The 7th of May marks World Password Day, which falls on the first Thursday in May each year and was introduced to raise awareness of password best practice and the need for strong passwords. Password security is an increasingly critical frontline defence for individuals and businesses alike, especially now that newly remote workers are logging in from home with extra authentication measures in place.
In light of World Password Day, we spoke with five industry experts to get their views on best password practices:
Password protection starts at home
“This year’s World Password Day feels especially significant as we see organisations wrestle with the logistics and cyber security implications of managing significant remote working deployments,” comments Andy Swift, Head of Offensive Security at Six Degrees. “We can all do ourselves a favour by utilising complex passwords, storing them appropriately, and backing them up with multi-factor authentication.
“We’re all expected to use incredibly complex passwords to keep our Personally Identifiable Information safe, and rightly so. But there’s no way we’ll remember them all without some help. Use a reliable password manager and resist the urge to go back to using ‘Monday1’ for everything. And remember that no matter how complex your password is, it is still susceptible to a brute force attack unless it is backed up by multi-factor authentication. So whenever you’re accessing a web application, a VPN through a laptop at home, or any point of contact between the internet and your IT infrastructure, make sure multi-factor authentication is in place to minimise the risk of illicit access and data breach.”
Practice good password hygiene
“We live in an age where breaches occur extremely frequently, and often large scale attacks are making headlines in mainstream media,” says Tim Bandos, VP Cybersecurity at Digital Guardian. “In addition to credit cards, email addresses and PII, password credentials have been highly sought-after by cybercriminals. Due to the high level of media stories about this, users have learned that it’s very important to practice good password hygiene, otherwise you’re putting sensitive accounts and credentials at risk. In addition, I believe the cybersecurity community has done a good job educating users on the importance of strong password hygiene, and users are starting to take it seriously.
“When it comes to boosting password hygiene statistics, users should avoid using any word in the dictionary as automatic tools can crack them within seconds. We really need to be thinking about which words/phrases/strings we should create to add additional complexity and make passwords harder to crack; yet easy enough to remember. Seemingly illogical strings of words or phrases (such as song lyrics) with numbers and special characters mixed in will make the password much harder to crack.
“Length also adds complexity, so a minimum of 10-15 characters is recommended as it would make it harder for an attacker to crack. CISOs can instill these as policies for password creation among their users, as well as enabling two-factor authentication for an additional layer of security. Leveraging tools like Password Managers can also aid in developing extremely complex credentials that don’t require the end user to remember every single one. These tools can auto-populate password field boxes with your passwords in a secure manner.”
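The policy described in the two quotes above (no dictionary words, a 10-15 character minimum, digits and special characters mixed in) can be enforced at password-creation time. The following is an added example and is not code from the article or from Digital Guardian; the 10-character floor, the tiny constructed word list, the leetspeak normalisation table and the rule that a dictionary word with a short digit or symbol suffix still counts as dictionary-based are all assumptions made for the demonstration.

```python
"""Password policy check modelled on the advice in the quotes above.

Added example, not the article's or any vendor's code. Assumptions: the
10-character hard floor, the 15-character soft recommendation, the tiny
constructed WORDLIST, and the leetspeak table used to unmask "p@ssw0rd".
"""
import string

MIN_LENGTH = 10          # lower end of the quoted 10-15 recommendation (assumption)
RECOMMENDED_LENGTH = 15  # upper end; only produces a soft finding

# Constructed stand-in for a real cracking wordlist; a deployment would load
# a large file of leaked passwords and dictionary words instead.
WORDLIST = {"password", "monday", "welcome", "letmein", "dragon", "summer", "qwerty"}

# Common substitutions cracking tools try automatically: undo them before lookup.
_LEET = str.maketrans("@$!013457", "asioleast")


def _dictionary_core(pw: str) -> str:
    """Strip the cheap decorations (trailing digits/symbols) and leetspeak."""
    core = pw.lower().strip(string.digits + string.punctuation)
    return core.translate(_LEET)


def is_dictionary_based(pw: str) -> bool:
    """True when the password is a wordlist entry, optionally decorated."""
    return _dictionary_core(pw) in WORDLIST


def check_password(pw: str) -> dict:
    """Return {'accepted': bool, 'findings': [...]}.

    Hard failures (too short, dictionary-based) reject the password; the other
    findings are advice the user sees but which do not block the change.
    """
    findings = []
    hard_fail = False

    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
        hard_fail = True
    elif len(pw) < RECOMMENDED_LENGTH:
        findings.append(f"shorter than the recommended {RECOMMENDED_LENGTH} characters")

    if is_dictionary_based(pw):
        findings.append("based on a dictionary word (with common substitutions undone)")
        hard_fail = True

    if not any(ch.isdigit() for ch in pw):
        findings.append("contains no digits")
    if not any(ch in string.punctuation for ch in pw):
        findings.append("contains no special characters")

    return {"accepted": not hard_fail, "findings": findings}


if __name__ == "__main__":
    for candidate in ["Monday1", "P@ssw0rd2020!", "wombat!Trombone7sky", "correcthorsebatterystaple"]:
        result = check_password(candidate)
        print(f"{candidate!r}: accepted={result['accepted']} findings={result['findings']}")
```

The interesting case is `P@ssw0rd2020!`: it satisfies a naive length-plus-character-class rule, yet it is rejected because the checker unmasks the substitutions and strips the suffix before looking the word up, which is exactly what an automated cracking tool does in its first seconds. A long lyric-style string with a digit and a symbol passes with no findings; a long passphrase without them passes but with advisory findings.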
“The number of large-scale data breaches and the fact that users regularly re-use passwords is a real issue for businesses today,” agrees Raif Mehmet, AVP EMEA at Bitglass. “Against this background, static passwords simply cannot provide effective corporate protection. Businesses are now turning to a range of dynamic authentication methods that can analyse baseline user activity to detect potential intrusions, suspicious behaviours, and anomalous actions. It is essential that this approach to user authentication can extend to all cloud applications too. For example, if a user logs into Office 365 from the UK and then shortly after logs into Salesforce from Germany, this should be flagged as anomalous activity. The IT teams should be notified and the user should be asked to re-authenticate.”
Keep updating your passwords
“Good password security practice is basic – but it remains a vital defence for organisations in the fight against cybercrime. Despite this, a recent survey by Specops Software revealed 38% of people never update their passwords, with a third using the same password for Netflix as they do for their Internet banking,” explains Agata Nowakowska, Area Vice President at Skillsoft. “While this is a risk for anyone on a personal basis, if this practice extends to someone’s workplace, they risk opening the organisation up to the potential of financial, regulatory and reputational damage as a result of a cyber attack – all that’s totally avoidable.
“In the modern threat landscape, businesses need to be better prepared for potential breaches, and this takes the right combination of security tools and training. You can’t stop breaches altogether, given the onslaught of new hacking tools and malware that are being created constantly. But you can mitigate the dangers by ensuring all employees have the basic training necessary to protect the organisation against common – and often simple – cyber threats. The answer lies in preparation; ensuring your workforce is well trained with up-to-date IT security practice will establish a baseline defence should an attacker take aim at your organisation – and that starts with good password practice.”
“World Password Day reminds us of just how critical it is to take every precaution to protect ourselves and our data,” concludes JG Heithcock, General Manager at Retrospect, a StorCentric company. “And certainly, a unique password is a great place to start, but you can’t stop there. Cyberthreats like ransomware are becoming increasingly pervasive, affecting homes and businesses alike. However, by proactively employing a data protection strategy that includes an effective and efficient backup solution, you will be able to thwart cybercriminals and ensure your data remains private, secure, accessible and recoverable.”