World Password Day: Here's What Cyber Experts Say About the Future of Password Security - Part 4

This is part of a running commentary series for #WorldPasswordDay 2021.
Each year on the first Thursday in May, World Password Day strives to encourage users to elevate their password security strategy.
We heard from cybersecurity experts on what strong password security looks like and what the future of passwords holds.

Ed Williams, Director at Trustwave SpiderLabs:

“We use passwords for one reason and one reason only, to protect ourselves, our data and our information. So why are we still so bad at them?

With the sheer number of services we all use daily, I definitely think there is a tendency to be lazy when it comes to passwords. And our own previous research would support that, highlighting words such as P@ssword1 as the most commonly used password, as well as finding people neglecting the use of special characters or using the exact same password for every account they have.

Despite passwords being so simple, there’s still a lot of education to be done. For example, did you know that a password made up of eight characters takes an average of one day to crack, whereas one with 10 characters would take an average of 591 days? That’s just two more taps of the keyboard and you’ve enhanced your security by 591%.

As humans, we struggle with randomness and all too often use guessable patterns when creating passwords, be it a base word, a year appended to the end, or character substitution, e.g. ‘Dr@gon2021’.

Passwords may not seem like much compared with other impressive security solutions or tools, but a well-thought-out password really could make the difference between your data, and that of your organization, being vulnerable or secure. Why not use today as a reminder to check your password security and make the life of a hacker more difficult?”
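The patterns Williams describes (a dictionary base word, a year appended, `@`-for-`a` style substitution, and the longer-is-stronger argument) can be turned into a concrete policy check. The script below is an added illustration, not Trustwave's research tooling: it undoes common substitutions and trailing years to recover the base word, compares it against a small constructed list standing in for a breached-password feed, and estimates the brute-force search space in bits so the effect of two extra characters is visible. The leaked-password set and the substitution map are assumptions chosen for the example.

```python
import math
import re

# Constructed stand-in for a leaked/common-password list (illustrative only,
# not a real breach corpus). Real deployments query a k-anonymity API or a
# locally hashed list instead of a literal set.
LEAKED_PASSWORDS = {"p@ssword1", "password", "123456", "qwerty", "dragon", "letmein"}

# Assumed substitution table: the usual "leet" swaps people use to satisfy
# complexity rules without adding real unpredictability.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

YEAR_SUFFIX = re.compile(r"(19|20)\d{2}$")


def normalize(password: str) -> str:
    """Recover the probable base word: drop a trailing year, then trailing
    digits, then undo substitutions and lowercase. 'Dr@gon2021' -> 'dragon'."""
    base = YEAR_SUFFIX.sub("", password)
    base = re.sub(r"\d+$", "", base)
    return base.translate(LEET_MAP).lower()


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, by character classes present."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"\d", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def keyspace_bits(password: str) -> float:
    """Upper bound on brute-force effort: log2(charset ** length).
    Each extra character multiplies the search space by the charset size."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def evaluate(password: str, min_length: int = 12) -> dict:
    """Return the policy findings for a candidate password."""
    findings = []
    base = normalize(password)
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if password.lower() in LEAKED_PASSWORDS:
        findings.append("appears in leaked-password list")
    elif base in LEAKED_PASSWORDS:
        findings.append(f"predictable variant of '{base}' (substitution/year pattern)")
    if YEAR_SUFFIX.search(password):
        findings.append("ends with a year")
    return {
        "bits": round(keyspace_bits(password), 1),
        "base": base,
        "findings": findings,
        "acceptable": not findings,
    }


if __name__ == "__main__":
    for candidate in ("P@ssword1", "Dr@gon2021", "correct-horse-battery-staple-42"):
        print(candidate, evaluate(candidate))
    # Two extra characters from the same alphabet add 2*log2(charset) bits.
    print("8 vs 10 lowercase chars:", keyspace_bits("a" * 8), keyspace_bits("a" * 10))
```

The substitution-aware normalization is what turns a complexity rule into a usefulness check: `Dr@gon2021` satisfies "upper, lower, digit, symbol" yet collapses to a six-letter dictionary word plus the current year, which is exactly the guessable shape the commentary warns about.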

Keith Hollender, Global Cybersecurity Practice Lead at Morgan Franklin Consulting:
“World Password Day is a great new channel to help raise awareness in the cybersecurity community and general workforce. The necessity of proper authorization and authentication to access critical data continues to become increasingly essential to organizations. As the remote workforce continues to expand, leaders must focus on launching secure remote access programs as quickly as possible.

Additionally, compliance regulations around data access are more apparent and stringent than ever before. Enabling Multifactor Authentication (MFA) is critical to strengthen password use and help ensure users authenticate themselves to securely access systems and data. It is also imperative to have an MFA device registration governance program and periodically audit MFA settings to verify that users are registered with only known devices.”
Jon Clemenson, director, Information Security, TokenEx:
“Despite technology trends moving toward risk-based authentication, passwords are likely to remain in play for some time. Considering this, World Password Day provides the perfect opportunity to reiterate strong password policies that are vital to both personal and business security. Cybercriminals often reuse credentials from password dumps found online, commonly referred to as credential stuffing, to access sensitive data. That tactic combined with using simple passwords does not provide appropriate data protection. We ask users not to repurpose passwords across websites, and instead, institute lengthy and unique complex passwords whenever possible in conjunction with two-factor authentication.
Further, malware and other attack methods can completely bypass passwords, which is especially concerning during remote work. Before cyber thieves can advance on your credentials, we recommend using password managers to auto-generate strong passwords, or moving to biometric or physical keys for authentication, which are more secure than using passwords. For sensitive data like credit card numbers or other personal info, businesses can remove that data from systems entirely using tokenization. That way, if a hacker does access company systems, they won't steal any useful information.
Finally, to rise above being a ‘low-hanging fruit’ target for a malicious actor, good password hygiene practices like not sharing or reusing passwords are vital. Investing the time to take one extra step to secure your data is invaluable when compared to the fallout of a data breach.”
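Clemenson's point about credential stuffing (replaying leaked username/password pairs against other sites) has a recognisable signature on the defending side: one source trying many *different* usernames in a short window, usually once each, as opposed to brute force, which hammers one account with many passwords. The detector below is an added example written for this page, not TokenEx's tooling; the log format and the sample lines are constructed, and the window and threshold are assumptions a team would tune to its own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not from any real system). One source
# walks through many usernames once each; another is a single user retrying.
SAMPLE_LOG = """\
2021-05-06T10:00:01Z login src=203.0.113.10 user=alice result=FAIL
2021-05-06T10:00:02Z login src=203.0.113.10 user=bob result=FAIL
2021-05-06T10:00:03Z login src=203.0.113.10 user=carol result=FAIL
2021-05-06T10:00:04Z login src=203.0.113.10 user=dave result=SUCCESS
2021-05-06T10:00:05Z login src=203.0.113.10 user=erin result=FAIL
2021-05-06T10:00:06Z login src=203.0.113.10 user=frank result=FAIL
2021-05-06T10:01:00Z login src=198.51.100.7 user=alice result=FAIL
2021-05-06T10:01:30Z login src=198.51.100.7 user=alice result=FAIL
2021-05-06T10:02:00Z login src=198.51.100.7 user=alice result=SUCCESS
"""

# Assumed line layout; adapt the pattern to the real auth log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text: str) -> list:
    """Turn log lines into event dicts; silently skip lines that do not match."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "user": m["user"],
            "result": m["result"],
        })
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=5) -> dict:
    """Flag each source that targets at least `min_users` distinct usernames
    inside any `window`-long span. Returns {src: {distinct_users, successes}}
    where successes lists accounts that accepted a login during the spray,
    i.e. the ones to force a reset on."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) >= min_users:
                hits = sorted({e["user"] for e in span if e["result"] == "SUCCESS"})
                prev = alerts.get(src)
                # Keep the densest window seen for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[src] = {"distinct_users": len(users), "successes": hits}
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: {info['distinct_users']} accounts tried, "
              f"successful logins for {info['successes'] or 'none'}")
```

Keying on distinct usernames per source, rather than failures per account, is what separates this from a lockout rule: a stuffing run produces only one or two failures per account and never trips per-account lockout, while the successful hit in the middle of the spray (`dave` in the sample) is the reused credential that needs a forced reset and an MFA challenge.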