Experts Comment on National Change Your Password Day

Experts Comment on National Change Your Password Day

Today is National Change Your Password Day!

Preparing for National Change Your Password Day, we’ve written extensively over the past week about the importance of password security. Your employees and their identities constitute the largest attack vector in your enterprise. How they handle their passwords forms the foundation of your business’ identity security, even if you incorporate multifactor authentication.

Breaches like Collection #1 and Collections #2-5 show the dangers of repeated or weak passwords. Therefore, your employees should take National Change Your Password Day as an invitation. For example, they should abandon their former passwords and embrace better identity security best practices. They should definitely move away from the weak passwords of the past.  

What can enterprises learn from National Change Your Password Day? We spoke with identity management and privileged access management experts for their thoughts on password best practices:     

Joseph Carson, Chief Security Scientist, Thycotic:

“Using a passphrase with a combination of complex characters such as ‘$ymB0LS’ drastically increases your security and protection of personal data. It’ll take some time to upload your credentials into the password manager, but invest the time and use the password generator function to create complex, new passwords for your accounts. The passwords should be at least 16 characters long. As you update all your accounts with the new passwords, set up two-factor authentication on all supported accounts that protect sensitive information.”

“Length matters most. Complexity is important but the size of your password matters more. Most sites and applications set a minimum requirement of 8 characters for your password.”

“Please don’t ever share your passwords with anyone, not even your significant other. While it may seem harmless, sharing your password with a loved one drastically decreases the security of your account. It’s just not worth the risk.”

Chris Morales, Head of Security Analytics, Vectra:

“There is a long-running myth that complex phrases using characters, numbers, and letters is secure. They are not. These are simply hard-to-remember phrases that are quickly forgotten and reused in multiple locations. Even worse, many sites offer easy-to-remember questions with information like mother’s maiden name or favorite pets names to reset a password. This is the kind of information that could be easily obtained using social media.”

“There are a few key considerations we can extract from the above.

  1. Simple phrases make better passwords than complex sets of characters because it is the length, and not the complexity, that matters. “The quick red fox jumped over the lazy brown dog” is a much stronger and infinitely easier to remember password than “1W33$^Adgfi*()tyu”
  2. Sharing passwords in too many sites leads to grief when a simple Netflix account leads to compromise of a bank account login. I actually don’t think a unique password for every single site is realistic, but using a grouping of passwords based on the type of site does work. Sharing passwords between Netflix and Hulu is ok. Sharing passwords between PayPal, your bank account and Netflix is bad.
  3. Don’t answer simple questions like mother’s maiden name and favorite color with real easy to guess answers that anyone can figure out by reading social media. I answer these type of questions with completely unrelated answers that only I know.
  4. Even after following all these practices, the reality is—passwords suck. They are easy to steal and ultimately every password can be cracked with enough time and computing power. The industry needs to move away from simple passwords and focus on more complex authentication that includes something you know, something you have, and who you are. I think the most important rule is to use multi-factor anywhere and everywhere you can. By combining biometrics with a second device along with a password, you raise your chances of being safe even when the password is compromised.”

Shahrokh Shahidzadeh, CEO, Acceptto:

“Addictions can be attached to pretty much anything and everything. From alcohol and drugs to food and gambling. South Korean even had to create a law that treats game addiction like drugs and alcohol. However, there is an addiction that affects billions of people daily and it doesn’t seem to be acknowledged: the addiction to passwords.”

“Dependencies usually start out as something necessary, but they grow into monsters over time. Just like any addiction, it seems that time just keeps flying by and every excuse we can come up with stops us from breaking the cycle. It’s always easier to keep doing the same thing and expecting a different result. Our dependency on passwords is no different.”

“It’s time to take the first steps to break our password addiction. In 12-step programs the first step is to acknowledge the problem, then you are ready to work on the solution. Acknowledging that passwords truly have outlived their effectiveness gives you the freedom to evaluate new AIML-based technologies.”

Thanks to the experts for their time and expertise on National Change Your Password Day!

Ben Canner

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.
Ben Canner