Solutions Review compiles and shares expert password best practices for World Password Day 2021.
World Password Day is one of the most prominent tech holidays among cybersecurity professionals. On this day, we discuss how to promote stronger password strategies and best practices…or even whether passwords should be part of the larger authentication discourse in the first place.
Check out just a few of the experts we reached out to for World Password Day.
Expert Password Best Practices for World Password Day 2021
Ian Pitt is CIO of LogMeIn.
“This year’s World Password Day serves as another reminder that passwords play a pivotal role in protecting business information and enhancing overall security efforts. While organizations and individuals understand the importance of strong passwords, many continue to neglect password best practices leaving their organizations vulnerable to cyber-attacks. In fact, a large majority of people understand the risks associated with reusing the same password across multiple accounts, yet they still do it. As we approach a post-pandemic world and enterprises allow long-term remote work, cyber-criminals will continue to target those with poor security behaviors. Given this, companies need to encourage employees to improve password behaviors to increase the organization’s overall security. Below are some password best practices to ensure data is effectively protected.
- Give your passwords a safe home: Selecting the right password manager offers a safe, secure digital vault to store usernames and passwords.
- Generate unique passwords: Be sure to create strong and unique passwords for personal and business accounts, to decrease the chances of hackers compromising information.
- Implement multi-factor authentication: Turn on MFA when possible, to decrease hackers’ chances of accessing important information such as email and bank accounts.
- Update Software: Be sure to keep all home devices such as computers, mobile devices, or routers updated with the latest software, so others cannot tap into your network.”
Tyler Reese is Manager of PAM Strategy at One Identity.
“World Password Day this year is a reminder for organizations to acknowledge the gaps created by passwords and consider alternatives and the concept of a passwordless future. The most notorious breaches of the last year have all involved weak or compromised credentials, showcasing that passwords are still the easiest way for cyber-criminals to access a network. Stolen passwords are now more difficult than ever for IT teams to flag as a threat and can allow an unauthorized user to access a system undetected for a long period of time. Best practices such as enforcing the principle of least privilege, implementing multi-factor authentication, and educating employees on strong password hygiene will strengthen enterprises’ cybersecurity posture.
However, as long as the concept of requiring a person to remember multiple passwords is a major part of an organization’s security strategy, the risk still remains. Instead of solely relying on passwords, enterprises should implement multi-factor authentication to protect accounts from password compromises.
Organizations should also investigate behavioral biometrics technologies for identity access and authentication purposes. Using machine learning to identify a baseline of user behavior, systems can flag when users deviate from their typical behavior and take immediate action, shortening the time it takes to detect and remediate an incident. Combining consistent messaging to employees, access and authentication practices, auditing and behavioral biometrics creates a strong cybersecurity defense for enterprises, and will be fundamental to the industry’s step towards a passwordless future.”
Aaron Cockerill is Chief Strategy Officer at Lookout.
“Passwords need to go. We should not be celebrating World Password Day, we should celebrate the day no one ever needs to remember a password ever again. And That day is coming. But in the meantime, there is a lot of support to help us with systems that still require them. Password managers and even browsers now notify you when passwords are repeated or stolen, and they suggest longer and stronger passwords that they remember rather than you having to. And increasingly your password can be strengthened by things like second factors and biometrics. Increasingly, identity will be established using intelligent devices like your smartphone, leveraging both encryption and biometric sensors, and passwords will become a thing of the past. The challenge then is to know that your smartphone is safe.”
Chris Morales is Chief Information Security Officer at Netenrich.
“Good password security is not relying on a password for security. It is concerning that the cybersecurity industry still gives a false sense of hope as an excuse to continue to force a poor user experience on everyone. Passwords are stolen in large files and databases from poorly configured apps by the millions, or auth tokens are compromised for account takeover. For that reason, all passwords are useless regardless of strength.
It is insane “what you know” is still the primary means of validating identity for online systems which then provide complete access to a broad set of resources with no further validation. That would be like giving my house keys to a random man on the street who claims to be my mom and can prove it by telling me the name of my dog when I was a kid. Even worse if my mom is standing right next to me but doesn’t remember that dog’s name so I trust the stranger but not her. Password complexity is the equivalent of expecting the stranger to give me a whole list of random facts as proof. Does not matter how much he knows. Still not my mom.
Sounds ridiculous right? The cybersecurity industry has built an authentication system that can only be considered inhumane and with a singular value of infuriating everyone. People are the victims, not the cause of breaches.
User access should be adaptive based on level of need and risk. A person should be allowed the appropriate level of access to the appropriate resources at the appropriate time. Most importantly, access should be fluid and not require an incomprehensible amount of user input or predetermined knowledge.
For authentication, the number of variables is more important than the level of complexity of those variables. No reason a password is anything more than a 4-to-6-digit pin. Authentication can be based on who you are (biometrics) what you know (pin) what you have (device/token) and where you are authenticating from (geolocation). Even then, authentication is not trust. Trust is situational awareness. What do you need, why do you need it, when do you need it, and what is your current operating environment? The operating environment is a measure of the risk of providing that access even when the need is justified and the identity asking is authenticated.
There is a combination of local authentication methods combined with remote risk analytics here. Totally doable and the outcome is less intrusive on the end-user so we can stop blaming people for human error as to why a breach occurred. To err is human.”
Mike Puglia is Chief Strategy Officer at Kaseya.
“The average adult has more than 20 passwords they use, so it’s not surprising that 39 percent of people say most of their passwords across both their work and home applications are identical. There are billions of passwords available on the dark web, and password reuse makes it even easier for hackers to use stolen credentials to conduct phishing attacks and spread ransomware. In addition to reusing passwords, individuals often pick words or number combinations that are easy to remember. When we did a scan of nearly three million passwords found on the dark web in 2020, we saw that 92 of the top 250 most common passwords were first names or variations of first names.
Every year since the 1990’s, there is some proclamation that passwords are going away – they aren’t. We’ve made great strides in areas like thumbprints, tokens, facial recognition, but don’t expect passwords to disappear in the next few years.
According to the Verizon Breach Report, the number one malware variant isn’t ransomware—it’s password dumpers. Password dumpers are favored by cybercriminals because passwords get attackers so much more – it makes it easier to propagate ransomware, steal data, and gain entry for long term access. It’s also become so much easier for attackers to use those passwords. Adversaries no longer have to target millions of individual organizations one by one – they can simply attempt logins against the major cloud and SaaS sites, especially since almost every company has some employee accounts on Google, Microsoft or Amazon. The access to targets supporting 95% of the world’s organizations are a click away from any location.
The bar is now ridiculously low for attackers. It requires minimal technical ability, and the financial cost to carry attacks out is negligible. Simply buying credential lists and attack kits yields 0.2%-0.5% success rates, and the attacks can be run by anyone. Additionally, today’s targets are centralized into a small number of environments that everyone uses. As long as the success rates remain high and the cost and effort remains low, these attacks will continue to increase.
In 2001, I recall walking around with an RSA MFA token on my belt. Though 20 years later MFA is still not ubiquitous, the next few years will bring significant changes. The next five years will bring password plus MFA for all logins, with password only being the exception. It’s already happening with consumer accounts – banks, phones, even gaming systems- and now we are seeing it roll out across all business applications. Though MFA cannot stop 100% of attacks, it raises the effort and costs required for adversaries to be successful. It is the only way we start to lower the number of breaches.”
Thanks to these cybersecurity professionals for their time and their expert password best practices for World Password Day 2021. For more expert password best practices and other authentication and identity management best practices, check out the Identity Management Buyer’s Guide or the Solutions Suggestion Engine.