Passwords are essentially the gateways to our digital lives. From business accounts, social media, shopping, banking – you name it – if they’re compromised, it can have big implications. To mark World Password Day, we’ve compiled the advice of some of the world’s leading experts in cybersecurity to help keep individuals, and ultimately businesses, safer when creating and managing passwords.
Curtis Simpson, CISO, Armis:
Most importantly, protect your credentials through the use of a token or app-based multi-factor authentication (MFA) solution. Refrain from relying on SMS-based MFA options or the use of security questions as neither are particularly secure. When protecting accounts with an effective MFA solution, even if someone gains access to your user ID and password, it’s highly unlikely that your credentials can actually be used to access your account. If your email accounts are not already protected using MFA, this should be priority #1 and should be enabled without delay. If a bad actor gains access to your email account, they can often reset passwords and gain access to many of your other accounts that have not already been protected with an effective MFA solution.
Additionally, use single sign-on where possible to access your accounts. This enables rapid access to your online apps without the need to manage many different passwords manually or with a password management app. If you establish a complex, highly secure password for your primary account (e.g. your Gmail account) and protect this primary account using MFA, each app accessed using this account is universally protected.
Where single sign-on is not an option, use a password manager solution and protect access to the password manager using MFA.
Aaron Cockerill, Chief Strategy Officer at Lookout:
Passwords need to go. We should not be celebrating World Password Day, we should celebrate the day no one ever needs to remember a password ever again. And that day is coming. For example, WebAuthn and the FIDO Alliance are making great headway toward that goal using public key cryptography. Passwords are a terrible way of asserting your true identity, and present major issues for the organisations that have to store your password in the event of a breach. We need to stop using passwords or shared secrets as a way of identifying an individual. But in the meantime there is a lot of support to help us with systems that still require them. Password managers and even browsers now notify you when passwords are repeated or stolen, and they suggest longer and stronger passwords that they remember rather than you having to. And increasingly your password can be strengthened by things like second factors and biometrics. Increasingly identity will be established using intelligent devices like your smartphone, leveraging both encryption and biometric sensors, and passwords will become a thing of the past. The challenge then is to know that your smartphone is safe.
Bindu Sundaresan, Director, AT&T Cybersecurity:
At the root of these problems are the systems that authenticate users with passwords. Passwords are inconvenient and create numerous security vulnerabilities. A password by itself should be considered a point of high exposure. In today’s connected world, hackers can easily access systems and personal devices. Passwords are shared, stolen, reused, and replayed. They are the hacker’s favourite target, and entire categories of vendor products exist to make up for the shortcomings of passwords. While passwords are not the only reason for diminished trust, they are certainly the most expensive. Two distinct authentication factors, each acting as a separate padlock, are necessary to help secure information.
Best practices to help strengthen password security are:
- Don’t use the same password for all your accounts.
- Use multi-factor authentication for an extra layer of protection. (For instance, ZenKey is a highly secure, multifactor identity solution offered by a joint venture formed by the three major US wireless providers.)
- Consider a password manager to help you maintain security.
Going passwordless may help organisations achieve increased productivity amongst employees, reduced IT costs, and more robust security. However, keep in mind that passwords are still the most prevalent authentication method and are not going away any time soon. That’s why organisations should consider coupling a passwordless login experience for employees and enterprise password management for every password that is still in use to secure every access point while delivering a seamless login experience. With the rate of spiked credential stuffing attacks that happened last year and many malicious login attempts on websites, it is safe to say the explosion of new digital users has opened up the attack surface for fraudsters to launch credential stuffing attacks like never before.
Imagine if the security resources used to mitigate these attacks were reprioritised. Eliminating the password lays the foundation for a powerful Zero-Trust experience that is easy to use and easy to deploy. Between the reduced tooling and allowing cybersecurity teams to focus on the things that really matter, the ROI of going passwordless cannot be understated.
Dan Conrad, field strategist, One Identity:
While many of us are “in the industry” and pay close attention to systems where accounts are required and the way we authenticate, I’ve learned there are many others that do not see the value of protecting an individual credential. Instead of providing password tips, consider these as “rules”.
- Generate unique complex passwords for every system that requires an account. Many personal password managers will handle this for you, but be sure to use one that requires strong authentication to the password manager. This way, if one of the systems you use has its user/password database compromised, you won’t have to run to other systems and change passwords.
- If a system offers MFA, use it.
- Never use the same password for a corporate/work account that you use anywhere else – to protect the company if one of your other systems is breached.
- Appreciate strong authentication in the systems you use and help socialise good practices.
Authentication itself is maturing and changing to meet complex needs. In the future, hopefully we can look back and realise these simple rules are no longer relevant. But for now, these rules are the best way to protect ourselves, our company/organisation, and the data behind all the accounts we use every day.
Niamh Muldoon, Global Data Protection Officer at OneLogin:
Access control mechanisms need to be appropriate for the asset (technology or data) being protected. Complex passwords are hard to remember and often a single point of failure. The Stefan Thomas case from earlier this year was a great example of the financial cost associated with not implementing an appropriate access control mechanism where not remembering the password was the single point of failure.
Technology and product innovators must recognise that biometrics play a crucial role in access control. Biometric data can be used as the primary, second or third factor in authentication to support and protect the critical information assets of individuals and organisations. Partnering with a trusted service provider on access control would be a great way to enable this to happen.
Natalie Page, Threat Intelligence Analyst, Talion:
Uncomplex, duplicated passwords are one of the single most troublesome factors regarding adversaries successfully infiltrating and compromising networks. It is estimated that the average person now utilises around 100 passwords, making it understandable why the use of unimaginative passwords duplicated across platforms is so rife. However, while we may feel we are just making our own lives easier, we are also making the job of the adversary much easier, too.
The lengthier and more complex a password, the better. Passwords varying from 12-16 characters are an ideal, recommended length, differing on each platform. The use of a mixture of special characters and lower/upper case letters also heightens password security. While setting up individual platforms to meet this criterion may be a simple and extremely effective security measure, remembering all of these logins can be painful.
One of the most effective ways an individual can utilise multiple complicated passwords across various platforms is to adopt a password manager. These are safe, secure applications that store all of your passwords in one place, meaning you just need to remember the one password to the application. It is important when choosing which password manager to use that you select a trustworthy application. Some reliable, safe examples are Keeper, NordPass, LastPass and Dashlane. Ensure you research any other tools you may wish to use before downloading these applications.
For users not wanting to utilise a password manager, alternatives could be to create a tip sheet that would give cryptic clues, writing down the passwords in a disguised/coded manner, creating your own code via acronyms and abbreviations, or utilising a variety of random words such as foods, colours, and animals, mixed with special characters. It is crucial when setting up these passwords that you avoid patterns and habits: while you may not be replicating the exact password, displaying patterns across your passwords will also give an attacker the advantage.
Finally, once you have all of this in place, it is essential you continue to update these passwords; this is recommended every 90 days.
Dearbhail Kirwan, Security Operations Team Lead at edgescan:
We’ve all heard the ‘good password practice advice’ which boils down to:
- Use long, complex passwords (complexity referring to using multiple character sets, i.e., upper and lowercase letters, numbers, symbols)
- Change your passwords regularly
- Use different passwords for all your logins
- Don’t share your passwords
This advice is also commonly extended to include points such as ‘use long passphrases’ and ‘avoid using dictionary words’, which also adds complexity to the task.
This advice was sufficient when you could mentally manage your passwords for one or two logins, but the majority of us these days have to regularly log into a range of different systems. As a result of all these requirements, people commonly employ mechanisms or patterns to help remember their passwords, which unfortunately can often have the side-effect of making them predictable, and therefore easier for an attacker to access a number of your passwords as a result of cracking just one.
The common expiry time for passwords is 90 days. If you have to manage just 10 different logins, that’s 40 passwords over the course of a year, along with avoiding confusion between your pre and post-change passwords at the end of the 90 day period, and between which password belonged to which login. Unless you have perfect recall, it’s going to get extremely difficult to mentally maintain all of your passwords without compromising on security.
Enter the password manager, which for the unfamiliar can be considered a secure way to write down all of your passwords so that you don’t have to know or remember them. In recent years there has been a significant increase in the number of password manager providers which has resulted in a wide range of feature-rich options. There are many different platforms that should satisfy the requirements of the majority of situations, such as online vs offline, free vs paid, and so on. Most password managers also come equipped with a password generator where you can set the parameters such as length, character sets to include, etc., which allows you to generate and save secure passwords at the click of a button.
Using a password manager can take the pain out of securely managing your passwords. You should still employ all the best practice advice mentioned above, you just don’t need to remember every single password yourself – just remember to ensure that you adequately secure your password manager! This advice is focused on passwords, however, for authentication management in general, Multi-Factor Authentication methods should always be used where possible.
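Both Natalie Page (12-16 characters, mixed character sets) and Dearbhail Kirwan (a manager's generator with length and character-set parameters) describe the same mechanism. The following is an added example, not the article's code and not taken from any of the password managers named on the page, of how such a generator is built: it draws from the operating system's CSPRNG via Python's `secrets` module, lets the caller pick the length and sets, guarantees every chosen set appears at least once, and includes a policy check and a rough strength estimate. The symbol set and the `CHARSETS`/`generate_password`/`meets_policy`/`entropy_bits` names are my own choices.

```python
"""Generating a password the way a password manager's generator does.

Added example, not the article's code nor any named product's. Uses the
CSPRNG behind Python's `secrets` module, caller-chosen length and
character sets, and guarantees every selected set is represented so the
result meets the mixed-character criteria the article describes.
"""
import math
import secrets
import string

# Character sets a generator typically offers. The symbol set is a
# conservative choice that most sites accept; adjust per site policy.
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!#$%&*+-=?@^_~",
}
DEFAULT_SETS = ("lower", "upper", "digits", "symbols")


def generate_password(length: int = 16, sets=DEFAULT_SETS) -> str:
    """Return a random password of `length` characters over the named sets.

    One character is taken from each requested set first, the remainder
    from the union alphabet, and the whole list is shuffled with a
    CSPRNG-backed shuffle so the guaranteed characters are not in fixed
    positions.
    """
    if length < len(sets):
        raise ValueError("length must be at least the number of character sets")
    pools = [CHARSETS[name] for name in sets]
    chars = [secrets.choice(pool) for pool in pools]
    alphabet = "".join(pools)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # os.urandom-backed shuffle
    return "".join(chars)


def meets_policy(password: str, sets=DEFAULT_SETS, min_length: int = 12) -> bool:
    """Check the article's criteria: minimum length and one char from every set."""
    if len(password) < min_length:
        return False
    return all(any(c in CHARSETS[name] for c in password) for name in sets)


def entropy_bits(length: int, sets=DEFAULT_SETS) -> float:
    """Upper bound on strength: bits for a uniform choice over the union alphabet.

    The one-from-each-set guarantee removes a few candidates, so the true
    figure is marginally lower; it is still the number worth comparing
    against the ~28 bits of a short dictionary word plus a digit.
    """
    alphabet_size = sum(len(CHARSETS[name]) for name in sets)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (12, 16, 24):
        pw = generate_password(n)
        print(f"{n:2d} chars: {pw}  policy={meets_policy(pw)}  ~{entropy_bits(n):.0f} bits")
```

The practical lesson is in `secrets` versus `random`: the standard `random` module is a seeded Mersenne Twister whose output can be reconstructed from a few samples, which is exactly the wrong property for a password generator; `secrets` and `SystemRandom` read from the operating system's CSPRNG.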
Amit Sharma, security engineer, Synopsys Software Integrity Group:
Ensuring our passwords are secure is a crucial element of protecting our digital identities and sensitive information that we may provide when shopping online, using social media or mobile banking apps (to name a few popular examples). The wide array of password protected services available to us leads many to re-use the same password across many applications for the sake of convenience. However, in the event that a password for one service is breached, many doors could be opened to would-be attackers if users are in fact re-using passwords—a very common attack strategy.
Understanding password security best practices—such as not re-using passwords, employing a password manager, and using multi-factor authentication whenever possible—teaches users how to create a more secure environment in which to protect their data. And new technologies are continuously emerging to improve security and scalability while also accounting for a seamless user experience.
Jamie Akhtar, CEO and co-founder of CyberSmart:
The best advice I have when having to manage various complicated passwords is to use a password manager. Password managers allow users to easily create complex passwords as well as securely store them in a central location. The only thing you need to remember then is the master password that gives you access to this bank.
Rupesh Chokshi, VP, AT&T Cybersecurity:
Multifactor authentication (MFA) is a *must have*. With MFA, the password may represent the first factor in the multi-factor process. The second part of the process is typically a code sent through email or text message (like when logging into your bank), but may also be a fingerprint scanner, face recognition or a physical token. While MFA isn’t un-hackable, cybercriminals would need physical access to your device to hack you in most cases.
Minimize login attempts. Don’t be too generous with the number of unsuccessful password attempts to access your systems. The fewer tries available for employees (within reason), the less chance for hackers to keep trying new passwords.
When logins are unsuccessful, lock accounts. Much like minimising logins, this strategy will give hackers a reason to give up and move on to their next target. You can also limit the time between unsuccessful logins.
Do not share your passwords. Sharing login credentials may sound like it will save time and or money, but the savings won’t come close to the costs of a data breach if any of those passwords are stolen.
Be sneaky with your secret questions and answers. Social media is a treasure trove of personal information, and hackers may easily guess some of the secret questions if you fill them out with easy answers. Use information that very few people know, or simply make things up with answers only you know.
Finally, and most importantly, foster a corporate culture of security awareness. When users are made aware of the risks associated with bad passwords and poor security habits, everybody wins. Make them feel involved and engaged with your awareness programme. Good cyber hygiene should be part of your culture and taught to employees and contractors on a regular basis.
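The three server-side controls in the middle of this advice (cap unsuccessful attempts, lock the account when the cap is hit, and widen the time allowed between attempts) are easy to get subtly wrong, so here is an added example of all three together. It is not code from the article or from AT&T; the thresholds (five failures, a 15-minute lockout, a delay that doubles after each failure) and the `LoginThrottle`/`simulate` names are my own choices, and the attempt sequence is constructed for the demonstration. The clock is passed in explicitly so the policy can be exercised offline.

```python
"""Throttling failed logins: attempt cap, account lockout, growing delay.

Added example, not from the original article. The thresholds are
illustrative defaults, not a recommendation for any particular system.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LoginThrottle:
    max_failures: int = 5          # failures allowed before the account locks
    lockout_seconds: int = 900     # how long a locked account stays locked
    base_delay: int = 2            # first enforced gap between attempts (seconds)
    failures: Dict[str, int] = field(default_factory=dict)
    next_allowed: Dict[str, float] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)

    def check(self, user: str, now: float) -> str:
        """Return 'ok', 'locked' or 'too_soon' for an attempt made at `now`."""
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if self.next_allowed.get(user, 0) > now:
            return "too_soon"
        return "ok"

    def record_failure(self, user: str, now: float) -> str:
        """Count a failed attempt and return the account's new state."""
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        # Exponential backoff: 2s, 4s, 8s, ... before the next attempt is accepted.
        self.next_allowed[user] = now + self.base_delay * (2 ** (count - 1))
        return "delayed"

    def record_success(self, user: str) -> None:
        """A correct login clears the counters for that account."""
        self.failures.pop(user, None)
        self.next_allowed.pop(user, None)
        self.locked_until.pop(user, None)


def simulate(attempts: List[Tuple[str, str, float]], password: str,
             throttle: LoginThrottle = None) -> List[str]:
    """Replay (user, submitted_password, time) tuples and return each outcome."""
    throttle = throttle or LoginThrottle()
    outcomes = []
    for user, submitted, now in attempts:
        state = throttle.check(user, now)
        if state != "ok":
            outcomes.append(state)      # rejected before any credential check
            continue
        # Stand-in for verifying a salted password hash in constant time.
        if submitted == password:
            throttle.record_success(user)
            outcomes.append("success")
        else:
            outcomes.append("fail:" + throttle.record_failure(user, now))
    return outcomes


# Constructed attempt sequence: a burst of wrong guesses, a retry that
# arrives too early, a correct password while locked, then recovery.
ATTEMPTS = [
    ("alice", "wrong1", 0),      # failure 1 -> must wait 2s
    ("alice", "wrong2", 1),      # too soon, not even counted
    ("alice", "wrong3", 3),      # failure 2 -> wait 4s
    ("alice", "wrong4", 7),      # failure 3 -> wait 8s
    ("alice", "wrong5", 15),     # failure 4 -> wait 16s
    ("alice", "wrong6", 31),     # failure 5 -> locked for 900s
    ("alice", "correct horse", 100),   # right password, but locked
    ("alice", "correct horse", 1000),  # lockout expired -> success, counters reset
    ("alice", "wrong7", 1001),   # a fresh failure starts the backoff again
]


def demo() -> List[str]:
    return simulate(ATTEMPTS, password="correct horse")


if __name__ == "__main__":
    for (user, _, t), outcome in zip(ATTEMPTS, demo()):
        print(f"t={t:>5}  {user}: {outcome}")
```

Two details matter for the defender: a rejected-too-soon attempt is not counted as a failure (otherwise a retry loop locks the account faster than intended), and the "locked" reply is returned before any credential is checked, so the lockout also stops password guessing from consuming hashing CPU.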
And there you have it – some sound advice from those in the know. Bottom line: if you haven’t enabled MFA on important accounts, do so immediately. And finally, check out some password managers – Comparitech offers some great guides: https://www.comparitech.com/password-managers/