtain credentials. In addition to the standard password security measures, organizations must implement proper employee training to recognize phishing emails and keep their passwords away from the hands of cybercriminals."
++
Vittorio Bertocci, Principal Architect at Okta
"It’s 2023. Celebrating “World Password Day” honors a 60-year-old technology. Passwords are a bad habit we should help the world break free from, even if we know it will take years to do so. We should take a page from the many holidays that have evolved over time and institute a “World Passwordless Day”, during which we collectively come together as an industry to raise awareness about the dangers of passwords. Together we can help users, developers and administrators alike to learn about what options they have to migrate to passwordless, and how much better their life can be without passwords."
++
Thomas Richards, Principal Security Consultant for Synopsys Software Integrity Group"Humans often default to weaker and shorter passwords because they’re easier and more convenient to create. Without policies to require stronger passwords, we’re setting ourselves up to be exposed to a number of digital threats.
Strong passwords are the foundation of internet security, and must be taken seriously. I recommend that passwords be as long as possible, and include a variety of symbols, numbers, and upper- and lower-case letters. It’s also a good idea to use three- or four-word sentences, which can greatly reduce the chance of a password being cracked. I also recommend always enabling multi-factor authentication on any app or platform that offers it. Multi-factor authentication, coupled with a strong password, can create a strong defense against attackers.
Usernames and passwords have always been at the core of digital authentication, and I don’t see that ending anytime soon.Multi-Factor Authentication (MFA) also adds an additional layer of security to better protect systems and end-users from compromise, but strong passwords are still essential for security.
Password compromises can often be blamed on inadequate software development practices or vulnerable software. Additionally, poor password hygiene can occur when technical controls aren’t effectively and responsibly implemented, such as a requirement for strong and effective passwords.
In today’s digital world, password managers can be an extremely effective tool to manage and secure sensitive login information. Password managers provide secure storage, feedback if a password is considered weak, and can generate complex passwords as needed. All of these aspects can help to reduce the risk of a compromise."
++
Brent Johnson, CISO at Bluefin"NIST no longer recommends frequently changing passwords as this tends to cause users to choose weaker and easier to remember passwords over time. Users should always enable multi-factor authentication (MFA) wherever possible on accounts. Utilize MFA authenticator apps or hardware devices such as YubiKey instead of texting options which are vulnerable to SIM swapping attacks.
While not all experts agree on the use of password managers and centralizing passwords in one place, many — myself included — would argue a strong master password in conjunction with multi-factor authentication enforced is a secure choice for most users. Some experts argue password managers are prime targets for hackers and to avoid putting all your eggs in one basket. However, for most use cases, the pros simply outweigh the cons. The ability to generate strong and unique passwords for every account, coupled with synching passwords to multiple devices and simply not having to remember all of one’s passwords, is a great option. Users also have the option of adopting a hybrid model and keeping their few most important account passwords elsewhere."
++
Anthony Cusimano, Director of Technical Marketing, Object First"As
a victim of identity theft, World Password Day means a lot to me.
Remembering password best practices can be the difference between living
in ignorant bliss and getting into a screaming match with your bank as
you go through an existential crisis trying to prove you are who you say
you are.
Here are some tips I live by every day: Create
complex and unique passwords that are difficult to guess or crack, using
a combination of letters, numbers, and symbols, avoiding commonly used
phrases or personal information. Never use the same password across
multiple accounts. It's also essential to change your passwords
regularly, use two-factor authentication wherever possible, and never
share your passwords with anyone (and if you must share a Netflix
account, doubly ensure it isn’t a password you have used anywhere else).
Following these practices can help make sure your accounts and
information remain secure and protected against many threats you would
rather not deal with."
++
Neil Jones, Director of Cybersecurity Evangelism, Egnyte"On World Password Day, it’s important to remember that despite users’ growing cybersecurity and data protection vigilance, weak passwords, such as 123456, password, and qwerty, are still far too commonplace. This is concerning because easily-guessed passwords can be a treasure trove for cyber-attackers.
