- World Password Day is celebrated on the first Thursday of May each year to raise awareness about the importance of password security, the most prominent threats, and best practices for users to follow.
- This year, Spiceworks got in touch with technology leaders worldwide to discuss the impact of poor password habits and potential solutions for better personal and organizational security.
Passwords have become a key aspect for almost all activity being conducted online. Computer users, especially professionals, have to use multiple passwords on a daily basis. However, creating and managing numerous complex passwords is a challenge that can be often overlooked.
However, the ramifications of poor password habits can include data theft and even complete account takeovers. Let’s take a look at some of the key threats and best practices essential for individuals and organizations.
1. Alina Bizga, Commercial Support Representative and Partner Support Specialist, Bitdefender
“Passwords are like keys that unlock our digital lives and open the doors to tremendous amounts of personal data. These keys are highly valuable in the hands of a criminal, who can use them to inflict tremendous financial, reputational, and even physical harm.
Here’s the really bad news, though: billions of compromised, leaked or decrypted passwords are already circulating freely around the internet. And each compromised password could threaten someone’s safety and privacy.
Every day we read of new data breaches, hacks and credential-stuffing attacks that drain users’ accounts of money and sensitive info — and compromised passwords are where it all begins.
There’s no room for an “I’ll do it tomorrow” attitude when it comes to the security of our digital assets. A proper cyber hygiene regime fostered by good password management and small additional safety measures such as enabling 2FA or MFA can spell the difference between target and victim.
Here are three essential tips you should consider when setting up a new password or changing an existing unsecured one:
- The more complex, the better: keep passwords unique for every online account and use a passphrase with a combination of letters, numbers, and symbols (at least 16 characters long).
- Never use your name, birthday, pet name, phone number, hometown, or other identifiers in your password.
- Don’t use consecutive letters or numbers in your password.
It’s best to nurture a vigilant stance toward phishing and other social engineering schemes meant to steal personal data and credentials and immediately change any compromised, leaked, exposed, shared or reused passwords to prevent further damage.
For even more peace of mind, you can add a password management tool to help you generate and secure your online accounts with the convenience of auto-fils, cross-platform synchronization, and even protection against phishing attacks.”
See More: What Is Data Exfiltration and How To Prevent It
2. Don Boxley, CEO and Co-founder, DH2i
“World Password Day is a day to acknowledge the pivotal role passwords play in our digital lives. It is also a day that reminds us how prevalent cybercrime has become. While creating and regularly changing strong and unique passwords is critical, passwords must be considered a first line and not the only line of defense.
Historically, VPNs were considered a reliable line of defense against cyber threats. But their popularity is rapidly declining due to their limitations in terms of security, slow connection speeds, bandwidth constraints, configuration and management complexity, and high cost.
On the other hand, software-defined perimeters (SDP) are gaining popularity as a safer and more efficient alternative. Advanced implementations of SDP allow users to establish direct connections with application-level zero trust network access (ZTNA) tunnels, eliminating the involvement of third-party vendors in the data stream.
With SDP, users have direct access to the data endpoints they need without any intermediaries. Compared to VPNs, only SDP can prevent lateral network attacks, enhance data transfer rates by up to 3x, and offer complete control over the data stream.
The bottom line is that bullet-proof passwords combined with SDP provide unparalleled security to eliminate cyber threats. Passwords act as the first line of defense, while SDP’s advanced security features ensure only authorized users access the network and data endpoints, reducing the risk of cyberattacks, data breaches, and lateral network attacks on World Password Day and all year round.”
3. Steve Santamaria, CEO, Folio Photonics
“Cybercrime is a growing threat to individuals and businesses alike. Hackers are constantly looking for ways to exploit weaknesses in our digital security, steal our personal and sensitive information, and hold it for ransom.
One of the most common ways cybercriminals gain access to our accounts and information is through weak or easily guessable passwords. World Password Day serves as a reminder that using strong and unique passwords is critical to protecting our digital presence. But it’s not enough. Hackers are becoming more sophisticated in their tactics, and relying solely on passwords for protection is like leaving your front door unlocked in a high-crime area.
