Industry Leaders Comments: World Password Day

Passwords are often the weakest link and for this reason, it is crucial for individuals and corporations to find alternative solutions that will provide a greater level of security. With World Password Day coming up on the 2nd May, it is the perfect time to address this cybersecurity issue.  

https://twitter.com/cloudy_steve/status/1123862081089015808

Experts Comments:  

Terry Ray, SVP and Imperva Fellow at Imperva:

“World Password Day reminds us all how important our cyber hygiene is to account safety, bringing to mind what we might be risking with vulnerable passwords. Now on everyone’s mind this Thursday, it is crucial for all users to reevaluate their cyber hygiene – with passwords exposed left and right, it is only a matter of time.   

Every user should have unique passwords for every website, or at the very least, have a unique password for every site you care anything about. Password managers are available – some for free and some for a fee, some for your computer, some for mobile and some for both – so there’s no real reason not to use one. Yes, it can be very annoying to not know your password and have to go look it up, but it’s more annoying to have your account hacked.   

This is really about cyber hygiene. If we could, wouldn’t it be easy to have just one physical key in our life, that would drive all your cars, open your home’s doors, get you into the office and where ever else you need to be? Probably doesn’t sound like a very secure idea, but it would make for a smaller key ring. We don’t do this for physical security, yet almost everyone, even security professionals reuse some passwords. For those people, you should at least consider unique passwords for things that will make your life difficult when they get hacked.    

For people looking to sharpen their password security this National Password Day, I recommend doing one of two things:   

1) Change all of your passwords to something unique – and I don’t mean: Password1, Password2, Password3, etc. – something really unique. Use letters and numbers in nursery rhymes: “HDS4tOn4W@ll,” for Humpty Dumpty Sat On A Wall. Whatever works, put them in a password manager and move onto the next website. Turn on 2FA (two-factor authentication) whenever possible.   

2) Prioritize your websites into important and unimportant. Do step one for all important websites and sacrifice the unimportant ones. Just never, ever use a password more than once for a website you consider important.   

There are many factors in determining what characteristics make up an important website, but you can take some these and add your own: 

• Contains obviously private data (phone, credit card number, social security number, address, bank account); 
• Contains your or your family and friends’ pictures; 
• Any work website; 
• Healthcare websites; 
• Insurance websites; 
• Social media websites (you don’t want someone posting things you wouldn’t say); 
• Dating websites (you don’t want people misrepresenting you, as you); 
• Airline, rental car, hotel and other points websites (no need to give free vacations to hackers).”

Andy Cory, Identity Management Services Lead at KCOM:  

“Choosing a password is often overlooked in the security conversation because it can seem so basic. We may all be used to the idea that passwords are important but they can seem less so in the face of AI-enabled automated firewalls and high-capacity DDoS prevention and so on.   

“But in reality, the humble password, and the effective management of passwords, is one of the most important aspects of corporate defence. It doesn’t matter how strong your perimeter is, or how intelligent your breach detection – if authorised users’ accounts can be cracked open from the front, if their passwords can be guessed or stolen, then your company is as good as defenceless. Once an account has been compromised in this way, an attacker will often be able to gain access to a whole plethora of sensitive information, often without setting off any internal alarms, with incalculable potential impact for the organisation.   

“With that in mind, good identity and access management should be the cornerstone of any cybersecurity infrastructure. Businesses must start by building an effective and resilient user authentication programme, ensuring that strong but usable password rules and multi-factor authentication is in place. As part of that, it’s also important to have a high-capacity cloud infrastructure in place that can effectively handle the authentication data – only then can you match user experience with security needs.   

“Don’t underestimate the importance of passwords and good password management. Work with the right partner to build a resilient identity and access management system – before it’s too late.”   

Rene Hendrikse, EMEA MD at Mitek:  

“It’s time for the password to say its goodbyes. Thanks to ever-increasing cyber security threats, more sophisticated attacks, and growing fraud risks, passwords are no longer a panacea for online security – for businesses or consumers.    

“A network is only as strong as its weakest password. For businesses in financial services and the sharing economy that must verify the identity of every customer, a password doesn’t even guarantee that the right person is logging in. One solution is more stringent authentication measures, such as demanding increasingly complex passwords. But as secure as they might be, we all struggle to remember 12 characters with a capital, number, and symbol – never mind remembering this fifty times over.   

“With complex passwords inevitably comes fewer passwords – or password-storing apps that provide an open door into a user’s whole identity. Both of these will ultimately fail to protect consumer identities and data online, and to prevent businesses from sophisticated cyber-attacks. We know that consumers are comforted by online security measures, as 27% have even abandoned a transaction due to a lack of security, according to Experian. But for businesses, finding the balance between security and customer experience will be crucial to their security strategy – and passwords aren’t the answer.   

