World Password Day 2022 – Commentary

Despite knowing the risks of bad password habits, many employees continue to recycle the same passwords out of convenience. Meanwhile, 95% of organizations suffering credential stuffing attacks saw between 637 and 3.3 billion malicious login attempts over the year, highlighting the need for more education on password practices.

Expert Comments

May 06, 2022
Pete Caldecourt
Director of Product Management
Quest


The problem with passwords is we expect users themselves to be the security measure. We expect them to set unique and complex passwords whilst also being able to remember them all. However, human nature is to opt for convenience, which is why each year we see ‘password’ and ‘12345’ cited as some of the most common terms in use. Cybercriminals understand human nature and know that people will continue making the same mistakes with passwords, no matter how many times they are warned. Therefore, threat actors continue to leverage tactics such as password spraying, credential stuffing and brute force attacks, because they work.

As passwords aren’t disappearing anytime soon, we need to reduce the reliance on and responsibility of the individual user. Adding multi-factor authentication continues to be a powerful security measure as part of an overall Zero Trust approach, provided it is implemented in a bespoke and thoughtful way that doesn’t leave users frustrated. It is also encouraging to see a continuing upward trend in the adoption of password managers which take the human element out of the equation, implementing complex and unique passwords without the user needing to remember them.

May 06, 2022
Steve Wilson
Chief Product Officer
Contrast Security


Every time a corporate user depends on a password to get access to a service, your IT team has failed at their jobs. Updating practices to include modern identity management technologies means your users don't have to remember passwords anymore and that criminals gain nothing from stealing them. This is why it is absolutely critical to enforce a company-wide policy of leveraging a password manager and mandate multifactor authentication (MFA). Even if a user is successfully phished for a password, your data stays safe.

May 06, 2022
Larry Maccherone
DevSecOps Transformation
Contrast Security


Enterprises should be developing and implementing password policies based on research, not intuition, folklore, and anecdote. If you had done that, you’d have stopped rotating passwords arbitrarily over a decade ago and you’d now drop the requirements for special characters in exchange for longer passwords and using passphrases (with no special characters). These passwords are easy to remember and often faster to type, which is a better user experience, while making user accounts safer. CyLab created a great password research piece – https://www.andrew.cmu.edu/user/nicolasc/publications/Tan-CCS20.pdf

May 06, 2022
Rod Simmons
VP of Product Strategy
Omada


A habit that compromises security is creating bad passwords. I have done many password hash analyses between breached databases and current or historical passwords, and my experience has shown that not only are many users bad at creating passwords, but their techniques are also painfully similar to their peers inside the company. It is shocking how many people use company jargon and industry terms in passwords.

May 06, 2022
Sanjay Gupta
SVP at Mitek
Mitek


Passwords need to be put to rest. What once was a string of characters believed to be top secret has become every cybercriminal’s haven. World Password Day is one that needs to evolve given passwords’ vulnerability. 

Instead, we should move towards a password-less future – one that relies on our unique features such as voice, face, and fingerprints to gain digital access conveniently and securely. Besides physical biometrics, there now exist newer tools like behavioural biometrics, which verify identities by assessing their behaviour to create a unique digital fingerprint.

However, while biometrics is the next step forward, its adoption is stalled by people’s fear and lack of understanding of the tech. Passwords have also become too ingrained into our society, making it hard to convince people to change their habits.

The key to a password-less future starts with education. We need to help people understand how biometrics work and why it can never be stolen or misused. Passwords alone are not enough and as our youths of today demand security and speed, we need to introduce a quicker, seamless authentication option that promises protection against fraudsters.
May 06, 2022
David Lindler
CISO
Contrast Security


One of the most common security requirements I still see being used in organizations is forced password expiration. NIST has explicitly stated for 4 years now (SP 800-63B Section 5.1.1.2) that memorized secrets should not be required to be changed arbitrarily and only force a change if there is evidence of compromise. If you make one change to your password policy, remove this arbitrary requirement.

How many passwords have you forced yourself to remember? How many renditions of the same password (e.g. Password1, Password12, Password1!) are you using? A password manager will simplify your life and allow you to create and store passwords securely, and at the same time, you will never have to even know what those passwords are. Get yourself a password manager today.

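The policy that the Contrast Security comments (Larry Maccherone, David Lindler) and the Omada comment (Rod Simmons) above argue for can be written down as a verifier-side check: a length floor instead of composition rules, screening against breached passwords and company jargon, and no calendar-driven rotation. The Python below is an added example written for this page; it is not code from NIST, Contrast Security, Omada or any product. The breached-password list, the jargon list, the `check_password` function and its thresholds are constructed assumptions, and the trailing-decoration stripping is the editor's way of catching the "Password1 / Password12 / Password1!" renditions Lindler mentions.

```python
"""SP 800-63B-style memorized-secret check (added example; not vendor code).

What it enforces, following the commentary on this page:
  * a minimum length of 8 and a maximum of at least 64, so passphrases work;
  * no composition rules (no mandatory digits or special characters);
  * rejection of anything in a breached-password blocklist, including the
    'Password1 / Password12 / Password1!' renditions of a blocked word;
  * rejection of company jargon and of the username itself.
What it deliberately lacks: an expiry date. Under SP 800-63B 5.1.1.2 a forced
change is triggered only by evidence of compromise, not by the calendar.
"""
import hashlib
import re
import unicodedata
from typing import List, Set

MIN_LENGTH = 8
MAX_LENGTH = 64

# Constructed sample data: a tiny stand-in for a breached-password corpus and
# for an organization's own jargon list (both would be far larger in practice).
BREACHED_PASSWORDS: Set[str] = {"123456", "password", "qwerty", "letmein", "welcome"}
COMPANY_JARGON: Set[str] = {"acme", "widgetco", "synergy"}

# Trailing digits and punctuation are what users typically append to satisfy
# composition rules or to dodge history checks ("Password1", "Password12!").
TRAILING_DECORATION = re.compile(r"[0-9!@#$%^&*().,;:_\-+=?]+$")


def sha1_hex(text: str) -> str:
    """Digest used only so the blocklist can be held as hashes, not plaintext."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Blocklist kept as hashes of the lowercased entries.
BREACHED_HASHES: Set[str] = {sha1_hex(p.lower()) for p in BREACHED_PASSWORDS}


def normalize(candidate: str) -> str:
    """NFKC-normalize, as SP 800-63B recommends before comparing secrets."""
    return unicodedata.normalize("NFKC", candidate)


def root_word(candidate: str) -> str:
    """Lowercase and strip trailing decoration; fall back to the whole string
    when stripping would leave nothing (e.g. '123456')."""
    lowered = candidate.lower()
    stripped = TRAILING_DECORATION.sub("", lowered)
    return stripped or lowered


def check_password(candidate: str, username: str = "") -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted."""
    pw = normalize(candidate)
    lowered = pw.lower()
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    # Check both the candidate itself and its undecorated root against the blocklist.
    if sha1_hex(lowered) in BREACHED_HASHES or sha1_hex(root_word(pw)) in BREACHED_HASHES:
        reasons.append("appears in breached-password blocklist")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    if any(term in lowered for term in COMPANY_JARGON):
        reasons.append("contains company jargon")
    return reasons


if __name__ == "__main__":
    for pw, user in [("Password1!", "jsmith"), ("correct horse battery staple", "jsmith"),
                     ("AcmeRocks2022", "jsmith"), ("jsmith2022!", "jsmith")]:
        print(f"{pw!r}: {check_password(pw, user) or 'accepted'}")
```

A real deployment would swap the constructed sets for a full breach corpus held as digests and a jargon list maintained by the organization; the shape of the check stays the same, and note that the only thing a long passphrase has to clear here is the blocklist.
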
May 06, 2022
Amir Nooriala
CCO
Callsign


The role of passwords has evolved but still has a long way to go. Passwords and PINs are easily compromised, and people can be manipulated into divulging confidential information. It’s also no secret that most people re-use their passwords across multiple accounts, with new research by NordPass revealing '123456' and 'password' are among the most popular passwords used by CEOs.

When log-in credentials become public knowledge through all-too-common data breaches, bad actors can harvest them and use bots to try their luck at every login screen they can find – with an alarming success rate. These are some of the reasons password protection is becoming an outdated method of authentication because it can compromise user ID.

Instead of relying heavily on passwords as a secure way to authenticate users, businesses should consider building other authentication methods into their customer security strategies. For example, behavioural biometrics analyses user behaviour against thousands of contextual data points to make sure the user is who they say they are.

Put simply, behavioural biometrics works to positively identify genuine users so they can enjoy online experiences safely. It gives consumers quick access to online services such as banking and retail, while building digital trust. Passwords and PINs aren’t consigned to history, though - they can still play a role as long as they are supported by other forms of authentication. Whilst we at Callsign can offer traditional knowledge-based authenticators such as PIN and password, we always recommend layering these with behavioural biometrics to guarantee the appropriate level of protection that consumers deserve.

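The attack pattern the introduction, the Quest comment (password spraying, credential stuffing, brute force) and the Callsign comment above describe, harvested credentials replayed by bots at every login screen, shows up in authentication logs as one source cycling through many usernames with a few attempts each, and the single success inside that burst is the event worth alerting on. The Python below is an added example for this page, not Callsign's, Quest's or any product's code: the log format, the sample lines and the `detect` thresholds are constructed assumptions.

```python
"""Credential-stuffing / spraying vs. brute-force detection over auth logs
(added example; not from any vendor quoted on this page).

Both stuffing and spraying look alike from the defender's side: one source,
many distinct usernames, few attempts per username. A classic brute force
(many attempts against one username) is separated out because it calls for a
different response (rate-limit or lock that single account). For any flagged
source, successful logins after the burst began are listed: those are the
accounts to treat as compromised.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed log format (constructed for this example, not a real product's):
#   <ISO timestamp> auth <FAIL|OK> user=<name> ip=<source>
LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: one source spraying six accounts and landing one,
# one source hammering a single account, one user who just mistyped once.
SAMPLE_LOG = """\
2022-05-06T09:00:01 auth FAIL user=alice ip=203.0.113.7
2022-05-06T09:00:02 auth FAIL user=bob ip=203.0.113.7
2022-05-06T09:00:03 auth FAIL user=carol ip=203.0.113.7
2022-05-06T09:00:04 auth FAIL user=dave ip=203.0.113.7
2022-05-06T09:00:05 auth FAIL user=erin ip=203.0.113.7
2022-05-06T09:00:06 auth FAIL user=frank ip=203.0.113.7
2022-05-06T09:00:07 auth OK user=frank ip=203.0.113.7
2022-05-06T09:10:00 auth FAIL user=dave ip=198.51.100.9
2022-05-06T09:10:05 auth FAIL user=dave ip=198.51.100.9
2022-05-06T09:10:10 auth FAIL user=dave ip=198.51.100.9
2022-05-06T09:10:15 auth FAIL user=dave ip=198.51.100.9
2022-05-06T09:10:20 auth FAIL user=dave ip=198.51.100.9
2022-05-06T09:10:25 auth FAIL user=dave ip=198.51.100.9
2022-05-06T09:15:00 auth FAIL user=alice ip=192.0.2.20
2022-05-06T09:15:09 auth OK user=alice ip=192.0.2.20
"""

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, ip)


def parse_log(text: str) -> List[Event]:
    """Parse the assumed format; lines that do not match are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def detect(events: List[Event], window: timedelta = timedelta(minutes=10),
           min_failures: int = 5, min_users: int = 5) -> Dict[str, dict]:
    """Flag each source IP whose densest failure burst inside `window` has at
    least `min_failures` failures; classify by how many distinct usernames the
    burst touched. Thresholds are assumptions to tune per environment."""
    by_ip: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [(ts, user) for ts, result, user in evs if result == "FAIL"]
        # Sliding window over the sorted failures; keep the densest burst.
        best: List[Tuple[datetime, str]] = []
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 > len(best):
                best = fails[start:end + 1]
        if len(best) < min_failures:
            continue
        users = {u for _, u in best}
        kind = "credential stuffing / spraying" if len(users) >= min_users else "brute force"
        successes = sorted({user for ts, result, user in evs
                            if result == "OK" and ts >= best[0][0]})
        findings[ip] = {"kind": kind, "failures": len(best),
                        "distinct_users": len(users), "successes": successes}
    return findings


if __name__ == "__main__":
    for ip, finding in detect(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

On the sample, 203.0.113.7 is reported as stuffing/spraying with one success (frank), 198.51.100.9 as brute force against dave with no success, and alice's single typo from 192.0.2.20 is not reported at all. Keying the burst on the source IP is the simplest form; distributed bot traffic spreads attempts across many addresses, so a production rule would also key on distinct usernames per ASN or per user agent within the same window.
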
May 06, 2022
Sarah Munro
Senior Director of Biometrics
Onfido


In and amongst the frustrations over creating, changing and remembering passwords (with the average person having 100 passwords), we often overlook the significant security risk they pose. In fact, as many as 81% of the total number of company breaches in 2020 can be traced back to stolen or weak passwords.

Despite the security risks, password hygiene remains poor. Today, most passwords remain simple, with 23 million account holders using “123456”, while one in five still readapt one core password to meet different password strength requirements. On top of this, only 29% of us think creating a password that is hard to hack is a top priority. Not only does this mean that passwords can be easily hacked, but it also leaves those who reuse passwords across different online accounts vulnerable to multiple breaches.

And yet, passwords remain the de facto standard for user access and authentication for online applications. This World Password Day, it’s time to realise they are an insufficient form of digital authentication. Instead, businesses should find and pursue alternative, more effective ways to protect online accounts and seek assurance in their customers’ identities. For instance, a digital identity-led approach in the form of identity document checks and biometrics, can enable businesses to remove the need for passwords altogether, increase the level of user security and enhance the overall experience. According to our data, 70% of consumers already report that they would be open to using biometrics to authenticate themselves instead of a password.

May 02, 2022
Manoj Srivastava
General Manager
ID Agent and Graphus


World Password Day is a good reminder for IT professionals to take a closer look at the security of their environment. Though having the right security solutions in place is crucial, it’s often the small habits that can make or break an organization’s security posture. One of the most important things an organization can do is foster a security-first culture that provides employees with the “why” behind aspects like multi-factor authentication (MFA) and frequent password changes that can often seem like a hindrance to their productivity. Short, frequent security awareness training around topics like the importance of strong passwords and why to use a password manager can help break employee bad habits that threaten the entire IT environment.

When assessing their technology stack, IT professionals should look for identity and access management (IAM) solutions that combine single sign-on (SSO), MFA and password management to ensure better protection against cyberthreats. Organizations should discourage reuse of passwords and set strong password requirements for the solutions that employees use daily to avoid the use of some of the most common passwords like 123456 or password—which unfortunately are still frequently used, according to data from ID Agent.

May 06, 2022
Rashid Ali
Enterprise Sales Manager UK & Nordics
Wallix


World Password Day marks the perfect occasion to look back and reflect on how password practices have evolved and discuss the importance of passwords to safeguard our digital identities. Passwords are go-to access points for cybercriminals, and far too often many continue to choose common themes such as their family name, or a favorite pet – making it too easy for any cybercriminal to guess.

One reason for this is that strong passwords are often seen as a trade-off between security and quick and easy access. Employees find them hard to remember and observe them as time-consuming to use, having to constantly update terms and sign in and out of various applications. But there is a solution. Technologies are now available that can offer password encryption, such as password managers streamlining the process, and vault managers which help with storing and remembering. In addition, organisations can also take steps to bolster password security by implementing privileged access management. Using this process, they can ensure that even if a password is stolen, malicious actors have limited access to sensitive information, helping to safeguard the organisation and limit potential damage.

However, in order to really improve password security, we need to bring individual users and organisations together. To get started, companies need to have a password policy in place, credentials need to be safeguarded, and extra security measures for password protection must be implemented. This should form part of any company’s cyber security policy, and we also need to see greater general awareness around how to create a strong password and why this is important. Passwords should be seen as the gatekeepers of our digital identities, and only by deploying the right tools and strategy can we avoid any cybercriminal trespassing.
