Today is World Password Day. It is a day designated to remind us of the importance of this first line of defense against ransomware, spyware, and other bad actors. This was especially true over this past year during which the World Health Organization reported a fivefold increase in cyber attacks.
Yet, contrary to prevailing advice on picking strong passwords, Security.org’s second annual report on America’s password habits and strategies revealed that 14 percent of us used “COVID” in our passwords; 21 percent used “Trump” or “Biden” and 20 percent used a curse word.
Most people are not aware of just how insecure those passwords really are. If you take a look at the most commonly used passwords, it’s interesting to note how fast these passwords can be hacked.
But even strong passwords are not a guarantee, which is why most cybersecurity experts emphasize the need for additional measures or, if sticking with passwords, offer some advice on how passwords should be chosen correctly. Here’s some advice from industry experts for this year’s World Password Day:
What the industry says about passwords
Surya Varanasi, CTO of Nexsan, a StorCentric Company, and JG Heithcock, GM of Retrospect, a StorCentric Company, would like to offer the following thoughts on why stopping with a stron password is not enough.
Surya Varanasi:
“Few would argue that creating strong passwords must remain a priority. However, even after creating a seemingly impenetrable password using every best practice possible, undiscovered threats might still be able to penetrate them and expose your environment to unnecessary risk.
But if your organization has data that is too important to lose, too private to be seen and too critical to be tampered with then you must take the next step to thwart cyber-criminals. This can be accomplished by employing a strategy that enables you to unobtrusively offload data from what is likely expensive primary storage (cost savings is another bonus here) to a cost-effective storage solution that is engineered specifically to be regulatory compliant and tamper-proof from even the harshest ransomware attacks. And since backups have become the latest malware targets, the storage platform should include “unbreakable backup” meaning it includes an active data vault that creates an immutable copy, which makes recovery of unaltered files fast and easy – so there’s zero operations disruption and never any need to pay ransom.”
JG Heithcock:
“A global survey conducted by Gartner found that 88% of business organizations mandated or encouraged employees to work from home (WFH) as a result of the COVID-19 pandemic. With millions of workers around the world now having to access their organization’s data remotely, data protection was put under increased pressure. For many, the answer was to employ a strong password — oftentimes, requesting that employees do so employing a random mix of no less than 15 characters. Undeniably, this was a step that could not be ignored. Unfortunately, many learned the hard way that this was not enough to stop today’s increasingly determined and aggressive cyber-criminals. And given that research, such as that from the Harvard Business School, shows that the WFH paradigm will likely endure, it is clear that stronger measures must also be taken.
In 2021 and beyond, multi-layered data protection strategies – such as those employing strong passwords combined with thorough backup practices – will help to ensure you, your data and your organization remain protected in the event of a simple accident, cyber-attack or any other disaster.”
Strong passwords are only the first step
Good password hygiene is an essential way for businesses and individual users to protect the health of their data; especially in light of the FBI estimated 4,000 ransomware attacks being carried out on a daily basis. With World Password Day in mind, Don Boxley, CEO and Co-Founder of DH2i, says:
“While few would argue the necessity of choosing a strong password, many continue to ignore (or perhaps are unaware) how best to do so and instead choose the types of easy-to-guess, predictable passwords that have plagued data security since the beginning of digital login credentials. However, the truth is that when it comes to data security, even the most complicated, random and continuously changing password is rarely enough.
This is why so many in the industry are now turning to software defined perimeter (SDP) solutions to replace their outdated VPNs. With SDPs, users are able to construct lightweight, discreet, scalable, and highly available “secure-by-app” connections between edge devices, on-premises, remote, and/or cloud environments. Contrary to VPN design, SDP solutions were engineered specifically for the way we work and live today — which when combined with effective passwords, will provide virtually impenetrable protection now and into the future.”
Oliver Cronk, Chief IT Architect, EMEA at Tanium argues that protecting company assets using password is still a valid way to go forward, if done correctly:
“I recommend that organisations should rethink their approach to creating complex passwords, as length has been shown to be more efficient than complexity. Having a few long, random words separated by a dot can be more secure than choosing a complex password with a mixture of numerical and alphabetical, upper-case and lower-case characters.
Passwords are just one piece of the puzzle, so I suggest supplementing strong password policies with multi-factor authentication and authentication apps. By encouraging employees to stick with one good, unique password and supporting this by requiring the user to provide two or more verification factors, the user has less reason to change their password regularly. This method can be more effective than simply forcing users to change their password every 90 days. Finally, screening password resets against commonly used, expected or compromised passwords is another measure that isn’t incorporated by organisations as much as it should be.”
Ditch passwords altogether
Dirk Geeraerts, EMEA Regional Director for Access Management solutions at Thales, goes a step further and suggests ditching passwords altogether:
“With more employees working remotely than ever before due to COVID-19, businesses are at greater risk from a cyber-attack with workers accessing systems outside of the usual company network. As such, this year’s World Password Day is in fact a timely reminder for businesses to drop passwords forever – they are no longer good enough and are the prime resource for hackers to gain access. Instead, companies should rollout access management solutions such as passwordless authentication which verifies users through other methods like their IP address or if they are accessing through a device or operating system associated to them. This will overcome the inherent vulnerabilities of text-based passwords, while improving levels of assurance and convenience.
“No single solution is enough though, so organizations should also be looking to adopt a Zero Trust model in their approach to authenticating users and certifying their authorization to access data. This strategy, based on the principle, “Never Trust, Always Verify”, views trust as a vulnerability and requires employees to only access data they’re authorized to do so, while ensuring they verify who they are each time they want access.”
Finally, Joseph Carson, Chief Security Scientist & Advisory CISO at Thycotic, offers some helpful advice on how to choose a password.
“It is World Password Day, which means it is time to reflect on your current password hygiene and determine if your password choices are putting you at serious risk of becoming a victim of cybercrime. According to the UK National Cyber Security Centre (NCSC), 15% of the population use pets’ names, 14% use a family member’s name, and 13% pick a notable date. In fact, the weak password problem is so severe that the UK recently proposed new internet and IoT reforms that would make using “password” as your password illegal.
Passwords remain one of the biggest challenges for both consumers and businesses around the world. Thanks to the SolarWinds security incident in late 2020, we were all reminded that a poor password choice can not only impact your own organization but all connected organizations as well. This was likely one of the biggest supply chain cyberattacks in history — all stemming from poorly-created passwords.
If you are a consumer, start by using a password manager today. If you are a business leader, you should move beyond password managers straight into privileged access security. Rotating and choosing passwords is one of the biggest causes of cyber fatigue, so organizations can reward employees with privileged access security solutions that will eliminate one of their biggest work headaches and introduce security solutions that they will want to use. Privileged access security is one of the few security solutions that will transform your employee password experience into one that will make them more productive — and you’ll never need to create unique, complex passphrases for every account as privileged access management (PAM) will do that for them. It’s time to increase security and ease stress by moving passwords into the background with a modern PAM solution.”
This article is part of our World Password Day Special – read more about passwords here.