Despite employees knowing the risk of bad password habits, many continue to recycle the same passwords out of convenience. In fact, 95% of organizations suffering credential stuffing attacks had between 637 and 3.3 billion malicious login attempts throughout the year, highlighting the need for more education on password practices.
World Password Day marks the perfect occasion to look back and reflect on how password practices have evolved and to discuss the importance of passwords in safeguarding our digital identities. Passwords are go-to access points for cybercriminals, and far too often many continue to choose common themes such as their family name or a favorite pet – making it too easy for any cybercriminal to guess.
One reason for this is that strong passwords are often seen as a trade-off between security and quick and easy access. Employees find them hard to remember and see them as time-consuming to use, having to constantly update them and sign in and out of various applications. But there is a solution. Technologies are now available that offer password encryption, such as password managers, which streamline the process, and vault managers, which help with storing and remembering credentials. In addition, organisations can also take steps to bolster password security by implementing privileged access management. Using this process, they can ensure that even if a password is stolen, malicious actors have limited access to sensitive information, helping to safeguard the organisation and limit potential damage.
However, in order to really improve password security, we need to bring individual users and organisations together. To get started, companies need to have a password policy in place, credentials need to be safeguarded, and extra security measures for password protection must be implemented. This should form part of any company’s cyber security policy, and we also need to see greater general awareness of how to create a strong password and why this is important. Passwords should be seen as the gatekeepers of our digital identities, and only by deploying the right tools and strategy can we keep cybercriminals from trespassing.
The problem with passwords is we expect users themselves to be the security measure. We expect them to set unique and complex passwords whilst also being able to remember them all. However, human nature is to opt for convenience, which is why each year we see ‘password’ and ‘12345’ cited as some of the most common terms in use. Cybercriminals understand human nature and know that people will continue making the same mistakes with passwords, no matter how many times they are warned. Therefore, threat actors continue to leverage tactics such as password spraying, credential stuffing and brute force attacks, because they work.
As passwords aren’t disappearing anytime soon, we need to reduce the reliance on and responsibility of the individual user. Adding multi-factor authentication continues to be a powerful security measure as part of an overall Zero Trust approach, provided it is implemented in a bespoke and thoughtful way that doesn’t leave users frustrated. It is also encouraging to see a continuing upward trend in the adoption of password managers which take the human element out of the equation, implementing complex and unique passwords without the user needing to remember them.
Every time a corporate user depends on a password to get access to a service, your IT team has failed at its job. Updating practices to include modern identity management technologies means your users don’t have to remember passwords anymore and that criminals gain nothing from stealing them. This is why it is absolutely critical to enforce a company-wide policy of leveraging a password manager and to mandate multifactor authentication (MFA). Even if a user is successfully phished for a password, your data stays safe.
Enterprises should be developing and implementing password policies based on research, not intuition, folklore and anecdote. If you had done that, you’d have stopped rotating passwords arbitrarily over a decade ago, and you’d now drop the requirements for special characters in exchange for longer passwords and passphrases (with no special characters). These passwords are easy to remember and often faster to type, which is a better user experience, while making user accounts safer. CyLab created a great password research piece: https://www.andrew.cmu.edu/user/nicolasc/publications/Tan-CCS20.pdf
A habit that compromises security is creating bad passwords. I have done many password hash analyses between breached databases and current or historical passwords, and my experience has shown that not only are many users bad at creating passwords, but their techniques are also painfully similar to those of their peers inside the company. It is shocking how many people use company jargon and industry terms in passwords.
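A length-first policy check along the lines argued in the two preceding paragraphs (require length instead of special characters, and reject common passwords and company jargon), written here as an added example rather than code from the article; the 15-character minimum, the word lists and the leetspeak table are constructed assumptions.

```python
import re
import unicodedata

MIN_LENGTH = 15  # assumption: a passphrase-length floor replaces composition rules

# Constructed sample data. Real lists come from breach corpora and from the
# organisation's own vocabulary (product names, sites, internal acronyms).
COMMON_PASSWORDS = {"password", "12345", "123456", "qwerty", "letmein", "welcome"}
COMPANY_JARGON = {"acme", "widgetco", "projectfalcon", "q3launch"}

# Reverse the usual digit-for-letter substitutions ("P@ssw0rd" -> "password")
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text: str) -> str:
    """Lowercase, strip accents, drop a trailing year/suffix, undo leetspeak
    and keep only letters and digits, so 'Acme-Falcon-2024!' -> 'acmefalcon'."""
    text = unicodedata.normalize("NFKD", text).lower()
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"[\d\W_]+$", "", text)  # trailing digits and punctuation
    return re.sub(r"[^a-z0-9]", "", text.translate(_LEET))


def evaluate(password: str, jargon=COMPANY_JARGON) -> list[str]:
    """Return the policy violations for a candidate; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    raw = re.sub(r"[^a-z0-9]", "", password.lower())
    norm = normalize(password)
    # Check both the literal string ("12345") and the de-obfuscated stem ("P@ssw0rd2023!")
    if raw in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        problems.append("matches a common breached password")
    hits = [t for t in sorted(jargon) if normalize(t) and normalize(t) in norm]
    if hits:
        problems.append("contains company jargon: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2023!", "ProjectFalcon-Q3Launch-2024",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {evaluate(candidate) or 'accepted'}")
```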