Security experts share insights on keeping passwords safe : @VMblog
Some of the most infamous data breaches in
modern history, such as the Colonial Pipeline, can be attributed to stolen
credentials or passwords. This year’s World Password Day emphasizes the
significance of establishing robust, continuous security policies. To
commemorate the day, various cybersecurity experts have gathered to offer
important advice on what you can do to avoid having your passwords become one
of the 15 billion accessible on the Dark Web.
Patrick Beggs, CISO, ConnectWise
“In the early days of the world wide web, you were
probably able to get away with a password as simple as ‘12345’. Times have
changed since then, but humans remain predictable. Research
has found that women typically include personal names in their passwords while
men often use their hobbies. And experienced hackers also know the common
vowels, numbers, and symbols that often appear in passwords.
Cybersecurity breaches are at an all-time high, but
there are three simple things we can all do to protect ourselves. First,
prioritize length over complexity, because we aren’t very good at remembering
complex passwords, and longer ones are more secure. Second, only use platforms
with multi-factor authentication — a password alone is not enough to protect
you. And finally, never reuse. Most breaches happen when a password from one
platform is used with another system that shares the same password.
If you follow these three simple steps, your
passwords should be strong enough to stop a determined hacker from causing
damage.”
Tyler Farrar, CISO, Exabeam
“Colonial Pipeline and Twitch. Both of
these organizations have one thing in common: they suffered data breaches as a
result of stolen passwords and credentials. Credential theft has become one of
the most common and effective methods cyber threat actors use to infiltrate
organizations of all sizes and access sensitive data.
We strongly support efforts, like World
Password Day, that raise public awareness and can help to combat this pervasive
issue. We advocate for the best practices that ensure cyber hygiene and protect
personal and professional passwords and credentials to prevent credential-based
attacks from continuing.
Credential-driven attacks are largely
exacerbated by a ‘set it and forget it’ approach to credential management, but
organizations must build a security stack that is consistently monitoring for
potential compromise. Organizations across industries can invest in data-driven
behavioral analytics solutions to help detect malicious activity. These
analytics tools can immediately flag when a legitimate user account is
exhibiting anomalous behavior indicative of credential theft, providing greater
insights to SOC analysts about both the compromised and the malicious user,
which results in a faster response time.”
Neil Jones, director of cybersecurity evangelism, Egnyte
“For
as long as I can remember, easily-guessed passwords such as 123456, qwerty, and
password have dominated the global listing of most commonly-used passwords.
Unfortunately, weak passwords can become a literal playground for
cyber-attackers, particularly when they gain access to your organization’s
remote access solution and can view corporate users’ ID details.
Similarly,
not a day goes by where I don’t hear another customer in a public setting like
a pharmacy or a supermarket vocally share his/her email address and/or personal
or business phone number, to obtain affinity club credit for a transaction or
to earn a discount. That private contact information – combined with weak
password administration – can represent a data breach just waiting to happen.
In
commemoration of World Password Day, here are practical tips to protect your
company’s mission-critical data:
- Institute Multi-Factor Authentication (MFA) – One of the most effective ways to prevent unauthorized access is by requiring additional validation of login credentials during a user’s authentication process. This can be as straightforward as a user providing his/her password, then entering an accompanying numeric code from an SMS text.
- Educate your employees on password safety – Educate your users that frequently-guessed passwords such as 123456, password, and their favorite pets’ names can put your company’s data and their personal reputations at risk. Reinforce that message by reminding users that passwords should never be shared with anyone, including your IT team.
- Inform users about the dangers of social engineering and spear-phishing – Remind users that unanticipated email messages, texts, and phone calls can be attempts to capture their login and password credentials. When proper login credentials are entered, malware can be initiated that will place your organization at risk of an even wider and more destructive cyber-attack.
- Keep personal and business contact information separate – Remind your users that maintaining separate email accounts and contact details for affinity clubs and discount programs protects their personal privacy and your company’s valuable data. Users should never provide business login credentials (such as their email addresses) in public forums, particularly within earshot of others.
- Establish mandatory password rotations – Discourage the usage of system default passwords and easily-guessable employee credentials by forcing employees to change their passwords on a routine basis.
- Update your account lockout requirements – Prevent brute force password attacks by immediately disabling users’ access after multiple failed login attempts.”
Gunnar Peterson, CISO, Forter
“It is
especially fitting that we collectively celebrate World Password Day in light
of recent breaches this quarter that have resulted in terabytes of stolen
proprietary data and untold financial cost. The day is a reminder that the
simplest of defenses in our toolbelt, credential and identity management, can
be the difference between a secure system and an unimaginable incident.
Most of the
breaches we hear about in the news are a result of businesses relying on
automated access control and realizing too late when a user has been hijacked.
Once an account is compromised, identity-based fraud can be extremely difficult
to detect considering the advanced tactics and randomness of different crime
groups like LAPSUS$ and Conti.
To succeed
against dynamic cybercriminals and account takeover (ATO) attacks,
organizations must build robust identity management systems and invest
resources into building a learning system that evolves to identify anomalous
user activity. These techniques can ebb and flow with the sophisticated threat
landscape we’re witnessing today.”
Aaron Sandeen, CEO and co-founder, Cyber Security Works (CSW)
“World Password Day is a day set aside not just to
promote better password use, but to draw attention to the numerous
password-related assaults. Tackling every password-related attack would be
difficult, but addressing the problem of Password Reset Poisoning plays an
important role in increasing organizational knowledge about better password use
and vulnerability management.
Every online application with a login gateway has
password reset capabilities. When a user forgets his password, this reset
password option is useful. However, in many organizations, password reset
poisoning is an attack in which the attacker obtains a victim’s password reset
token and is now able to reset the victim’s password. The problem occurs when
the program uses the host header to create the password reset link and then
adds the user-supplied host header to the password reset link. It is crucial
for companies to inform themselves of this type of password attack to protect
the privacy of their employees and the business as a whole. While addressing
similar password-related attacks, more vulnerabilities can be addressed and
give security teams peace of mind.”
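The mechanism CSW describes above, building the reset link from the client-supplied Host header, is easiest to recognise beside its hardened counterpart. The following is an added example, not CSW's code; the `Request` stand-in, the `CANONICAL_ORIGIN`/`ALLOWED_HOSTS` settings and the function names are assumptions for this illustration.

```python
"""Password-reset link construction: the host-header pattern beside a hardened form.
Added example; the Request class and the settings below are assumed, not from any product."""
import secrets
from dataclasses import dataclass, field
from urllib.parse import quote

# Assumed deployment setting: the site's public origin, read from configuration
# at startup, never from anything the client sends.
CANONICAL_ORIGIN = "https://accounts.example.com"
ALLOWED_HOSTS = {"accounts.example.com"}


@dataclass
class Request:
    """Stand-in for a web framework's request object (constructed for this example)."""
    headers: dict = field(default_factory=dict)


def new_reset_token() -> str:
    """An unguessable single-use token; the link's secret is only as strong as this."""
    return secrets.token_urlsafe(32)


def build_reset_link_vulnerable(request: Request, token: str) -> str:
    """The pattern the quote describes: the link's host is copied from the
    client-supplied Host header, so the token is mailed out in a link that
    points at whatever host the request named."""
    host = request.headers.get("Host", "")
    return f"https://{host}/reset?token={quote(token)}"


def build_reset_link_hardened(request: Request, token: str) -> str:
    """Hardened form: the link is assembled from the configured origin only.
    The Host header, and any forwarded-host header a proxy may pass through,
    is checked against an allow-list; a mismatch raises so the caller can
    refuse the request and log it instead of sending a link elsewhere."""
    for header in ("Host", "X-Forwarded-Host"):
        value = request.headers.get(header)
        if value is not None and value.lower() not in ALLOWED_HOSTS:
            raise ValueError(f"{header} not in allow-list: {value!r}")
    return f"{CANONICAL_ORIGIN}/reset?token={quote(token)}"


if __name__ == "__main__":
    # Constructed request whose Host names a host the application does not own.
    unexpected = Request(headers={"Host": "reset-links.example.net"})
    print("vulnerable:", build_reset_link_vulnerable(unexpected, new_reset_token()))
    try:
        build_reset_link_hardened(unexpected, new_reset_token())
    except ValueError as err:
        print("hardened refused:", err)
```

A rejected Host header is worth alerting on: a legitimate browser never sends one that is not on the allow-list, so each rejection is a cheap, high-signal detection event for the SOC.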
Surya Varanasi, CTO of StorCentric
“Few would argue the fact that a strong password is
an ideal first line of data protection defense. Without this basic security
measure, you are leaving the door wide open to a multitude of cybercrime risks.
Unfortunately, however, while highly sophisticated password tools are
available, today’s cyber criminals also have extremely advanced password
hacking technology at their fingertips. This means an increased risk of your
passwords being leapfrogged and your data being compromised.
The ideal cybercrime defense is a layered defense
that starts with a powerful password and continues with Unbreakable Backup. As
backup has become today’s cyber criminals’ first target via ransomware and
other malware, an Unbreakable Backup solution can provide you with two of the
most difficult hurdles for cyber criminals to overcome – immutable snapshots
and object locking. Immutable snapshots are, by default, write-once, read-many
(WORM), but now some vendors have added features like encryption where the
encryption keys are in an entirely different location than the data backup
copy(ies). And then, to further fortify the backup and thwart would-be
criminals, with object locking layered on top of that, data cannot be deleted
or overwritten for a fixed time period, or even indefinitely.”
JG Heithcock, GM of Retrospect, a StorCentric Company
“Ransomware is a huge global threat to businesses
around the world. Beyond the high-profile attacks, including Colonial Pipeline,
JBS, Garmin, and Acer, many people now personally know a colleague whose
business was attacked. In fact, a Coveware research study revealed that most
corporate targets are small and medium businesses (SMBs), with 72% of targeted
businesses having fewer than 1,000 employees, and 37% fewer than 100.
There are likely a few reasons for this continuing
trend. Certainly, one is that today’s ransomware is attacking widely, rapidly,
aggressively and randomly – especially with ransomware as a service (RaaS)
becoming increasingly prevalent – looking for any possible weakness in defense.
Another is that SMBs do not typically have the technology or manpower budget of
their enterprise counterparts, leaving them more vulnerable targets.
It is therefore critical that, in addition to powerful
passwords, which anyone would agree are an indispensable first line of defense,
there must be additional measures taken. The first is that all organizations,
regardless of size, must be able to detect anomalies as early as possible to
remediate affected resources. The next is that SMBs and large enterprises alike need
a backup target that allows them to lock backups for a designated time period.
Many of the major cloud providers now support object locking, also referred to
as Write-Once-Read-Many (WORM) storage or immutable storage. Users can mark
objects as locked for a designated period of time, preventing them from being
deleted or altered by any user – including internal bad actors.”
John Gunn, CEO, Token
“World
Password Day is akin to National Running with Scissors Day, both
activities are inherently unsafe, with the latter being significantly
safer based on a statistical analysis. The security of passwords, or
lack thereof, has advanced only marginally over the sixty-one years
since they were first implemented. It’s time for us to collectively
change the name of the day to World Passwordless Day and commit to
eliminating passwords entirely.”
Dave Cundiff, CISO, Cyvatar
“As
it has become apparent through the years that passwords alone would not
be sufficient to protect users and their data, multiple technologies
have emerged. One of the most ubiquitous and easiest to implement these
days is multi-factor authentication. Before mobile technology became so
widespread, MFA was enabled by hardware tokens you purchased from a
company and either entered a code or scanned a key or inserted a USB.
Now it can be as easy as having a code emailed to a different email
address or texted to your smart phone. This vastly improves the chances
of a user to not have their credentials compromised by eliminating the
single point of failure, the password.
Further, we have
additionally evolved to multiple biometric solutions such as fingerprint
scanners, facial recognition, and even keyboard/mouse biometric models.
A number of organizations require these types of security in addition
to passwords to provide a greater reliability. Biometric continuous
authentication systems like keyboard models monitor the typing styles of
the user and build a sophisticated model of how the user interacts with
their keyboard, what their typing style or cadence is and other data
points to be able to discern very quickly a difference between the
actual user and someone else. These methods will continue to improve in
reliability and accuracy as we move forward, hopefully one day making
the need for passwords as unnecessary as the early days of my childhood
playing games like Zork.”
Ismet Geri, CEO, Veridium
“Do you want to eliminate 80% of cyber attacks? Then kill the password.
We have all heard about the Colonial Pipeline attack that took down one of the largest fuel pipelines in the US and the T-Mobile breach of millions of customers’ data, just to name a few. All these attacks have in common the use of compromised credentials. Compromised passwords have been the root cause of 80% of these attacks. Google has warned that billions of passwords are available on the dark web; your passwords are probably already in use.
Authentication is the fundamental cornerstone for everything happening in our digital world, whether that is connecting to our social media, logging into our enterprise applications, making online purchases, executing financial transactions, … We have been dependent on shared secrets for authentication for many decades; we have depended for too long on the shortcomings of passwords.
This must change now! Our digital society can’t rely anymore on passwords, on shared secrets. Technologies for passwordless multifactor authentication are now robust, resilient, and well tested. Smartphones and desktops used in combination with biometrics such as fingerprint, facial recognition and behavioral analytics can be used to both onboard and authenticate users.”
Monti Knode, Director of Customer Success, Horizon3.ai
“The
movies typically frame hackers as underground, terrifying,
sneak-into-your-home types of criminals, but that’s not really the case.
The fact of the matter is that most attackers don’t hack in; they log
in. The password pandemic that plagues the technology world today is
rampant, but definitely fixable. How?
- First: take control. Having weak or default passwords such as ‘adminadmin’, ‘password1’ or even ‘P@$$w0rD’ leaves you with your pants around your ankles – exposed.
- Second, don’t reuse your passwords. Having one singular password for everything means that if one is successful or cracked, an attacker will attempt to reuse it and then your entire foundation comes crumbling down around you.
- Finally, aggressively seek out your weaknesses. One way to do this is autonomous pentesting. By continuously searching your network for paths and openings, you are proactively fighting against attackers.
Be your own hero this World Password Day by protecting your ‘crown jewels’.”
Lance Spitzner, Director of Security Awareness, SANS Institute
“Even
if you have the longest, most secure password in the world, if that
password is compromised cyber attackers have full access to your
account, system, and data. One of the most effective and proven
approaches for strong authentication is something called Multi-Factor
Authentication, or MFA. This way, if your password is compromised, your
account, system, and data are still safe as the other factor or factors
still protect you. MFA can include:
- A one-time, unique code sent to your mobile device via SMS text that is then used along with your password to authenticate and log in.
- An authentication mobile app (such as Google Authenticator) that generates the unique one-time codes for you. You download the mobile app to your mobile device, then to enable MFA for your accounts you sync the authentication app with each account. Some mobile authentication apps (like Microsoft’s Authenticator) also make it so that when you log into certain websites, instead of requiring a one-time use code, the website pushes an authentication request to your mobile app asking if that is you trying to log in.
- A physical device that connects to your laptop or computer and is registered with the websites you regularly log into. When the device is connected to your computer (via the USB port or connected via NFC technology) and you visit these websites, the device authenticates you.”
Lucia Milică, Global Resident CISO at Proofpoint
“Passwords
are one of the first critical barriers between a person, a threat actor
and a successful cyberattack. One of the most common mistakes that
people make is reusing the same ID/email address and password across
multiple sites and devices. Password reuse is exacerbated by the
increasing volume and success rates threat actors are reaping with
advanced credential phishing campaigns that use fake websites resembling
the login page of a legitimate online service to steal usernames and
passwords.
We recommend consumers use different passwords,
especially on critical financial and data-driven accounts. Be sure to
turn on multi-factor authentication (MFA) if available for as many
accounts as possible. If MFA is not an option for the account, use a
password manager. A password manager creates randomized passwords that
are safely stored, encrypted, and accessible across all personal devices
and reduces the burden of trying to remember complicated login
credentials across multiple websites. If you use a passphrase as part of
your password, make sure you never use common words or phrases, names
or dates associated with you or direct family members. It’s also best to
change all passwords twice a year and change business passwords every
three months.
Since 95% of cybersecurity issues can be traced
to human error, it remains important for businesses to implement a
people-centric approach to security. Ensure that both your remote and
in-office employees receive training and education on basic
cybersecurity best practices, including how to identify a credential
phishing attempt and how to securely manage passwords.”
Matt Middleton-Leal, Managing Director Northern Europe, Qualys
“Passwords
have been around for years, and they will continue being used. Why?
They are an extremely simple approach to enforce some degree of security
that works when everything around it is done correctly.
The
challenge with passwords is that they have become increasingly complex
to manage sufficiently, due in part to the sheer number of accounts that
users hold. The rules around passwords can make them harder for people
to remember, so they either re-use one password for multiple accounts or
write them down. Equally, best practices for secure passwords can be
missed. Take something like enforcing a limit to the number of times
users can attempt to enter a password so that attackers can’t use
dictionary attacks or password libraries to brute force their way in.
This might be obvious for applications that are customer-facing, but
those rules should also apply to internal applications or cloud services
too.
In today’s world, passwords alone are not enough to keep IT
access secure. As such, tools like multi-factor authentication (MFA) –
which requires users to provide two or more verification factors to gain
access to a resource – have become available to further improve
security hygiene. Companies, no matter the industry or size, must
recognise the value of strong security and doing the small things, like
implementing MFA, right.
What can companies be doing to improve
password hygiene? For starters, ensure that users cannot use a simple
dictionary word as their password, and enforce different controls so
they cannot re-use the same password multiple times. It is important to
apply rules on length of passwords and the variety of characters used,
in addition to looking out for poor security practices such as missing
MFA or lack of role-based access control.”
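Both Neil Jones's "account lockout requirements" bullet earlier on this page and the attempt limit Matt Middleton-Leal describes above come down to the same control: count failed logins per account and refuse further attempts once a threshold is hit. The block below is an added example, not code from Egnyte or Qualys; `LoginThrottle`, `attempt_login` and the constructed event sequence are assumptions. It uses a time-limited lockout rather than a permanent one, so a flood of bad guesses against a victim's account denies service only for a bounded period.

```python
"""Failed-login throttling with a time-bounded lockout. Added example; the class,
function names and sample events are constructed for this illustration."""
import time
from collections import defaultdict


class LoginThrottle:
    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900,
                 window_seconds: int = 900, clock=time.time):
        self.max_failures = max_failures      # failures that trigger a lockout
        self.lockout_seconds = lockout_seconds
        self.window_seconds = window_seconds  # only failures this recent count
        self.clock = clock                    # injectable for testing
        self._failures = defaultdict(list)    # account -> timestamps of recent failures
        self._locked_until = {}               # account -> time the lockout expires

    def is_locked(self, account: str) -> bool:
        now = self.clock()
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                      # lockout expired: start counting afresh
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str) -> bool:
        """Returns True when this failure pushes the account into lockout."""
        now = self.clock()
        cutoff = now - self.window_seconds
        recent = [t for t in self._failures[account] if t > cutoff]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password_ok: bool) -> str:
    """Gate the password check behind the throttle; a locked account is refused
    even when the password is right, which is what stops a dictionary run."""
    if throttle.is_locked(account):
        return "locked"
    if password_ok:
        throttle.record_success(account)
        return "ok"
    return "locked" if throttle.record_failure(account) else "denied"


class FakeClock:
    """Deterministic clock so the behaviour over time can be shown offline."""
    def __init__(self, start: float):
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def replay(events, throttle: LoginThrottle, clock: FakeClock):
    """Run constructed (delay, account, password_ok) events and return the outcomes."""
    outcomes = []
    for delay, account, ok in events:
        clock.advance(delay)
        outcomes.append(attempt_login(throttle, account, ok))
    return outcomes


if __name__ == "__main__":
    clock = FakeClock(1_000.0)
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60, clock=clock.now)
    # Constructed: three bad guesses against alice, then a correct password, then a retry later.
    sample = [(1, "alice", False), (1, "alice", False), (1, "alice", False),
              (1, "alice", True), (61, "alice", True), (1, "bob", False)]
    print(replay(sample, throttle, clock))
```

Returning "denied" and "locked" as distinct strings is fine internally, but the message shown to the end user should be identical in both cases so the lockout state does not leak which accounts are under attack.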
Tom Bridge, Principal Product Manager, JumpCloud
“Passwords
are ubiquitous for users, but are they effective? On their own, I would
argue no. While it is possible to put together password policies to
help users secure their access, passwords are not enough on their own.
It’s great to encourage users to adopt pass phrases or non-standard
formats that include multiple character types in order to have stronger
passwords in place, but this is not all that you should be doing to
improve both access and security.
Alongside raising awareness of
good password policy on this day, companies should think about identity
more generally too. This can make it easier to support your employees
around remote and hybrid work, as well as improving your work processes
overall. For small businesses, consolidating how you manage your users’
access and accounts can help you deliver the services that those users
need to work efficiently wherever and whenever they want.
To
achieve this, you should deploy multi-factor authentication alongside
any passwords that they use. This is an opportunity to look at other
ways to improve your efficiency around identity, like using single
sign-on to simplify the process. At the heart of authentication is how
you connect users to the services and applications that they need every
day, and how you can make work easier for them. Passwords and identity
management should not get in the way of how people work; they should
serve the business in making remote work happen more easily.
The
pandemic made remote work – and managing remote user identities – more
important to how work happens in business. This process has to continue,
so that businesses can keep the value from those changes.”
Brian Spanswick, Chief Information Security Officer, Cohesity
“With more than 22 billion connected devices online and cyber attacks on the rise, your data has never been at greater risk,” said Brian Spanswick, chief information security officer, Cohesity. “On World Password Day, it’s critical that IT managers, SecOps personnel, and, for that matter, all business workers, remember to prioritize password hygiene today and year-round. Using a password manager is an effective way to ensure secure passwords, and taking steps to choose a unique password that’s regularly updated and varied from device to device can mean the difference between a normal day and a devastating data breach — where you potentially not only expose your data, but put your company at risk as well.”
Greg Stuecklin, VP and GM of North America at WSO2
“Improved security is key to driving better digital experiences and gaining a competitive edge, according to 90% of the 500 IT decision-makers who participated in a recent survey sponsored by WSO2. So, on World Password Day, maybe it’s time to ask why we still require consumers to remember complex passwords instead of giving them easier, more secure alternatives.
Eliminating passwords altogether once sounded like a bold idea. That’s no longer the case, especially when you consider Verizon’s 2021 Data Breach Investigations Report (DBIR). It observed that vulnerabilities with credentials, like a username and password, accounted for over 84% of all data breaches.
Easier, more effective ways to authenticate users exist, and if companies are serious about security, those ought to take priority. Modern authentication measures replacing password log-ins include alternatives that apply the Fast ID Online 2.0 (FIDO2) standard to biometrics, security keys, and plug-in authenticators to uniquely identify consumers while providing a simple, single sign-on passwordless experience.
The other piece of the puzzle is multi-factor authentication (MFA), which can prevent up to 90% of security breaches. Many consumers already type in a verification code they’ve received in a text—or better and more secure via one-time-push (OTP)—as a second way to confirm their identity. Now imagine protection provided by combining a fingerprint or device ID with the code: fast, easy, and much harder to hack.
So, on World Password Day, let’s make a pledge to free consumers from passwords and instead give them advanced alternatives that make it easier than ever to protect their data and yours.”
Payal Chakravarty, Head of Product, Security & Risk at Coalition
“Poor cyber hygiene can lead to disastrous outcomes for organizations and yet, best practices are often ignored.
However, employees can and should take simple steps to proactively protect themselves and their companies from attacks. For example, by using unique, varied and strong passwords as well as multi-factor authentication (MFA).
Passwords are like physical keys, and these keys to the kingdom must be protected at all times. In terms of choosing the strongest password, there’s a misconception that using a mix of capital and lower-case letters, numbers and symbols is best practice. The fact is, hackers and the software they use know to guess with that in mind. Rather, a randomly-generated password or a long passphrase — something like MyFav0riteCak3IsChocolat3WithP3anutButt3rFr0st1ng! — would take thousands of years for an attacker to guess and is easier to remember.
Password managers are an effective way to manage all your passwords across devices with a single account. They offer features such as generating one-time password codes used in the MFA process, encrypted note-taking, and secure password sharing within your organization.
This World Password Day is a good reminder to make cyber hygiene a top priority, especially while most employees continue to work from home or in hybrid roles and thus, are more vulnerable to attacks.”
Geoff Bibby, SVP, OpenText
“World Password Day is an excellent time for individuals, channel partners and businesses to reflect on their current password practices and ensure they are building the safest habits to protect themselves and their company from cybercriminals. Many are under the assumption that if they are taking the steps to create unique passwords for each platform and application, they are secure. But it’s not enough.
The number of headline-grabbing breaches that have taken place over the last year highlight the critical need for safeguards across the entire company network. While there are a few different ways to protect login credentials beyond a simple username and password, one of the most popular and effective options is two-factor authentication (2FA). Implementing 2FA provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user’s phone, email address or through an authenticator app, after entering their username and password. It’s getting easier for cybercriminals to breach even the most complex password, which is why implementing 2FA is critical.
Email is a common point of attack because it often contains sensitive and valuable communications. Organizations should also consider implementing an email security solution that conducts a security audit to analyze its admins, users, mailboxes, and rules for vulnerabilities such as outdated passwords so they can be resolved before a breach happens. This is especially true for channel partners so that they can ensure the customers they support are protected against today’s cyberthreats and vulnerabilities. Organizations should use World Password Day to evaluate their internal Password Policies and send reminders to employees and customers alike about the importance of good password hygiene.”