Today is World Password Day. But what is the state of passwords in 2020? With technologies like FIDO2 and biometrics, shouldn't the days of passwords be a thing of the past? Spoiler: we're not quite there yet, so passwords will be with us for quite a while. We talked to a number of experts in the cybersecurity community about their take on passwords and today's World Password Day. Here are their statements:
Joseph Carson, Chief Security Scientist at Thycotic:
“World Password Day is a day to review your password hygiene to ensure you are up to date with the latest best practices. It is always important to review your current password habits, and one of the most important topics this year is which of your passwords is the only thing protecting your accounts, meaning you have not combined it with another security control such as two-factor authentication. Passwords are usually the only security protecting most people’s sensitive information, and this year you should do a detailed review of what your bad habits are. Most passwords can be easily cracked, with approximately 20% of passwords using commonly known words that are available in dictionaries, making them easily guessed.
For many, passwords are used repeatedly for all types of accounts, such as your corporate Salesforce login, your Facebook account or your bank. And for some, that favorite password may be older than your current relationship. The problem is that it’s putting you at risk of identity theft, ransomware, an online account hack, computer viruses and more. It is also important when you do change your password to only perform this task from a safe network and not a public location.
This year, review your password best practices. Ensure that you have started to use passphrases to help make your password long and include some complexity as well, although the debate about how frequently you should change your password continues. My recommendation is that it should not be older than one year. It’s best not to wait until you are notified about a data breach, as it usually means cybercriminals had access for longer than two hundred days.”
Jan van Vliet, VP EMEA at Digital Guardian:
“Use a different password for each of your online accounts. Worried about remembering all of them? Consider using a password manager. There are a number of easy-to-use password apps out there, many of which are free. Make sure your passwords are unique and complex to ensure that hackers cannot guess them. If you’re notified that your account has been compromised, change your password immediately. Lastly, where possible, enable multi-factor authentication. Popular websites like Facebook, Gmail and Skype all offer this service.”
Anurag Kahol, CTO at Bitglass:
“A staggering 59% of consumers reuse passwords across multiple accounts. This means that if a cybercriminal appropriates a single password, then they can potentially gain access to a user’s accounts across a number of services where that password is reused. It is crucial for companies to do a better job at protecting data – particularly when so much of their business is conducted via the cloud and through digital services. To safeguard customer data, organisations should leverage multi-faceted solutions that enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage. Additionally, basic password protection is a must. Organisations must authenticate their users in order to ensure they are who they say they are, before granting them access to their systems. Fortunately, multi-factor authentication (MFA) and user and entity behaviour analytics (UEBA) are two tools that can help companies defend their data.”
Jay Ryerse, VP of Cybersecurity Initiatives at ConnectWise:
“Passwords are often associated with inconvenience — and for good reason. Employees and consumers alike are overwhelmed by the thought of remembering login details for 100-200 websites and making them difficult for bad actors to guess. That’s why this World Password Day, it’s important to look at the practical solutions to this impractical problem, accelerated by more and more aspects of our lives going online.
“To ensure your personal and work-related accounts, as well as the sensitive data residing within them, remain secure:
- Use a password manager.
- Use a different, complex password for every website.
- Remember that the longer the password, the longer it takes for digital adversaries to crack it, thus deterring successful brute force attacks.
- Avoid overused practices like adding an exclamation point at the end, including phrases associated with family or pets, or using incremental numbers.
- Give only fake answers to security questions that would help you recover your password.
- Implement multi-factor authentication wherever available.
There will always be varying degrees of account compromise. If someone hacked my LinkedIn, they might post something embarrassing, but it’s easy to change the password and regain control. However, if they broke into my online bank account or used my credit card on Amazon to rack up charges, we’d be looking at significant damage. Wouldn’t it be better to prevent all of these incidents, though? Implementing these best practices across your online presence will do just that, and protect both you and your company on an ongoing basis.”
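Several of the statements above come down to concrete checks: Carson's point that roughly a fifth of passwords are dictionary words, and Ryerse's list (length, no reuse across sites, no trailing exclamation point or incremental number). The following is an added example, not code from the article or from any of the quoted vendors: a small Python audit that runs those checks over a constructed vault and estimates the offline brute-force time that makes length matter. The word list, the vault contents, the 12-character minimum and the guess rate of 10^10 per second are all assumptions chosen for illustration; a real audit would load a full cracking dictionary and use a rate matched to the hash in question.

```python
import math
import re
from collections import defaultdict

# Assumption: a tiny stand-in for a real cracking dictionary such as rockyou.txt.
DICTIONARY = {"password", "monday", "summer", "welcome", "dragon", "letmein", "football"}

MIN_LENGTH = 12                 # assumed policy minimum
GUESSES_PER_SECOND = 1e10       # assumed offline attacker rate against a fast hash
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character classes used for the keyspace estimate: (pattern, alphabet size).
CLASSES = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),
]


def keyspace_bits(pw):
    """Upper bound on brute-force work in bits: log2(alphabet ** len(pw))."""
    alphabet = sum(size for rx, size in CLASSES if rx.search(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def crack_seconds(pw, rate=GUESSES_PER_SECOND):
    """Expected seconds to brute-force pw: half the keyspace at the given rate."""
    return 2 ** keyspace_bits(pw) / 2 / rate


def stem(pw):
    """Password with trailing digits and punctuation stripped: 'Summer2020!' -> 'Summer'."""
    return re.sub(r"[\W\d_]+$", "", pw)


def per_password_findings(pw):
    """Checks that apply to one password on its own."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"short ({len(pw)} chars)")
    base = re.sub(r"[^a-z]", "", pw.lower())   # letters only, so 'Monday1' -> 'monday'
    if base in DICTIONARY:
        findings.append(f"dictionary word '{base}'")
    if pw.endswith("!"):
        findings.append("trailing '!'")
    if re.search(r"\d+\W*$", pw):
        findings.append("trailing number")
    if crack_seconds(pw) < SECONDS_PER_YEAR:
        findings.append("brute-forceable in under a year")
    return findings


def audit(vault):
    """vault: {account: password}. Returns {account: [finding, ...]} for accounts with findings."""
    report = defaultdict(list)
    by_password = defaultdict(list)
    by_stem = defaultdict(set)
    for account, pw in vault.items():
        report[account].extend(per_password_findings(pw))
        by_password[pw].append(account)
        by_stem[stem(pw).lower()].add(pw)
    # Exact reuse: the same password on more than one account.
    for pw, accounts in by_password.items():
        if len(accounts) > 1:
            for account in accounts:
                others = sorted(set(accounts) - {account})
                report[account].append(f"reused on {', '.join(others)}")
    # Incremental variants: different passwords sharing a stem, e.g. Summer2019! / Summer2020!
    for account, pw in vault.items():
        if stem(pw) and by_stem[stem(pw).lower()] - {pw}:
            report[account].append("incremental variant of another password")
    return {a: f for a, f in report.items() if f}


# Constructed sample vault (not real credentials).
VAULT = {
    "bank": "Monday1",
    "salesforce": "Monday1",
    "facebook": "Summer2019!",
    "email": "Summer2020!",
    "vpn": "violet-kettle-orbit-sandal",
}

if __name__ == "__main__":
    for account, findings in audit(VAULT).items():
        print(f"{account}: {'; '.join(findings)}")
    for pw in VAULT.values():
        print(f"{pw!r}: {keyspace_bits(pw):.1f} bits, ~{crack_seconds(pw) / SECONDS_PER_YEAR:.2g} years")
```

The passphrase entry produces no findings, which is the point of Ryerse's length advice: at the assumed rate it adds roughly 80 bits over the 11-character "Summer2019!" and moves the brute-force estimate from thousands of years to well beyond any practical horizon, while "Monday1" falls in minutes regardless of how often it is rotated.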
Steve Nice, Chief Security Technologist at Node4:
“This World Password Day, it’s important to think about how crucial it is to change and update passwords frequently, especially in current circumstances. One of the biggest threats to IT security is ‘shadow IT’ – where the security team has limited or no visibility into the applications and tools employees are using. Many employees will be deploying remote collaboration tools independently of their organisation’s IT departments and these are not subject to the same due diligence and testing that would normally be undertaken. This means security, data sovereignty, compliance and retention are all outside of the organisation’s control.
Three tips for your staff are not to reuse passwords, to have complex passwords and to enable multi-factor authentication whenever available. Beyond this, ensuring employees are still getting the basics right while working remotely is key. Password managers, for example, can limit the risk associated with dormant applications, so even if ‘shadow IT’ collaboration tools are being used and left, the credentials remain up to date.”
Mihir Shah, CEO, Nexsan, a StorCentric company:
“For individuals seeking to protect their personal information and secure their online accounts, a strong password is a critical first line of defence. But, if you are a commercial, nonprofit or government organisation, a password, regardless of how unique or how often it is updated, will barely scratch the IT security surface. The only true protection for an organisation’s high value data is to aggressively lock it down using a hardened storage solution that has been engineered with the understanding that attempts at corruption or deletion can come from anyone, anywhere and at any time. The solution must be capable of recognising and rejecting every such attempt, regardless of whether it’s from a virus, ransomware, spyware, user mistakes, software error – or a new threat that hasn’t even been discovered yet.”
Andy Swift, Head of Offensive Security, Six Degrees:
“This year’s World Password Day feels especially significant as we see organisations wrestle with the logistics and cyber security implications of managing significant remote working deployments. We can all do ourselves a favour by utilising complex passwords, storing them appropriately, and backing them up with multi-factor authentication.
We’re all expected to use incredibly complex passwords to keep our Personally Identifiable Information safe, and rightly so. But there’s no way we’ll remember them all without some help. Use a reliable password manager and resist the urge to go back to using ‘Monday1’ for everything. And remember that no matter how complex your password is, it is still susceptible to a brute force attack unless it is backed up by multi-factor authentication. So whenever you’re accessing a web application, a VPN through a laptop at home, or any point of contact between the internet and your IT infrastructure, make sure multi-factor authentication is in place to minimise the risk of illicit access and data breach.”
JG Heithcock, GM, Retrospect, a StorCentric company:
“World Password Day reminds us of just how critical it is to take every precaution to protect ourselves and our data. And certainly, a unique password is a great place to start, but, you can’t stop there. Cyberthreats like ransomware are becoming increasingly pervasive, affecting homes and businesses alike. However, by proactively employing a data protection strategy that includes an effective and efficient backup solution, you will be able to thwart cybercriminals and ensure your data remains private, secure, accessible and recoverable.”
Finally, Stan Lowe, Global Chief Information Security Officer at Zscaler, gives an outlook on the future of passwords:
“The digital identity of every single user has become a valuable asset, and this asset must be protected efficiently. The starting point for this protection is secure access to any application, and the cornerstone for this is secure verification of the identity.
The fact that passwords are no longer a suitable means of doing this today is demonstrated by the alarmingly high number of security breaches that occur via stolen login data. On the corporate side, awareness of the need to rethink security has already matured, as shown by the popularity of Zero Trust-based security approaches that rely on multi-factor authentication. The FIDO2 standard, as a combination of several authentication methods, ignites the next level of security.
The industry is feverishly paving the way for the widespread introduction of FIDO2, and the infrastructure for this is already being built. Traditional identity providers are already jumping on the bandwagon by integrating the technology via APIs, although it will take about 18-24 months before the final implementation. A decisive factor for broad acceptance by users will be education on a broad front, but also simple user guidance for the technology.
As a farewell to the password, the FIDO2 standard seems to have no alternative. For the technology it is a relatively small step. For digital humanity it is a big step to raise the security of privacy to a new level.”