Solutions Review compiles and shares top-tier password best practices for World Password Day 2021.
World Password Day is one of the most prominent tech holidays among cybersecurity professionals. On this day, we discuss how to promote stronger password strategies and best practices…or even whether passwords should be part of the larger authentication discourse in the first place.
Below, a few of the cybersecurity experts we reached out to share their top-tier password best practices.
Top-Tier Password Best Practices for World Password Day 2021
Tom “TJ” Jermoluk
Tom “TJ” Jermoluk is CEO of Beyond Identity.
“When World Password Day was established in 2013, the world recognized that passwords were a necessary evil, despite being a flawed and insecure method of authentication. But the root of the problem goes back to the foundation of the ‘commercial internet’ in the mid-1990s, when Netscape and others enabled widespread access and consumer accounts, prompting a massive need and meteoric rise in password use, and beginning an era of consumer insecurity and exposure.
Fast forward to today and the problem has ballooned. Verizon’s 2020 Data Breach Investigations Report (DBIR) revealed that 80 percent of breaches use stolen credentials, collected either through database leaks or phishing attacks. And even if you follow recommendations for password hygiene, criminals can still get their hands on your password through a range of means – from fraudulent ‘phishing’ sites to insecure password databases and even commandeering your phone to intercept password reset messages.
The industry has responded by putting an even greater burden – not to mention blame – on consumers, to compensate for what can only be described as a complete systemic failure and an unwillingness to upset the market apple cart by refusing to fix the foundational issue. Complexity and user frustration are ever-increasing with forced password resets, cumbersome password creation requirements, and extra steps for multi-factor authentication (MFA). In summary, consumers must expect and demand better of their internet security and end the ‘stupid user’ blame game. The industry itself is headed in this direction with corporations and groups advocating for the eradication of passwords – but the industry is not moving fast enough, and the technology exists to make change now.”
Tim Bandos
Tim Bandos is CISO at Digital Guardian.
“While a lot of the coverage about passwords focuses on business users, it’s really important not to overlook children and teens in this discussion. They will typically make some of the same types of common mistakes as adults when creating and using online passwords, but there are several that stand out the most for this age group.
One of the worst is sharing credentials with friends, boyfriends/girlfriends, etc. At that age, relationships tend to be shorter in duration and some kids end up using the shared access against each other, such as posting inappropriate messages on social media accounts or conducting surveillance over account activity. This type of password-sharing behavior may even stem from early childhood when parents would share their credentials with their kids for accessing devices or online sites. This should be avoided at all costs.
Secondly, kids and teens are exposed to devices everywhere they go from the library, to school, to over a friend’s house, etc. It’s important to avoid entering your credentials on untrusted devices that you do not own, control, or completely trust. Devices in public places should only be used for anonymous web browsing and not for logging into any of your online accounts since passwords can be easily stolen from these types of computers.
Finally, it’s important to avoid using personal information when creating any of your passwords. Young kids, and even adults for that matter, want to generate a password that is easy enough to remember. So they’ll use their name, birthdate, address, phone number, etc. These are all details that can be either easily guessed or end up further exposing you if a website is ever compromised.”
Dr. Mohamed Lazzouni
Dr. Mohamed Lazzouni is CTO of Aware.
“2020 saw a huge spike in cyber-crime following the COVID-19 pandemic, and as 2021 progresses the vulnerabilities continue to surge across all sectors. World Password Day was born to popularize some of the best practices in password protection, mainly the need to change passwords, use different ones for different applications, and choose complex compositions using letters, symbols, and numbers.
However, the benefits of varied, long, and complex passwords add to the burden and the anxiety of the user. Luckily, many technologies have progressed significantly to lower the friction without compromising on security. As an example, biometric authentication gained considerable adoption amongst users to simply use face or voice biometrics to unlock devices or sign in to accounts.
If users must continue to use passwords, they should ensure they are following password hygiene in order to remain resilient to attacks on their personal information – many of which are not difficult to implement.
- First, choose challenging passwords using a combination of letters, symbols, and numbers.
- Second, make them long enough and, where applicable, follow the guideline of the site providing password strength feedback.
- Do not use the same password across multiple accounts. This way, if a password associated with a lower-risk account is breached you prevent the attacker from carrying out additional breaches on higher-risk accounts that hold information such as financial records safeguarded by an often-used password.
- Be cautious of anyone reaching out to “verify” contact information. Knowing definitively who you are providing your information to is critical.
- Look for security options that include biometrics (face, voice, fingerprint) during verification processes.
- Avoid sharing sensitive information over e-mail or other non-encrypted methods.
- Beware of phishing attacks where password reset requests are disguised through websites and phone calls impersonating legitimate businesses or government agencies.
- And if you suspect you have been a victim of identity theft, immediately notify the concerned parties and authorities to report the incident.”
Tim Sadler
Tim Sadler is CEO and Co-Founder of Tessian.
“World Password Day is a great reminder to take inventory of our passwords, including where they are stored, whether you reuse them for multiple accounts, and their complexity. Tessian’s recent report found that 77 percent of people reuse passwords, and 21 percent use predictable cues like their favorite football team, their pet’s name, or birthdays when crafting passwords. The problem? These personal details are likely to be found on people’s social media channels, making it easy for hackers to scan publicly available information to try to crack passwords or even answer the security questions.
To prevent account takeover and business email compromise, CISOs and their teams should help educate employees about their social media footprint, cybersecurity best practices, and how to spot impersonation attacks. They should also reinforce the need for strong passwords that don’t include names or names of pets, birth dates, location, or other information that’s easy to find online. Even better, use a password manager like 1Password to randomly generate impossible-to-hack passwords. And while it can be tempting to reuse passwords that are easy to remember, never reuse or duplicate any passwords for personal or professional accounts. A bad actor could guess just one password and gain access to multiple accounts.”
Corey Nachreiner
Corey Nachreiner is CTO of WatchGuard Technologies.
“World Password Day has served as an annual reminder that we all need to practice better password security for nearly a decade. And yet, 80 percent of breaches began with brute force attacks or lost or stolen credentials last year. Attackers add millions of new usernames and passwords every day to the billions already available on the dark web. This has been the trend for years now, so at a certain point we have to ask: if daily headlines on the latest security breaches and hacks aren’t enough of a cue to practice good password hygiene, is there much value in World Password Day?
Yes, it’s a helpful prompt to use best practices like changing passwords for your accounts regularly, choosing strong passwords or passphrases with at least 16 characters, using a unique password for every account, and leveraging password managers to keep track of them all. But these password security policies should be basic table stakes at every organization by now and should be required and reinforced all year long.
I believe that a ‘World MFA Day’ would be a more powerful and effective observance when it comes to strengthening corporate and individual security. Authentication is the cornerstone of good security, and multi-factor authentication means users must provide at least one additional token on top of their password to log into an account. These authentication tokens are typically something you are (biometric fingerprint or facial scans), something you have (like a hardware key or mobile phone) and something you know (like a password). MFA allows you to ensure that even if an attacker gains access to one of these tokens, like a user password, they’ll be unable to log in without the second (and sometimes third) authentication token. It’s an absolute no-brainer when it comes to addressing the widespread and persistent issues around poor password security and should be a primary focus for both businesses and individual users. So let’s make World MFA Day a reality in 2021!”
Thanks to these cybersecurity professionals for their time and top-tier password best practices for World Password Day 2021.