Every year, the first Thursday of May is designated World Password Day. It is not exactly a cause for celebration, but the fact is that these little crypto keys, our first line of digital defence, may well be on their way out. For many of us this will come as a relief, considering that the effort of selecting a password and entering a mother’s maiden name and favourite pet frustrates even the most patient among us.
World Password Day was set up to warn the world that protecting passwords is crucial to preventing identity theft. However, accounts remain as vulnerable as ever; in fact, research shows that some of the most common passwords allow access to 98% of all accounts. Doubts are therefore being cast on the faithful old password’s ability to withstand sophisticated hacking techniques, and experts are of the opinion that static passwords are no longer safe, advising companies and individuals to adopt stronger data protection measures.
Gavin Millard, VP of Intelligence, Tenable, says: “World Password Day was originally introduced to raise awareness of the importance of creating strong passwords – so that worked! However, with the sheer volume of data breaches where users’ passwords are stolen and sold on the Dark Web, the issue is less about creating strong passwords or phrases and more about educating people about the need for a unique code for each online account.”
“Considering millions are still using 123456 as a password, the chances of changing password behaviour are nothing short of a miracle. Instead, I advocate the use of password managers that create and store complex passwords, with some capable of alerting users when compromised passwords are found in data breaches. So on World Password Day, instead of improving your complex recipes for password success, do yourself a favour and automate.”
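Millard mentions password managers that alert users when a stored password turns up in a breach. The following added example (not code from the article or from Tenable) shows the privacy-preserving way such a check is usually done: the client hashes the password locally and sends only the first five hex characters of the hash, so the lookup service learns neither the password nor its full hash. The breach corpus, the `range_query` server stub and the vault contents are all constructed here so the example runs offline; a real password manager would query a breach-notification service instead.

```python
import hashlib

# Constructed stand-in for a breach corpus: SHA-1 hashes of a few widely
# leaked passwords with made-up hit counts. A real password manager gets
# this from a breach-notification service; here it is built inline.
LEAKED_PASSWORDS = {"123456": 23_000_000, "password": 3_600_000, "qwerty": 3_900_000}
BREACH_CORPUS = {
    hashlib.sha1(p.encode()).hexdigest().upper(): n
    for p, n in LEAKED_PASSWORDS.items()
}


def range_query(prefix: str) -> dict:
    """Server side of a k-anonymity range lookup (stubbed locally).

    Given only the first 5 hex characters of a SHA-1 hash, return every
    hash suffix in the corpus that shares the prefix, with its hit count.
    The server never sees the full hash, let alone the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: n for h, n in BREACH_CORPUS.items() if h.startswith(prefix)}


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return range_query(prefix).get(suffix, 0)


def check_vault(vault: dict) -> list:
    """Return the names of vault entries whose password appears in the corpus,
    i.e. the accounts the manager should alert the user about."""
    return [account for account, pw in vault.items() if breach_count(pw) > 0]


if __name__ == "__main__":
    # Constructed vault contents for demonstration.
    sample_vault = {"mail": "123456", "bank": "Time for strong coffee!"}
    print("compromised accounts:", check_vault(sample_vault))
```

The important design point is that `breach_count` never transmits the password or its full hash; only `prefix` leaves the client, and the final comparison happens locally.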
Dr Torsten George, cybersecurity evangelist at Centrify, concurs. He says: “Simple static passwords are not enough to secure anything, especially sensitive enterprise systems and data. With static passwords, how are you supposed to know if the user accessing data is the valid user or just someone who bought a compromised password from the 21 million that were revealed in the recent Collections #1 breach? You can’t trust a static password anymore, and every organization should adopt a mindset of ‘Never Trust, Always Verify, Enforce Least Privilege.’”
George urges companies to move towards a ‘zero trust’ approach and adopt stronger cyber security measures. “Organizations must assume that bad actors are in their networks already. This World Password Day, I urge companies across all industries to move to a Zero Trust approach, powered by additional security measures such as Multi-Factor Authentication (MFA), the lowest hanging fruit for protecting against privileged access abuse.”
According to him, Zero Trust Privilege helps enterprises grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. The idea is that accounts with access to sensitive data should be given only the least amount of privilege, and only for the period when it is needed, after which it is removed. A Zero Trust Privilege stance ensures that all access to services must be authenticated, authorized, and encrypted. Zero Trust Privilege can help companies avoid becoming the next breach headline, including the brand damage, customer loss, and value degradation that typically come with it.
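The three checks George describes (who is asking, in what context, and how risky the environment is) plus the time-bound, single-scope grant can be expressed as a small policy evaluator. The following added example is not Centrify’s code or product logic; the scope names, risk levels, time-to-live table and the users `alice` and `bob` are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool      # "verifying who is requesting access"
    device_managed: bool    # "the context of the request"
    network_risk: str       # "the risk of the access environment": low/medium/high
    scope: str              # the single privilege requested, e.g. "db:write"


@dataclass
class Grant:
    user: str
    scope: str
    expires_at: float       # unix time; the privilege is removed after this
    revoked: bool = False

    def is_valid(self, now: float) -> bool:
        return not self.revoked and now < self.expires_at


# Assumed least-privilege catalogue: the most a user may ever hold.
ALLOWED_SCOPES = {"alice": {"db:read", "db:write"}, "bob": {"db:read"}}

# Assumed policy: shorter grants as risk rises, no grant at all on a high-risk network.
MAX_TTL_SECONDS = {"low": 3600, "medium": 900}


def evaluate(req: AccessRequest, now: float) -> Optional[Grant]:
    """Issue one time-boxed scope only when identity, context and risk all check out."""
    if not req.mfa_verified:          # a bare password is never trusted
        return None
    if not req.device_managed:        # unknown device: deny, regardless of password
        return None
    ttl = MAX_TTL_SECONDS.get(req.network_risk)
    if ttl is None:                   # high (or unknown) risk: no grant
        return None
    if req.scope not in ALLOWED_SCOPES.get(req.user, set()):
        return None                   # never more than the catalogue allows
    return Grant(user=req.user, scope=req.scope, expires_at=now + ttl)


def authorize(grant: Optional[Grant], user: str, scope: str, now: float) -> bool:
    """Every access re-checks the grant: right user, right scope, inside the window, not revoked."""
    return (
        grant is not None
        and grant.user == user
        and grant.scope == scope
        and grant.is_valid(now)
    )


if __name__ == "__main__":
    t0 = 1_000_000.0
    g = evaluate(AccessRequest("alice", True, True, "low", "db:write"), t0)
    print("write allowed now:", authorize(g, "alice", "db:write", t0 + 10))
    print("write allowed after an hour:", authorize(g, "alice", "db:write", t0 + 3600))
```

Note that `authorize` is called on every access rather than once at login: that is what turns a one-off check into the continuous verification the quote calls for.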
Lance Spitzner, Director, Research and Community, SANS Institute, offers tips for good password practice. He is of the opinion that long passwords, password managers and two-step verification can all help to strengthen the password’s defence mechanism. “There are really three key points to good password practice: long passwords; password managers; and two-step verification. The days of crazy, complex passwords are over. The key to passwords is to make them as long as possible. These are called passphrases, for example: ‘Time for strong coffee!’ or ‘lost-snail-crawl-beach’. With over twenty characters, both of these are strong but easy to remember.”
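To see why length wins over complexity, the following added example (not from the article or SANS) estimates the guessing work for Spitzner’s two passphrases under two attacker models: one that guesses character by character from the character pools in use, and a pessimistic one that knows the passphrase is built from common words. The pool sizes follow Python’s `string` constants, the 7776-word dictionary size is the Diceware list, and the guess rate of ten billion per second is an assumed figure for a fast offline cracking rig.

```python
import math
import string


def charset_size(password: str) -> int:
    """Size of the union of standard character pools touched by the password."""
    pools = [
        string.ascii_lowercase,        # 26
        string.ascii_uppercase,        # 26
        string.digits,                 # 10
        string.punctuation + " ",      # 32 symbols plus space = 33
    ]
    return sum(len(pool) for pool in pools if any(c in pool for c in password))


def brute_force_bits(password: str) -> float:
    """Bits of work for an attacker guessing character by character."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(words: int, dictionary_size: int = 7776) -> float:
    """Bits of work if the attacker knows it is `words` words from a known list.
    This is the conservative floor for a passphrase."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to try every possibility at the assumed guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["Time for strong coffee!", "lost-snail-crawl-beach", "P@ssw0rd"]:
        bits = brute_force_bits(pw)
        print(f"{pw!r}: {len(pw)} chars, pool {charset_size(pw)}, "
              f"{bits:.1f} bits, {years_to_exhaust(bits):.3g} years")
    print(f"4 dictionary words, attacker knows the list: {wordlist_bits(4):.1f} bits")
```

Under the character model the two passphrases sit near 130 and 147 bits against roughly 53 bits for an eight-character ‘complex’ password (`P@ssw0rd` is a constructed stand-in). Even in the pessimistic dictionary model, four common words give about 52 bits, matching the complex password while being far easier to remember, and every extra word adds another 13 bits.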
“You also need a unique password for every account, which given the number of websites and services we sign up to that require a password, can make it impossible to remember. The answer to this is to use a password manager, a special computer program that securely stores all your passwords in an encrypted vault. That way, you only need to remember one password: the one for your password manager. The password manager then automatically retrieves your passwords whenever you need them and logs you in to websites for you,” he adds.
“The final step to safe password practice is to enable two-step verification wherever possible. This adds an additional layer of security by requiring you to have two things when you log in to your accounts: your password and a numerical code which is generated by your smartphone or sent to your phone. This process ensures that even if a cyber attacker gets your password, they still can’t get into your accounts. It may sound silly, but these three simple steps will go a long way in protecting your job, your reputation, and your financial future,” Spitzner says.
For those of us who have no complex data to protect, just emails and a few pictures: keep changing passwords regularly, mix and match letters and numbers, and do not take password shortcuts to save a few seconds in your digital journey. So, Happy Password Day, stay safe!