World Password Day 2022 – Commentary

Despite knowing the risks of bad password habits, many employees continue to recycle the same passwords out of convenience. The consequences are measurable: 95% of organizations that suffered credential stuffing attacks saw between 637 and 3.3 billion malicious login attempts over the year, underlining the need for more education on password practices.

10 Expert Comments
Manoj Srivastava, General Manager
InfoSec Expert
May 2, 2022 10:06 pm

World Password Day is a good reminder for IT professionals to take a closer look at the security of their environment. Though having the right security solutions in place is crucial, it’s often the small habits that can make or break an organization’s security posture. One of the most important things an organization can do is foster a security-first culture that provides employees with the “why” behind aspects like multi-factor authentication (MFA) and frequent password changes that can often seem like a hindrance to their productivity. Short, frequent security awareness training around topics like the importance of strong passwords and why to use a password manager can help break employee bad habits that threaten the entire IT environment.

When assessing their technology stack, IT professionals should look for identity and access management (IAM) solutions that combine single sign-on (SSO), MFA and password management to ensure better protection against cyberthreats. Organizations should discourage reuse of passwords and set strong password requirements for the solutions that employees use daily to avoid the use of some of the most common passwords like 123456 or password—which unfortunately are still frequently used, according to data from ID Agent.

Sarah Munro, Senior Director of Biometrics
InfoSec Expert
May 6, 2022 12:22 pm

In and amongst the frustrations over creating, changing and remembering passwords (with the average person having 100 passwords), we often overlook the significant security risk they pose. In fact, as many as 81% of the total number of company breaches in 2020 can be traced back to stolen or weak passwords.

Despite the security risks, password hygiene remains poor. Today, most passwords remain simple, with 23 million account holders using “123456”, while one in five still re-adapt one core password to meet different password strength requirements. On top of this, only 29% of us think creating a password that is hard to hack is a top priority. Not only does this mean that passwords can be easily hacked, but it leaves those who reuse passwords across different online accounts vulnerable to multiple breaches.

And yet, passwords remain the de facto standard for user access and authentication for online applications. This World Password Day, it’s time to realise they are an insufficient form of digital authentication. Instead, businesses should find and pursue alternative, more effective ways to protect online accounts and seek assurance in their customers’ identities. For instance, a digital identity-led approach in the form of identity document checks and biometrics, can enable businesses to remove the need for passwords altogether, increase the level of user security and enhance the overall experience. According to our data, 70% of consumers already report that they would be open to using biometrics to authenticate themselves instead of a password.

Amir Nooriala, CCO
InfoSec Expert
May 6, 2022 12:23 pm

The role of passwords has evolved but still has a long way to go. Passwords and PINs are easily compromised, and people can be manipulated into divulging confidential information. It’s also no secret that most people re-use their passwords across multiple accounts, with new research by NordPass revealing ‘123456’ and ‘password’ are among the most popular passwords used by CEOs.

When log-in credentials become public knowledge through all-too-common data breaches, bad actors can harvest them and use bots to try their luck at every login screen they can find – with an alarming success rate. These are some of the reasons password protection is becoming an outdated method of authentication because it can compromise user ID.

Instead of relying heavily on passwords as a secure way to authenticate users, businesses should consider building other authentication methods into their customer security strategies. For example, behavioural biometrics analyses user behaviour against thousands of contextual data points to make sure the user is who they say they are.

Put simply, behavioural biometrics works to positively identify genuine users so they can enjoy online experiences safely. It gives consumers quick access to online services such as banking and retail, while building digital trust. Passwords and PINs aren’t consigned to history, though – they can still play a role as long as they are supported by other forms of authentication. Whilst we at Callsign can offer traditional knowledge-based authenticators such as PIN and password, we always recommend layering these with behavioural biometrics to guarantee the appropriate level of protection that consumers deserve.

David Lindler, CISO
InfoSec Expert
May 6, 2022 12:31 pm

One of the most common security requirements I still see being used in organizations is forced password expiration. NIST has explicitly stated for 4 years now (SP 800-63B Section 5.1.1.2) that memorized secrets should not be required to be changed arbitrarily and only force a change if there is evidence of compromise. If you make one change to your password policy, remove this arbitrary requirement.

How many passwords have you forced yourself to remember? How many renditions of the same password (e.g. Password1, Password12, Password1!) are you using? A password manager will simplify your life and allow you to create and store passwords securely, and at the same time, you will never have to even know what those passwords are. Get yourself a password manager today.

Sanjay Gupta, SVP at Mitek
InfoSec Expert
May 6, 2022 1:49 pm

Passwords need to be put to rest. What once was a string of characters believed to be top secret has become every cybercriminal’s haven. World Password Day is one that needs to evolve given passwords’ vulnerability. 

Instead, we should move towards a password-less future – one that relies on our unique features such as voice, face, and fingerprints to gain digital access conveniently and securely. Besides physical biometrics, there now exists newer tools like behavioural biometrics which verifies identities by assessing their behaviour to create a unique digital fingerprint. 

However, while biometrics is the next step forward, its adoption is stalled by people’s fear and lack of understanding of the tech. Passwords have also become too ingrained into our society, making it hard to convince people to change their habits.

The key to a password-less future starts with education. We need to help people understand how biometrics work and why it can never be stolen or misused. Passwords alone are not enough and as our youths of today demand security and speed, we need to introduce a quicker, seamless authentication option that promises protection against fraudsters.

Rod Simmons, VP of Product Strategy
InfoSec Expert
May 6, 2022 3:31 pm

A habit that compromises security is creating bad passwords. I have done many password hash analyses between breached databases and current or historical passwords, and my experience has shown that not only are many users bad at creating passwords, but their techniques are also painfully similar to their peers inside the company. It is shocking how many people use company jargon and industry terms in passwords.

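The kind of offline hash analysis Rod Simmons describes, as an added example that is not part of his comment or any vendor's tooling: a wordlist of generic terms plus assumed company jargon is expanded through common mangling rules and run against a constructed hash dump. Unsalted SHA-256 stands in for whatever the real store uses (the technique is identical for NTLM or any other fast hash); the accounts, passwords and jargon list are all constructed.

```python
"""Offline audit of a password-hash dump against a wordlist of generic
words plus company-specific jargon, with simple mangling rules.
Added example: accounts, hashes and jargon are all constructed, and
unsalted SHA-256 stands in for whatever hash the real store uses."""
import hashlib
from collections import defaultdict


def sha256_hex(password):
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed account store: username -> stored hash.
SAMPLE_HASHES = {
    "alice": sha256_hex("Acme2022!"),
    "bob":   sha256_hex("Widgetco1"),
    "carol": sha256_hex("Summer2021"),
    "dave":  sha256_hex("Synergy123"),
    "erin":  sha256_hex("c0rrect-h0rse-battery-staple"),
    "frank": sha256_hex("Acme2022!"),   # same password as alice
}

GENERIC_WORDS = ["password", "summer", "welcome", "letmein"]
# Assumed employer, product and internal terms; a real audit harvests
# these from the intranet, org chart and product catalogue.
COMPANY_JARGON = ["acme", "widgetco", "synergy", "qtr4"]
SUFFIXES = ["", "1", "123", "!", "2021", "2022", "2021!", "2022!"]


def leet(word):
    return word.translate(str.maketrans("aeios", "43105"))


def candidates(word):
    """Expand one base word through the common human mangling patterns."""
    for base in {word, word.capitalize(), word.upper(), leet(word)}:
        for suffix in SUFFIXES:
            yield base + suffix


def audit(hashes, generic=GENERIC_WORDS, jargon=COMPANY_JARGON):
    """Return {user: (plaintext, 'jargon'|'generic')} for every cracked hash.
    Jargon is tried first so a hit is credited to the company-specific list."""
    by_hash = defaultdict(list)
    for user, digest in hashes.items():
        by_hash[digest].append(user)
    cracked = {}
    for source, words in (("jargon", jargon), ("generic", generic)):
        for word in words:
            for cand in candidates(word):
                for user in by_hash.get(sha256_hex(cand), []):
                    cracked.setdefault(user, (cand, source))
    return cracked


def summarize(hashes, cracked):
    """Headline numbers for the report: how much fell, how much of that was
    company jargon, and who is sharing a password with a colleague."""
    by_hash = defaultdict(list)
    for user, digest in hashes.items():
        by_hash[digest].append(user)
    return {
        "cracked": len(cracked),
        "jargon_derived": sum(1 for _, src in cracked.values() if src == "jargon"),
        "shared_passwords": sorted(sorted(us) for us in by_hash.values() if len(us) > 1),
        "uncracked": sorted(u for u in hashes if u not in cracked),
    }


if __name__ == "__main__":
    found = audit(SAMPLE_HASHES)
    for user, (plaintext, source) in sorted(found.items()):
        print(f"{user:6} {plaintext:16} ({source})")
    print(summarize(SAMPLE_HASHES, found))
```

With this constructed data five of six hashes fall, four of them to the jargon list, and the shared-hash check exposes that alice and frank chose the same password, which is exactly the peer-similarity pattern the comment describes. Only the long passphrase survives.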
Larry Maccherone, DevSecOps Transformation
InfoSec Expert
May 6, 2022 5:43 pm

Enterprises should be developing and implementing password policies based on research not intuition, folklore, and anecdote. If you had done that, you’d have stopped rotating passwords arbitrarily over a decade ago and you’d now drop the requirements for special characters in exchange for longer passwords and using passphrases (with no special characters). These passwords are easy to remember and often faster to type, which is a better user experience, while making user accounts safer. CyLab created a great password research piece – https://www.andrew.cmu.edu/user/nicolasc/publications/Tan-CCS20.pdf

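The policy shift David Lindler and Larry Maccherone both argue for, as an added example that belongs to neither commenter: a legacy composition-plus-rotation rule set next to a SP 800-63B section 5.1.1.2 style one, so the two can be run against the same candidates. The blocklist is a constructed stand-in for a real breached-password corpus, the 128-character ceiling and the service name "examplecorp" are assumptions.

```python
"""A legacy composition-and-rotation password policy next to a NIST
SP 800-63B style one. Added illustration: the blocklist is a constructed
stand-in for a real breached-password corpus and the service name is assumed."""
import string
from datetime import date, timedelta

# Stand-in for a large common/breached password list (constructed).
COMMON_PASSWORDS = {"123456", "password", "password1", "password1!",
                    "qwerty", "letmein", "welcome1"}
SERVICE_NAME = "examplecorp"   # assumed; a context-specific word NIST says to reject


def legacy_policy(password, last_changed, today):
    """Character-class composition rules plus 90-day forced rotation.
    Returns the list of violations (empty means accepted)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no special character")
    if today - last_changed > timedelta(days=90):
        problems.append("older than 90 days, rotation required")
    return problems


def nist_policy(password, username="", compromised=False):
    """SP 800-63B section 5.1.1.2 style: a length floor, a generous ceiling,
    a blocklist of common, breached and context-specific values, and nothing
    else. Password age is deliberately not an input; a change is demanded
    only when there is evidence of compromise."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > 128:   # assumed cap; NIST asks for at least 64 to be allowed
        problems.append("longer than 128 characters")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common/breached password list")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    if SERVICE_NAME in lowered:
        problems.append("contains the service name")
    if len(set(lowered)) == 1:
        problems.append("repeated single character")
    if compromised:
        problems.append("evidence of compromise, change required")
    return problems


if __name__ == "__main__":
    today = date(2022, 5, 6)
    for pw in ("Password1!", "correct horse battery staple"):
        print(repr(pw))
        print("  legacy:", legacy_policy(pw, date(2022, 4, 1), today) or "accepted")
        print("  nist:  ", nist_policy(pw) or "accepted")
```

The two policies disagree on precisely the cases the comments raise: the legacy rules wave through "Password1!" while the blocklist rejects it, and they reject a four-word passphrase that the NIST-style check accepts. The only way the NIST-style function ever demands a change is the `compromised` flag, which is where a breach notification or a credential-stuffing alert would feed in.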
Steve Wilson, Chief Product Officer
InfoSec Expert
May 6, 2022 6:08 pm

Every time a corporate user depends on a password to get access to a service, your IT team has failed at their jobs. Updating practices to include modern identity management technologies means your users don’t have to remember passwords anymore and that criminals gain nothing from stealing them. This is why it is absolutely critical to enforce a company-wide policy of leveraging a password manager and mandate multifactor authentication (MFA). Even if a user is successfully phished for a password, your data stays safe.

Pete Caldecourt, Director of Product Management
InfoSec Expert
May 6, 2022 8:32 pm

The problem with passwords is we expect users themselves to be the security measure. We expect them to set unique and complex passwords whilst also being able to remember them all. However, human nature is to opt for convenience, which is why each year we see ‘password’ and ‘12345’ cited as some of the most common terms in use. Cybercriminals understand human nature and know that people will continue making the same mistakes with passwords, no matter how many times they are warned. Therefore, threat actors continue to leverage tactics such as password spraying, credential stuffing and brute force attacks, because they work.

As passwords aren’t disappearing anytime soon, we need to reduce the reliance on and responsibility of the individual user. Adding multi-factor authentication continues to be a powerful security measure as part of an overall Zero Trust approach, provided it is implemented in a bespoke and thoughtful way that doesn’t leave users frustrated. It is also encouraging to see a continuing upward trend in the adoption of password managers which take the human element out of the equation, implementing complex and unique passwords without the user needing to remember them.

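The bot-driven attacks Amir Nooriala and Pete Caldecourt describe (credential stuffing and password spraying) leave different shapes in an authentication log, and a detector can tell them apart. The following is an added example, not code from either commenter or their companies: it parses a constructed log format, restricts itself to the most recent window, flags a single source failing against many users (spraying) and a crowd of one-shot sources that almost all fail (stuffing), and lists any success that landed from a one-shot source during a stuffing episode as an account to review. The log lines, the regex and the thresholds are all constructed assumptions.

```python
"""Spot password spraying and credential stuffing in an authentication log.
Added example: the log format and every line below are constructed, and the
thresholds are starting points to tune against your own baseline traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>success|fail)$"
)


def parse(lines):
    """Yield (timestamp, user, src, succeeded) for each well-formed auth line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event, or a format we do not understand
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["src"], m["result"] == "success"


def analyze(lines, window=timedelta(minutes=15), spray_users=5,
            stuffing_sources=10, single_shot=1):
    """Two signatures over the most recent `window` of events:
    spraying  - one source failing against many distinct users
    stuffing  - many sources making one attempt each, almost all failing
    Returns the flagged sources plus any success that landed during a
    stuffing episode from a one-shot source (candidate compromised accounts)."""
    events = list(parse(lines))
    if not events:
        return {"spraying_sources": [], "stuffing_suspected": False,
                "single_shot_failure_sources": 0, "successes_to_review": []}
    latest = max(ts for ts, *_ in events)
    attempts = defaultdict(list)            # src -> [(user, succeeded), ...]
    for ts, user, src, ok in events:
        if latest - ts <= window:
            attempts[src].append((user, ok))

    spraying = sorted(
        src for src, tries in attempts.items()
        if len({u for u, ok in tries if not ok}) >= spray_users
    )
    single = {src: tries for src, tries in attempts.items() if len(tries) <= single_shot}
    failing_single = [src for src, tries in single.items() if not any(ok for _, ok in tries)]
    stuffing = len(failing_single) >= stuffing_sources
    review = sorted({u for tries in single.values() for u, ok in tries if ok}) if stuffing else []
    return {"spraying_sources": spraying,
            "stuffing_suspected": stuffing,
            "single_shot_failure_sources": len(failing_single),
            "successes_to_review": review}


# Constructed sample log.
SAMPLE_LOG = [
    # A stale spray two hours earlier: outside the window, must not be flagged.
    *[f"2022-05-06T07:00:0{i}Z auth user=old{i} src=203.0.113.99 result=fail" for i in range(6)],
    # Ordinary traffic, including one typo-then-success.
    "2022-05-06T09:00:10Z auth user=alice src=198.51.100.5 result=success",
    "2022-05-06T09:03:10Z auth user=alice src=198.51.100.5 result=success",
    "2022-05-06T09:01:00Z auth user=bob src=198.51.100.7 result=fail",
    "2022-05-06T09:01:20Z auth user=bob src=198.51.100.7 result=success",
    # Spraying: one source, six users, one guess each.
    *[f"2022-05-06T09:05:{i:02d}Z auth user=staff{i} src=203.0.113.10 result=fail" for i in range(6)],
    # Stuffing: twelve sources, one attempt each, then a thirteenth that lands.
    *[f"2022-05-06T09:08:{i:02d}Z auth user=victim{i} src=192.0.2.{i + 1} result=fail" for i in range(12)],
    "2022-05-06T09:08:30Z auth user=victim12 src=192.0.2.13 result=success",
    "2022-05-06T09:08:31Z kernel: unrelated noise line",
]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The window matters: the same source that sprayed two hours earlier is ignored at the 15-minute default and reappears if the window is widened, which is the kind of tuning knob the "bespoke and thoughtful" MFA and detection rollout in the comment above has to expose. The review list is a lead, not a verdict; a single success from an unfamiliar address is the point at which a step-up MFA prompt or an analyst check belongs.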
Rashid Ali, Enterprise Sales Manager UK & Nordics
InfoSec Expert
May 6, 2022 8:34 pm

World Password Day marks the perfect occasion to look back and reflect on how password practices have evolved and discuss the importance of passwords to safeguard our digital identities. Passwords are go-to access points for cybercriminals, and far too often many continue to choose common themes such as their family name, or a favorite pet – making it too easy for any cybercriminal to guess.

One reason for this is that strong passwords are often seen as a trade-off between security and quick and easy access. Employees find them hard to remember and see them as time-consuming to use, having to constantly update terms and sign in and out of various applications. But there is a solution. Technologies are now available that can offer password encryption, such as password managers streamlining the process, and vault managers which help with storing and remembering. In addition, organisations can also take steps to bolster password security by implementing privileged access management. Using this process, they can ensure that even if a password is stolen, malicious actors have limited access to sensitive information, helping to safeguard the organisation and limit potential damage.

However, in order to really improve password security, we need to bring individual users and organisations together. To get started, companies need to have a password policy in place, credentials need to be safeguarded, and extra security measures for password protection must be implemented. This should form part of any company’s cyber security policy, and we also need to see greater general awareness around how to create a strong password and why this is important. Passwords should be seen as the gatekeepers of our digital identities, and only by deploying the right tools and strategy can we avoid any cybercriminal trespassing.

Information Security Buzz