“Technologies such as digital identity verification could work alongside – or instead of – passwords to secure and verify customers’ identities online. This method enables a customer to upload an image of their ID document alongside a selfie, and the two are verified against each other using advanced AI and biometric face comparison technologies. While established text or email verification measures can be compromised by blunt force attacks, digital identity verification offers enough friction to help customers feel safe, and provides businesses with the multi-factor authentication they need in the age of the cyber-attack. All in all, a selfie can offer far more security than the password ever did.”     

Juliette Rizkallah, CMO at SailPoint:  

“We should all keep our passwords long and complex so they are more difficult to crack (think about a phrase and number combination for each site), and most importantly avoid repeating those passwords across your various accounts whether personal or professional. For additional security, we should be wary of anything that appears out of the norm in our online interactions, taking note of anything and anybody who asks us to ‘log in’ or provide any personal information. Small steps like these can help us protect our privacy when another inevitable data breach or privacy leak occurs.” 

Todd Peterson, IAM evangelist at One Identity: 

“Although it’d be time to ditch traditional passwords in favour of a more secure authentication method, that is actually pretty difficult to do, particularly with legacy applications. The expense and effort required to retrofit more secure authentication methods are prohibitive to most organizations. So, whenever possible, opt for something more secure than the good-old password. But don’t attempt a hasty wholesale replacement – it will be too expensive, take too long, and too fraught with trouble to be worthwhile.   

Rather, make sure that the controls around your passwords are good enough, and that you augment them wherever possible with multifactor authentication. By far the best practice is good passwordhygiene (as much complexity as possible), and – for high-value passwords – a password vault. The best option is a password vault augmented with session audit, analytics, and multifactor authentication, but this is generally only practical for high-value credentials like the Admin log-on.  

Beyond that, adding a second factor such as a smart card, OTP token or biometric will dramatically increase the security of passwords” 

David Warburton, Senior Threat Evangelist at F5 Networks:  

“World Password Day this year is perhaps more significant than it’s ever been. Despite the promise of new authentication systems which rely on strong cryptography (instead of our weak and bizarrely common ‘monkey’ passwords) the day when we can all throw our digital codes in the Recycle Bin seems just as far away as it ever did.   

The rise of authentication technologies, such as biometrics and facial recognition, come with promise of stronger security for online consumers but the cyber criminals seem to do a far better job of adapting to change than the rest of us. Biometrics can often be tricked and attackers increasingly use insidious social engineers tricks to get around hardware security tokens such as bank card readers.   

“Attackers are increasingly relying on social engineering tactics, such as phishing, to deceive users and grab their names, addresses and passwords. These can then use this to access any sensitive data that is not protected by multi-factor authentication.

“This puts businesses in a delicate position. How can they ensure they continue to implement the strongest security policies and outsmart hackers to protect their sensitive data? The best route businesses can take is to consider the context under which access is being requested. Where is the user located? Is this normal for this person? Are they using a corporate or personal device and do those devices comply to company standards? While multi-factor authentication must become the norm, it should not stop at simply using a hardware or software token since these can and have been bypassed by criminals employing social engineering tricks. But, perhaps most importantly, organisations need to ensure continuous security training is available and compulsory for all staff.   

“Ultimately, as hackers continue to refine and evolve their techniques, so must businesses. Continuously evaluating security practices and authentication methods is crucial to implement new habits stay on top of a threat landscape that shows no signs of slowing down.”

Rajesh Ganesan, Vice President at ManageEngine: 

“Passwords are the oldest, most secure and convenient way to authoritatively establish identities. Their benefits far outweigh the limitations and hence the many attempts to eliminate them completely has failed time and again. A more pragmatic approach is to impart awareness about password hygiene to people, in much the same way as personal hygiene, where strong and healthy individuals lead to strong and healthy communities. In business scenarios, the technology infrastructure offers a variety of methods for information access, often protected by different accounts having varied levels of access to information. 

These accounts are typically protected by passwords and for teams running IT, these passwords are the keys to the kingdom, becoming one of their top priorities to fully understand the implications, devise a strategy and implement strong password management systems. 

ManageEngine understands the problems and the needs of IT teams around managing the different types of accounts and passwords and has crafted solutions to empower them to completely be in control of information security.”  

David Higgins, EMEA Technical Director at CyberArk: 

“There are passwords and there are passwords. There are passwords used on the web, used by individuals to access sites and services. These of course should be replaced with stronger authentication which do not rely on users to remember a multitude of passwords or force them down the path of recycling passwords to make them easier to remember, but more easily hacked.

