This is part of a running commentary series for #WorldPasswordDay 2021.
Each year on the first Thursday in May, World Password Day strives to encourage users to elevate their password security strategy.
We heard from cybersecurity experts on what strong password security looks like and what the future of passwords holds.
Glenn Veil, VP, engineering, Wisetail:
"Passwords play a critical, ongoing role in different aspects of our lives. In our personal lives, they provide a layer of defense against fraud and identity theft. In the workplace, they defend us against a breach of sensitive company or customer data. At Wisetail, we implement policies, standards and guidelines around credential security, but the key is to create awareness and sensitivity in our employees through education and training.
Here are some tips we recommend to protect yourself and your business from cyberattacks:
1. Educate your people on the importance of credential security and provide them with the tools to protect credentials
2. Create an environment where your people are comfortable highlighting security issues or cases where practices are not being followed so you can continue to improve your credential security
3. Utilize multi-factor authentication to reduce the damage that can be done by weak or exploited passwords
4. According to NIST's 2021 security recommendations, it's important to keep your passwords long but not too complex. Theoretically, if the password is long enough, the chance of a hacker figuring out the correct sequence is low.
Follow these best practices beyond World Password Day, and your entire team will play a part in creating obstacles for digital adversaries and protecting your data."
Josh Odom, CTO, Pathwire:
"As we reflect on cyber hygiene practices for World Password Day, we recognize that for many years users were encouraged to create strong passwords using random combinations of characters that are difficult for humans to remember, but easy for computers to guess. This is the opposite of the intended purpose and often leads to inherently poor habits such as writing down passwords or reusing ones that are easier to remember. Some websites utilize a password strength meter, but this can also be tricky and lead users to make weaker passwords instead of stronger ones. While we’ve engineered these meters to score the passwords we create, they are better used against ones that a computer can create, because humans are too predictable, even when we try our best not to be.
To overcome these persistent password weaknesses, utilizing a password manager that generates passwords from a large set of characters to achieve a desired level of entropy is one of the best options currently available for creating strong and unique passwords. Still, other available options such as security keys, authenticator apps, or any multi-factor authentication method beyond just a password should be considered for security. Finally, resources like haveibeenpwned.com, which check for exposed passwords, are reliable compared to inventing and using your own strength-checking algorithms."
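The two practices named above, generating a password from a large alphabet until a target entropy is reached and checking it against an exposed-password service, worked through as an added example. This is editor-supplied code, not Pathwire's or haveibeenpwned.com's; the alphabet, the 80-bit target and the sample range response are assumptions, and the network fetch against the real range endpoint is deliberately left out so the block runs offline.

```python
import hashlib
import math
import secrets
import string
from typing import Dict, Tuple

# Assumed generator alphabet: letters, digits and printable punctuation
# (94 symbols). Space is left out because some login forms strip it.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of `length` symbols drawn uniformly from an alphabet of `alphabet_size`."""
    return length * math.log2(alphabet_size)


def length_for_entropy(bits: float, alphabet_size: int = len(ALPHABET)) -> int:
    """Smallest length whose uniformly random password reaches at least `bits` of entropy."""
    if bits <= 0:
        return 0
    return math.ceil(bits / math.log2(alphabet_size))


def generate_password(bits: float = 80, alphabet: str = ALPHABET) -> str:
    """Generate a password with at least `bits` of entropy from the OS CSPRNG.

    `secrets.choice` is used rather than `random.choice`: the latter is a
    Mersenne Twister whose output is predictable from earlier outputs.
    """
    length = length_for_entropy(bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


# k-anonymity range check in the style of the Pwned Passwords API
# (https://api.pwnedpasswords.com/range/<prefix>): only the first five hex
# characters of the SHA-1 hash leave the client, the server returns every
# known suffix for that prefix as "SUFFIX:COUNT" lines, and the match is
# made locally. The HTTP request itself is left to the caller here.

def hash_prefix_and_suffix(password: str) -> Tuple[str, str]:
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF."""
    seen: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        seen[suffix.upper()] = int(count)
    return seen


def breach_count(password: str, range_body: str) -> int:
    """How many times `password` appears in the range response (0 if absent)."""
    _prefix, suffix = hash_prefix_and_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


# Constructed sample response (not real API output): the suffix for the
# password "password" plus two made-up neighbours under the same prefix.
PASSWORD_SHA1 = hashlib.sha1(b"password").hexdigest().upper()  # 5BAA61E4...
SAMPLE_RANGE_BODY = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    PASSWORD_SHA1[5:] + ":3861493",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
])

if __name__ == "__main__":
    pw = generate_password(80)
    print(len(pw), "chars,", round(entropy_bits(len(pw)), 1), "bits:", pw)
    print("prefix sent to server for 'password':", hash_prefix_and_suffix("password")[0])
    print("breach count for 'password':", breach_count("password", SAMPLE_RANGE_BODY))
    print("breach count for generated password:", breach_count(pw, SAMPLE_RANGE_BODY))
```

With a 94-symbol alphabet each character contributes about 6.55 bits, so 80 bits needs 13 characters and 128 bits needs 20; the generated password is then looked up by hash suffix only, so the service never learns it.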
Wes Spencer, CISO, Perch Security, a ConnectWise Solution:
“Here’s a riddle for you: what’s the one thing we all have, all hate and never remember? Yep, a password. Isn’t it ironic that in 2021, we’re still using one of the most broken systems for authentication ever? Even Julius Caesar hated passwords and preferred his own cipher to communicate instead.
Why is this? Well, passwords are like underwear. You see, you should never share them, never hang them on your monitor, and honestly, no one should ever see them. So how do we go about living in a password-required world? First, remember that long passwords are always better than complex ones. This is because the human brain is hardwired to be extremely poor at creating and remembering complex passwords. In fact, a long 16-digit password is far more secure than a short 8-character complex password.
Second, never reuse a password. Ever. Most successful breaches occur when a stolen password from one platform is leveraged against another system that shares the same password. At Perch Security, we’ve dealt with many breaches that occurred this way. It’s a true shame. The best way to avoid this is by using a reputable password manager and keeping it locked down. The password manager can handle the creation, storage and security of every password you use.
Lastly, never rely on your password alone. All reputable platforms today should support multi-factor authentication. We should be religious about this.
If you’ll follow these three things, your life with passwords will be much better. And perhaps one day, we’ll get rid of this pesky, broken system for good.”
Ralph Pisani, president, Exabeam:
“World Password Day 2021 is more important than ever as organizations grapple with the new reality of ‘work from anywhere’ and the fast adoption of the hybrid workplace trend. Cybercriminals will capitalize on any opportunity to collect credentials from unsuspecting victims. Just recently, scammers began preying on people eagerly awaiting vaccinations or plans to return to the office as a means to swipe their personal data and logins, for instance.
The most common attack technique that I often see in the breach reports that I read is stolen credentials. This is a never ending battle between the security industry and cybercriminals, but there are ways organizations can protect themselves against credential theft.
Through a mix of educating staff on complex password best practices, security awareness training and investing in machine learning-based security analytics tools, organizations can make it much more difficult for digital adversaries to utilize their employees’ usernames and passwords for personal gain. Behavioral analytics tools can swiftly flag when a legitimate user is exhibiting anomalous behavior indicative of compromised credentials. This approach provides greater insights to SOC analysts about both the impacted and malicious user, which results in a faster incident response time and the ability to stop adversaries in their tracks, before they can do damage.
The pandemic increased the velocity of digital transformation, and cybercriminals are clearly becoming more advanced in parallel. Thus, we must stay hyper vigilant in protecting credentials this World Password Day and beyond.”