The good news is that there are several ways organizations can enhance their password management programs, which include:
- Utilizing Multi-Factor Authentication (MFA).
- Establishing mandatory password rotations and requiring employees to change their passwords and passphrases on a routine basis.
- Re-visiting your company's account lockout requirements to ensure that users' access is immediately disabled after multiple failed login attempts.
For maximum protection, educating your employees about the significance of password safety is critical, especially reminding them that passwords should never be shared with anyone including your closest business colleagues. Finally, family members should never be permitted to access your business devices."
++
Darren Guccione, CEO and Co-Founder, Keeper Security"Along with evaluating personal password hygiene, World Password Day is a fantastic opportunity for IT security teams to consider their password and secrets management policies. This is a pervasive problem, as our 2022 UK Cybersecurity Census report found that nearly a third of organizations allow their employees to create their own passwords and share passwords using insecure means.
We recommend strong, unique passwords or passphrases for each account that are at least 12 characters with upper and lowercase letters, numbers and special characters. To achieve this, it is essential to use a password manager as a first line of defense. This will help employees use high-strength random passwords for every website, application and system. A password manager will drastically reduce the chances of a compromise that can hurt a company’s reputation or brand. To add an additional layer of security, we also recommend enabling MFA, such as an authenticator app, to protect against remote data breaches.
Password managers can also help colleagues securely share passwords and access to accounts. Some common mistakes include sharing passwords through unencrypted emails or messages, storing passwords in a spreadsheet or text file and making the passwords less complex so they are easier for multiple people to remember. Another key advantage of a password manager is that it makes it easier for teams to protect their shared accounts with MFA."
++
Mandy Andress, CISO,
Elastic
"While 'World Password Day' serves as a good reminder for
organizations and individuals to continuously evaluate their password security,
we should aim to one day celebrate 'World Passwordless Day." Improving
basic security hygiene is crucial to better security outcomes, but the reality
is that passwords do not adequately protect against today's increasingly
sophisticated cyberthreats. And while multi-factor authentication (MFA) remains
a strong tool in an organization's security arsenal, it has also been increasingly
by-passed as we've recently seen with several high-profile attacks at companies
like Uber, Microsoft and CircleCI.
One approach organizations can take is to use biometric or
physical token MFA. They should also consider asking their external vendors to
provide more robust authentication integrations. Incorporating these changes
helps us ensure that certain attacks are less likely to succeed as we work
towards expanding 'passwordless' security."
++
George Gerchow, CSO and SVP of IT, Sumo Logic
"Password managers are regularly used to keep vital work and personal data and information secure in one location. However, password managers are now hacked all the time. They leak credentials in clear text and fail to clear out master passwords. Both these vulnerabilities have been exploited several times. The risk is significant as once a password manager is compromised, bad actors gain access to all end-user credentials stored in the master repository.
The world doesn’t need to say goodbye to password managers altogether. Users need to take extra steps to improve access controls and logging to help avoid situations like the LastPass breach where a single compromised account leads to a major security incident.
To make password managers more secure, organizations must leverage single sign-on (SSO), more resilient forms of multi-factor authentication (MFA) and change the master password regularly to help reduce risk. Passphrases and biometrics are both great alternatives to password managers as both are more difficult to crack and have proven to improve account security for all accounts. No solution is 100% perfect but staying ahead of the latest threat vectors will help organizations prioritize password safety."
++
Alex Rodriguez, Information Security Analyst, MorganFranklin Consulting
"As a cybersecurity analyst, I understand the importance of protecting our personal information in today's digital age. One of the most crucial steps we can take towards better cybersecurity hygiene is developing strong password habits. However, with the increasing number of online accounts we use, it can be challenging to create and maintain unique and complex passwords for each one.
10 Key Strategies for Better Password Security:
- Create Strong Passwords: Strong passwords are harder for attackers to crack using brute-force or dictionary attacks. For example, a password like "P@$$w0rd123!" uses a combination of uppercase and lowercase letters, numbers, and special characters, making it more difficult to guess or crack than a simple word or phrase. Aim for password length of at least 12 characters.
