This is part 1 of our #WorldPasswordDay series.
World Password Day is an annual event that raises awareness of the need to create and use strong passwords to secure our online accounts. With more and more of our personal and professional lives taking place online, the risks associated with weak passwords have become more significant than ever. Cybercriminals are constantly finding new ways to steal passwords and gain unauthorized access to sensitive information, making it essential for individuals and organizations alike to take proactive steps to protect themselves. World Password Day serves as a reminder that we all have a responsibility to safeguard our online identities and encourages us to adopt good password practices to keep our digital lives secure.
We heard from security and identity management experts from around the industry on how critical strong password security is for organizations and end-users alike:
Dylan Owen, Associate Director, Cyber Protection Services, Raytheon Intelligence & Space
“As organizations continue to grow, populating networks and systems with an increasing amount of users, repetitive passwords have increased dramatically. This ultimately heightens the risk of systems being infiltrated and sensitive data being exposed. Because it can be costly and unfamiliar to switch to potential security alternatives, organizations tend to stick to their typical password protection measures, thus promoting password reuse. However, there is a high pay-off to taking proactive steps now, in ensuring that passwords are secure before it is too late. Multi-factor authentication with a physical device/token is a simple and highly effective step that an organization should consider utilizing. Reducing the problems that often come with password authentication and authorization and eliminating the need to memorize or keep track of passwords, this security measure makes it easy for the user, while also keeping data highly protected. Providing a password manager can also be considered, providing users with complex, unique passwords for each system. This would also avoid the need to remember or write down passwords, as they would be stored securely in the password manager.”
Fran Rosch, CEO, ForgeRock
“Our industry has been talking about the vulnerability of weak passwords for years, yet data breaches are still a major concern, and organizations underestimate the risks associated with relying on passwords to protect valuable information. Closely monitoring password activity is critical to ensuring that attackers haven’t slipped through a company’s security. For example, if an employee gets locked out of the system and does not request help from their IT team, that person’s credentials are now at risk.
Abolishing weak passwords by going passwordless significantly helps enterprises reduce risk and stop threats at scale. As identity theft and breaches reach unprecedented levels, organizations need to take advantage of technology that strengthens security. This includes the adoption of passwordless solutions that incorporate things like biometrics, authenticator apps, tokens, and certificates, as well as AI-based access management. As we reflect on World Password Day, it’s clear that unless we eliminate passwords altogether, we will continue to live in a lose-lose situation where online experiences will remain frustrating for users and attackers continue to keep stealing our information.”
Rick McElroy, Principal Cybersecurity Strategist, VMware
“Despite the security industry’s many innovations that were on display at RSA last week, many organizations are still relying on dated authentication methods like passwords to protect their networks.
User ID and passwords can ultimately be the weakest link in an organization’s cybersecurity strategy, given the efforts by attackers to steal basic credentials to gain access to company data. Multi-factor authentication has helped make it more difficult for hackers to exploit these safeguards, but they continue to be areas of concern.
While alternative strategies to passwords are coming, it will take some time before these new methods are accessible to civilians. Until these new methods are available, security teams should move away from central stores of identities and continue to leverage multi-factor authentication to bolster their organization’s security.”
Will LaSala, Field CTO, OneSpan
“While World Password Day began as a reminder to strengthen passwords, it’s critical to recognize that passwords have since become a core part of our digital identities and the key to determining known and unknown users online. Every time you type in your password online, you share part of your digital identity, opening up opportunities for your sensitive data to be compromised. With a strong and secure password, you can help reduce the likelihood of breaches – but as Web3 adoption nears and cyber attacks rise, this is no longer enough.
Web3 will usher in a new online world where consumers interact with businesses in different ways, creating new security threats. To prepare for this, we must ensure that people are who they say they are and are not bad actors performing advanced identity fraud, such as deepfake attacks. The key to securing and protecting our online identities amidst Web3 is continuous identity verification throughout every digital interaction or transaction. While solutions like MFA, biometrics, and token-based authentication have emerged, they are not continuous or woven throughout the entire transaction lifecycle, putting identities at risk.
This World Password Day serves as an important reminder about the deep correlation between passwords and identity. With so much sensitive data and high-value transactions now conducted online, upholding the integrity of your digital identity should be a top priority – and this starts with password protection.”
Fayon Atkinson, Risk + Response Manager, Corvus Insurance
“With World Password Day approaching, it’s important to call attention to how critical it is for organizations to have the proper authentication controls in place to protect against threat actors stealing user credentials and logging directly into their systems to initiate a cyber-attack. Here are a few things users can do today to ensure they’re sufficiently protected:
Implement Multi-Factor Authentication (MFA): This comprehensive approach adds an extra layer of security and protects against unauthorized access, data breaches and password-based cyber-attacks.
Use complex passwords: Complex passwords make it more difficult for threat actors to guess. This includes making them longer, using special characters, and using uncommon passphrases.
Use a password manager: Leveraging a password manager helps users create, manage and store passwords. It can be very convenient and it serves as a way for users to implement all the practices mentioned above in one application.
Use a unique master password for your password manager: This password should be unique to you and should not be reused for other systems or apps. If a breach occurs, an attacker could use that master password to hack into your network and steal sensitive information.
Securely store keys: In order to regain access to your password vault if you forget your master password, you will need a secret key. Ensure that you are securely storing your secret key as well as a recovery key that you get when you set up your online password vault.
Every industry needs to take a step forward and commit to implementing the appropriate precautions to keep users and organizations safe and secure by protecting their passwords. Without that commitment, organizations will continue to give hackers the upper hand. However, as we know, adversaries' tactics continue to grow and evolve, so ongoing monitoring and re-assessment of your organization's security posture is crucial.”
Jenn Markey, VP Product Marketing, Payments & Identity, Entrust
“According to a recent survey, 6% of global consumers believe passwords are the most secure method of online authentication, and over half need to reset passwords once a month or more because they forget them. It’s no surprise that passwords are becoming obsolete - they are no longer the most secure option, hard to remember and easy to steal.
Too many organizations either still rely on a single-factor authenticator like the password or enable relatively weak multi-factor authentication (MFA) with an over-reliance on one-time passcodes. The future is digital − consumers are increasingly seeking new, digital verification methods that allow them to securely share their identity credentials seamlessly and quickly. This is the promise of decentralized identity, which, if realized, would enable consumers to only share the identity information they want, when they want to. Decentralized identity would remove reliance on centralized third parties, and on passwords, allowing consumers to retain control of their key identity credentials themselves, creating an easier and more secure approach to daily verification that can be used across industries for travel, online transactions and more.
In the next two years, decentralized identity will become even more prominent in our everyday lives – and enterprises need to get their infrastructures ready to make that change today. Ultimately, as digital adoption goes up, friction goes down and we are able to give consumers the control and convenience they desire without the need for a password.”