Isn’t it ironic that in 2022 we’re still relying on one of the most broken authentication mechanisms ever devised? Julius Caesar was protecting his correspondence with a cipher of his own two millennia ago, yet in organisations of every size the password remains the norm.
We all know the basics – a mixture of upper case, lower case, numbers and punctuation marks – but even with those rules in place, threat actors continue to break into networks through weak, reused or leaked passwords. With passwords still our primary barrier against unauthorised access, business leaders and employees alike need to understand the ins and outs of password security – that’s what World Password Day is all about.
To gather this advice and learn more, Cyber Protection Magazine spoke to seven security experts to coincide with the day.
Don’t be predictable
The best-known rule of password security is to mix letters, numbers and special symbols – it’s the set of criteria most websites enforce when you create a password. Yet composition rules alone don’t stop people choosing the obvious. As Neil Jones, Director of Cybersecurity Evangelism at Egnyte explains, “for as long as I can remember, easily-guessed passwords such as 123456, qwerty, and password have dominated the global listing of most commonly-used passwords.”
Patrick Beggs, CISO at ConnectWise, shares further insight into common password trends: “Research has found that women typically include personal names in their passwords while men often use their hobbies. And experienced hackers also know the common vowels, numbers, and symbols that often appear in passwords.”
Using common passwords, or patterns that attackers have long since catalogued, puts your data at risk. The past two years in particular have seen a significant rise in online threats. Sascha Giese, Head Geek at SolarWinds explains how “with so many more people working remotely—and therefore outside of the relative security of their offices—every sector has seen cybercriminals attempt to take advantage. For the public sector, the risks of an attack are arguably higher than in the private sector, as public services from hospitals to transport could be shut down within minutes of a successful attack.”
Wherever you are – in the office, at home or out and about – be cautious about sharing information that could put your personal data at risk. Egnyte’s Jones stresses that “not a day goes by where I don’t hear another customer in a public setting like a pharmacy or a supermarket vocally share his/her email address and/or personal or business phone number, to obtain affinity club credit for a transaction or to earn a discount. That private contact information – combined with weak password administration – can represent a data breach just waiting to happen.”
To avoid the worst happening, make sure your passwords are “complex and unique, making them hard to guess and preventing unauthorised access,” advises Gregg Mearing, Chief Technology Officer at Node4. “Our top tip to help users manage their password security is to use three random words or a phrase that is meaningful to only the user.”
“Randomness is your friend, so don’t re-use passwords and try to use all possible character types to make a unique and long password that goes beyond the minimum requirements,” adds Mike Hendrickson, VP of Tech & Dev at Skillsoft.
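To make the advice in this section concrete, here is an added example in Python (not from the magazine or from any of the experts quoted). It implements a checker that rejects the predictable choices described above – blocklisted passwords, a common password with a trivial suffix, keyboard walks such as qwerty or 4321, and repeated characters – and a generator for the “three random words” style of passphrase, with an entropy estimate so the two approaches can be compared. The short blocklist and word list are constructed for illustration; a real deployment would load a full breached-password list and a published word list such as the EFF’s 7776-word diceware list.

```python
from __future__ import annotations

import math
import re
import secrets

# Constructed excerpt of a common/breached-password blocklist (assumption: a real
# checker loads the full top-N list compiled from breach data).
COMMON_PASSWORDS = {
    "123456", "123456789", "12345678", "password", "qwerty", "111111",
    "abc123", "letmein", "iloveyou", "admin", "welcome", "monkey",
}

# Keyboard rows used to spot walks such as "qwerty", "asdfgh" or "4321".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed mini word list for the passphrase generator (assumption: a real
# generator uses a published list such as the 7776-word EFF diceware list).
WORDS = [
    "anchor", "basket", "candle", "dragon", "eagle", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orbit", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yellow", "zephyr", "beacon", "cobalt", "ember", "falcon", "glacier", "hammer",
]


def keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if pw contains min_len or more adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for i in range(len(direction) - min_len + 1):
                if direction[i:i + min_len] in low:
                    return True
    return False


def check_password(pw: str, min_len: int = 12) -> list[str]:
    """Return the reasons a password is predictable; an empty list means it passed."""
    problems = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if low in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    # "password1!" is still "password": strip a trailing digit/symbol suffix and re-check.
    stripped = re.sub(r"[\d\W_]+$", "", low)
    if stripped != low and stripped in COMMON_PASSWORDS:
        problems.append("common password with a trivial suffix")
    if keyboard_walk(pw):
        problems.append("contains a keyboard walk")
    if re.search(r"(.)\1{2,}", pw):
        problems.append("repeats a character three or more times")
    return problems


def passphrase(word_list: list[str], n_words: int = 3, sep: str = "-") -> str:
    """Pick n_words uniformly at random (secrets, not random) and join them."""
    return sep.join(secrets.choice(word_list) for _ in range(n_words))


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from a pool of `pool_size` symbols."""
    return length * math.log2(pool_size)


if __name__ == "__main__":
    for candidate in ["qwerty", "Password1!", "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'ok'}")
    print("generated:", passphrase(WORDS))
    print(f"3 words from 7776:          {entropy_bits(7776, 3):.1f} bits")
    print(f"8 chars from 95 printable:  {entropy_bits(95, 8):.1f} bits")
    print(f"16 chars from 95 printable: {entropy_bits(95, 16):.1f} bits")
```

The entropy figures are the point of the comparison: three words drawn at random from a 7776-word list give about 39 bits, which is plenty against online guessing where the service rate-limits attempts, but for a password that might be cracked offline from a leaked hash, five or six words (or a 16-character random string from a password manager, about 105 bits) is the safer choice. Note that the estimate only holds when the words are chosen by a random source such as `secrets`; a phrase the user picks by hand is far more guessable than the arithmetic suggests.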
Protect your password
Aside from following the tips above to make your passwords hard to guess, there are tools that help you manage and protect them.
“Password managers like LastPass, Dashlane and KeePass are must-have tools for everyone helping to protect our passwords, and ultimately our digital lives,” recommends Richard Barretto, Chief Information Security Officer at Progress. “I don’t know any of my 100 passwords – neither should you. Mine are all stored in my password manager. I strongly recommend that a password manager solution should be everyone’s first choice to generate passwords on your PC, Mac, and mobile devices.”
Similarly, regardless of the strength of the password, “a two-step verification (2SV) – also known as two-factor authentication (2FA) or multi-factor authentication (MFA) – should be used where possible,” Node4’s Mearing adds. “This provides an extra layer of security so that, should your password be leaked in a data breach, access to your personal information is still denied.”
Andy Swift, Technical Director – Offensive Security at Six Degrees agrees that “no matter how complex your password is, it is still susceptible to a brute force attack unless it is backed up by multi-factor authentication. So whenever you’re accessing a web application, a VPN through a laptop at home, or any point of contact between the internet and your IT infrastructure, make sure multi-factor authentication is in place to minimise the risk of illicit access and data breach.”
Premium password practices
Whether you take Julius Caesar’s approach and work in code or stick to the conventional defence that passwords offer, make sure your systems and data are strongly protected. World Password Day serves as a reminder of good password practice, so take time today to update any passwords you haven’t changed for a while: pick something long, random and unique, store it in a password manager, and turn on multi-factor authentication.