Weak passwords can cause businesses and individual consumers a real headache. Business Reporter asked several leading experts for their advice on keeping safe with passwords.
Passwords are the gatekeepers of our digital identities, securing both our work and our private communications online. With hundreds of accounts to remember credentials for, however, many people fall back on weak passwords or reuse the same password across multiple accounts.
This is a persistent source of security problems. The two most common passwords of 2020, ‘12345’ and ‘123456789’, are estimated to take an attacker only seconds to crack, and once one account falls, the stolen login or financial details can be tried against every other service the victim uses, a technique known as credential stuffing.
With some 80% of hacking-related breaches in 2020 involving stolen credentials or passwords guessed by brute force, the cost of poor password security can be enormous. We spoke to five security experts to learn how consumers and businesses alike can clean up their act and practise effective password hygiene.
“Here’s a riddle for you: what’s the one thing we all have, all hate and never remember?” questions Wes Spencer, CISO, Perch Security, a ConnectWise Solution. “Yep, a password.
“Isn’t it ironic that in 2021, we’re still using one of the most broken systems for authentication ever? Even Julius Caesar hated passwords and preferred his own cipher to communicate instead.
“Why is this? Well, passwords are like underwear. You see, you should never share them, never hang them on your monitor, and honestly, no one should ever see them. So how do we go about living in a password-required world? First, remember that long passwords are always better than complex ones. This is because the human brain is hardwired to be extremely poor at creating and remembering complex passwords. In fact, a long 16-digit password is far more secure than a short 8-character complex password.
“Second, never reuse a password. Ever. Most successful breaches occur when a stolen password from one platform is leveraged against another system that shares the same password. At Perch Security, we’ve dealt with many breaches that occurred this way. It’s a true shame. The best way to avoid this is by using a reputable password manager and keeping it locked down. The password manager can handle the creation, storage and security of every password you use.”
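To put numbers on the “long beats complex” point and the password-manager advice above, here is an added example (not Wes Spencer's or Perch Security's code). It computes the entropy and expected offline cracking time of the two passwords from the quote, generalises the calculation to random passphrases, and shows the uniform random generation a password manager performs. The guess rate of 1e11/s and the short word list are constructed for illustration; the entropy formula only holds for passwords chosen at random, which is exactly why a manager's generator is preferable to a human-chosen phrase.

```python
"""Added example, not Wes Spencer's or Perch Security's code: put numbers on
"long beats complex" and show how a password manager's generator sidesteps the
problem. The guess rate and the small word list are constructed for illustration."""
import math
import secrets
import string

LOWER = string.ascii_lowercase                                         # 26 symbols
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# A real password manager ships a list of thousands of words; this one is constructed.
WORDS = ["anvil", "bishop", "cactus", "dune", "ember", "falcon", "glacier", "harbor",
         "ivory", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pylon"]


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols each drawn uniformly from `charset_size`.
    Only valid for random choice: a human-picked 16-character phrase of dictionary
    words has far fewer bits than this formula suggests."""
    return length * math.log2(charset_size)


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy of `n_words` words drawn uniformly from a list of `list_size` words."""
    return n_words * math.log2(list_size)


def crack_seconds(bits: float, guesses_per_second: float = 1e11) -> float:
    """Expected time to hit the password, assuming half the keyspace is searched.
    1e11 guesses/s is a constructed figure for an offline attack on a fast hash."""
    return 2 ** bits / 2 / guesses_per_second


def compare_quote() -> dict:
    """The two passwords from the quote above: 16 lowercase letters versus
    8 characters drawn from the full printable set."""
    long_bits = entropy_bits(len(LOWER), 16)
    short_bits = entropy_bits(len(PRINTABLE), 8)
    return {
        "long16_bits": round(long_bits, 1),
        "short8_bits": round(short_bits, 1),
        "long16_years": round(crack_seconds(long_bits) / 3.156e7),
        "short8_hours": round(crack_seconds(short_bits) / 3600, 1),
    }


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """What a password manager does: uniform random choice from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int = 5, words: list = WORDS) -> str:
    """Memorable variant; its strength is set by the list size, not by word length."""
    return "-".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    print(compare_quote())
    print(generate_password(), "|", generate_passphrase())
    print("5 words from a 7,776-word list:", round(passphrase_bits(5, 7776), 1), "bits")
```

With these assumptions the 16-letter password has about 75 bits of entropy and would take on the order of thousands of years to crack, while the 8-character “complex” one has about 52 bits and falls in under a day. Note the other side of the calculation: five words from the 16-word list above give only 20 bits, whereas five from a 7,776-word list give about 65, so a passphrase is only as good as the list it is drawn from.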
“Passwords remain one of the biggest challenges for both consumers and businesses around the world,” agrees Joseph Carson, CISSP, chief security scientist & advisory CISO at ThycoticCentrify. “Thanks to the SolarWinds security incident in late 2020, we were all reminded that a poor password choice can not only impact your own organisation but all connected organisations as well. This was likely one of the biggest supply chain cyber-attacks in history — all stemming from poorly-created passwords.
“If you are a consumer, start by using a password manager today. If you are a business leader, you should move beyond password managers straight into privileged access security. Rotating and choosing passwords is one of the biggest causes of cyber fatigue, so organisations can reward employees with privileged access security solutions that will eliminate one of their biggest work headaches and introduce security solutions that they will want to use.”
Keeping up with the credentials
Good password hygiene is more important than ever as organisations grapple with the new reality of ‘work from anywhere’ and the rapid adoption of hybrid working. “Cyber-criminals will capitalise on any opportunity to collect credentials from unsuspecting victims,” notes Ralph Pisani, president of Exabeam. “Just recently, scammers began preying on people eagerly awaiting vaccinations or plans to return to the office as a means to swipe their personal data and logins, for instance.
“The most common attack technique that I often see in the breach reports that I read is stolen credentials. This is a never-ending battle between the security industry and cyber-criminals, but there are ways organisations can protect themselves against credential theft.
“Through a mix of educating staff on complex password best practices, security awareness training and investing in machine learning-based security analytics tools, organisations can make it much more difficult for digital adversaries to utilise their employees’ usernames and passwords for personal gain. Behavioural analytics tools can swiftly flag when a legitimate user is exhibiting anomalous behaviour indicative of compromised credentials. This approach provides greater insights to SOC analysts about both the impacted and malicious user, which results in a faster incident response time and the ability to stop adversaries in their tracks, before they can do damage.
“The pandemic increased the velocity of digital transformation, and cyber-criminals are clearly becoming more advanced in parallel. We must stay hyper-vigilant in protecting credentials.”
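As an added illustration of the kind of signal behavioural analytics tools look for (this is example code, not Exabeam's or Ralph Pisani's), the following script runs two simple detections over constructed authentication log lines: a source IP failing against several distinct accounts inside a short window (password spraying or credential stuffing), and a user succeeding from a country they have never logged in from before. The log format, addresses, countries and thresholds are all assumptions; a production system would baseline many more attributes (device, hour of day, ASN) and weight them, but the structure is the same.

```python
"""Added example, not Exabeam's or Ralph Pisani's code: two simple detections
for compromised-credential activity run over constructed authentication log
lines. The log format, IPs, countries and thresholds are all assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: a normal morning, then one source IP trying several
# accounts in quick succession and finally succeeding against `dave`.
SAMPLE_LOG = """\
2021-03-02T09:00:00Z user=alice ip=198.51.100.7 country=GB result=OK
2021-03-02T09:05:00Z user=bob ip=198.51.100.8 country=GB result=OK
2021-03-02T09:06:00Z user=dave ip=198.51.100.9 country=GB result=OK
2021-03-02T10:00:01Z user=alice ip=203.0.113.5 country=RU result=FAIL
2021-03-02T10:00:02Z user=bob ip=203.0.113.5 country=RU result=FAIL
2021-03-02T10:00:03Z user=carol ip=203.0.113.5 country=RU result=FAIL
2021-03-02T10:00:04Z user=dave ip=203.0.113.5 country=RU result=OK
2021-03-02T11:00:00Z user=alice ip=198.51.100.7 country=GB result=OK
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) country=(\S+) result=(OK|FAIL)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    ip: str
    country: str
    result: str


@dataclass(frozen=True)
class Alert:
    kind: str
    user: str      # empty for source-level alerts
    ip: str
    detail: str


def parse_log(text: str) -> list:
    """Parse the assumed key=value line format, skipping lines that do not match,
    and return events in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, *m.groups()[1:]))
    return sorted(events, key=lambda e: e.ts)


def detect_spray(events, min_users: int = 3, window=timedelta(minutes=10)) -> list:
    """Password spraying / credential stuffing: one source IP failing against
    at least `min_users` distinct accounts inside a sliding time window."""
    by_ip = defaultdict(list)
    for e in events:
        if e.result == "FAIL":
            by_ip[e.ip].append(e)          # events are already time-ordered
    alerts = []
    for ip, fails in by_ip.items():
        start = 0
        for end, e in enumerate(fails):
            while e.ts - fails[start].ts > window:
                start += 1
            users = sorted({f.user for f in fails[start:end + 1]})
            if len(users) >= min_users:
                alerts.append(Alert("spray", "", ip, ",".join(users)))
                break                      # one alert per source is enough
    return alerts


def detect_new_country(events) -> list:
    """Behavioural baseline: flag a successful login from a country the user
    has never succeeded from before. Users with no history are not flagged,
    so a new hire's first login does not page the SOC."""
    seen = defaultdict(set)
    alerts = []
    for e in events:
        if e.result != "OK":
            continue
        if seen[e.user] and e.country not in seen[e.user]:
            alerts.append(Alert("new_country", e.user, e.ip, e.country))
        seen[e.user].add(e.country)
    return alerts


def run(text: str = SAMPLE_LOG) -> list:
    events = parse_log(text)
    return detect_spray(events) + detect_new_country(events)


if __name__ == "__main__":
    for a in run():
        print(a)
```

On the sample log the spray detector fires once for 203.0.113.5 (alice, bob and carol within three seconds) and the baseline detector fires once for dave's success from RU; an analyst sees both the impacted user and the malicious source, which is the pairing the quote above describes. Raising `min_users` to 4 silences the spray alert, which is the usual tuning knob against noisy shared NAT addresses.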
“While a lot of the coverage about passwords focuses on business users, it’s really important not to overlook children and teens in this discussion,” adds Tim Bandos, CISO at Digital Guardian. “They will typically make some of the same types of common mistakes as adults when creating and using online passwords, but there are several that stand out the most for this age group.
“One of the worst is sharing credentials with friends, boyfriends/girlfriends, etc. At that age, relationships tend to be shorter in duration and some kids end up using the shared access against each other such as posting inappropriate messages on social media accounts or conducting surveillance over account activity. This type of password-sharing behaviour may even stem from early childhood when parents would share their credentials with their kids for accessing devices or online sites. This should be avoided at all costs.”
Top password tips to remember
Recently, one of the largest data dumps in history, referred to as COMB (Compilation of Many Breaches), exposed an astronomical 3.2 billion passwords linked to 2.18 billion unique email addresses. “This is frightening news for all of us,” highlights Neil Jones, cyber-security evangelist at Egnyte, “but it’s particularly worrisome for IT leaders. So many of them are kept up at night with a gnawing concern: How do I manage the growing risk of data breaches, with a large proportion of my employees working remotely?
“Remote work can lead to employees accessing unsanctioned devices, apps and networks, particularly when they experience issues with work-related IT resources. This broadens the attack surface for bad actors and leaves few checks in place for careless behaviour that can result in data leaks.”
He concludes by sharing some “practical steps that you can take to protect your valuable information, while embracing today’s work-from-home environment:
- Educate your employees on password safety. Teach your users that commonplace passwords such as “123456,” “password” and their pets’ names can put your data and their personal reputations at risk. Remind users that passwords should never be shared with anyone.
- Institute two-factor authentication. IT administrators should require additional login credentials during the users’ authentication process, to prevent potential account breaches. This can be as simple as a user providing their password, then entering an accompanying numeric code from an SMS text.
- Set passwords for personal devices. Personal devices are on the rise in a remote-work environment and are particularly vulnerable to data theft, so encourage your employees to password-protect them.
- Change your Wi-Fi password regularly. Remember that potential hackers are often working from home, just like us. If you haven’t updated your Wi-Fi password recently, do it immediately.
- Establish mandatory password rotations. Greatly reduce exploitation of default and easily-guessable employee credentials by making your employees change their passwords regularly.
- Update your account lockout requirements. Prevent brute force password attacks by immediately locking out access points after several failed login attempts.”
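Two of the tips above, the second factor and the account lockout, are mechanical enough to show in code. The following is an added example (not Egnyte's or the article's code) of a minimal login gate that requires a password plus a six-digit code and locks the account after repeated failures. The code is a TOTP value (RFC 6238, the standard behind authenticator apps) standing in for the SMS code the tip mentions; the user store, salt, PBKDF2 parameters and thresholds are constructed for illustration.

```python
"""Added example, not Egnyte's or the article's code: a minimal login gate
combining a second factor (TOTP, RFC 6238, in place of the SMS code the tip
mentions) with a lockout after repeated failures. User store, salt, hashing
parameters and thresholds are constructed for illustration."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current step and +/- `skew` neighbours to tolerate clock drift;
    compare in constant time so the check itself does not leak matching digits."""
    return any(hmac.compare_digest(totp(secret, at + d * step, step), code)
               for d in range(-skew, skew + 1))


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: bytes
    failures: int = 0
    locked_until: int = 0


class LoginGuard:
    """Password + TOTP check with lockout after `max_failures` bad attempts."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.accounts = {}                    # user -> Account (constructed in-memory store)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, user: str, password: str) -> bytes:
        """Store a salted hash and return the TOTP seed to enrol in the user's app."""
        salt = secrets.token_bytes(16)
        seed = secrets.token_bytes(20)        # 160-bit seed, shared with the authenticator
        self.accounts[user] = Account(salt, self._hash(password, salt), seed)
        return seed

    def attempt(self, user: str, password: str, code: str, now: int) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            self._hash(password, b"\x00" * 16)  # same cost, so unknown users are not distinguishable by timing
            return "fail"
        if now < acct.locked_until:
            return "locked"                   # refuse before checking anything: guesses get no signal
        pw_ok = hmac.compare_digest(self._hash(password, acct.salt), acct.pw_hash)
        code_ok = verify_totp(acct.totp_secret, code, now)
        if pw_ok and code_ok:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked_until = now + self.lockout_seconds
            acct.failures = 0
        return "fail"                         # one generic failure whichever factor was wrong


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=900)
    seed = guard.register("alice", "correct horse battery staple")
    for t in (1000, 1001, 1002):
        print(guard.attempt("alice", "guess", "000000", t))       # fail, fail, fail -> locked
    print(guard.attempt("alice", "correct horse battery staple", totp(seed, 1003), 1003))  # locked
    print(guard.attempt("alice", "correct horse battery staple", totp(seed, 1902), 1902))  # ok
```

Two design points worth noting: the lockout check runs before the password is even hashed, so a locked account gives an attacker no information about whether their guess was right, and both factors are evaluated before a single generic “fail” is returned, so the response does not reveal that the password was correct and only the code was wrong. The HOTP/TOTP functions can be checked against the published RFC 4226 test vectors (seed `12345678901234567890`, counter 0 gives `755224`, counter 1 gives `287082`). An app-generated TOTP is also preferable to the SMS code in the tip because it is not exposed to SIM-swap or SS7 interception.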