“And then there are passwords that, if compromised, allow access to much greater rewards. Admin passwords are a key target for attackers and, due to operational challenges, are rarely managed to the level that they should be. With numerous examples of default admin passwords set on external facing servers being the access point to major data breaches, these represent the soft underbelly of the organisation. Basic level passwords that allow entry into the IT world will remain, in at least the near future, a true break glass issue.”

Cindy Provin, CEO at nCipher Security:   

“Whether we’re accessing our emails, checking our bank accounts, or paying our bills, passwords remain at the forefront of our identification. However, as long as we still rely on passwords as a means of accessing our most important information and applications, so will cyber-criminals.   

This tsunami of passwords that now exists across every aspect of our digital lives – both personally and professionally – has left us drowning in information that we are struggling to secure. With a thriving underground industry of hackers going to extreme lengths in order to get their hands on these credentials, both businesses and consumers need to be doing more to minimize the dependence and exposure of passwords.   

For organisations, this means implementing techniques such as certificate based authentication or transparent database encryption to ensure passwords are as secure as possible. For consumers, it requires using a variety of unique and random passwords for every different application or website. It also involves an understanding of which credentials are being stored on which devices, and therefore how they might be vulnerable.”   

Robin Tombs, CEO and Co-Founder at Yoti:

“World Password Day has never been more relevant. The high volume of data breaches shows that passwords are no longer fit for purpose. They can easily fall into the wrong hands and if they’re stored in a central database, which could then be exposed, this puts our data at great risk. With the average person having 191 passwords, it’s no surprise that many of us choose convenience over security and reuse passwords across different websites. Whilst this makes our lives simpler, we are making it incredibly easy for a hacker – they only need to crack one of our passwords, and chances are, they can then use this to unlock a treasure trove of our personal information.

“With the development of password managers, help is at hand. They can securely store your login details – eliminating the need to remember all of your passwords. They can also generate stronger passwords and be secured with your unique biometrics rather than a master password – meaning only you can access and use your passwords. When it comes to protecting our online accounts and personal information, we should demand security, privacy AND ease of use – it shouldn’t be a trade off. Living in a digital age means the technology now exists to give people a simple and more secure way to log into websites, and World Password Day is a great time to promote this.”  

John Fokker, Head of Cyber Investigations at McAfee:  

“You could stop the majority of cybercrime if people had stronger passwords and if they didn’t have the same password across multiple accounts. The NCSC recently revealed that 23 million people were hacked last year because they used “123456” as their password. With so many logins to remember for all their different apps and devices, people end up using the same password for everything, weakening the security around their data.

“And the risks extend beyond our personal lives. McAfee found almost half of UK employees have experienced a breach while working for their current employer. Companies hold vast amounts of personal identifiable information on employees and consumers, making it imperative the right security is in place. Tight security and GDPR compliance requires collaboration beyond the IT team. CIOs should implement staff training and encourage the whole workforce – from employees through to partners – to use strong passwords to protect sensitive information, and make the potential risks of bad password hygiene clear.”

Colin Truran, Principal Technology Strategist at Quest:

“On World Password Day, the cry each year should surely be “why are we celebrating the use of passwords yet again?” Passwords were created to try to solve the problem of proving identity in a very technologically limited world, far longer ago than the first silicone based computers. Passwords are fundamentally flawed as they are easily shared, often guessed, bypassed with paper and each iteration remains in circulation for far too long. This is probably why we stopped using passwords at international borders since the middle ages. In modern times, technology has caught up in providing far more efficient and accurate ways to prove ones identity, however, in the beginning these were still far too expensive to implement as standard. Only those organisations that truly needed to know who they were letting in bothered to invest, such as defense agencies and pharmaceuticals.    

Over the last 5 years we have seen two factor authentication become commonplace but it is still only a small step towards solving the password problem. Today things are starting to change and I am encouraged to hear many more organisations turning to multiple levels of biometric identification, including government bodies. Of course, it’s a huge responsibility to hold such biometric information in our consumer and user base, so this information must itself be protected by something better than a password! Let’s try to make this day a day of remembrance rather than a reminder of our reluctance to let go of an outmoded concept.” 

Tim Erlin, VP, Product Management and Strategy at Tripwire: 

“Maybe it’s time to retire ‘world password day’ in favor of ‘world authentication day.’ The password is the least secure component in most authentication systems, and passwords alone are no longer sufficient. World password day is a good day to set up multi-factor authentication everywhere you can.”

.

.

Lamar Bailey, Senior Director of Engineering at Tripwire: 

“Passwords are for assets you really don’t care about. Anything of value should be using better authentication methods and critical assets should be using multifactor authentication.”