Today is World Password Day, 2020. Celebrated the first Thursday in May, World Password Day offers users, employers, and security researchers the opportunity to reflect on the most common authentication factor. Moreover, it asks everyone to reconsider how they follow password best practices, and often how they don’t.
Frequently, the editors of Solutions Review express cynicism concerning passwords and password best practices. Unfortunately, passwords rarely offer businesses or users adequate authentication security. Hackers can easily purchase cracking software from underground markets or just guess at passwords from social media feeds. Users frequently repeat passwords, which creates a security vulnerability all on its own.
However, it appears passwords are here to stay; certainly almost all users recognize and can interact with passwords. Perhaps on this World Password Day, 2020, we can find the password best practices that fit with modern demands.
We spoke to several security experts about World Password Day, 2020, and their recommendations for password best practices.
Password Best Practices for World Password Day, 2020
Charles Poff is CISO at SailPoint.
“World Password Day is still worthy of celebration, and education around good password hygiene remains crucial. While many may dream of a passwordless world, passwords will remain a critical method of authentication for years to come. The rise of biometrics is certainly a good thing and may take over in some verticals like the government, but when it comes to everyday users and basic enterprise employees, passwords will remain a reality. Like biometrics, multi-factor authentication (MFA) is mentioned as another cause of the eventual death of the password. However, with today’s MFA processes, passwords are often one of the methods of authentication presented as evidence of user identity. This isn’t likely to change anytime soon.
Passwords are still an integral part of our everyday lives, so they won’t be gone as quickly as some may think. It’s critical that we continue to provide education here to decrease the number of individuals and organizations who fall victim to cybersecurity attacks as a result of poor password hygiene.”
Bil Harmer is CISO of SecureAuth.
“Driven by digital transformation, the lines between home and work are rapidly disappearing, yet people are still struggling to keep their personal and work identities separate. While people may use different usernames for their work and personal accounts, 44 percent of people have admitted to using their personal passwords at work. For the average person, passwords are difficult to keep straight so no matter how much security professionals, like myself, warn the public of the new and evolving threat landscape, the harsh reality is people will continue to do what’s easiest for them and their productivity.
Criminals are playing the long game. It’s important to remember that even if passwords are encrypted, once criminals have stolen a database of credentials, they can use brute force against them and find out what they are. Ultimately, the victim will have no advance warning, which is why we need to move beyond passwords and instead rely on an elevated form of continuous authentication that incorporates risk-based analysis techniques. This can be everything from biometrics, geographic location analysis, and device recognition to IP reputation-based threat services and user behavior analytics.”
Ben Goodman, CISSP, is SVP of Global Business and Corporate Development at ForgeRock.
“Passwords and usernames have been the primary method for authenticating users for years. However, as users create more accounts for social media profiles, email addresses, financial services portals, online gaming profiles, corporate accounts, and more, they often opt to reuse the same password and username combination to save the pain of remembering multiple sets of credentials. Even with a password manager, there is still a password and username combination being used to log in to applications, which means it can still be attacked by a bad actor who gains access to the information.
Password challenges can be solved by leveraging technology that provides a passwordless user journey. With the use of biometrics or push notifications, organizations can bring the same effortless authentications users have experienced on their smartphones with technologies like FaceID from Apple or Samsung’s Ultrasonic Fingerprint scanner, to every digital touchpoint while ensuring security. By adopting a passwordless approach, organizations provide users with frictionless, secure digital experiences.”
Tim Steinkopf is CEO of Centrify.
“This World Password Day is unlike any other, as the pandemic and a 100 percent remote workforce make business anything but usual. But for cyber-attackers, it’s just another day at the office. In fact, all evidence points to them ramping up their activities to take advantage of uncertain, confusing times, such as a reported 600 percent increase in phishing attacks since February. Now is the time to be more resilient and vigilant than ever, including taking advantage of biometrics and other stronger factors of authentication that are finally getting us closer to killing the password.
For privileged accounts, organizations should stop using shared or root passwords stored in a password vault and instead authenticate privileged users and grant them access based on their own identities and their assigned entitlements. Finally, enable machines with trust verification so they can protect themselves from illegitimate users who might seek access to them because they have a legitimate password. We all know passwords are not a modern form of authentication – the modern threatscape demands we move past them when stronger solutions are available.”
Csaba Galffy is Senior Advisor at One Identity.
“A compromised password is always costly—and the stakes are now higher than ever. That remote access you just rolled out created a whole new attack surface for your organization. Potential attackers now don’t have to deal with the physical security of your office buildings, and as long as they have the correct login data, they can access the corporate network with all its riches. Considering the billions of login data stolen from various organizations in gigantic data breaches, we recommend changing passwords for all remote workers as the work-from-home program is rolled out.
And with the recent revolution in password policy guidelines, now is the best time to implement these in your organization too. If you want to know more about the recent shift in password security, here’s a short summary: industry recommendations, like the NIST-published Digital Security Guidelines and the Microsoft Security Baseline now recommend dropping password expiration policies, removing complexity rules, and asking for longer passwords.”
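The policy shift described in the quote above, as an added example that is not code from the article or from One Identity: a legacy composition-rule check beside a NIST SP 800-63B-shaped check (longer minimum, no character-class rules, no expiration, screening against known-breached passwords). The 12-character minimum and the breached-password set are assumptions constructed for the example.

```python
"""Legacy vs. modern password policy check (added example, not the article's code).

The modern policy follows the direction the quote summarises: a longer
minimum length, no composition rules, no forced rotation, and a check
against passwords known to be breached. The breached set below is a small
constructed sample standing in for a real corpus.
"""
import re
import unicodedata

# Constructed stand-in for a breached-password corpus; a deployment would
# query a large list (for example via a k-anonymity range lookup).
BREACHED = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

LEGACY_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
MODERN_MIN_LENGTH = 12  # assumed value; NIST permits a lower floor


def legacy_policy(password: str) -> list[str]:
    """Typical complexity policy: 8+ chars and at least three of four classes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if sum(bool(re.search(c, password)) for c in LEGACY_CLASSES) < 3:
        problems.append("needs 3 of 4 character classes")
    return problems


def modern_policy(password: str, username: str = "") -> list[str]:
    """NIST-style policy: length and breach exposure only, no composition rules."""
    normalized = unicodedata.normalize("NFKC", password)  # treat Unicode forms alike
    problems = []
    if len(normalized) < MODERN_MIN_LENGTH:
        problems.append(f"shorter than {MODERN_MIN_LENGTH} characters")
    if normalized.lower() in BREACHED:
        problems.append("found in breached-password list")
    if username and username.lower() in normalized.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    # A short "complex" password passes the legacy rules but fails the modern ones;
    # a long passphrase does the reverse.
    for candidate in ("Password1", "correct horse battery staple"):
        print(candidate, "legacy:", legacy_policy(candidate),
              "modern:", modern_policy(candidate))
```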
Thank you to these identity experts for their time and expertise on World Password Day, 2020. Learn more in our Identity Management Buyer’s Guide.
Posted by Ben Canner.