- Avoid Predictable Patterns: Using easily guessable information such as "password123" or your pet's name makes it easier for attackers to target you. Instead, opt for random phrases like "JellyFishBicycle93" or a combination of unrelated words, such as "AstronautPineappleFestival." You can even use a whole sentence as a password as well, “_WhereDidMyCarKeysGo?ICantFindThemAgain!349888_.”
- Use Unique Passwords for Different Accounts: Reusing the same password means that if one account is breached, others are at risk too. By using unique passwords, you limit the potential damage from a single breach. Your email password should be different from your online banking password.
- Employ a Password Manager: Password managers generate, store, and autofill complex passwords, so you don't need to remember them. This makes it easier to maintain unique and strong passwords for each account. Online password managers store your passwords on a remote server, allowing you to access them from any device with an internet connection. Offline password managers store your passwords locally on your device and require you to manually transfer them to other devices.
- Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring a secondary verification method, such as a code sent to your mobile device or an authentication app like Google Authenticator. This makes it more difficult for attackers to access your accounts, even if they obtain your password.
- Be Cautious with Security Questions: Attackers can use publicly available information (that is easily accessible) to guess security question answers. To mitigate this risk, choose questions that are not easily guessable or searchable. Treat answers like additional passwords by using unique, non-obvious responses. For example, instead of using your actual mother's maiden name, you could use a random word or phrase like "BreakfastBuscuits."
- Public Wi-Fi Caution: When using public Wi-Fi networks, avoid logging into sensitive accounts or conducting financial transactions. If you must use public Wi-Fi, consider using a VPN to encrypt your data and protect your information from potential eavesdroppers.
- Device and Software Updates: Enable automatic updates on your devices and applications, or regularly check for available updates manually. Updating software helps patch known vulnerabilities and provides better protection against potential threats.
- Using a VPN: Download and install a reputable VPN service on your devices. VPNs help protect your data by creating a secure, encrypted connection between your device and the internet. This is particularly useful when using public Wi-Fi or accessing sensitive information from an untrusted network.
- Cybersecurity Education: Stay informed by following reputable cybersecurity news sources, blogs, or podcasts. Sign up for newsletters or join online communities to learn about emerging threats and best practices for protecting yourself online. Familiarize yourself with common phishing techniques, so you can recognize and avoid potential scams."
++
Tyler Moffitt, Sr.
Security Analyst & Community Manager, OpenText Cybersecurity
"The spate of recent password
manager breaches have likely left many companies and consumers feeling overwhelmed.
Passwords aren't perfect. While they may still exist to some extent in the next
five to ten years, alternative authentication methods, such as biometrics
(e.g., fingerprint or facial recognition), hardware tokens, and behavioral
analytics, are becoming more common and may eventually supplement or replace
passwords altogether.
In the meantime, it's crucial that
we remain vigilant and proactive in securing digital footprints. A robust
password manager, combined with multi-factor authentication and ongoing
cybersecurity education, can significantly reduce the risk of account
compromise and other online threats. This World Password Day, it's important
for all to reflect on their digital security and to consider the varying cyber
resilient solutions available to better enhance digital security.
Improving Password Behavior:
"To better bolster password
effectiveness, passwords should be updated regularly. Many people use the same
passwords for an extended period, which increases the risk of exposure or hacking,
or short, simple passwords. To check the strength of their passwords, users can
input their passwords into this site to see if it is already known and guessed
first in hacks: https://haveibeenpwned.com/.
It is very common for people to
reuse the same passwords across multiple accounts. This practice increases
vulnerability because if one account is compromised, all accounts with the same
password are at risk.
Another very common mistake people
make is solely relying on passwords. Using multi-factor authentication (MFA)
adds an additional layer of security by requiring something other than a
password, such as a fingerprint or a code sent via text message. SMS texts are
the least secure MFA method but are better than nothing."
Password Best Practices
Here are recommended best practices
people should abide by to maximize their online security:
-
Use strong,
unique passwords: Create long passwords that include a mix of upper and
lowercase letters, numbers, and special characters. Remember - Length is
Strength! Using spaces will help with length and you can use favorite lyrics or
lines in music and movies for ease in remembering.
