Today is World Password Day, an annual event designed to raise awareness of the importance of strong online security and promote better password habits.
Hardly a day goes by without news of a new data breach, with 80% connected in some way to passwords, according to Verizon’s 2019 Data Breach Investigations Report. Yet poor password habits remain a key issue for the cybersecurity industry, with two of the most commonly used passwords still being “123456” and “password”.
Earlier this week, LastPass by LogMeIn released its third Psychology of Passwords report. According to the research, 80% of respondents were concerned about having their passwords compromised, yet 53% haven’t changed their passwords in the last 12 months.
This is especially significant during the current situation, as cybercriminals look to capitalise on the Covid-19 pandemic.
Weak passwords are a valuable tool for cyberattackers. Once a password appears on the dark web, cybercriminals can carry out credential stuffing attacks, trying the same leaked credentials on multiple websites in the hope that the user has reused them, or password spraying, trying commonly used passwords against a large number of accounts.
However, those in the cybersecurity industry have been giving the same advice for years: avoid password re-use, choose strong, unique passwords and enable two-factor authentication. Yet many do not heed it, with 66% of people mostly or always using the same password despite 91% knowing that this is bad, according to LogMeIn.
The cybersecurity issues stemming from weak passwords have led some to call for the removal of passwords from the authentication process, and password alternatives such as biometrics, authentication tokens and multi-factor authentication are now being explored by some organisations.
Organisations such as the FIDO Alliance are working to standardise and certify passwordless technology and to increase its adoption, in order to reduce an “over-reliance on passwords” in favour of authentication methods that are far harder to compromise.
However, while alternative methods of authentication are gaining traction, passwords still dominate and will likely be around for a while. On World Password Day, what advice would those in the cybersecurity industry give to ensure that passwords are as secure as possible?
Don’t ignore suspicious activity
“The number of large-scale data breaches and the fact that users regularly re-use passwords is a real issue for businesses today. Against this background, static passwords simply cannot provide effective corporate protection. Businesses are now turning to a range of dynamic authentication methods that can analyse baseline user activity to detect potential intrusions, suspicious behaviours, and anomalous actions. It is essential that this approach to user authentication can extend to all cloud applications too. For example, if a user logs into Office 365 from the UK and then shortly after logs into Salesforce from Germany, this should be flagged as anomalous activity. The IT teams should be notified and the user should be asked to re-authenticate.”
Raif Mehmet, AVP EMEA at Bitglass
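As an added example (not part of the article and not any quoted vendor's product code), the following Python sketches two of the detections this page touches on: the many-accounts, few-guesses pattern of password spraying described earlier, and the UK-then-Germany "impossible travel" check Raif Mehmet describes above. The sign-in events, IP addresses, thresholds and window sizes are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data):
# (ISO timestamp, user, source IP, country, cloud app, outcome).
EVENTS = [
    ("2020-05-07T09:00:00", "alice", "203.0.113.5", "GB", "Office 365", "success"),
    ("2020-05-07T09:12:00", "alice", "198.51.100.9", "DE", "Salesforce", "success"),
    ("2020-05-07T09:00:05", "bob", "192.0.2.10", "GB", "Office 365", "failure"),
    ("2020-05-07T09:00:06", "carol", "192.0.2.10", "GB", "Office 365", "failure"),
    ("2020-05-07T09:00:07", "dave", "192.0.2.10", "GB", "Office 365", "failure"),
    ("2020-05-07T09:00:08", "erin", "192.0.2.10", "GB", "Office 365", "failure"),
    ("2020-05-07T09:00:09", "frank", "192.0.2.10", "GB", "Office 365", "failure"),
    ("2020-05-07T09:30:00", "bob", "203.0.113.77", "GB", "Salesforce", "success"),
]

def spraying_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Source IPs whose failed logins hit >= min_users distinct accounts within one
    window: the few-guesses-many-accounts shape of spraying, not brute force."""
    failures = defaultdict(list)
    for ts, user, ip, _, _, outcome in events:
        if outcome == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged

def impossible_travel(events, window=timedelta(hours=1)):
    """(user, app1, country1, app2, country2) for successful sign-ins by one user
    from two countries within `window`, across any app (the UK -> DE case)."""
    by_user = defaultdict(list)
    for ts, user, _, country, app, outcome in events:
        if outcome == "success":
            by_user[user].append((datetime.fromisoformat(ts), country, app))
    alerts = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, c1, a1), (t2, c2, a2) in zip(logins, logins[1:]):
            if c1 != c2 and t2 - t1 <= window:
                alerts.append((user, a1, c1, a2, c2))
    return alerts
```

Both checks are meant to raise an alert for a re-authentication prompt or IT review, as the quote recommends, rather than to block on their own.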
Ensure that remote working is done securely
“Security researchers recently identified 267 million Facebook user profiles for sale online for just $500. The sheer volume of passwords available for cyber threat actors to purchase online is hard to comprehend, but the financial barrier of entry for cyber criminals looking to purchase this valuable data is lower than ever.
“Ensuring passwords are strong, difficult to guess and changed regularly is basic cybersecurity hygiene, but it can be easy to forget. This is particularly important at a time when many employees will be creating new accounts for remote working and collaboration tools. It’s vital that organisations do all they can to educate and upskill employees on good cybersecurity practice. Training should be part of an organisation’s culture, with all employees – regardless of department or seniority – regularly accessing educational resources that will help them protect their organisations’ critical data and systems from common cyber threats.”
Agata Nowakowska, Area Vice President at Skillsoft
Government organisations must be extra vigilant
“For individuals seeking to protect their personal information and secure their online accounts, a strong password is a critical first line of defence. But, if you are a commercial, nonprofit or government organisation, a password, regardless of how unique or how often it is updated, will barely scratch the IT security surface. The only true protection for an organisation’s high value data is to aggressively lock it down using a hardened storage solution that has been engineered with the understanding that attempts at corruption or deletion can come from anyone, anywhere and at any time. The solution must be capable of recognising and rejecting every such attempt, regardless of whether it’s from a virus, ransomware, spyware, user mistakes, software error – or a new threat that hasn’t even been discovered yet.”
Mihir Shah, CEO, Nexsan
Use a reliable password manager
“This year’s World Password Day feels especially significant as we see organisations wrestle with the logistics and cyber security implications of managing significant remote working deployments. We can all do ourselves a favour by utilising complex passwords, storing them appropriately, and backing them up with multi-factor authentication.
“We’re all expected to use incredibly complex passwords to keep our Personally Identifiable Information safe, and rightly so. But there’s no way we’ll remember them all without some help. Use a reliable password manager and resist the urge to go back to using ‘Monday1’ for everything. And remember that no matter how complex your password is, it is still susceptible to a brute force attack unless it is backed up by multi-factor authentication. So whenever you’re accessing a web application, a VPN through a laptop at home, or any point of contact between the internet and your IT infrastructure, make sure multi-factor authentication is in place to minimise the risk of illicit access and data breach.”
Andy Swift, Head of Offensive Security, Six Degrees
Cybersecurity training is key
“As more services move to the cloud and breaches become larger and more frequent, individuals and enterprises cannot afford a lack of foresight when it comes to password security. This is where businesses have a role to play: by implementing strong cyber hygiene practices that include awareness training of the risks, they can help their staff better understand how they can keep themselves safe online. Poor cyber hygiene practices are simply not something any business can afford today, particularly as they rely on distributed workforces.”
Kiri Addison, Head of Data Science for Threat Intelligence and Overwatch at Mimecast
Multi-factor authentication is the “only cure”
“So much personally identifiable information (PII) has been exposed in breaches over recent years that it is quite easy for hackers to use our identities against us. Everyone, in some form, is vulnerable to attack. In particular, the rich amount of compromised passwords and rise in cloud-based applications will leave companies more vulnerable to compromise than ever before. Should a cybercriminal attain an employee’s credentials, they could log into their email, and then use the information gained to access more company services and applications – all with the company and victim being none the wiser. The consequences of this – combined with the impending GDPR – could be detrimental to an organisation. The only cure is multi-factor authentication (MFA). As a result, in 2018, we will see an unprecedented rise in enforcement of MFA as a barrier to breaches.”
Jan van Vliet, VP EMEA at Digital Guardian