In recognition of this year’s World Password Day, five cybersecurity experts have shared their advice for strengthening password security
Passwords are critical gatekeepers to our digital identities: securing online work and private life communications. However, with hundreds of passwords required day-to-day, many people rely on memorable words or dates such as a pet’s name, anniversary, or even ‘password’ itself. Using easy-to-remember passwords may save time, but it also makes personal data vulnerable to threat.
World Password Day is a timely reminder for people to review their password habits and address the need for strong password hygiene. Organisations, too, will benefit from better password security education – as most data breaches and cyber attacks are the result of weak password security.
Remote working calls for strengthened password security
This World Password Day, it’s important to think about how crucial it is to change and update passwords frequently, especially in current circumstances. Steve Nice, Chief Security Technologist at Node4, comments:
“One of the biggest threats to IT security is ‘shadow IT’ – where the security team has limited or no visibility into the applications and tools employees are using. Many employees will be deploying remote collaboration tools independently of their organisation’s IT departments and these are not subject to the same due diligence and testing that would normally be undertaken. This means security, data sovereignty, compliance and retention are all outside of the organisation’s control.
“Once we all get back to working ‘normally’ in offices again, many of these collaboration applications will be forgotten, and this poses new security problems. Many of these apps will not be updated again and will, therefore, be vulnerable for exploitation by hackers. On top of this, login credentials – which will likely include easy-to-guess passwords anyway – may get compromised and be utilised for other attacks, such as phishing.”
Sacha Giese, Head Geek at SolarWinds, also warns of the increased security threat as a result of a nationwide shift to remote working:
“The sudden increase in the number of remote workers has been accompanied by a spike in phishing scams and spam attacks as hackers ruthlessly use the COVID-19 crisis to their advantage. In the public sector—as in every sector—IT pros have to contend with keeping stressed IT systems functioning while working from home, and now this dramatic surge in cybersecurity threats as well.
“But in the face of such adversity, the simplest measures, such as password protection, can often prove the most effective. At times like this, remember passwords act as vital gatekeepers to the most sensitive data. Strengthening password habits such as regularly changing them and using two-factor authentication (2FA) makes it harder for hackers to gain access to data and information. For the public sector, 2FA is a very effective additional layer of security that requires not just a username and password, but also something completely unique to that user, whether it be a piece of information or a physical token. It’s based on the concept that only those users will gain access based on something they know (knowledge) and something they have (possession). Such a system makes it much more resistant to attack, and in our current times, is reassuring for both system administrators and the public.”
A strong password is only the first line of defence
For individuals seeking to protect their personal information and secure their online accounts, a strong password is a critical first line of defence. “But, if you are a commercial, nonprofit or government organisation, a password, regardless of how unique or how often it is updated, will barely scratch the IT security surface,” argues Mihir Shah, CEO, Nexsan, a StorCentric company.
“The only true protection for an organisation’s high-value data is to aggressively lock it down using a hardened storage solution that has been engineered with the understanding that attempts at corruption or deletion can come from anyone, anywhere and at any time. The solution must be capable of recognising and rejecting every such attempt, regardless of whether it’s from a virus, ransomware, spyware, user mistakes, software error – or a new threat that hasn’t even been discovered yet.”
However, Sam Humphries, Security Strategist at Exabeam, advises even if attackers are able to access your network, your hope of identifying them is not lost:
“Credentials are key and it can be a huge problem for security teams once an attacker is undercover in the network, using valid credentials to look just like a legitimate user.
“Even if attackers are able to access your network undetected – under the guise of an employee with legitimate access and valid credentials – your hope of identifying and stopping them is not lost. Being able to understand the normal behaviour of the users and devices that access your network is vital – if you can do this, you can more easily spot when behaviour deviates from this baseline.
“This is why behavioural analytics has grown so quickly in recent years. It just takes one gap for an attacker with valid credentials to break through. When this happens, the ability to spot behavioural anomalies quickly is the best way to protect your organisation.”
Tips and tricks for tightening password hygiene
As the COVID-19 crisis continues, so too does the spike in phishing scams and spam attacks on remote workers as hackers relentlessly use it to their advantage. Wieger van der Muelen, Global IT-Security Manager / CISO at Leaseweb Global explains:
“Not only are workers having to adapt to working from home full-time, but the IT teams of the organisations they belong to must contend with adapting current IT systems to fit with a home environment. It is at times like these – more so than usual – that it is vitally important that simple security measures are followed. Simple yet effective steps like ensuring passwords are suitably protected spring to mind. Regularly updating passwords, having different ones for different applications stored in a password manager, and two-factor authentication are all practical steps towards making it much more difficult for hackers to infiltrate information. While the chaos around COVID-19 ensues, with all of its social and financial pressures, the last thing a company wants is to fall prey to a ransomware or phishing attack. By acting smart now, we can all avoid that risk.”
To conclude, Jay Ryerse, VP of Cybersecurity Initiatives at ConnectWise, offers his own tips for strengthening password hygiene:
“Passwords are often associated with inconvenience – and for good reason. Employees and consumers alike are overwhelmed by the thought of remembering login details for 100-200 websites and making them difficult for bad actors to guess. That’s why this World Password Day, it’s important to look at the practical solutions to this impractical problem, accelerated by more and more aspects of our lives going online.
“To ensure your personal and work-related accounts, as well as the sensitive data residing within them, remain secure:
Use a password manager…but do your research. Some have been breached in the past, and you want to make sure your choice is reliable, safe and up to date
Use a different, complex password for every website. This reduces your risk of credential stuffing attacks, where hackers take login details harvested from breached websites to log into users’ accounts on other, unaffected sites. A password manager makes this process much easier as it will create lengthy, unique passwords for each site
Remember that the longer the password, the longer it takes for digital adversaries to crack it, thus deterring successful brute force attacks
Avoid overused practices like adding an exclamation point at the end, including phrases associated with family or pets, or using incremental numbers. Hackers use these well-known patterns to guess your password, and you’ll just make their jobs easier
Give only fake answers to security questions that would help you recover your password, so hackers cannot mine that information from snooping on you online. One example would be your mother’s maiden name. With some social media searching, this would be easy to identify, so choose a made up name only you would know
Implement multi-factor authentication wherever available to create extra hurdles for cybercriminals
“There will always be varying degrees of account compromise. If someone hacked my LinkedIn, they might post something embarrassing, but it’s easy to change the password and regain control. However, if they broke into my online bank account or used my credit card on Amazon to rack up charges, we’d be looking at significant damage.”
Passwords are fundamental to our personal and professional security and privacy. However, many individuals still seem numb to the risks that weak passwords pose – continuing to use memorable or similar passwords out of convenience. World Password Day reminds us of the importance of strengthening password defences. By following a few simple password practices, we can bolster online security and keep ourselves secure from outsider threats.