-
Use a password manager: A password manager can
help generate and store strong, unique passwords for each of your accounts.
-
Update passwords regularly: Change your
passwords periodically, especially for sensitive accounts like email or online
banking.
-
Enable multi-factor authentication: When
available, use MFA to add an extra layer of protection.
-
Be cautious with password recovery questions:
Choose questions with answers that are difficult to guess or use false answers
that only you know.
-
Keep passwords confidential: Never send
passwords through email or text messages."
++
"Our industry has been talking about the vulnerability of weak passwords for years, yet data breaches are still a major concern, and organizations underestimate the risks associated with relying on passwords to protect valuable information. Closely monitoring password activity is critical to ensuring that attackers haven’t slipped through a company’s security. For example, if an employee gets locked out of the system and does not request help from their IT team, that person’s credentials are now at risk.
Abolishing weak passwords by going passwordless significantly helps enterprises reduce risk and stop threats at scale. As identity theft and breaches reach unprecedented levels, organizations need to take advantage of technology that strengthens security. This includes the adoption of passwordless solutions that incorporate things like biometrics, authenticator apps, tokens, and certificates, as well as AI-based access management. As we reflect on World Password Day, it’s clear that unless we eliminate passwords altogether, we will continue to live in a lose-lose situation where online experiences will remain frustrating for users and attackers continue to keep stealing our information."
++
"While World Password Day began as a reminder to strengthen passwords, it’s critical to recognize that passwords have since become a core part of our digital identities and the key to determining known and unknown users online. Every time you type in your password online, you share part of your digital identity, opening up opportunities for your sensitive data to be compromised. With a strong and secure password, you can help reduce the likelihood of breaches – but as Web3 adoption nears and cyber attacks rise, this is no longer enough.
Web3 will usher in a new online world where consumers interact with businesses in different ways, creating new security threats. To prepare for this, we must ensure that people are who they say they are and are not bad actors performing advanced identity fraud, such as deepfake attacks. The key to securing and protecting our online identities amidst Web3 is continuous identity verification throughout every digital interaction or transaction. While solutions like MFA, biometrics, and token-based authentication have emerged, they are not continuous or woven throughout the entire transaction lifecycle, putting identities at risk.
This World Password Day serves as an important reminder about the deep correlation between passwords and identity. With so much sensitive data and high-value transactions now conducted online, upholding the integrity of your digital identity should be a top priority – and this starts with password protection."
++
Jenn Markey, VP Product Marketing, Payments & Identity, Entrust
"According to a
recent survey, 6% of global consumers believe passwords are the most secure method of online authentication, and over half need to reset passwords once a month or more because they forget them. It’s no surprise that passwords are becoming obsolete - they are no longer the most secure option, hard to remember and easy to steal.
Too many organizations either still rely on a single-factor authenticator like the password or enable relatively weak multi-factor authentication (MFA) with an over-reliance on one-time passcodes. The future is digital − consumers are increasingly seeking new, digital verification methods that allow them to securely share their identity credentials seamlessly and quickly. This is the promise of decentralized identity, which, if realized, would enable consumers to only share the identity information they want, when they want to. Decentralized identity would remove reliance on centralized third parties, and on passwords, allowing consumers to retain control of their key identity credentials themselves, creating an easier and more secure approach to daily verification that can be used across industries for travel, online transactions and more.
In the next two years, decentralized identity will become even more prominent in our everyday lives – and enterprises need to get their infrastructures ready to make that change today. Ultimately, as digital adoption goes up, friction goes down and we are able to give consumers the control and convenience they desire without the need for a password."
++
Fayon Atkinson, Risk + Response Manager, Corvus Insurance "With World Password Day approaching, it’s important to call attention to how critical it is for organizations to have the proper authentication controls in place to protect against threat actors stealing user credentials and logging directly into their systems to initiate a cyber-attack. Here are a few things users can do today to ensure they’re sufficiently protected:
1. Implement Multi-Factor Authentication (MFA): This comprehensive approach adds an extra layer of security and protects against unauthorized access, data breaches and password-based cyber-attacks.