To truly safeguard our digital assets, we need to employ multiple layers of data protection. This includes things like two-factor authentication, encryption, and regular system updates. But even those measures may not be enough. That’s why having a secure, tamper-free data archive that uses WORM media is so important. It can safeguard your assets while helping you recover from a ransomware attack or other data loss event, subsequently reducing the impact that this disaster has on your business operations.
But to truly take your cybersecurity to the next level, you may need to consider air-gapping your data archive. Air-gapping your data means physically disconnecting it from the internet or any network connection, making it virtually impossible for cybercriminals to access it.
When an air gap is combined with WORM media, it becomes the ultimate protection and should sit at the base of any cyber-resilient infrastructure. While this has often been used in the most sensitive, highest security environments, it is becoming increasingly commonplace to see other organizations deploying it as well.”
4. Rob Price, Director, Field Security Office, Snow Software
“World Password Day focuses the mind of many an IT professional on reviewing existing policies and plans for the future. Good practice and discipline are essential for maintaining password safety and embracing technologies that utilize physical characteristics for authentication – biometrics – as an additional stopgap.
Both passwords and biometrics have their advantages and disadvantages. Passwords are easy to set up and use and can be changed frequently to enhance security. However, they are more easily compromised if they are easy to guess or share with others. Biometrics, while more difficult to compromise, can be expensive to set up and maintain, and there are concerns about privacy and the collection and storage of personal data.
We use biometrics more and more throughout everyday life without noticing the handoff of the security check. Being conscious of the layers of security in your digital life will set you up for security success: Biometric passwords for devices you trust to act as your security broker, password keepers (sometimes with biometric logins) and multi-factor authentication.
A current challenge is a hand-off between devices while maintaining security; password keepers and even biometrics will eventually become seamless to maintain a higher level of security.
AI brings an additional layer of concern around security, as it can brute force not just passwords but email addresses as well. Email addresses are much more secure than passwords – there have been estimates that it is 36 times easier to guess a password than an email address due to the number of permutations in existence. Using resources like haveibeenpwned.com to check for security breaches and data loss is a great personal exercise.
Ultimately, the choice between passwords and biometrics depends on the level of security needed and resources available.”
5. Jasson Casey, CTO, Beyond Identity
“Successful cyberattacks are often described as complex, but the truth is that they are almost always unsophisticated. Passwords have long been a primary target for threat actors and represent the weakest link in an organization’s security chain.
For over a decade, the Verizon Data Breach Investigations Report and, more recently, the Crowdstrike Global Threat Report made it apparent that adversaries use compromised credentials as the initial attack vector in more than 75% of all attacks.
Passwords can be guessed or obtained through social engineering tactics or easily stolen while unencrypted. The fact is, there is no such thing as a “strong” password. This is only important if the adversary has to unencrypt passwords.
However, malware is more than happy to steal a 4- or 4,000-character password in the clear, regardless of whether it contains numbers and special characters. Add the painstaking burden for employees of regularly changing (and remembering) passwords, and it’s astounding so many organizations still rely on this antiquated and completely insecure authentication method.
Passwordless, phishing-resistant multi-factor authentication significantly reduces risks that come with passwords, making it virtually impossible for attackers to gain access through traditional methods. Organizations don’t have to compromise their security or convenience.
Today they can switch to a modern, secure, phishing-resistant MFA that leverages the combination of biometrics and passkeys based on the Fast Identity Online (FIDO) standards. Each year, we ‘celebrate’ World Password Day, and then cybercriminals continue to exploit password-based authentication. Only by adopting passwordless, phishing-resistant MFA technologies can organizations make it much more difficult for adversaries.
Ask yourself this: Why would you not start the journey to a passwordless future and shut the proverbial front door adversaries use in the vast majority of attacks? So think of today as ‘World Password-less Day’ and begin removing the single largest vulnerability facing your organization.”
