World Password Day 2020: Passwordless, Credential Stuffing, and Password Managers

World Password Day 2020 continues as cybersecurity experts from around the world discuss the topics at the forefront of password security. These include passwordless authentication, credential stuffing attacks, password managers, and more. 

For more on these topics, we consulted with cybersecurity experts. Here’s what they had to say. 

Fausto Oliveira

Fausto Oliveira is Principal Security Architect at Acceptto. 

“Passwordless is not the future. It’s what we need now. Every year, security incidents continue to occur due to account takeover and the causes are well known. The most relevant of them is credential hijacking which accounts for approximately 80 percent of attacks. In the past, the focus on password complexity encouraged credential re-usage and increased the total cost of ownership (TCO) associated with password resets and Helpdesk calls without improving overall security. 

In general, any binary authentication, such as passwords, two-factor authentication (2FA), and some multi-factor authentication (MFA), including biometrics, are susceptible to fraud due to their binary nature. The industry needs to move away from passwords and start adopting passwordless solutions that do not treat authentication as a single event with a simple yes or no at point of entry, but as a continuum where user good behavior is constantly verified. It’s time to finally make World Password Day a thing of the past.”

Tim Wade 

Tim Wade is Technical Director of the CTO Team at Vectra.

“While passwordless authentication is admirable and authentication systems solely based on passwords have been, and will continue to be, abused, it’s important to consider that an effective authentication system must also account for effective credential revocation and replacement as much as credential strength—there are few things more trivially revoked and replaced than the knowledge inside someone’s head. At the risk of unpopularly defending the merits of passwords, they may continue to have a role to play in strong, robust, multi-factor authentication systems even as they’re replaced as the sole (or even most important) anchor of authentication.”

Joseph Carson 

Joseph Carson is Chief Security Scientist and Advisory CISO at Thycotic. 

“World Password Day is a day to review your password hygiene to ensure you are up to date with the latest best practices. However, if you have not combined it with another security control such as two-factor authentication, you’re leaving the door wide open, putting yourself at risk of identity theft, ransomware, an online account hack, computer viruses, and more. It is also important when you do change your password to only perform this task from a safe network and not a public location.

This year, review your password best practices. Ensure that you have started to use passphrases to help make your password long and include some complexity as well, although the debate about how frequently you should change your password continues. My recommendation is that it should not be older than one year. It’s best not to wait until you are notified about a data breach as it usually means cybercriminals had access for longer than two hundred days.”

Bryan Becker

Bryan Becker is Product Manager and Researcher at WhiteHat Security.

“The recent credential stuffing campaigns against the World Health Organization and Gates Foundation and breach of children’s site Webkinz reinforce the importance of setting a different username/password combination for every application you utilize as an end-user to protect your own information and your employer’s. It is essential to practice security mindedness as you browse the web to lessen the impact data breaches will have on you and your organization once they occur. Some other tips you can practice to secure yourself online are:

  • Utilize multi-factor authentication on any application that supports it. This can prevent an attacker from gaining access to your account even if they determine your username/password combination.
  • Only log into sites that send your credentials and other sensitive information over SSL. A quick way to determine this is if the URL you are viewing is prefaced with ‘https://’.
  • Whenever you’re checking your email in a web browser and are sent messages with hyperlinks, hover your mouse over the links and verify where the link is really going to take you to by looking at the URL that appears on the lower-left corner of the screen. It’s possible the blue highlighted URL written in the email body is actually a disguised malicious link.

There’s no better time to reinforce taking these precautions than World Password Day, and I hope everyone uses this day to promote better password habits to their employees, colleagues, and even family members. Passwords are essential to keep our digital identities private, and we must do everything we can to make sure they don’t fall into the wrong hands.”

Jay Ryerse

Jay Ryerse is VP of Cybersecurity Initiatives at ConnectWise.

“Passwords are often associated with inconvenience—and for good reason. Employees and consumers alike are overwhelmed by the thought of remembering login details for 100-200 websites and making them difficult for bad actors to guess. That’s why this World Password Day, it’s important to look at the practical solutions to this impractical problem, accelerated by more and more aspects of our lives going online. 

To ensure your personal and work-related accounts, as well as the sensitive data residing within them, remain secure:

  • Use a password manager…but do your research. Some have been breached in the past, and you want to make sure your choice is reliable, safe, and up to date.
  • Use a different, complex password for every website. This reduces your risk of credential stuffing attacks, where hackers take login details harvested from breached websites to log into users’ accounts on other, unaffected sites. A password manager makes this process much easier as it will create lengthy, unique passwords for each site.
  • Remember that the longer the password, the longer it takes for digital adversaries to crack it, thus deterring successful brute force attacks.
  • Avoid overused practices like adding an exclamation point at the end, including phrases associated with family or pets, or using incremental numbers. Hackers use these well-known patterns to guess your password, and you’ll just make their jobs easier.
  • Give only fake answers to security questions that would help you recover your password, so hackers cannot mine that information from snooping on you online. One example would be your mother’s maiden name. With some social media searching, this would be easy to identify, so choose a made-up name only you would know. 
  • Implement multi-factor authentication wherever available to create extra hurdles for cybercriminals.

There will always be varying degrees of account compromise. If someone hacked my LinkedIn, they might post something embarrassing, but it’s easy to change the password and regain control. However, if they broke into my online bank account or used my credit card on Amazon to rack up charges, we’d be looking at significant damage. Wouldn’t it be better to prevent all of these incidents, though? Implementing these best practices across your online presence will do just that—and protect both you and your company on an ongoing basis.”
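Both Becker and Ryerse describe credential stuffing as breached username/password pairs replayed across other sites. The following added example (not from the article or any of the quoted vendors) shows how a defender can tell that pattern apart from a plain brute-force attempt in authentication logs: stuffing produces many different usernames from one source with roughly one attempt each, whereas brute force hammers one account. The log format, thresholds, and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (assumed format, not real data)
SAMPLE_LOG = """\
2020-05-07T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2020-05-07T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2020-05-07T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2020-05-07T10:00:03Z ip=203.0.113.5 user=dave result=SUCCESS
2020-05-07T10:00:04Z ip=203.0.113.5 user=erin result=FAIL
2020-05-07T10:01:00Z ip=198.51.100.7 user=alice result=FAIL
2020-05-07T10:01:30Z ip=198.51.100.7 user=alice result=SUCCESS
2020-05-07T10:02:00Z ip=192.0.2.9 user=alice result=FAIL
2020-05-07T10:02:01Z ip=192.0.2.9 user=alice result=FAIL
2020-05-07T10:02:02Z ip=192.0.2.9 user=alice result=FAIL
2020-05-07T10:02:03Z ip=192.0.2.9 user=alice result=FAIL
2020-05-07T10:02:04Z ip=192.0.2.9 user=alice result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")

def parse_log(text):
    """Return a list of (timestamp, ip, user, result) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events

def classify_sources(events, window_s=300, min_attempts=5, min_users=5):
    """Label each source IP 'credential_stuffing', 'brute_force' or 'normal'."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    labels = {}
    for ip, evs in by_ip.items():
        evs.sort()
        last = evs[-1][0]  # only look at the window ending at the latest attempt
        recent = [e for e in evs if (last - e[0]).total_seconds() <= window_s]
        attempts = len(recent)
        users = {u for _, u, _ in recent}
        failures = sum(1 for _, _, r in recent if r == "FAIL")
        if attempts < min_attempts or failures / attempts < 0.7:
            labels[ip] = "normal"          # too few or mostly successful: ordinary use
        elif len(users) >= min_users:
            labels[ip] = "credential_stuffing"  # many accounts, one try each
        else:
            labels[ip] = "brute_force"     # many tries against few accounts
    return labels
```

The SUCCESS hit inside the stuffing burst is the case worth alerting on: it marks an account whose reused password is already in a breach dump.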

Thanks again to these identity management experts for their time and expertise on World Password Day 2020 and on passwordless authentication. You can learn more in our Identity Management Buyer’s Guide or our Privileged Access Management Buyer’s Guide.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.