2. Use complex passwords: Complex passwords make it more difficult for threat actors to guess. This includes making them longer, using special characters, and using uncommon passphrases
3. Use a password manager: Leveraging a password manager helps users create, manage and store passwords. It can be very convenient and it serves as a way for users to implement all the practices mentioned above in one application.
4. Use a unique master password for your password manager: This password should be unique to you and should not be reused for other systems or apps. If a breach occurs, an attacker could use that master password to hack into your network and steal sensitive information.
5. Securely store keys: In order to regain access to your password vault if you forget your master password, you will need a secret key. Ensure that you are securely storing your secret key as well as a recovery key that you get when you set up your online password vault.
Every industry needs to take a step forward and commit to implementing the appropriate precautions to keep users and organizations safe and secure by protecting their passwords. Without that commitment, organizations will continue to give hackers the upper hand. However, as we know, adversaries' tactics continue to grow and evolve, so ongoing monitoring and re-assessment of your organization's security posture is crucial."
++
"As organizations continue to grow, populating networks and systems with an increasing amount of users, repetitive passwords have increased dramatically. This ultimately heightens the risk of systems being infiltrated and sensitive data being exposed. Because it can be costly and unfamiliar to switch to potential security alternatives, organizations tend to stick to their typical password protection measures, thus promoting password reuse. However, there is a high pay-off to taking proactive steps now, in ensuring that passwords are secure before it is too late. Multi-factor authentication with a physical device/token is a simple and highly effective step that an organization should consider utilizing. Reducing the problems that often come with password authentication and authorization and eliminating the need to memorize or keep track of passwords, this security measure makes it easy for the user, while also keeping data highly protected. Providing a password manager can also be considered, providing users with complex, unique passwords for each system. This would also avoid the need to remember or write down passwords, as they would be stored securely in the password manager."
++
"Stolen credentials are involved in many cyberattacks. Estimates from researchers are as high as 80%. These credentials may be stolen by the attacker themselves, or bought on the dark web. Cybersecurity measures such as multi-factor authentication, FIDO2/passwordless authentication, automated credential rotation, and more have made it harder for attackers, but, for every defensive method, attackers develop new tactics, techniques, and procedures (TTPs) to continue their campaigns of theft and destruction. MFA-fatigue attacks are the latest craze, but they won’t be the last identity and credential focused attack tactic.
This World Password Day, organizations need to remember the importance of defense-in-depth and recognize that it starts with secure identity and access management as the first step. There have been great advancements in the field of IAM, including multi-factor authentication (MFA) and passwordless login, but these are only part of the picture for an identity-first defense in depth strategy. By controlling, at a granular level, the access that each individual has, you limit the damage that can be done even if one of those credentials are compromised."
++
Janer Gorohhov, CPO & Co-Founder, Veriff
"Securing one’s digital identity is key to maintaining trust throughout one’s online experience – but when the average user is forced to juggle dozens of online accounts, each with their own password, some inevitably slip through the cracks and open up vulnerabilities to fraudsters and threat actors. This becomes particularly worrying in the context of employee offboarding. In fact,
nearly half of all former employees admit to still have working passwords from their previous employers, indicating a massive – and too-often overlooked – hole in many businesses’ security plans. All it takes is a single compromised password to allow a threat actor to slip through undetected, masquerading as a legitimate user who’s long forgotten about their valid credentials.
Alternative identity verification options, like facial recognition and document scans, are employed worldwide across every sector – from onboarding new hires, social media users and gamers to verifying a customer’s age for restricted purchases. Customers are
already on board with alternative authentication methods; it’s up to businesses to make proper use of them. But as useful as these solutions can be for user and employee adoption, many employers neglect to stray from usernames and passwords, leaving errant digital identities of people who have long forgotten to maintain them open to attack – and by extension, leaving entire companies vulnerable by way of someone who’s no longer working for the company. It’s time for businesses to rethink their security standards and consider adding an extra layer of security to the typical username and password to keep access to their data in the correct hands."
