For World Password Day 2021, we gathered cybersecurity experts to explain how to make stronger, more secure passwords.
Passwords occupy a strange place in authentication discourse. Enterprises continue to rely on them, and they remain the number one authentication factor used and recognized. Yet weak passwords practically invite hackers and other threats in with open arms. A weak password from one employee might be all that separates your business from a devastating cyber-breach.
So you need to encourage your employees and other users to create stronger, more secure passwords. We spoke to cybersecurity professionals on how to do that.
Experts Explain How to Make Stronger, More Secure Passwords
Jenn Markey is Director of Identity at Entrust.
“Our collective hope as an industry is that one day World Password Day will be obsolete as encryption and advanced authentication replace the age-old practice of entering password credentials to access desired information. But until that day comes, organizations must continue ramping up their security tech and training to fill existing knowledge gaps and avoid detrimental breaches.
Requiring a password plus one or more added credentials, also known as multi-factor authentication (MFA), is a good way to prevent unauthorized account access, but going passwordless is so much better. Virtually every data breach can be traced back to compromised passwords, with phishing being one of the most common attacks. Working from home multiplies this risk with insecure workspaces and an increased propensity for bad habits like writing passwords down.
Instead of passwords, business leaders should work with their security and IT managers to implement and deploy high-assurance credential-based passwordless authentication that merges the power of digital certificates with smartphone biometrics to create an employee’s trusted workplace identity, wherever that workplace may be. By eliminating the password, you effectively protect your organization from phishing attacks, which minimizes the risk of a data breach.”
Dave Wagner is CEO of Zix.
“World Password Day is an excellent time for individuals and businesses to reflect on their current password practices and ensure they are building the safest habits to protect themselves and their company from cyber-criminals. Many are under the assumption that if they are taking the steps to create unique passwords for each platform and application, they are secure. But it’s not enough.
The number of headline-grabbing breaches that have taken place over the last year highlights the critical need for safeguards across the entire company network. While there are a few different ways to protect login credentials beyond a simple username and password, one of the most popular and effective options is two-factor authentication (2FA). Implementing 2FA provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user’s phone or email address, or through an authenticator app, after entering their username and password. It’s getting easier for cyber-criminals to breach even the most complex password, which is why implementing 2FA is critical.
Email is a common point of attack because it often contains sensitive and valuable communications. Organizations should also consider implementing an email security solution that conducts a security audit to analyze its admins, users, mailboxes, and rules for vulnerabilities such as outdated passwords so they can be resolved before a breach happens. Organizations should use World Password Day to evaluate their internal Password Policies and send reminders to employees and customers alike about the importance of good password hygiene.”
Russell P. Reeder is CEO of Infrascale.
1. Be Unpredictable
There are two common password attacks – Brute Force and Dictionary attacks. Both generally involve a bot, but can also be done manually, and involve trying a sequence of numbers and/or common words like 123456 – hence trying to crack a password using “brute force” or common “dictionary” words. To minimize this type of exposure, don’t make your passwords predictable.
2. Be Creative
Related to being unpredictable, consider creating a phrase and using the first or second letter of each word, or substituting a special character for letters and/or numbers. If you just don’t seem to have a creative bone in your body, you can always use a password generator. These are guaranteed to spit out some creative, and secure, password options.
3. Be Long
These days, when you are asked to create a password, most require a minimum length of 10-12 characters. The longer the password, the more possible combinations and permutations of the password there are, and thereby the safer it generally is. However, don’t forget tips 1 and 2, because long common words and sequences of numbers are still easier to crack!
4. Be Smart
Believe it or not, one of the more common reasons passwords are compromised is that people share their credentials. Quite simply – never, ever share your password(s)! Also, be mindful of phishing – this is where you receive an email or text message asking you to confirm your details or take some other action where you need to enter your personal credentials. These types of acts are becoming increasingly sophisticated and can look very legitimate, like an email from your bank. As a good rule of thumb, unless you made the request, don’t ever enter your credentials. Or, if you have any doubts, contact the organization requesting the information directly.
5. Be Fresh
Refresh your passwords regularly. While it may seem onerous, and even if you think you have finally come up with the most secure password ever, one of the best ways to protect your password is to change it up regularly. In addition, you should use different passwords for different logins – yes, a different password for every login. Having a unique password for all your accounts assures that if or when one is compromised the others remain protected. Pro tip: If you can’t remember all your passwords, consider using a secure password manager.
Elena Elkina (she/her) is a Partner at Aleada.
“As the LinkedIn breach continues to showcase, many still use PASSWORD as a password. Single-word credentials are no longer safe. Instead, if you must remember your credentials, use passphrases. The danger with this method is that there is still a potential for re-use. The true recommendation is to use an auto-generated password from a password manager. And of course, any set of credentials should be placed behind MFA. We are still some time away from true passwordless authentication, however many players in the authentication space are taking this challenge on full force.”
Saryu Nayyar (she/her) is CEO of Gurucul.
“Passwords are the bane of the security team’s existence. Users use weak passwords, reuse the same passwords, refuse to change passwords, or simply forget them and need help resetting passwords. I thought self-service password reset options would have alleviated the help desk from resetting user passwords. However, it turns out that 20% to 50% of all IT help desk tickets are still for password resets (according to The Gartner Group).
“We actually have the technology to eliminate passwords altogether, but that would require companies to indulge in passwordless authentication. MFA helps, but users really need to use better passwords. To be effective, passwords must be complex and over 16 characters in length. That’s why passwords fail: people can’t remember 17-character passwords that are unique for every system. Instead, users should use passphrases they can remember and then append or prepend numbers and characters to make these passphrases complex. “Every good boy does fine +123” works. Pick your favorite song lyric and year. Associate your passphrase with the target system to make it easier to remember. Whatever you do, don’t share your passwords and don’t reuse them. Once a cyber-criminal gains access to one of your target systems by cracking your password, all your other systems are at risk.”
Mathew Newfield is Chief Infrastructure and Security Officer at Unisys.
“Tip # 1: Create your private passphrase rather than using a single word. This is a short statement that has meaning to you but is no longer than three or four words. An example of this would be: Puppies are cute. This will be your private passphrase and should not be shared with anyone.
Tip # 2: Create a password key. This is your decoder! This key can be printed out and stored in your wallet or purse or even kept on your desk in plain sight. Without your private passphrase, it is useless.
Here’s an example password key:
- Use the first and last letter of each word in your passphrase (mix upper/lowercase).
- The letter “A” is substituted with “@” symbol.
- The letter “E” is substituted with the number 3.
- Add a two-letter (uppercase) designation for what you are authenticating to.
- Add a two-letter (lowercase) designation for the current season of the year.
- Add last two digits for the current year.
With your password key you will be able to transform your passphrase – e.g., Puppies are cute – into a complex password as demonstrated below.
Step 1: Use first / last letters of each word in your passphrase → PSAECE
Step 2: Substitute A = @ → PS@ECE
Step 3: Substitute E = 3 → PS@3C3
Step 4: Add 2 uppercase letters for authentication type (e.g., NW = network, etc.) → PS@3C3NW
Step 5: Add 2 lowercase letters for season (e.g., wr = Winter, sg = Spring, etc.) → PS@3C3NWsg
Step 6: Add last 2 digits of current year → PS@3C3NWsg21
Bonus Tip: Periodic password changes are recommended; using this method one can simply change the season and year to maintain password complexity.”
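The password-key transformation above, written out as an added example (this is the editor's code, not Unisys's or Mathew Newfield's). It follows the worked example's all-uppercase stem rather than the "mix upper/lowercase" wording, takes the system and season designations as caller-supplied two-letter codes, and adds a small check that makes the risk explicit: because the key is public, every password derived from one passphrase shares the same six-character secret stem, so one leaked password reveals the secret part of all the others.

```python
import re

# Letter substitutions from the password key on the page: A -> @, E -> 3.
# Applied after uppercasing, since the example stem is all uppercase.
SUBSTITUTIONS = {"A": "@", "E": "3"}


def passphrase_stem(passphrase: str) -> str:
    """Steps 1-3: first and last letter of each word, then the substitutions.

    The page's key says to mix upper/lowercase; its worked example uses all
    uppercase, so this follows the example (an assumption of this code).
    """
    words = re.findall(r"[A-Za-z]+", passphrase)
    if not words:
        raise ValueError("passphrase must contain at least one word")
    stem = "".join(w[0] + w[-1] for w in words).upper()        # Step 1
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in stem)   # Steps 2-3


def derive_password(passphrase: str, system: str, season: str, year: int) -> str:
    """Steps 4-6: append system designation, season designation and year.

    system and season are the two-letter codes from the key (e.g. "NW", "sg");
    they are caller-supplied here rather than looked up from a fixed table.
    """
    if not (len(system) == 2 and system.isalpha()):
        raise ValueError("system designation must be two letters")
    if not (len(season) == 2 and season.isalpha()):
        raise ValueError("season designation must be two letters")
    return f"{passphrase_stem(passphrase)}{system.upper()}{season.lower()}{year % 100:02d}"


def shared_stem(password_a: str, password_b: str) -> str:
    """Longest common prefix of two derived passwords.

    For passwords built from the same passphrase this is the whole stem:
    only the public designations (system, season, year) differ, so the
    secret portion is identical across every account using the key.
    """
    prefix = []
    for a, b in zip(password_a, password_b):
        if a != b:
            break
        prefix.append(a)
    return "".join(prefix)


if __name__ == "__main__":
    # Reproduces the page's worked example: PS@3C3NWsg21
    print(derive_password("Puppies are cute", "NW", "sg", 2021))
```

Running it reproduces the page's result; the bonus tip's seasonal rotation is just a different season code and year, which leaves the stem untouched.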
Thanks to these cybersecurity professionals for their advice on how to make stronger, more secure passwords for World Password Day 2021. For more information on stronger, more secure passwords and other identity management best practices, check out the Identity Management Buyer’s Guide or the Solutions Suggestion Engine.