I felt bad as I did not pick up on WPD until it was too late and published an article titled "May 4 is/was world password day".
The whole idea of WPD is to get people to stop using sloppy, easily crackable passwords, and to ask people and organisations around the globe to take a pledge to improve their password habits.
Darran Rolls, chief technology officer and chief information security officer at SailPoint, an identity governance company, reached out to me to see if we could make up for my forgetting WPD. What follows is his take on a handful of common password beliefs.
Fact or fiction? Corporate password policies are only necessary to pay attention to for 'important' applications like financial applications.
Fiction. Security is all about the principle of the weakest link. An attacker will always go after the lowest rung first since it’s generally the easiest to infiltrate, before moving on from there to higher value targets. While a risk-based approach to security does work, that doesn’t mean you should only focus on those high-risk, high-value applications and leave the low-value areas unprotected – since that’s what attackers will be relying on.
Fact or fiction? It’s safe to store your passwords in a notebook out of sight of your desk.
Fact. Well… kind of. So, for SaaS applications, you’re probably far better off having a complex password on a sticky note than a memorable three-letter password kept in your head. To be clear, I'm not recommending post-it password policies. Remember, the insider is our biggest risk and the next insider threat might be your co-worker or an office cleaner. But realistically, when the adversary is physically remote, a notebook in a locked desk drawer is a better solution.
But more generally it’s truly not in your best interest to write your passwords down where someone could spot them. Instead, consider using an easy-to-remember password scheme, like using the first letter of the words in a phrase or song mixed with the name of the application. These methods may not be the safest methods you can choose from – but overall a complex password that you need to write down to remember is always better than a short password that you won’t forget but is an easy guess or easily crackable.
Fact or fiction? I can re-use my password if it’s really complex.
Fiction. Don’t re-use passwords. Period. Just look at several recent high-profile breaches to understand why. Following breaches like Dropbox and LinkedIn, hackers reuse the username/password combos taken from those services in order to gain access to accounts on other services – taking advantage of the widespread bad habit of reusing passwords across platforms and applications.
Fact or fiction? A long password doesn’t have to be complex to be secure.
Fiction. A long password made up of consecutive words that are typically used together is no more secure than the most common singular words used in passwords. As an aside, research shows that "Red" is the most common colour used in a password and "Batman" is the most common superhero.
These facts contribute to the way hackers crack passwords made up of these commonly-used words. The bad guys use databases of commonly used words and numbers called a Rainbow Table, to cycle through all possible plaintext permutations of encrypted passwords to compare with stolen password hashes.
Anything you can think of easily can be effortlessly cracked using this method. When it comes to passwords – complexity and randomness (aka entropy) is quite literally the key; the first letters of a song you like, an unusual mix of upper and lowercase letters, mix that with some random numbers and you are good. Remember – if it’s easy to say and remember, it’s almost always a bad password.
Fact or fiction? Using a password generator ensures a strong password.
Fiction. For the most part, password generators work since they easily create complex and unusual passwords. But remember – when choosing a password generator, make sure it’s provided by a trusted source. Recently, there was a free password generator app offered on iPhone that was analysed by the security community. It was found that the random number generation scheme used by this app was anything but random. Look for tools that are open source or highly recommended by trusted sources and already being used by security practitioners.
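An added example, my own code rather than anything from the post or from SailPoint, that ties together three of the answers above: a deliberately tiny, constructed common-word list stands in for a cracker's wordlist, a checker scores a password built only from such words far lower than its length suggests, the first-letters-of-a-phrase scheme produces something the checker cannot decompose, and the generator draws from the operating system's CSPRNG through Python's `secrets` module. The word list, the 17 bits-per-word figure and the application name are assumptions.

```python
import math
import secrets
import string

# Constructed stand-in for the multi-million-entry wordlists crackers use;
# a real policy check would load a full list (this one is tiny on purpose).
COMMON_WORDS = {"red", "batman", "password", "welcome", "summer", "love",
                "the", "is", "dead", "correct", "horse", "battery", "staple"}
WORDLIST_BITS = 17  # assumed ~100k-word attacker list: log2(100000) ~ 16.6
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def dictionary_words(password: str) -> list[str]:
    """Greedy longest-match split of the letters in `password` into common
    words. Returns the words if they cover every letter, else []. Digits and
    punctuation are ignored, so 'RedBatman1' is treated like 'redbatman'."""
    core = "".join(c for c in password.lower() if c.isalpha())
    words, i = [], 0
    while i < len(core):
        for j in range(len(core), i, -1):
            if core[i:j] in COMMON_WORDS:
                words.append(core[i:j])
                i = j
                break
        else:
            return []          # some letter run is not a known word
    return words


def entropy_bits(password: str) -> float:
    """Strength estimate: an all-common-words password is scored per word,
    because that is the unit an attacker guesses in; anything else is scored
    by character-class brute force, the defender's best case."""
    words = dictionary_words(password)
    if words:
        return float(len(words) * WORDLIST_BITS)
    pool = 0
    for test, size in ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10)):
        pool += size if any(test(c) for c in password) else 0
    pool += 32 if any(c in string.punctuation for c in password) else 0
    return len(password) * math.log2(pool) if pool else 0.0


def phrase_to_password(phrase: str, app: str) -> str:
    """The scheme from the post: first letter of each word of a phrase you
    remember, joined to the application's name so every site differs."""
    return "".join(w[0] for w in phrase.split()) + "@" + app


def generate_password(length: int = 16) -> str:
    """Backed by the OS CSPRNG via `secrets`, never the `random` module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))
```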
Fact or fiction? I can use a weaker password if I use multi-factor authentication.
Fact. Again… sort of. It’s all about finding the balance between convenience and control. If you’re using rock-solid multifactor authentication and it’s deployed properly, then you may still be protected with an easier-to-remember password. But why wouldn’t you make sure that everything is strong? A multi-layered approach to security is always a good idea – but why wouldn’t you make sure each of those layers is as strong as possible? I would say: go for both.
Fact or fiction? The password is dead.
Fiction. Like I said above – a multi-layered approach to security is always best. Passwords aren’t going away anytime soon, so taking advantage of the full spectrum of password tools and best practices will only benefit you. Use stronger passwords, use layered multifactor authentication and, if you have the budget and the time, use biometrics. Multi-layered security is always in your best interest. But until every application and every system has moved off the password path, it is critically important that we appropriately manage them.
Following the passing of World Password Day, we hope you take the opportunity to reflect on your own password behaviours and take action to nix those bad habits in favour of good password strategies. And put WPD in your diary for next year.