++
Danny de Vreeze, Vice President, Identity and Access Management, Thales"The average consumer has hundreds of passwords, and despite continued warnings, these passwords are consistently reused, weak and easily hackable. Stolen credentials are one of the leading entry points for cyberattacks, and 37% of respondents to the 2023 Thales Global Data Threat Report (DTR) reported experiencing a breach in the past 12 months, many of which have led to time and money lost for enterprises and individuals alike.
The good news is that we’re seeing improvements across the board on awareness of these risks — and solutions to mitigate them. We’re seeing a renewed focus on staff training, strong authentication implementation and changing security policies around access management, all designed to reduce human error and improve weak password practices. In fact, 28% of respondents to the DTR believed that identity and access management (IAM) was the best defense against security risks. As we look to shift towards more secure authentication, these are the critical stepping stones to ensuring weak passwords are a threat of the past."
++
"Traditional passwords were a quintessential step in developing the different methods we use to access our accounts today. World Password Day serves as a reminder to organizations that although passwords were reliable in the past, it is time to bolster security solutions with more secure and robust authentication methods, like biometric authentication, to ensure that the user accessing an account is the authorized user. For example, Netflix’s seemingly controversial new password sharing policy is a best practice that all organizations should follow. Most organizations and consumers do not realize the risk that comes with sharing passwords. If a user shares their password and the person they shared their password with falls victim to a cyberattack, that password is now compromised and can lead to the cybercriminal potentially accessing their data or their company’s data. This inadvertently causes costly data breaches and damages consumer trust.
For consumers, sharing a password may seem like a harmless way to help friends or family save money, but the best practice when it comes to passwords is to never share them. Consumers fail to realize that although they trust these individuals with their passwords, cybercriminals may gain access to their devices along with usernames and passwords that could lead to identity theft, financial fraud and phishing attacks. Today’s acknowledgement of World Password Day highlights to consumers and organizations alike the need to implement newer, more secure methods of authentication to safeguard their data."
++
Ricardo Amper, CEO and Founder of Incode Technologies"This isn't a reminder to change your password - this is a call to dramatically revolutionize everyone's day-to-day lives.
Machine Learning, quantum computers, fingerprint biomarkers - we're living in the future, and the next generation of passwords is finally at our disposal. AI is mature enough for us to skip past band-aid fixes and leapfrog to the end all be all: biometrics. With your unique identity markers, yesterday's hard-to-remember framework can be fully transformed - say goodbye to the 85 different passwords supplemented by tokens and MFA codes accessed via app or SMS for full control over who accesses your account. It's no longer a matter of time before your account is hacked: your face is the best defense against cybercriminals' man-in-the-middle or phishing attempts, since it's entirely unique to your own identity. We can bypass the easily broken, friction-filled system to create lasting Trust between people and the organizations that serve them.
On this World Password Day, we echo last year's call for biometrics as the future of passwords and challenge organizations to rethink the way they serve people. Supplementing biometrics with AI creates a more secure, accurate, and seamless means of verifying someone's identity instead of or alongside passwords. This unprecedented turning point is an opportunity to reimagine everything from lines at the DMV to how we connect with each other online.
We have the ability to eliminate friction but, most importantly, create global equity and social and economic mobility through self-sovereign identities."
++
Patrick Harr, CEO, SlashNext "Every May, we recognize World Password Day as an international effort to empower individuals and businesses to keep their data safe and enable better password habits. Passwords have been basic cyber hygiene for decades But, sadly, they are no longer enough to keep our personal and corporate information safe amid today’s rising attacks. If you don’t use strong passwords or if you are constantly using the same ones across all your devices, you’re putting your data and devices at risk. Proper password hygiene is of course critical, but even following password best practices to the letter can’t prevent hackers from obtaining access to accounts and systems.
According to SlashNext’s The
State of Phishing Report 2022, 76% of the attacks found in 2022 were credential harvesting, which is still the number one cause of breaches, as demonstrated in the high-profile breaches in 2021 and again in 2022 with Twilio, Cisco, and Uber, all starting with credential theft.
