Passwords are the critical gatekeepers to our digital identities, allowing us to access online shopping, banking, social media, private work and life communications. However, as data breaches of countless organisations that we trust continue on a daily rate, World Password Day provides an important reminder to companies and individuals alike of basic IT security.
From enabling two-factor authentication to regularly updating logins, this World Password Day we spoke to industry experts to gain their insight on how to ensure critical data can be secured.
The workplace is changing, so must your passwords
Over this last year the global shift to remote working has meant IT leaders have the added responsibility of managing the growing risk of data breaches, with a large proportion of employees working remotely.
Neil Jones, cybersecurity evangelist at Egnyte, explains how remote work can lead to employees accessing unsanctioned devices, apps and networks, particularly when they experience issues with work-related IT resources. “This broadens the attack surface for bad actors and leaves few checks in place for careless behaviour that can result in data leaks.”
This World Password Day, he shares some practical steps that you can take to protect your valuable information, while embracing today’s work-from-home environment:
- Educate your employees on password safety – Teach your users that commonplace passwords such as “123456,” “password” and their pets’ names can put your data and their personal reputations at risk. Remind users that passwords should never be shared with anyone.
- Institute two-factor authentication – IT administrators should require additional login credentials during the users’ authentication process, to prevent potential account breaches. This can be as simple as a user providing their password, then entering an accompanying numeric code from an SMS text.
- Set passwords for personal devices – Personal devices are on the rise in a remote-work environment and are particularly vulnerable to data theft, so encourage your employees to password-protect them.
- Change your Wi-Fi password regularly – Remember that potential hackers are often working from home, just like us. If you haven’t updated your Wi-Fi password recently, do it immediately.
- Establish mandatory password rotations – Greatly reduce exploitation of default and easily-guessable employee credentials by making your employees change their passwords regularly.
- Update your account lockout requirements – Prevent brute force password attacks by immediately locking out access points after several failed login attempts.”
“World Password Day 2021 is more important than ever as organisations grapple with the new reality of ‘work from anywhere’ and the fast adoption of the hybrid workplace trend,” adds Ralph Pasini, president of Exabeam.
“Through a mix of educating staff on complex password best practices, security awareness training and investing in machine learning-based security analytics tools, organisations can make it much more difficult for digital adversaries to utilise their employees’ usernames and passwords for personal gain. Behavioural analytics tools can swiftly flag when a legitimate user is exhibiting anomalous behaviour indicative of compromised credentials. This approach provides greater insights to SOC analysts about both the impacted and malicious user, which results in a faster response incident time and the ability to stop adversaries in their tracks, before they can do damage.”
Multi-factor authentication (MFA) is a critical defence against credentials theft, requiring additional layers of verification before access is granted. However, Gary Cheetham, CISO at Content Guru, explains that “without the most fundamental defence of all – good cyber hygiene – credentials theft and a resulting data breach is only a matter of time.
“It is essential that business leaders empower and encourage employees to maintain cyber hygiene – the basics of cyber security. Security leaders simply cannot overlook the importance of educating the rest of your employees to keep the organisation watertight. Regular training on cyber security and the hygiene aspects using engaging and accessible resources is the best way to cultivate a highly secure workforce.”
Tim Bandos, CISO at Digital Guardian, adds that while a lot of the coverage about passwords focuses on business users, it’s really important not to overlook children and teens in this discussion. “They will typically make some of the same types of common mistakes as adults when creating and using online passwords, but there are several that stand out the most for this age group.
“One of the worst is sharing credentials with friends, boyfriends/girlfriends, etc. At that age, relationships tend to be shorter in duration and some kids end up using the shared access against each other such as posting inappropriate messages on social media accounts or conducting surveillance over account activity. This type of password-sharing behaviour may even stem from early childhood when parents would share their credentials with their kids for accessing devices or online sites. This should be avoided at all costs.”
Advice to remember
“Here’s a riddle for you: what’s the one thing we all have, all hate and never remember?,” concludes Wes Spencer, CISO of Perch Security, a ConnectWise Solution. “Yep, a password. Isn’t it ironic that in 2021, we’re still using one of the most broken systems for authentication ever? Even Julius Caesar hated passwords and preferred his own cipher to communicate instead.
“Why is this? Well, passwords are like underwear. You see, you should never share them, never hang them on your monitor, and honestly, no one should ever see them. So how do we go about living in a password-required world? First, remember that long passwords are always better than complex ones. This is because the human brain is hardwired to be extremely poor at creating and remembering complex passwords. In fact, a long 16-digit password is far more secure than a short 8-character complex password.
“Second, never reuse a password. Ever. Most successful breaches occur when a stolen password from one platform is leveraged against another system that shares the same password. At Perch Security, we’ve dealt with many breaches that occurred this way. It’s a true shame. The best way to avoid this is by using a reputable password manager and keeping it locked down. The password manager can handle the creation, storage and security of every password you use.
“Lastly, never rely on your password alone. All reputable platforms today should support multi-factor authentication. We should be religious about this.
“If you’ll follow these three things, your life with passwords will be much better. And perhaps one day, we’ll get rid of this pesky, broken system for good.”