
World Password Day: Strengthening Cyber Defenses with Best Practices

Experts from various sectors share their insights on the evolving landscape of password security, highlighting the urgent need for robust measures in combating cyber threats.


Narayana Pappu, CEO at Zendata


I would like to start with three stats and one technique: The average user in a developed country has between 100 and 150 accounts. Studies have shown that 53% of users use the same password across multiple accounts, and there is a 27.7% chance of an organization experiencing a data breach in the next two years. Credential stuffing (using leaked passwords from one account to gain access to other accounts) is a common technique used by hackers, creating a huge exposure for both users and companies. Along with using different passwords across different platforms, changing passwords often, and enabling 2FA, users can protect themselves by logging in with OAuth-based logins (login with Facebook/Google, etc., which tend to have better security) instead of creating a separate account, by logging in using email or text (which works similarly to 2FA), and by considering password-alternative login solutions like Beyond Identity that have gotten significant adoption in the last few years. Companies should consider adaptive authentication methods that consider factors like device reputation, IP address, and user behavior, which can help detect and prevent unauthorized access attempts.
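The credential stuffing Pappu describes has a recognisable shape in authentication logs: one source address walks through many different accounts, most attempts fail, and the occasional success is the account that was reused. The Go program below is an added example written for this page, not code from Zendata or the article. It parses constructed login records (format, thresholds and the RFC 5737 documentation addresses are all assumptions) and flags sources that match that shape while leaving a single-account brute-force attempt unflagged, and it lists the accounts that logged in successfully from a flagged source, since those are the ones to reset first.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// AuthEvent is one parsed login attempt.
type AuthEvent struct {
	IP, User string
	Success  bool
}

// ParseAuthLog reads constructed records of the form "timestamp ip user OK|FAIL";
// the format is an assumption for this example, not any product's real log.
func ParseAuthLog(raw string) []AuthEvent {
	var events []AuthEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			continue // skip malformed lines rather than fail the whole batch
		}
		events = append(events, AuthEvent{IP: f[1], User: f[2], Success: f[3] == "OK"})
	}
	return events
}

// Verdict summarises one source IP.
type Verdict struct {
	IP                      string
	Attempts, Users, Failed int
	Stuffing                bool
	Compromised             []string // accounts that logged in OK from a flagged IP
}

// DetectStuffing flags source IPs that try at least minUsers distinct accounts
// with a failure rate of at least minFailRate. That shape (many accounts, few
// attempts each, mostly wrong) is a leaked credential list being replayed;
// one account hit repeatedly from one IP is brute force and is not flagged.
func DetectStuffing(events []AuthEvent, minUsers int, minFailRate float64) []Verdict {
	type agg struct {
		tried, ok        map[string]bool
		attempts, failed int
	}
	byIP := map[string]*agg{}
	for _, e := range events {
		a := byIP[e.IP]
		if a == nil {
			a = &agg{tried: map[string]bool{}, ok: map[string]bool{}}
			byIP[e.IP] = a
		}
		a.attempts++
		a.tried[e.User] = true
		if e.Success {
			a.ok[e.User] = true
		} else {
			a.failed++
		}
	}
	var out []Verdict
	for ip, a := range byIP {
		v := Verdict{IP: ip, Attempts: a.attempts, Users: len(a.tried), Failed: a.failed}
		v.Stuffing = v.Users >= minUsers && float64(v.Failed)/float64(v.Attempts) >= minFailRate
		if v.Stuffing {
			for u := range a.ok {
				v.Compromised = append(v.Compromised, u)
			}
			sort.Strings(v.Compromised)
		}
		out = append(out, v)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].IP < out[j].IP })
	return out
}

// SampleLog is constructed sample data (RFC 5737 documentation addresses), not a capture.
const SampleLog = `
2024-05-02T10:00:01Z 203.0.113.7 alice FAIL
2024-05-02T10:00:02Z 203.0.113.7 bob FAIL
2024-05-02T10:00:02Z 203.0.113.7 carol OK
2024-05-02T10:00:03Z 203.0.113.7 dave FAIL
2024-05-02T10:00:03Z 203.0.113.7 erin FAIL
2024-05-02T10:00:04Z 203.0.113.7 frank FAIL
2024-05-02T10:00:05Z 198.51.100.9 alice FAIL
2024-05-02T10:00:06Z 198.51.100.9 alice FAIL
2024-05-02T10:00:07Z 198.51.100.9 alice FAIL
2024-05-02T10:00:08Z 198.51.100.9 alice OK
2024-05-02T10:00:09Z 192.0.2.44 grace OK
`

func main() {
	for _, v := range DetectStuffing(ParseAuthLog(SampleLog), 5, 0.5) {
		fmt.Printf("%-13s attempts=%d users=%d failed=%d stuffing=%-5v compromised=%v\n",
			v.IP, v.Attempts, v.Users, v.Failed, v.Stuffing, v.Compromised)
	}
}
```

The distinct-user count is what separates stuffing from brute force: 198.51.100.9 fails three times against one account and is left alone, while 203.0.113.7 touches six accounts and is flagged, with carol's successful login reported as the account to treat as compromised. In production the thresholds would be tuned per application and combined with the device and behaviour signals mentioned above.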


Patrick Harr, CEO at SlashNext


For years, strong passwords have been a cornerstone of cybersecurity. However, in today's era of increasingly sophisticated attacks, they are no longer enough to guarantee protection for our personal and corporate data. While creating complex passwords and changing them regularly remains essential, even the most diligent practices can't fully prevent hackers from breaching accounts and systems. 


The landscape of cyber threats has become even more complex with the emergence of generative AI tools, and in turn, has made hacking passwords easier than ever. SlashNext’s 'The State of Phishing Report 2023' highlights this alarming trend, revealing a 1,265% increase in malicious phishing emails since the launch of ChatGPT in November 2022. AI is now being used to create more convincing phishing attempts, which can trick users into revealing their login credentials. The report also reveals a 967% rise in credential phishing attacks specifically from Q4 2022 to Q3 2023, indicating a significant shift towards tactics that exploit stolen passwords.


In fact, just a few weeks ago, an employee at LastPass, a password manager software firm, was targeted in a fraudulent scheme, in which criminals used deepfake technology to impersonate LastPass’s CEO. Hackers were clearly targeting the company because it could have granted them access to hundreds of thousands of user accounts. 


All that said, it is crucial that your passwords, and more importantly, your private data stay protected. Multi-Factor Authentication (MFA) can effectively protect against “credential harvesting,” where hackers gather stolen passwords to launch attacks. This can be as easy as a user providing his/her password, then entering an accompanying numeric code from an SMS text. In addition, changing your passwords often and using different passwords across accounts can minimize the chances of being hacked. 


In the face of an AI-based attack, however, these protections might not be enough. Using security tools with AI technology is important to stop AI-fueled attacks that are aiming to steal your credentials. You have to fight AI with AI.


Krishna Vishnubhotla, Vice President Product Strategy, Zimperium


As crucial as they are for mobile security, passwords can also be vulnerable to various attacks. One of the biggest problems we’ve seen is the increasing occurrence of password reuse and how it exposes organizations to serious breaches. Simply put, when users repeat passwords for both corporate and personal logins, the organization is at risk. Hackers understand this, which is why they are increasingly using mobile phishing campaigns via SMS, messenger apps and even fake QR codes to harvest passwords. 


The only way in which organizations and individual users can withstand password attacks is by adhering to the password best practices such as switching up the passwords you're using, employing longer passwords, including all character types and symbols, and avoiding common passwords in general. Multi-Factor Authentication (MFA) also adds an additional layer of security to better protect systems and end-users from compromise.


Chad Graham, Manager of Cyber Incident Response Team (CIRT), Critical Start


World Password Day is a great opportunity to brush up on our digital security habits. It's a friendly nudge for everyone, tech-savvy or not, to strengthen their passwords. Instead of the usual mix of characters and numbers, consider creating a passphrase—a short, memorable sentence that’s tough to guess but easy for you to remember. Remember, a good passphrase is just the start: avoid using the same one across different sites and turn on multi-factor authentication to add an extra layer of security. For those who juggle multiple passwords, a password manager can be a handy tool, though a good old-fashioned notebook works too, if it’s kept secure and physical!
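Graham's passphrase advice is easy to follow badly (a favourite song lyric is guessable) and easy to follow well: draw words at random from a list, and the strength is then a matter of arithmetic. The Go program below is an added example written for this page, not code from Critical Start or the article. It generates a passphrase with crypto/rand and computes how many bits of guessing entropy a given list size and word count give. The 24-word list is constructed for the example; the entropy helpers take the list size as a parameter, so they apply equally to a published list such as the EFF long list (7776 words), which is also worked through.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Wordlist is constructed for this example and deliberately small. A real
// generator loads a published list such as the EFF long list (7776 words);
// EntropyBits and WordsNeeded depend only on the list size, so they apply to either.
var Wordlist = []string{
	"anchor", "basil", "copper", "dune", "ember", "falcon", "garnet", "harbor",
	"iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orbit", "pebble",
	"quartz", "river", "saddle", "timber", "umber", "velvet", "walnut", "yonder",
}

// EntropyBits is the guessing entropy of n words chosen uniformly and independently
// from listSize candidates: n * log2(listSize). It assumes the attacker knows the
// list and the scheme; the only secret is which words were drawn.
func EntropyBits(n, listSize int) float64 {
	return float64(n) * math.Log2(float64(listSize))
}

// WordsNeeded is the smallest word count that reaches targetBits from a list of listSize.
func WordsNeeded(targetBits float64, listSize int) int {
	return int(math.Ceil(targetBits / math.Log2(float64(listSize))))
}

// GeneratePassphrase draws n words with crypto/rand. rand.Int returns a uniform
// value below limit, so there is no modulo bias; math/rand must not be used here,
// since its output is predictable from a small sample.
func GeneratePassphrase(list []string, n int, sep string) (string, error) {
	words := make([]string, n)
	limit := big.NewInt(int64(len(list)))
	for i := range words {
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return "", err
		}
		words[i] = list[idx.Int64()]
	}
	return strings.Join(words, sep), nil
}

func main() {
	p, err := GeneratePassphrase(Wordlist, 6, "-")
	if err != nil {
		panic(err)
	}
	fmt.Println(p)
	fmt.Printf("%.1f bits from this %d-word list\n", EntropyBits(6, len(Wordlist)), len(Wordlist))
	fmt.Printf("%d words from a 7776-word list reach 77 bits (%.1f bits)\n",
		WordsNeeded(77, 7776), EntropyBits(WordsNeeded(77, 7776), 7776))
}
```

Six words from the toy list give only about 27.5 bits, which shows why the list size matters as much as the word count; six words from the 7776-word list give about 77.5 bits, beyond offline cracking for any hash function an account system should be using.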


Darren Guccione, CEO & CO-Founder, Keeper Security


Despite decades of advice to enterprises and consumers about following password best practices, Verizon's recent Data Breach Index Report found that 74% of data breaches involve the human element - including stolen credentials, phishing attacks, misuse or simple user error. Stolen or weak passwords remain a leading cause of breaches, and poor password practices abound for both consumers and enterprise users alike. Recent research reveals that 52% of enterprise IT teams struggle with frequently stolen passwords, while additional research shows that 3 in 4 consumers are at risk of being hacked due to poor password practices.


These alarming statistics underscore the importance of following password best practices such as creating strong, unique passwords for every account, and enabling Multi-Factor Authentication (MFA) wherever possible. Utilizing a zero-knowledge, zero-trust password management solution can help enterprise and consumer users prevent successful data breaches stemming from phishing and password-based attacks, among other common cyber attacks.


At the enterprise level, a Privileged Access Management (PAM) solution that enforces least privilege access, and enables IT and security leaders to easily manage and secure passwords, secrets and remote access, is critical to prevent and mitigate the effects of insider and external password attacks. If a cybercriminal does gain access to an organization’s networks, PAM platforms minimize the blast radius by preventing lateral movement.


Against this backdrop, World Password Day must no longer be a day of awareness. It must be a day of action and commitment to adopting solutions that keep all users safe and enforce cybersecurity best practices.


Lionel Litty, Chief Security Architect, Menlo Security


Any discussion of passwords these days inevitably devolves into how awful passwords are and the need to either supplement or replace them. The good news is that for once there is a robust solution - phishing resistant authenticators, meaning Passkey or YubiKey-type dongles, either in addition to a password or replacing the use of a password entirely. Data shows that using these goes a long way toward addressing many credential phishing scenarios. If your organization does not mandate these yet, this should be at the top of your To-Do list. Proper support for phishing resistant authenticators should also be on your security team's checklist when reviewing new and existing vendors.



Devin Ertel, CISO, Menlo Security


Passwords are becoming increasingly outdated and vulnerable to sophisticated cyber threats. Many experts believe that a passwordless future is not just a possibility but an inevitability. Passwords today need a more secure authentication method. As we strive towards a passwordless world, bridging the gap with FIDO (Fast Identity Online) options for the second factor can significantly enhance security. FIDO offers a user-friendly approach to authentication, reducing the reliance on passwords and mitigating the risk of unauthorized access.


Matthieu Chan Tsin, Head of Cybersecurity Services, Cowbell Cyber


Staying ahead of malicious actors in today’s evolving cyber threat landscape requires a robust strategy built on layered cybersecurity solutions and strategic partners. This World Password Day serves as a reminder that companies and individual users should focus on enhancing their defenses by adhering to fundamental best practices. This involves maintaining good password hygiene and adopting Multi-Factor Authentication (MFA).


Using weak or reused passwords is risky. Cybercriminals can guess weak and/or reused passwords in seconds to gain unauthorized access to sensitive information and wreak havoc on organizations. However, organizations can decrease their risk exposure by implementing MFA, password managers, and security assessments. 


Working with a cyber insurance provider is a practical and strategic way for companies to improve their cyber preparedness and response plans. Cyber insurance providers can help prevent and address cyber incidents and ransomware attacks, including those from password-based attacks.


As cyber threats escalate and evolve worldwide, businesses and individuals must shore up their cyber defenses to prevent potentially devastating consequences. World Password Day is a reminder of the critical role passwords and MFA play in securing an organization's digital infrastructure and highlights the importance of security protocols and proactive measures to mitigate cybersecurity risks and their impact.



John Anthony Smith, CSO and Founder, Conversant Group


In today’s escalating threat environment, it’s easy to overlook cybersecurity fundamentals. World Password Day serves as an important reminder that while having strong password safeguards may seem basic, they are often the first line of defense threat actors surpass to infiltrate an organization’s systems and ultimately cause significant damage. Some of the best ways to implement a proactive approach to password management include prioritizing length of passwords over complexity, limiting password management vaults to only one IT-sanctioned tool (blocking all others), and applying password hygiene. 

 

While complexity is important when it comes to password creation, it's secondary to length in ensuring resilience against attacks. While most platforms require 8-10 characters, passwords with a minimum of 16 characters are much stronger in ensuring cyber safety. Additionally, while password managers seem efficient, they are hotbeds for cyberattacks. Use only one organization-sanctioned and IT-approved password vault and block access to all other types of password managers. Critical credentials like break-glass accounts should never be stored in these vaults. Instead, consider writing down and storing these passwords in a physical safe with restricted access. Such critical passwords should be even longer, around 30 characters in length. 

 

Regular password rotation is essential to mitigating potential breaches. User accounts should be required to rotate credentials every 90-180 days and administrative accounts at least every 30 days. Implementing stringent account lockout policies, such as locking accounts after five failed login attempts with an indefinite lockout period, reinforces defense mechanisms against unauthorized access. It's critical that only IT personnel have access to unlock these accounts.
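Two of the contributors above describe what a password policy should check: Vishnubhotla asks for longer passwords and a ban on common ones, and Smith puts length ahead of complexity, with 16 characters for ordinary users and around 30 for break-glass credentials. The Go program below is an added example written for this page, not code from Zimperium, Conversant Group or the article. It enforces those rules as a length-first policy with no composition requirements and a denylist, and normalises candidates so that leet substitutions and a trailing year or punctuation do not slip a banned word past the check. The denylist, thresholds and normalisation rules are assumptions; a production system would check against a breach corpus instead of a hand-written list.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
	"unicode/utf8"
)

// CommonPasswords is a constructed denylist for the example; a real deployment
// loads a breach corpus (for instance the Pwned Passwords list) instead.
var CommonPasswords = []string{"password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd", "iloveyou"}

// leet undoes the substitutions people use to sneak a banned word past a filter.
var leet = strings.NewReplacer("@", "a", "$", "s", "0", "o", "1", "i", "3", "e", "4", "a", "7", "t")

// lettersOnly drops digits and punctuation, so "Password2024!" folds to "password".
func lettersOnly(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsLetter(r) {
			return r
		}
		return -1
	}, s)
}

// variants returns the forms compared against the denylist: lower-cased as typed,
// letters only, and letters only after trimming a trailing suffix and undoing leet.
func variants(pw string) []string {
	lower := strings.ToLower(pw)
	core := strings.TrimRightFunc(lower, func(r rune) bool { return !unicode.IsLetter(r) })
	return []string{lower, lettersOnly(lower), lettersOnly(leet.Replace(core))}
}

// Policy is length-first: a minimum length, a longer one for privileged or
// break-glass credentials, and a denylist. There are no composition rules
// ("one digit, one symbol"), which only steer users toward predictable patterns.
type Policy struct {
	MinLength, MinPrivilegedLength int
	deny                           map[string]bool
}

// NewPolicy normalises every denylist entry the same way candidates are, so
// "p@ssw0rd" in the list also catches "P@SSW0RD!" and "password".
func NewPolicy(minLen, minPrivLen int, denylist []string) Policy {
	p := Policy{MinLength: minLen, MinPrivilegedLength: minPrivLen, deny: map[string]bool{}}
	for _, entry := range denylist {
		for _, v := range variants(entry) {
			if v != "" {
				p.deny[v] = true
			}
		}
	}
	return p
}

// Check returns the reasons a candidate is rejected; an empty result means accepted.
func (p Policy) Check(pw string, privileged bool) []string {
	var problems []string
	need := p.MinLength
	if privileged {
		need = p.MinPrivilegedLength
	}
	if n := utf8.RuneCountInString(pw); n < need {
		problems = append(problems, fmt.Sprintf("%d characters, policy requires %d", n, need))
	}
	for _, v := range variants(pw) {
		if v != "" && p.deny[v] {
			problems = append(problems, fmt.Sprintf("matches denylisted password %q", v))
			break
		}
	}
	return problems
}

func main() {
	p := NewPolicy(16, 30, CommonPasswords)
	for _, c := range []string{"Tr0ub4dor&3", "P@ssw0rd2024!!!!", "correct horse battery staple"} {
		fmt.Printf("%-32q user: %v\n", c, p.Check(c, false))
	}
	fmt.Println("break-glass, 28 chars:", p.Check("correct horse battery staple", true))
}
```

"Tr0ub4dor&3" would pass a classic complexity rule and fails here only on length; "P@ssw0rd2024!!!!" meets the 16-character minimum and fails only because it folds to a denylisted word; a four-word passphrase passes for a user account and is short of the 30 characters required for a break-glass credential. Lockout thresholds and rotation intervals, also mentioned above, are enforced at the authentication service rather than in the policy checker and are out of scope for this example.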