Additionally, given the rise of new AI tools like ChatGPT, hacking passwords has become easier than ever. According to a study by Home Security Heroes, almost 51% of all common passwords can be cracked easily in less than a minute by AI. Apart from this, 65% of the common passwords were cracked by the AI in less than an hour, whereas 81% of the passwords took less than a month.
In this case, using security tools with AI technology is important to stop these AI-based attacks that are aiming to steal your credentials. You have to fight AI with AI.
It’s also common knowledge (although often ignored) that you should never use the same password for different accounts, since hackers who obtain a legitimate password will try it across different systems in hopes of gaining access to more critical data. You should also change passwords routinely to limit the amount of time a hacker can spend in accounts in the case it was compromised.
Overall, World Password Day reminds us how important it is to make cyber hygiene a top priority, especially in this new hybrid work environment which has made employees more vulnerable to attacks."
++
"The time for protecting data solely with passwords has come and gone. Today’s rapidly accelerating business environment necessitates strong multi-factor or passwordless authentication and a transition to new adaptive and autonomous approaches to access. Adaptive access allows an organization to reduce the risk of breaches by granting just the right access at the right time for the right duration. Autonomous access frees an organization from the expense of today’s largely manual approaches to managing access and allows them to accelerate with the pace of business, confident that data is protected."
++
Chris Vaughan, AVP Technical Account Management, Tanium"Passwords have been one of the basic building blocks of cyber hygiene for decades. The fact is, however, that they are no longer a sufficient security method in the face of increasingly sophisticated attacks. Last year, hackers launched an average of
50 million attacks on passwords per day, or about 580 per second. It is therefore hardly surprising that about
60 percent of data breaches are due to compromised login data.
It has long been known that the classic password is no longer sufficient and is no longer sustainable on its own. The big technology companies like Microsoft, Google and Apple are already in the process of saying goodbye to passwords altogether and using high-tech solutions like biometric logins and facial recognition software. But it will not be possible to implement this change so quickly across the board - so passwords will probably remain with us for a while yet. And with the average cost of a data breach estimated at $4.2 million, we must continue to use them to maintain a minimum level of security.
But there are ways to additionally secure the use of the classic password. The German Federal Office for Information Security (BSI) recommends choosing a
secure password that meets certain quality requirements. In addition, these passwords should be managed with a password manager and secured by multifactor authentication (MFA). This best practice has become commonplace for employees, consumers and businesses alike. MFA effectively protects against credential stuffing, where hackers misappropriate stolen passwords for attacks. While this is a good first step, it is necessary but not sufficient to ensure complete security. In honor of World Password Day, it is therefore advisable to change passwords and put traditional cyber hygiene habits to the test."
++
Michelle Stark, sales and marketing director at Fasthosts "There are constant reminders on every platform with account creation that you should use a password unique to that specific site, complete with advice on which complex chain of numbers, letters and special characters you should use. Password managers have become an increasingly popular way to keep track of these many different codes, and while we expected to see growth in searches in recent years, the speed and scale of the growth has been staggering.
“It’s not like any of these services have only just started either, and while searches for them have been steadily increasing year on year, the impact of the various lockdowns beginning in 2020 is clear, as it’s from this point on that we see this explosion in rapid growth. The amount of new accounts being created for both personal and business use, from video call services to online gaming providers, meant all of a sudden people had a bunch of new passwords to remember, and very unique ones at that if they wanted to keep themselves secure.
“It makes sense why people would flock to password management and generation services to not just create a new, strong password, but also keep track to prevent countless wrong password attempts and reset emails later down the line. With more of our data and details being online thanks to this shift too, it’s a safe assumption to make that people were taking their digital safety far more seriously and therefore creating more elaborate passwords that were unique to specific accounts and services. After all, if you were using the same password for everything, you wouldn’t need a manager to keep them all together."
++
Mike Puglia, chief strategy officer and general manager of security products, Kaseya"Passwords are extremely important – so it’s critical to make sure you have a strong one that is unique per system or application – but at the end of the day, passwords are only one of many tools designed to keep your information safe. Today, passwords alone are no longer sufficient. Everyone needs to be using Multi-Factor Authentication (MFA) to protect accounts from any bad actors that may get access to your password. This adds an additional layer of protection for accounts by requiring your password and another factor such as a one time code or push notification to your phone.
