Today is “World Password Day” and cybersecurity experts all across the globe are pointing out how bad our password habits still are. Here are some of the top tips they offer:
Dr. Torsten George, cybersecurity evangelist, Centrify:
Simple static passwords are not enough to secure anything, especially sensitive enterprise systems and data. With static passwords, how are you supposed to know if the user accessing data is the valid user or just someone who bought a compromised password from the 21 million that were revealed in the recent Collections #1 breach? You can’t trust a static password anymore, and every organization should adopt a mindset of “Never Trust, Always Verify, Enforce Least Privilege.”
Organisations must assume that bad actors are in their networks already. This World Password Day, I urge companies across all industries to move to a Zero Trust approach, powered by additional security measures such as Multi-Factor Authentication (MFA), the lowest hanging fruit for protecting against privileged access abuse.
Zero Trust Privilege helps enterprises grant least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. The idea is that for those accounts that have access to sensitive data, they should only be given the ‘least amount of privilege’ and only for just the period of time when it is needed, then removed. A Zero Trust Privilege stance ensures all access to services must be authenticated, authorised, and encrypted.
Zero Trust Privilege can help companies avoid becoming the next breach headline, including the brand damage, customer loss, and value degradation that typically comes with it.
Rajesh Ganesan, vice president, ManageEngine:
Passwords are the oldest, secure and convenient way to authoritatively establish identities. Their benefits far outweigh the limitations and hence the many attempts to eliminate them completely has failed time and again. A more pragmatic approach is to impart awareness about password hygiene to people, in much the same way as personal hygiene, where strong and healthy individuals lead to strong and healthy communities. In the business scenarios, the technology infrastructure offers varieties of methods for information access, often protected by different types of accounts having varied levels of access to information. These accounts are typically protected by passwords and for teams running IT, these passwords are the keys to the kingdom and it becomes one of their top priorities to fully understand the implications, devise a strategy and implement strong password management systems. ManageEngine understands the problems and the needs of IT teams around managing the different types of accounts and passwords and has crafted solutions to empower them to completely be in control of information security.
Michael Madon, SVP & GM security awareness, Mimecast:
The strongest password in the world still fails when you trick someone to type it into the wrong place.
Password re-use is the real enemy, especially across personal and work accounts. Password managers and multi-factor authentication increasingly have a role to play instead of asking for regular password changes that lead to additional bad behaviours.
This is why cybersecurity training needs to adapt to truly engage employees with a clear understanding of the risks and the important role each individual plays. Attitude needs to change from one of compliance to one of commitment where security is part of everyday life.
Lance Spitzner, Director Research & Community, SANS
There are really three key points to good password practice: long passwords; password managers; and two-step verification. The days of crazy, complex passwords are over. The key to passwords is to make them as long as possible. These are called passphrases, for example: Time for strong coffee! or lost-snail-crawl-beach. With over twenty characters, both of these are strong but easy to remember.
You also need a unique password for every account, which given the number of websites and services we sign up to that require a password, can make it impossible to remember. The answer to this is to use a password manager, a special computer program that securely stores all your passwords in an encrypted vault. That way, you only need to remember one password: the one for your password manager. The password manager then automatically retrieves your passwords whenever you need them and logs you in to websites for you.
The final step to safe password practice is to enable two-step verification wherever possible. This adds an additional layer of security by requiring you to have two things when you log in to your accounts: your password and a numerical code which is generated by your smartphone or sent to your phone. This process ensures that even if a cyber attacker gets your password, they still can’t get into your accounts.
It may sound silly, but these three simple steps will go a long way in protecting your job, your reputation, and your financial future.
Harish Chib, vice president, Middle East & Africa, Sophos
Passwords are an important aspect of computer security – they are the front line of protection for user accounts in a very wide variety of services and systems. This article provides a guide on the importance of complex passwords, how to create cryptographically strong passwords and reference links on creating passwords.
With a password you’re not only securing your vacation pictures at your home from sneaky attackers who can hold them to ransom from but also the company confidential data and the resources you are authorised for.
There are many different ways to create passwords, randomly generated by hand, randomly created by a program like a password vault, using your pet’s name + mother’s maiden name + birthday or even just picking random words you can memorise, but modifying them with letters and numbers.
Here’s how you can keep passwords secure: Never share your password with anyone in your office not even the IT service desk; never write your password down (this includes on paper, email, IM) except if using a secure encrypted password manager; never use Remember Passwords from search engines an email programmes; if your password is compromised, report it to IT and change all your passwords; lock your computer every time you leave your desk; and use unique passwords for different accounts. A secure password manager can help you remember your personal passwords.
Gavin Millard, VP of Intelligence, Tenable
World Password Day was originally introduced to raise awareness to the importance of creating strong passwords – so that worked! However, with the sheer volume of data breaches where users’ passwords are stolen and sold on the Dark Web, the is sue is less about creating strong passwords or phrases and more about educating people of the need for a unique code for each online account.
Considering millions are still using 123456 as a password, the chances of changing password behaviour is nothing short of a miracle. Instead, I advocate the use of password managers that create and store complex passwords, with some capable of alerting users when compromised passwords are found in data breaches. So on World Password Day, instead of improving your complex recipes for password success, do yourself a favour and automate.