6. Astrid Gobardhan, Group Data Protection Officer, VFS Global
“A recent survey on password psychology, conducted by LastPass, found a wide disconnect in how people interpret safe and unsafe behavior concerning their online security. They found that while an overwhelming majority of those surveyed know that using the same password across multiple accounts is a security risk, only 1 in 10 (12%) routinely update their credentials or, at the very least, use different passwords across their logins.
The survey also found that this behavior is cross-generational – and that there is little to separate those growing up during the digital age (Gen Z) from late adopters (Millennials) in terms of password hygiene.
This suggests there is still a long way to go in improving security behaviors and mitigating risks when we’re online. However, in the main, this doesn’t need to be complex or disruptive to our experience.
Here are a few simple and easy-to-introduce suggestions that can help keep you and your information safe when you’re online:
Use a strong password. Ultimately, “it’s stronger when it’s longer” on the subject of passwords. And one of the best ways to keep your personal information and data safe when you’re online is to ensure your password comprises letters and numbers and is at least eight digits and characters in length.
Perform password updates. While this may seem like a daunting task to perform, routine password updates can be made easier by using the same basic pattern and adding different combinations. This can make your credentials, in lieu of a password manager, easier to remember and will also guard your information against third-party data breaches.
View multi-factor authentication as your own personal firewall. This is now, increasingly, a feature that is used by many companies, including VFS Global. This function can also be used at a day-to-day level by ‘opting in’ to two-stage authentications across personal items, including your email account and on mobile applications, which prompt you for logins or biometrics when they launch.
Consider using a password manager: many users will already have a password manager built into their web browser or phone, which is a good starting point. However, it might also be worth considering using a standalone program, which isn’t tied exclusively to a single browser or device, so you can have a more convenient digital experience.
New threats will continue emerging as we move into an increasingly digital world. However, by using World Password Day and other notable annual reminders as an opportunity to re-evaluate our safety when we’re online, we will be better placed to thwart attacks from those who may want to access our online information and digital devices.”
7. Neil Jones, Director of Cybersecurity Evangelism, Egnyte
“On World Password Day, it’s important to remember that despite growing cybersecurity and data protection vigilance, weak passwords, such as 123456, password, and qwerty, are still far too commonplace. This is concerning because easily-guessed passwords can be a treasure trove for cyber-attackers.
The good news is that there are several ways organizations can enhance their password management programs, which include:
- Utilizing multi-factor authentication (MFA).
- Establishing mandatory password rotations and requiring employees to change passwords and passphrases routinely.
- Re-visiting your company’s account lockout requirements to ensure that users’ access is immediately disabled after multiple failed login attempts.
For maximum protection, educating your employees about the significance of password safety is critical, especially reminding them that passwords should never be shared with anyone, including your closest business colleagues. Finally, family members should never be permitted to access your business devices.”
8. Didi Dotan, CTO, Oort
“Passwords alone are inadequate because they can be easily guessed or stolen. As an industry, we’ve adopted MFA to add another layer on top of passwords to make it more difficult for attackers. But not all second factors are equal, and attackers are bypassing the weaker methods like SMS and email. According to Oort’s State of Identity Security Report, more than 40% of workers have no strong form of MFA.
In a bid to overcome widespread password exposure and weaknesses in MFA, we’re seeing more and more organizations adopting passwordless solutions. But progress is too slow; less than 2% of workers use these phishing-resistant forms of authentication. We’ve made progress, but there’s plenty more to do.
If we get to 100% passwordless, there will still be opportunities for attackers. They will likely shift from targeting the technology to the registration and reset processes targeting the weakest link — humans.”
9. Todd Caroll, Chief Information Security Officer and SVP of Cyber Operations, CybelAngel
“Scanning for emails associated with CybelAngel’s clients in 2022, we found 50% of them came with an unhashed password. We also see that many of the exposed emails in different breaches either share the same password or a close variation of another exposed password. Although the National Institute of Standards and Technology (NIST) password guidelines released in 2022 indicated that password rotation and forced changes are not necessary practices, the data and behavior suggest otherwise.