And, equally as important, don’t ignore the notice to update or patch your systems. These updates may not seem significant, but they typically include security fixes that cybercriminals would try to exploit to access your systems - bypassing your passwords completely."
++
Jason Lohrey, CEO of Arcitecta"The days of using simple, easy-to-remember passwords are over. World Password Day is focused on adding strong authentication to your passwords to prevent identity theft. Multifactor authentication has become the de-facto standard for protecting people’s data using a password and incorporating things like push notifications that send a code to your smartphone and must be entered to access the application.
This layered approach to securing data and applications is important, but it is not enough. Workflow-based multifactor authentication needs to be part of our first line of defense. Storage and data protection systems need to have multifactor protections within their workflows, so if someone wants to access, delete, or modify critical data, they will be authenticated with an additional factor. These permissions can be elevated and lowered depending on the sensitivity of the information. This approach will strengthen an organization’s first lines of defense and protect valuable data from being compromised."
++
Carla Roncato, Vice President of Identity, WatchGuard Technologies"World Password Day falls on May the 4th this year; or “May the 4th Be With You!” for those who also recognize this date as the annual celebration of Star Wars Day. For the 2023 observance of the latter, fans around the world (including myself) will rejoice as Carrie Fisher (aka “Princess Leia”) is honored with a posthumous star on the Hollywood Walk of Fame. And while the light of this dedication cannot be diminished, the day of the calendar week that these two annual holidays share for 2023 also illuminates a darker connection – one that, too, warrants our attention as cybersecurity professionals and practitioners. So, what do Star Wars and passwords have in common to that end? If R2-D2 isn’t available, you can simply ask ChatGPT, which will tell you that hundreds of thousands of people continue to use Star Wars references as part of their passwords today (e.g., Yoda, Chewbacca, Han Solo, Darth Vader, Boba Fett, ewok, and so on).
Year after year, studies like the annual Verizon Data Breach Investigations Report consistently rank the human element as one of the top factors driving breaches – with 82% of breaches involving the human element, according to the latest findings for this year alone. Whether it’s the use of stolen credentials, phishing, misuse, or simply an error, people (and their passwords) continue to play a very large role in incidents and breaches alike. But as much as many of us would like to go ahead and ditch passwords altogether, they aren’t going to become a thing of the past anytime in the foreseeable future. Even with companies like Microsoft, Apple, and Google announcing support for password-less authentication solutions, it will take many more years for applications, services, and systems to adopt and modernize to the new protocols. For this reason, on this World Password Day, we should all pause and think about how we can adopt better password hygiene, do away with outmoded password management practices, and leverage modern authentication technologies to keep our accounts and identity information safer online.
First, it’s time to do away with easy, often reused passwords. (Seriously, we mean it this time.) Strong passwords (at least 16 random characters) or long passphrases are better, and they should be unique for every login. While that might sound onerous, it leads to my second recommendation: start using a password manager. Password managers make it much easier to auto-generate and securely vault complex passwords. Plus, with a password manager, there is only one password you’ll have to remember: the master password for your vault. Third, and perhaps most importantly, use multi-factor authentication (MFA) wherever possible. Right now, MFA is the best way to slow down an attacker. By combining multiple factors of authentication, like something you are (biometric fingerprint or facial scans), something you have (such as a hardware key or mobile phone) and something you know (like a password), even if an attacker gains access to a password with one technique such as email phishing, they’ll have to employ a second technique to be able to take over the account. No authentication system is completely resistant to the tools and techniques that a highly motivated attacker has at their disposal, but MFA is a significant deterrent to a single, guessable, or compromised password.
Hopefully someday–in our galaxy, in the not-too-distant future–we can look back in wonder (and maybe even a little confusion) at how we’d ever commemorated a World Password Day at all... Until then, May the Force and the 4th Be With You in 2023."
##