In these strange times, we all need something to celebrate, so happy World Password Day!
Intel started World Password Day in 2013 and the first Thursday in May has been used to promote good password practices ever since.
The need for strong passwords to protect personal data has been well-documented, with the 2019 Data Breach Investigations Report revealing that 80% of hacking-related breaches involve compromised and weak credentials.
But lately World Password Day has become the topic of considerable debate. Last year, some voices in the industry suggested that World Password Day 2019 should be the last, pointing towards an industry-wide move away from passwords and toward more risk-based authentication.
Several cybersecurity professionals have commented on the celebration of World Password Day – many advocate the use of password managers, and all of them agree that you should never, ever reuse the same password across different accounts.
Here’s some of their tips to brush up your knowledge of password hygiene best practices:
Niamh Muldoon, Senior Director of Trust and Security at OneLogin:
“Have you thought about how secure your remote working set up really is? According to a global survey from OneLogin, which surveyed remote workers from Germany, France, Ireland, the USA and UK, password best practices have not taken priority under the current spike in remote working, with 36% of global respondents admitting they have not changed their home WiFi password in more than a year, leaving corporate devices exposed to a potential security breach.
Working from home can often blur the line between work and leisure as many of share or use work devices outside of office hours and 1 in 5 global respondents admitted to sharing the password to their corporate device with a spouse or child. However, World Password Day today presents the opportunity to promote and implement good password habits, so I encourage everyone to take a look at their password hygiene. This could mean updating and strengthening the passwords which protect your personal information, utilising multi-factor authentication rather than single factor authentication such as a password, or simply updating the way you store your passwords in order to protect yourself from data breaches.”
Adam Palmer, Chief Cybersecurity Strategis at Tenable:
“Inspired by Mark Burnett’s book – Perfect Passwords, Intel took the initiative and introduced ‘World Password Day’ in 2013 to raise awareness to the importance of creating strong passwords – seven years later and it’s still a bone of contention! The sheer volume of stolen users’ passwords available for sale on the Dark Web highlights that the issue is less about creating strong passwords or phrases, and more about users creating unique codes for each online account to limit the damage from database breaches.
Every time a researcher with time on their hands searches through the stolen password databases, it reveals millions are still using 123456 as a password, so the chances of changing password behaviour is nothing short of a miracle.
Given the reliance on passwords doesn’t appear to be reducing, and if anything, our virtual identities are increasing, password managers that create and store complex passwords are essential. This year, as a spotlight is once again shone on passwords, instead of advocating complex recipes and codes, do yourself a favour and automate.”
Csaba Galffy, Product Marketing Manager of MFA and Password Management at One Identity:
“A compromised password is always costly – and the stakes are now higher than ever. Organisations finding themselves having to roll out remote access have effectively created a whole new attack surface. Potential attackers now don’t have to deal with the physical security of your office buildings, and as long as they have the correct login data, they can access the corporate network with all its riches. Considering the billions of login data stolen from various organizations in gigantic data breaches, we recommend changing passwords for all remote workers as the work-from-home program is rolled out.
Now is also the best time to implement the most recent updates in password policy guidelines. Industry recommendations, like the NIST-published Digital Security Guidelines and the Microsoft Security Baseline, now recommend dropping password expiration policies, removing complexity rules, and asking for longer passwords.”
Anthony Dickinson, CRO 2MC, a TUV Rheinland company:
“The best thing you can do is have a password manager and make sure you have a different password for every login. These should be at least 12 characters long with a combination of letters, numbers and symbols. While it will be impossible to remember all of these passwords, I recommend using the technological affordances granted to us by deploying a password manager. This means that your account will not suffer from brute force attacks – because random passwords are almost impossible to guess. Even if an account is breached, it will only be one account and not all of them. Too often consumers are using and reusing simple passwords, and this makes each of their incredibly vulnerable to cybercriminals.”
Rita Nygren, Business System Administrator, BI and Project Management at Tripwire:
“One of the means to foil password hackers is to take advantage of the hash algorithm. The algorithm is one-way (you can’t deconstruct it), and another characteristic is that changing a single character completely changes the result in a pretty unpredictable manner. The hashed result for “CorrectHorseBatteryStaple” (https://xkcd.com/936/) is completely different from “CorrectHorseBatteryStable.”
This means for your personal sites where your passphrase doesn’t change often, you can use a long passphrase that isn’t likely in a hacker’s dictionary and preface it with the site name – i.e. “SocialMediaJenny8675309” vs “WellsFargoJenny8675309.” The hash processing will see those as extremely unique and unrelated, but your memory lets you “reuse” your WellsFargo passphrase for Facebook.
Also, take care as to the prefix/suffix you use for your accounts. Humans are bad at randomizing, and computers are getting good at pattern recognition. If a future breach displays your passphrase for one site in plain text, consider if you are giving the hacker enough information to ‘guess’ what your passphrase would be on another site.”
Note: Don’t use the above example passphrases, the first lines of your favourite songs or anything from Shakespeare as passphrases. These common examples have all been coded into the hacker dictionaries, and you can count them as cracked. Having said that, the XKCD cartoon referenced above spurred the creation of this generator of random words that may be of use to you: http://correcthorsebatterystaple.net/.
Roger Grimes, data driven defense evangelist, KnowBe4:
“This World Password Day, let’s forget about the password. Hear me out: in so many years gone by, we’ve concentrated on the composition of the password and forget that it’s not really passwords that are the problem – it’s the behaviour that surrounds them. At the end of the day, password complexity only amounts for a small potential risk; whereas using the same password over and over, sharing it with friends and family or becoming a victim of social engineering have far wider consequences.
For years, many have speculated about the impending “password-less” era; but after 30 years of debating over this popular prophecy, I can assure you that passwords will continue to be in our conversations for at least another decade. If you do one thing this World Password Day, stop thinking about how you can make the most epic password in the history of passwords and instead, make all your passwords unique and store them securely with a password manager.”