World Password Day Is Nearly Upon Us, But Millions Are Still Using 123456 As Their Password, According To A New Study

By ISBuzz Team | April 23, 2019 | Updated: July 4, 2024 | 5 Mins Read

Thursday May 2nd is World Password Day 2019, yet a new report from the U.K. government’s National Cyber Security Centre shows that millions are still not using adequate passwords.

According to the report, names, soccer players, musicians and fictional characters make up some of the worst passwords of the year, yet “123456” still remains the worst password of all.

A recent report from the UK government suggests 'young Brits' lack cyber-security awareness with 52% using the same #password for multiple accounts. [https://t.co/Eznj1teU7y] You may find this advice helpful: https://t.co/FF8BTxFU67

— Bowker IT (@BowkerIT) March 24, 2018

More than half of British firms 'report cyber-attacks in 2019'. International survey suggests 55% faced an attack in 2019, up from 40% last year. https://t.co/WDKw8JUhP1

— Joe Tidy (@joetidy) April 23, 2019

Expert Comments:

Nabil Hannan, Managing Principal at Synopsys:

“With many password leaks on the internet, organisations are starting to realise how important it is to store passwords securely in their applications. Storing passwords securely is not as simple as it might seem at first. Details of how to store passwords securely can be found here.

The themes I’m seeing in the industry are:

  1. People are moving away from just the username and password model (1 factor) to a 2 factor authentication model to protect their users in the case that their passwords get breached.
  2. Social logins are gaining popularity and becoming easier to integrate and organisations are leveraging social logins to make signing up/authentication easier for the end user.

On the organisational side, practices around the usage of strong passwords, regularly having users change their passwords, and making sure passwords are stored securely are important things to keep in mind.

On the end user side, smartphones, tablets, and personal computers have software available where they’ll manage/synchronise your passwords across devices (Apple’s iCloud Keychain, Google Chrome’s password manager, etc.). There are also other paid password managers that end users can use. This allows them to let the password manager generate strong and unique passwords, and manage them across the end user’s different user accounts and machines.

Although using passwords may not be the most secure way of authenticating, it’s simple, and people have gotten into the habit of understanding how to use the combination of username/password to authenticate. Eventually, passwords will become obsolete, and new authentication techniques leveraging social logins, single-sign-on, and biometrics will start gaining more traction. Ultimately which solution is adopted in the future will depend on which solution the end users end up using the most.

Storing passwords securely is challenging because it’s not quite as straightforward as just hashing or encrypting the password and storing it. Passwords are just like any other sensitive data/asset of the software ecosystem. In order to design a system securely, organisations have to do the necessary business analysis to understand the importance of the data, do threat modelling to understand what controls need to exist to protect the data from threat actors, and then ensure those controls get included in the software requirements so that they actually get implemented and tested as part of the secure SDLC.”

Ryan Wilk, Vice President at NuData Security:

“Too often we see consumers rely on simple passwords they can remember and across many accounts instead of just one. Despite new authentication technologies, passwords will be with us for quite some time and consumers need strong passwords and different ones across accounts. One of the best approaches is using a password manager to ensure that users can have a variety of combinations and all of them accessible in one place.

There is another side to passwords; when the user types it, they also show other information such as their typing cadence and speed. For this reason, even if passwords are compromised, just by typing or copy-pasting them, other signs are exposed that can reveal undercover fraud. This type of technology, called passive biometrics, can verify that the right customer is behind the device by identifying them by their online behaviour. This way, even if a password has been compromised, the company can still verify the user behind the device correctly and protect the account from fraud.”

Terry Ray, Senior Vice President at Imperva:

“The threat of cyberattack has existed since data went digital … yet it seems as though the significance of cyber security has increased in recent years. What’s driving this shift? Data is at the center of today’s digital environment. More data is in more places, available through more apps, accessed by more people, and cybercriminals have more places to sell it. Any law enforcement professional will tell you, ‘theft is a crime of opportunity.’

“Fundamental to digital transformation is that enterprises are simply generating more data than ever before. It’s part and parcel of a knowledge-driven economy and how enterprises create and deliver value. All this data—stored in an ever-shifting array of locations and repositories—simply presents more opportunity to the cybercrime industry.

“Apps are fundamental to digital transformation. Manifested as mobile apps, customer portals, websites and even as APIs, they are now the de facto way enterprises interact with other businesses and consumers. In addition to driving down enterprise costs, these apps directly generate much of the data driving how enterprises create value. This exploding app universe serves as a direct gateway to enterprise data and exponentially expands the potential attack vectors available to the cybercrime industry presenting criminals with more opportunity.”

Tim Dunton, MD at Nimbus Hosting:

“It is clear that many organisations are adopting the unhealthy mentality that cybersecurity measures are a luxury not a necessity, and it is vital that business leaders begin to understand the vast damage that can be caused by a hack or cyber attack, and that no organisation is safe from one.

Moving forward, it is essential that all businesses quickly and effectively introduce the catalogue of cyber security measures that are needed to minimise the threat of a cyber attack. This process begins with the introduction of a safe, secure and modern IT and website infrastructure – which will protect customer and employees’ personal information and sensitive details, and lead to far less online downtime.”

 


The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