Passwords as part of a stolen or leaked credential have been and always will be a monetized commodity on the dark web and other forums. What we need to do is make sure we are using different passwords so they may not be tested against other known accounts (social media, banking, etc.). Passwords are part of our lives and not going away. Complex passwords, not reused, combined with MFA, can slow down an attacker.”
10. Jeremy Ventura, Director, Security Strategy and Field CISO, ThreatX
“Credential stuffing has become one of the most common and significant threats facing organizations today. Brute force attacks are still one of the go-to methods for attackers to infiltrate corporate networks.
Having strong and complex passwords is essential to protect yourself and your organization from cybercriminals. When someone gains unauthorized access to an account, sensitive and PII data can potentially be left open for bad actors to use and/or sell online. And for organizations, unauthorized account access allows cybercriminals to infiltrate internal servers while potentially compromising a network.
The aftermath is brand reputational damage, including credibility and revenue flow. This is why instituting secure, strong passwords from the lowest level to the C-suite is paramount to ensure protection in today’s digital world.”
11. Ian Leysen, CEO, CSO, and Co-founder, Datadobi
“World Password Day serves as an important reminder to individuals and businesses alike about the critical importance of password security in protecting sensitive data. World Password Day is also a reminder that as the frequency of data breaches and cyber-attacks continue to rise, we cannot rely on passwords alone.
From a business perspective, relying solely on passwords to protect critical data is an especially risky proposition. The next step must be to employ data governance policies that designate what constitutes critical data that must be protected. However, even with these policies in place, protecting data you cannot find is impossible.
Businesses need a technology solution that enables them to locate and organize all critical data and then take appropriate action to secure it. This may involve creating an immutable copy, moving it to a more secure environment, creating a “golden copy,” and/or transferring the data to a storage solution that can be air-gapped for even greater protection from online threats. This tailored approach is much smarter than relying on broad security measures that may not be effective in all situations.
To summarize, combining strong passwords with data governance policies and a technology solution to enforce those policies is an unbeatable approach to data protection and security. In doing so, businesses can safeguard their sensitive information, especially from the growing threat of cyber-attacks, consequently enabling them to comply with regulations, as well as protect their intellectual property, reputation, and bottom line.”
See More: Why Load Balancers Should Be Part of Your Security Architecture
12. Ed Skoudis, President, SANS Technology Institute
“Weak passwords are a component of one of the most common attack vectors a penetration tester can leverage to breach an organization. For organizations of any size or sector, strong and secure passwords are a critical line of defense against malicious attackers and evolving TTPs. However, the complexity of ensuring that passwords are impenetrable can often lead to a false sense of security while countless vulnerabilities are left unchecked.
Three simple steps to quickly improve password effectiveness are:
- Think of them as “passphrases” rather than “passwords.” Combining a series of words, as opposed to just one or two words, instantly makes it more difficult for attackers to breach the account.
- Leverage special characters within passwords and passphrases, especially spaces. Many people don’t realize that including spaces is a simple way to remain one step ahead of attackers.
- Utilize enhanced multi-factor authentication mechanisms, such as SMS text messages, especially for email and collaboration channels like Slack and Microsoft Teams.”
See More: EDRs Don’t Stop Cobalt Strike: What Does?
13. Mike Kiser, Director of Strategy and Standards, SailPoint
“At least half of all cyberattacks are identity-based. Therefore, protecting against data loss and theft must encompass ALL the identities within an organization, including third-party and temporary employees. Securing a dynamic workforce can be done most effectively by continuous access and permission monitoring and automated onboarding/offboarding through the use of AI and ML.
Since the implications of lax security are broad and costly, ranging from financial losses and reputational damage to mitigation costs and regulatory fines, operating under the mantra “giving people only the right amount of access at the right time” is business critical. It only takes one set of compromised credentials to give hackers the key to the (data) kingdom.”
Did this article help you understand how to improve your password security? Let us know on Facebook, Twitter, or LinkedIn. We’d love to hear from you!
Image Source: Shutterstock