The first Thursday of May is World Password Day, and this year it’s today, 6 May 2021. First celebrated in 2013, this day is meant to serve as a reminder of the importance of good password hygiene.
It has never been more important to have long and strong passwords which are managed for you using a password manager, especially in the face of escalating password breaches, cyber attacks and leaks of personal information.
A series of top security companies have provided me with a treasure trove of excellent advice which I’m sharing below for individuals, IT admins and enterprises, from CyberArk, LogMeIn/LastPass, Check Point Software, McAfee, Thales, Nuance, Auth0, Ping Identity, Barracuda Networks and Snowflake so please read on - and share this article!
Let’s start with CyberArk VP of Solution Engineers, Jeffery Kok, who notes that the forced acceleration of digital transformation and the new ways of working, collaborating and communicating have created challenges for security and IT professionals.
Kok notes: “Every new corporate application or tool becomes a new identity silo, with unique password management requirements, such as complexity or how often they should be rotated.
“And because we are pretty bad at using and remembering strong passwords, we often use weak ones, or re-use them. In fact, 84% of remote workers admitted to re-using passwords in our survey. Added to this, passwords are still often the only verification method in use. Because of this, IT professionals consider passwords to be amongst the weakest links in their company’s defences.”
Kok says World Password Day 2021 provides a timely opportunity for IT admins and security teams to reinforce best practices, and shares four top tips to reducing password-related risk:
1. Mandate the use of a strong password
Strong passwords contain several different types of characters and, consequently, require more effort and time for an attacker to hack. Passwords should contain at least 10 characters and include a combination of character types, such as commas, percent signs and parentheses, as well as uppercase and lowercase letters and numbers.
2. Enforce the use of one unique password for each service and account
If employees re-use passwords on multiple sites or accounts, even if the password is complex enough and long, all it will take is for one of their accounts to be compromised to make all of their other accounts vulnerable.
3. Use multi-factor authentication
This means that multiple types of authentication – not just a password – are required to unlock the account. The first part of the authentication process requires something the user already knows, like a password. The other part of the authentication process involves something the user doesn’t already know, such as a code sent to the mobile phone by authentication software or created by a designated application on the phone.
This code becomes the other half of a user’s login authentication. Now, even if attackers manage to get a password, they still don’t have access to the account without the other part of the authentication.
4. Address the risk of local admin accounts on workstations
Weak passwords and end users with local admin rights on their workstations represent a significant security risk for organisations. Many attacks start on endpoints where attackers initially gain access through a phishing attack or when an employee inadvertently downloads and executes a malicious application. In many cases, an attacker’s aim is to compromise the privileged credentials that reside on workstations.
Privileged credentials – such as admin rights – can allow attackers to move laterally until they can secure credentials to your system with sensitive PII (personally identifiable information) or intellectual property. To reduce this risk, organisations should rotate local admin credentials (including the OS built-in local account) on a periodic basis as an important security measure. Over time, organisations should consider removing local admin rights from end user workstations altogether to further reduce the risk of attacks from the endpoint.
LastPass:
1. Stop reusing passwords
It’s tempting to use the same password because we like to think we can remember everything, but we all know that’s not always the case. In fact, 91% of us know that using the same or a variation of the same password is a risk but 61% do it anyway, and 54% keep track of passwords by memorising them. A quarter (25%) of us reset passwords at least once a month because we’ve forgotten them.
2. Say goodbye to words, and hello to phrases
Did you know it takes hackers only a few seconds to crack an easy 6-character password? There’s always strength in numbers: consider using a phrase to not only lengthen your password, but also make it unique. For example, ThisIs4str0ngP4ssw0rd_!
3. Round up your important information
There’s already so much we have to organise and sometimes it can be hard to keep up with the times. It’s important to keep track of all sorts of information from passcodes, to PIN numbers, security questions and account ID numbers. Having a password manager will save you the headache and keep everything secure with bank-level encryption.
LastPass is excited to celebrate World Password Day and promote cybersecurity education and awareness by supporting Coder Dojo, a global, volunteer-led community of free programming workshops for young people.
When you purchase LastPass products from now until World Password Day (May 6th), you’ll receive 25% off while supporting cybersecurity education: $1 from every purchase will be donated to Coder Dojo.
Please see here for more information.
Check Point Software:
Check Point Software Technologies is providing top five tips to help Aussies create a strong password and stay cyber-safe.
According to Check Point Software’s latest security report, the world faces over 100,000 malicious websites and 10,000 malicious files each day, all seeking to steal, cause disruption or damage. A large portion of this malicious activity often involves bypassing password protections.
Ashwin Ram, Cyber Security Evangelist at Check Point has provided the following security tips on how to create strong passwords and improve password hygiene:
1. Make your password long. Hackers often use a technique called “brute force attack.” In this technique, a computer program runs through numerous possible combinations of letters, numbers, and symbols as fast as possible to crack your password. The longer and more complex your password is, the longer this process takes. Passwords that are three characters long take less than a second to crack.
2. Don’t use dictionary words. Password-cracking tools freely available online often come with dictionary lists that will try thousands of common names and passwords.
3. Include numbers, symbols, uppercase and lowercase letters. Randomness is more difficult to crack. For example, you could substitute a zero for the letter O or @ for the letter A. Avoid using simple adjacent keyboard combinations: For example, “qwerty” and “asdzxc” and “123456” are bad passwords that can be easy to crack.
4. Don't use obvious personal information. Do not choose passwords based upon details that may not be as confidential as you’d expect. Examples are your birth date or phone numbers, or names of family members. These only make your password easier to guess. If you are required to choose security questions and answers when creating an online account, select ones that are not obvious to someone browsing your social media accounts.
5. Do not reuse passwords. Lists of compromised email addresses and passwords are often leaked online by hackers. If your account is compromised and you use this email address and password combination across multiple sites, your information can be easily used to get into other accounts. Constantly choose unique passwords. Change your passwords regularly.
Raj Samani, Chief Scientist and McAfee Fellow at cybersecurity firm McAfee, has written on the importance of password safety following the pandemic-driven surge in online activity, and how Aussies can create secure passwords this World Password Day, to protect their accounts and devices.
“When it comes to online safety, password hygiene has never been more relevant. Over the past year alone, we’ve seen a massive surge in online activity, with the pandemic leaving many Australians reliant on conducting daily activities such as shopping and banking online.
“Passwords are of course a key part of our digital lives, enabling people to gain quick access to a variety of online platforms, accounts and devices. However, it can be easy to take them for granted and forget the basics of password hygiene during our busy lives, particularly now as we have so many accounts to keep on top of in order to get on with our day-to-day activities.
“Passwords which include personal information, such as your name, or pet’s name, make them easier to guess. This is especially true when we share a lot of personal information online, making it easier for online criminals to make guesses about your password. You should also never share a password, even with a close relative. While this may seem harmless, sharing these details could result in critical personal information falling into the wrong hands. In fact, McAfee recommends changing your passwords about every three months at a minimum. This is so that if a password has been shared or compromised, the safety of your online information has a higher chance of being kept safe by making this change.
“World Password Day is an excellent time to highlight the importance of password safety to consumers. But it is just as important to ensure password hygiene remains top of mind at all times and not just for one day. We’ve shared our top-tips and tricks below.”
McAfee’s top tips for creating secure passwords:
1. Password sharing – passwords should never be shared with anyone else, even trusted family and friends. Sharing a password could result in critical personal information falling into the wrong hands. McAfee advises against this and encourages consumers to keep all passwords to themselves. Even more importantly, never share a password over text, email, or any other online communication channel.
2. Keep it impersonal. Passwords that include personal information, such as your name, address, or pet’s name, make them easier to guess. This is especially true when we share a lot of personal information online. But, you can use personal preferences that aren’t well known to create strong passphrases.
3. Never reuse passwords. If you reuse passwords and someone guesses a password for one account, they can potentially use it to get into others. This practice has become even riskier over the last several years, due to the high number of corporate data breaches. With just one hack, cybercriminals can get their hands on thousands of passwords, which they can then use to try to access multiple accounts.
4. Employ a password manager. If just the thought of creating and managing complex passwords has you overwhelmed, outsource the work to a password manager. These are software programs that can create random and complex passwords for each of your accounts, and store them securely. This means you don’t have to remember your passwords – you can simply rely on the password manager to enter them when needed.
5. Employ multi-factor authentication. You can double check the authenticity of digital users and add an additional layer of security to protect personal data and information.
• Try making your password a phrase, with random numbers and characters. For instance, if you love crime novels you might pick the phrase: ILoveBooksOnCrime
• Then you would substitute some letters for numbers and characters, and put a portion in all caps to make it even stronger, such as: 1L0VEBook$oNcRIM3!
• If you do need to use personal information when setting up security questions, choose answers that are not easy to find online.
• Keep all your passwords and passphrases private.
• Use unique passwords for each one of your accounts, even if it’s for an account that doesn’t hold a lot of personal information. These too can be compromised, and if you use the same password for more sensitive accounts, they are also at risk.
• If a website or monitoring service you use warns you that your details may have been exposed, change your password immediately.
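Check Point's tips 1 to 3 and McAfee's passphrase bullets above describe rules that a password checker can enforce mechanically: a minimum length (CyberArk's 10 characters), several character types, no dictionary word even when letters are swapped for look-alike digits, and no adjacent-keyboard runs such as “qwerty” or “123456”. The Python below is an added example written for this article, not code from any of the vendors quoted. It implements those checks together with the exhaustive-search arithmetic behind “the longer and more complex your password is, the longer this process takes”. The word list and the 10^10 guesses-per-second rate are constructed assumptions for illustration only, and every function name is this example's own.

```python
import math
import string

# Constructed demo word list; a real checker loads a large breached-password or dictionary file.
DICTIONARY_WORDS = {"password", "welcome", "letmein", "iloveyou", "dragon", "monkey", "sunshine"}
# Keyboard rows used to spot adjacent-key runs such as "qwerty" or "123456".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Common letter-for-symbol substitutions, reversed so "P4ssw0rd" is recognised as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
MIN_LENGTH = 10      # CyberArk's "at least 10 characters"
MIN_CLASSES = 3      # out of lower, upper, digit, symbol
# Assumed offline guessing rate for the time estimate: an assumption for illustration, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 1e10


def character_classes(pw: str) -> dict:
    """Which of the four character types the password uses."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() for c in pw),
    }


def charset_size(pw: str) -> int:
    """Size of the alphabet an exhaustive search must cover, given the classes present."""
    used = character_classes(pw)
    return 26 * used["lower"] + 26 * used["upper"] + 10 * used["digit"] + 33 * used["symbol"]


def brute_force_seconds(pw: str) -> float:
    """Worst-case time to enumerate every password of this length over this alphabet."""
    return charset_size(pw) ** len(pw) / ASSUMED_GUESSES_PER_SECOND


def keyboard_run(pw: str, min_run: int = 4) -> bool:
    """True if min_run adjacent keys from one keyboard row appear, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            seq = row[i:i + min_run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def dictionary_core(pw: str) -> str:
    """Undo leet substitutions and drop non-letters so a disguised single word is still seen."""
    return "".join(c for c in pw.lower().translate(LEET_MAP) if c.isalpha())


def check_password(pw: str) -> dict:
    """Apply the article's rules; returns the failed rules plus two strength figures."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if sum(character_classes(pw).values()) < MIN_CLASSES:
        failures.append(f"fewer than {MIN_CLASSES} character types")
    if dictionary_core(pw) in DICTIONARY_WORDS:
        failures.append("dictionary word (substitutions undone)")
    if keyboard_run(pw):
        failures.append("adjacent keyboard sequence")
    return {
        "ok": not failures,
        "failures": failures,
        "entropy_bits": round(len(pw) * math.log2(max(charset_size(pw), 2)), 1),
        "brute_force_seconds": brute_force_seconds(pw),
    }


if __name__ == "__main__":
    # Constructed samples: the two passphrases quoted in the article plus three weak ones.
    for sample in ("ThisIs4str0ngP4ssw0rd_!", "1L0VEBook$oNcRIM3!", "qwerty", "123456", "P4ssw0rd!!"):
        result = check_password(sample)
        print(f"{sample:25} ok={result['ok']!s:5} bits={result['entropy_bits']:6} "
              f"search={result['brute_force_seconds']:.3g}s failures={result['failures']}")
```

Run on the two passphrases quoted above, the checker passes every rule, while a single substituted word such as P4ssw0rd!! still fails the dictionary check once the substitutions are undone. That is the practical reason the advice keeps returning to length and multi-word phrases rather than to swapping letters for symbols: the search-space arithmetic grows with every extra character, whereas a cracking wordlist already contains the common substitutions.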
Over the last year, cybersecurity has been stretched to the limit with no site or service immune to attack. Facebook and LinkedIn are just two of dozens of recent examples of our precious passwords falling into the wrong hands. And with so many of us working from home, there doesn’t seem to be an end in sight.
“With more employees working remotely than ever before due to COVID-19, businesses are at greater risk from a cyber-attack with workers accessing systems outside of the usual company network.
“As such, this year’s World Password Day is in fact a timely reminder for businesses to drop passwords forever – they are no longer good enough and are the prime resource for hackers to gain access. Instead, companies should roll out access management solutions such as passwordless authentication which verifies users through other methods like their IP address or whether they are accessing through a device or operating system associated with them. This will overcome the inherent vulnerabilities of text-based passwords, while improving levels of assurance and convenience.
“No single solution is enough though, so organisations should also be looking to adopt a Zero Trust model in their approach to authenticating users and certifying their authorisation to access data. This strategy, based on the principle, “Never Trust, Always Verify”, views trust as a vulnerability and requires employees to only access data they’re authorised to do so, while ensuring they verify who they are each time they want access.”
“World Password Day represents a reminder that PINs and passwords are an archaic tool, no longer fit for purpose. Passwords are being sold on the dark web, exploited for fraudulent activity and have even cost unfortunate individuals vast sums of money in terms of forgotten passwords to safeguard cryptocurrencies.
“Indeed, new Australian research from Nuance has found that over a quarter (28%) of consumers have admitted to relying on the same two or three different passwords or similar variations of them. A similar number (28%) say they receive notifications their passwords have been compromised at least every two or three months. This could leave those individuals at an increased risk of fraud, and it is the enterprises that must take responsibility to address this by strengthening their customers’ security with more modern solutions.
“Given the same poll has found that on average victims of fraud lost over $2,400 each in the last 12 months, it is high time PINs and passwords are confined to the history books, so that technology – such as biometrics – can be more widely deployed in order to robustly safeguard customers. Biometrics authenticates individuals immediately based on their unique characteristics – taking away the need to remember PINs, passwords and other knowledge-based credentials prone to being exploited by fraudsters and providing peace of mind, as well as security, for end-users.”
To mark the occasion of World Password Day, the identity management experts at Auth0 are releasing the first in a series of international surveys. The research, commissioned by Auth0 working with YouGov, asked more than 1,200 business leaders and 8,000 consumers around the world about their expectations for online login and sign-up experiences.
Nine in ten consumers reuse passwords
According to the Australian consumers surveyed, when using a new website or online service, the main frustrations are creating a password that has to meet certain requirements (56%), entering private information such as a passport number, tax file number, Medicare number, etc. (54%), and having to fill in long login or sign-up forms (50%).
This frustration leads to 90% of Australian consumers reusing passwords for more than one account – and more than half (53%) admitted to doing so frequently. And it’s not just Australia. Across the world, password reuse is still alive and well, with nearly nine in ten consumers (88%) admitting to the practice.
Consumers deserve safe and convenient alternatives to passwords
Richard Marr, General Manager, APAC at Auth0 says: “Consumers are frustrated with the standard password and username method of authentication. As humans, we aren’t suited to remembering long, complex alphanumeric combinations, and need easier, faster and more secure forms of authentication, and it’s partly because of this that we’re seeing a rise in successful cybercrime. It’s time we consider the role of businesses in promoting a safer internet by offering more secure and convenient alternatives to passwords.
“For businesses, this is an opportunity to listen to their customers and make changes to the login process. Technologies exist to stop users from getting frustrated, while protecting them against fraud.
“Passwordless and biometric security are already mainstays of multifactor authentication, and adaptive technologies are already on the market that can offer that security without the friction.
“We need to see technology adapt to humans, not the other way around. Passwords will inevitably make way for alternatives that are driven by the adoption of the WebAuthn standard, but businesses need to prepare for that transition now.”
“These findings show that for many of us, the password hygiene message simply hasn’t yet sunk in deeper than the frustrations we feel. This means our personal data, often across multiple platforms and accounts, could be at risk. World Password Day is the perfect reminder for all of us to take stock of our apps and online accounts, and carve out a bit of time today to download a password manager across our devices and develop strong, unique passwords.”
Dr. Catarina Katzer, a leading cyber psychologist, also adds: "The majority of online users are now well aware that there are security problems with using the same username and password combination to register for multiple services. But we try to suppress that psychologically in the brain. The more extensive a registration process appears, the less inclined we are to go through with it. Convenience and simplicity play a major role here, which means we need to rethink security [in a way that doesn't compromise the customer experience]."
Ashley Diffey, Head of APAC and Japan, Ping Identity, says that “World Password Day falls in National Privacy Awareness Week here in Australia, a timely reminder that the biggest issue today in privacy is caused by so many people and organisations holding onto data, with several copies made as backups and stored in several places.
"While this process may be to ensure that data isn’t lost, in fact it provides more complexity around the management and protection of that data. To create better security or privacy we need to give people the right and control to create and delete their data when there is no real need for this information to be stored.
"To enable this we need to move to a decentralised identity model whereby your identity can be verified, time stamped and then deleted.”
Fleming Shi, Chief Technology Officer at Barracuda Networks adds, “When organisations collect data, they must assume responsibility for the safekeeping of the data. By implementing legislation to penalise incompetency, this will raise awareness and change human behaviour.
"In the meantime, I think that this can also work the other way around by rewarding those who have done an excellent job in protecting data. I believe Australia will continue to raise the bar in this area and hopefully do so with penalties for the weak and rewards for the best practitioners.”
Jonathan Sander, Security Field Chief Technology Officer at Snowflake, added, “The network used to be king in terms of security, and the jealous prince was identity. For years, identity management specialists have said that identity is the new perimeter.
"This has taken a long while to become true for most organisations, however now it will be the primary layer of security, and a network location will become just another attribute to identify the users.”