Industry experts have been sharing their views on passwords and password security to mark World Password Day.
Here’s what they had to say…
Cindy Provin, CEO, nCipher Security
Whether we’re accessing our emails, checking our bank accounts or paying our bills, passwords remain at the forefront of our identification. However, as long as we still rely on passwords as a means of accessing our most important information and applications, so will cybercriminals.
This tsunami of passwords that now exists across every aspect of our digital lives – both personally and professionally – has left us drowning in information that we are struggling to secure. With a thriving underground industry of hackers going to extreme lengths in order to get their hands on these credentials, both businesses and consumers need to be doing more to minimise the dependence and exposure of passwords.
For organisations, this means implementing techniques such as certificate based authentication or transparent database encryption to ensure passwords are as secure as possible. For consumers, it requires using a variety of unique and random passwords for every different application or website. It also involves an understanding of which credentials are being stored on which devices and therefore how they might be vulnerable.
Robin Tombs, CEO and Co-Founder, Yoti
World Password Day has never been more relevant. The high volume of data breaches shows that passwords are no longer fit for purpose. They can easily fall into the wrong hands and if they’re stored in a central database, which could then be exposed, this puts our data at great risk. With the average person having 191 passwords, it’s no surprise that many of us choose convenience over security and reuse passwords across different websites. While this makes our lives simpler, we are making it incredibly easy for a hacker – they only need to crack one of our passwords and, chances are, they can then use this to unlock a treasure trove of our personal information.
With the development of password managers, help is at hand. They can securely store your login details – eliminating the need to remember all of your passwords. They can also generate stronger passwords and be secured with your unique biometrics rather than a master password – meaning only you can access and use your passwords.
When it comes to protecting our online accounts and personal information, we should demand security, privacy AND ease of use – it shouldn’t be a trade off. Living in a digital age means the technology now exists to give people a simple and more secure way to log into websites and World Password Day is a great time to promote this.
Colin Truran, Principal Technology Strategist, Quest
On World Password Day, the cry each year should surely be ‘why are we celebrating the use of passwords yet again?’ Passwords were created to try to solve the problem of proving identity in a very technologically limited world, far longer ago than the first silicon-based computers.
Passwords are fundamentally flawed as they are easily shared, often guessed, bypassed with paper and each iteration remains in circulation for far too long. This is probably why we stopped using passwords at international borders in the middle ages.
In modern times, technology has caught up in providing far more efficient and accurate ways to prove one’s identity; however, in the beginning these were still far too expensive to implement as standard. Only those organisations that truly needed to know who they were letting in bothered to invest, such as defence agencies and pharmaceuticals.
Over the last five years we have seen two-factor authentication become commonplace but it is still only a small step towards solving the password problem. Today things are starting to change and I am encouraged to hear many more organisations turning to multiple levels of biometric identification, including government bodies.
Of course, it’s a huge responsibility to hold such biometric information in our consumer and user base, so this information must itself be protected by something better than a password. Let’s try to make this day a day of remembrance rather than a reminder of our reluctance to let go of an outmoded concept.
David Warburton, Senior Threat Evangelist, F5 Networks
World Password Day this year is perhaps more significant than it’s ever been. Despite the promise of new authentication systems which rely on strong cryptography (instead of our weak and bizarrely common ‘monkey’ passwords) the day when we can all throw our digital codes in the Recycle Bin seems just as far away as it ever did.
The rise of authentication technologies, such as biometrics and facial recognition, comes with the promise of stronger security for online consumers, but the cybercriminals seem to do a far better job of adapting to change than the rest of us. Biometrics can often be tricked and attackers increasingly use insidious social engineering tricks to get around hardware security tokens such as bank card readers.
Attackers are increasingly relying on social engineering tactics, such as phishing, to deceive users and grab their names, addresses and passwords. They can then use this to access any sensitive data that is not protected by multi-factor authentication.
This puts businesses in a delicate position. How can they ensure they continue to implement the strongest security policies and outsmart hackers to protect their sensitive data? The best route businesses can take is to consider the context under which access is being requested. Where is the user located? Is this normal for this person? Are they using a corporate or personal device and do those devices comply with company standards?
While multi-factor authentication must become the norm, it should not stop at simply using a hardware or software token since these can and have been bypassed by criminals employing social engineering tricks. But, perhaps most importantly, organisations need to ensure continuous security training is available and compulsory for all staff.
Ultimately, as hackers continue to refine and evolve their techniques, so must businesses. Continuously evaluating security practices and authentication methods is crucial to implement new habits and stay on top of a threat landscape that shows no signs of slowing down.
Jason Hart, Cybersecurity Evangelist, Cloud Protection and Licensing Activity, Thales
It’s time to retire passwords as a security solution. After years of employees using the same credentials to log into everything from social media to corporate networks, should just one account be breached, all associated accounts risk being compromised too.
What’s needed now is an adaptive, intelligent approach to the log-in experience. Innovative technologies such as passwordless authentication with smart single sign-on allow users to log in to multiple applications with a single identity, removing the need for passwords altogether.
By taking into account contextual information, such as user location and app sensitivity and previous log-in attempts when verifying users and combining these technologies with multi-factor authentication when needed, it’s possible to dramatically reduce the risk of false log-in attempts and re-purposed passwords.
Mark Crichton, Senior Director, Security Product Management at OneSpan
World Password Day should no longer just be about passwords. We all know about the issues surrounding passwords, and the damage weak or reused credentials can cause. Instead, we should use this day to focus on the bigger authentication picture.
It’s clear that passwords alone are no longer enough. This is why there is an increasing need to evolve the intelligence, strength and complexity of the systems that work alongside passwords. Banks and other industries need to take more ownership of authentication to help detect fraudulent account access.
In fact, technology exists today to allow for password-less authentication: biometric authentication is one mainstream example, but we can also use advanced device recognition technology to replace the password.
The challenge is that users are accustomed to passwords and taking this away may cause concern. A sensible way forward for the industry is therefore to layer the technology that can effectively ignore the actual password and instead provide positive device recognition against an account name or identifier.
Regulations are another driver of the use of this technology. We have seen a positive change in the protection against password compromise in the financial sector. Examples are PSD2 and FFIEC, which mandate that financial organisations should perform more validation of the transaction and the devices being used to perform the transactions and to use something more secure than a static password.
Gavin Millard, VP of Intelligence at Tenable
World Password Day was originally introduced to raise awareness of the importance of creating strong passwords – so that worked. However, with the sheer volume of data breaches where users’ passwords are stolen and sold on the Dark Web, the issue is less about creating strong passwords or phrases and more about educating people about the need for a unique code for each online account.
Considering millions are still using 123456 as a password, the chances of changing password behaviour are nothing short of a miracle. Instead, I advocate the use of password managers that create and store complex passwords, with some capable of alerting users when compromised passwords are found in data breaches. So on World Password Day, instead of improving your complex recipes for password success, do yourself a favour and automate.
Anjola Adeniyi, Technical Leader at Securonix
Passwords are the weakest link, and this couldn’t be more true in today’s cybersecurity environment. We have to create several versions of them, ensure they’re hard to guess, yet commit them to memory. It’s no surprise most people end up using the same password for a number of accounts and write them down in places they can easily find them.
Bearing this in mind, there are numerous alternatives to the traditional text password that could provide a greater level of security. Examples include:
- Persona-based authentication, which relies on a combination of ‘geographical’ elements, such as locational data, and ‘behavioural’ elements, such as the way in which they hold their smartphone, their voice and their eye blinking pattern, to help verify an individual’s identity
- The use of strong encryption algorithms such as Advanced Encryption Standard-256, used by WhatsApp, can add an extra layer of security for organisations with a huge amount of sensitive information
- Zero-interaction authentication (ZIA), which uses Bluetooth, near-field communication or radio frequency identification from another device to confirm a user’s identity
- Fingerprint readers, a technology that smartphones and tablets have made readily available. However, there remain various concerns about user compromise, as individuals can’t change their fingerprint.
- A Trust Score System, where users can sign in and unlock devices through a trust score that is calculated using several behavioural factors such as location, facial recognition and typing pattern. Google has used a trust score system to move away from passwords.
Dan Pitman, Principal Security Architect at Alert Logic
Passwords are not a new thing, and perhaps one issue is in the name – that it is a word. Some effort has been made to re-brand them as pass ‘phrases’, which highlights that they should be of a longer form, but ‘password’ has stuck. Vendors and website owners are unlikely to put up barriers for entry if their revenue depends on people accessing their site, so while blocking passwords known to be breached and cracked seems like a good idea, it is problematic from a business point of view as well as a management point of view.
Perhaps other approaches such as forcing users to have multiple words in the passphrase or stopping the requirement for punctuation and requiring a longer length of password could have a better outcome. The common approach of eight characters with punctuation and numbers drives users to produce passwords that are not un1que…
Working towards multi-factor authentication wherever possible is a must; ideally this should follow the banking example of device authorisation plus a passphrase or other type of check. But the primary issue for the end-user is that the entire ethos around passwords is detrimental to good practice. For example, forcing changes often and the aforementioned ‘complexity’ requirements drive bad behaviour.
In the business world, two-factor authentication is a must for employee interactions with business systems, but on top of this businesses should work to make sure that optional security measures, for example VPNs, are as easy as possible to use and are in fact automated. Integrating security seamlessly into user processes and working methods should be a priority otherwise users can and will circumvent them to make their lives easier.
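Both Gavin Millard (password managers that alert on passwords found in data breaches) and Dan Pitman (blocking passwords known to be breached) describe checking a candidate password against a breach corpus. The example below is added here and is not code from the article or from either vendor; it assumes a constructed, in-memory breach corpus in place of a real service and follows the k-anonymity range-query shape (5-character SHA-1 prefix sent, matching suffixes returned, comparison done locally) so the full hash never leaves the client.

```python
"""Breached-password check using a k-anonymity range query.

Added example, not code from the article or any vendor quoted in it.
The server side is a constructed, hypothetical breach corpus built in
memory; the protocol shape (5-hex-char SHA-1 prefix in, matching
suffixes with counts out) mirrors a range API, but no network call is
made here.
"""
import hashlib
from collections import Counter


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, as breach corpora index it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachIndex:
    """Server side: maps 5-char hash prefixes to 'SUFFIX:COUNT' rows."""

    def __init__(self, leaked_passwords):
        counts = Counter(sha1_hex(p) for p in leaked_passwords)
        self.ranges = {}
        for digest, n in counts.items():
            self.ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{n}")

    def range(self, prefix: str) -> list:
        """Answer a range query; the server only ever sees the prefix."""
        if len(prefix) != 5:
            raise ValueError("prefix must be exactly 5 hex characters")
        return self.ranges.get(prefix.upper(), [])


def breach_count(password: str, index: BreachIndex, sent=None) -> int:
    """Client side: request only the prefix bucket, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    if sent is not None:          # record what actually left the client
        sent.append(prefix)
    for row in index.range(prefix):
        row_suffix, _, count = row.partition(":")
        if row_suffix == suffix:
            return int(count)
    return 0


# Constructed corpus standing in for a breach dump; the plaintexts mirror
# the weak examples quoted in the article, the counts are made up.
CONSTRUCTED_LEAKS = ["123456"] * 5 + ["password"] * 3 + ["monkey", "qwerty"]
INDEX = BreachIndex(CONSTRUCTED_LEAKS)


def should_block(password: str) -> bool:
    """Policy from the quotes: reject any password already seen in a breach."""
    return breach_count(password, INDEX) > 0


if __name__ == "__main__":
    for pw in ["123456", "monkey", "lost-snail-crawl-beach"]:
        print(f"{pw!r}: seen {breach_count(pw, INDEX)} times, block={should_block(pw)}")
```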
Lance Spitzner, SANS Director, Research and Community
There are really three key points to good password practice: long passwords, password managers and two-step verification. The days of crazy, complex passwords are over. The key to passwords is to make them as long as possible. These are called passphrases. For example: ‘Time for strong coffee!’ or ‘lost-snail-crawl-beach’. With over 20 characters, both of these are strong but easy to remember.
You also need a unique password for every account which, given the number of websites and services we sign up to that require a password, can make it impossible to remember. The answer to this is to use a password manager, a special computer program that securely stores all your passwords in an encrypted vault. That way, you only need to remember one password: the one for your password manager. The password manager then automatically retrieves your passwords whenever you need them and logs you in to websites for you.
The final step to safe password practice is to enable two-step verification wherever possible. This adds an additional layer of security by requiring you to have two things when you log in to your accounts: your password and a numerical code which is generated by your smartphone or sent to your phone. This process ensures that even if a cyber attacker gets your password, they still can’t get into your accounts.
It may sound silly, but these three simple steps will go a long way in protecting your job, your reputation, and your financial future.
Michael Madon, SVP and GM of Mimecast Security Awareness
The strongest password in the world still fails when you trick someone to type it into the wrong place.
Password re-use is the real enemy, especially across personal and work accounts. Password managers and multi-factor authentication increasingly have a role to play instead of asking for regular password changes that lead to additional bad behaviours.
This is why cybersecurity training needs to adapt to truly engage employees with a clear understanding of the risks and the important role each individual plays. Attitude needs to change from one of compliance to one of commitment where security is part of everyday life.
Sarah Whipp, Head of Go to Market Strategy, Callsign
Earlier this month the National Cyber Security Centre released a list of the most common passwords, which included 3.6 million people using ‘password’ and 23.2 million with ‘123456’ as a means of security. Despite organisations trying to impose stronger password requirements and striking awareness campaigns, clearly the message is not getting through. What’s more, the first computer passwords were introduced in the 1960s. Yet half a century later the technology has moved on very little and isn’t doing a particularly good job at keeping information secure. This is why organisations need to take more responsibility and why additional layers of security, beyond the password, are so important.
It would be foolish to suggest that passwords are completely redundant, they will always have a place in the authentication process, however, organisations are now able to draw on more reliable and intelligent data points in order to identify people. Now they aren’t restricted to one or two authentication methods but can offer their customers a choice in how they want to authenticate themselves. By giving them this choice, those who haven’t created a secure password will have alternative measures in place to make sure their data won’t be compromised.
By incorporating both hard (facial recognition, fingerprints, iris scanning) and soft (behavioural characteristics, e.g. how people type, move their mouse or hold their smartphone) biometrics, which are personal and unique to each individual, and combining them with advanced machine learning, businesses can use intelligence-driven authentication to guarantee the security of their customers’ data.
Harish Chib, Vice President, Middle East and Africa, Sophos
Passwords are an important aspect of computer security – they are the front line of protection for user accounts in a very wide variety of services and systems.
With a password you’re not only securing your vacation pictures at home from sneaky attackers who can hold them to ransom, but also the company’s confidential data and the resources you are authorised for.
There are many different ways to create passwords: randomly generated by hand, randomly created by a program like a password vault, using your pet’s name + mother’s maiden name + birthday, or even just picking random words you can memorise but modifying them with letters and numbers.
Here are the most important parameters to keep in mind when creating a strong password.
- Check the program parameters. No matter how good the password is, it won’t do you any good if you can’t use it with the program.
- Avoid using whole words. Dictionary words, especially names of important people, relatives and pets, are a bad idea.
- Avoid predictable passwords.
- Adopt passphrases. Some of the easiest passwords to remember are not words but phrases or sentences. Make use of a line from your favourite novel, song or poem.
- Create unique combinations.
How to keep passwords secure
A password needs to be secured once created.
- Never share your password with anyone in your office not even the IT service desk.
- Never write your password down (this includes on paper, email, IM) except if using a secure encrypted password manager.
- Never use Remember Passwords from search engines and email programs.
- If your password is compromised, report it to IT and change all your passwords.
- Lock your computer every time you leave your desk.
- Use unique passwords for different accounts. A secure password manager can help you remember your personal passwords.
Rajesh Ganesan, Vice President, ManageEngine
Passwords are the oldest, secure and convenient way to authoritatively establish identities. Their benefits far outweigh the limitations, and hence the many attempts to eliminate them completely have failed time and again. A more pragmatic approach is to impart awareness about password hygiene to people, in much the same way as personal hygiene, where strong and healthy individuals lead to strong and healthy communities.
In business scenarios, the technology infrastructure offers a variety of methods for information access, often protected by different types of accounts having varied levels of access to information. These accounts are typically protected by passwords, and for teams running IT, these passwords are the keys to the kingdom; it becomes one of their top priorities to fully understand the implications, devise a strategy and implement strong password management systems.
ManageEngine understands the problems and the needs of IT teams around managing the different types of accounts and passwords and has crafted solutions to empower them to completely be in control of information security.
Dr. Torsten George, Cybersecurity Evangelist at Centrify
Simple static passwords are not enough to secure anything, especially sensitive enterprise systems and data. With static passwords, how are you supposed to know if the user accessing data is the valid user or just someone who bought a compromised password from the 21 million that were revealed in the recent Collection #1 breach? You can’t trust a static password anymore, and every organisation should adopt a mindset of ‘Never Trust, Always Verify, Enforce Least Privilege’.
Organisations must assume that bad actors are in their networks already. This World Password Day, I urge companies across all industries to move to a zero trust approach, powered by additional security measures such as multi-factor authentication (MFA), the lowest hanging fruit for protecting against privileged access abuse.
Zero trust privilege helps enterprises grant least privilege access based on verifying who is requesting access, the context of the request and the risk of the access environment. The idea is that for those accounts that have access to sensitive data, they should only be given the ‘least amount of privilege’ and only for just the period of time when it is needed, then removed. A zero trust privilege stance ensures all access to services must be authenticated, authorised and encrypted.
Zero trust privilege can help companies avoid becoming the next breach headline, including the brand damage, customer loss and value degradation that typically comes with it.
Karl Lankford, Lead Solutions Architect, EMEA, for BeyondTrust
While everyone agrees that static passwords are problematic, because they are so heavily ingrained into businesses they are set to be around for a long time. Today, businesses still manage 20-year-old systems which use passwords, and in 20 years’ time they’ll undoubtedly still use passwords.
As a result, it is essential that organisations take proactive measures to effectively manage passwords. Awareness training is the future of good password health, through educating employees about what a robust password looks like. Furthermore, implementing a password rotation solution can also ensure they are not the weakest security link.
The way in which a second factor of authentication is offered will change significantly. Biometrics for instance has clear use cases on a personal level for users to securely access given services or information, though large organisations may struggle to implement such measures, as more and more people become concerned about their privacy and the rights they have with their data.
David Higgins, EMEA Technical Director at CyberArk
There are passwords and there are passwords. There are passwords used on the web, used by individuals to access sites and services. These of course should be replaced with stronger authentication which does not rely on users to remember a multitude of passwords or force them down the path of recycling passwords to make them easier to remember, but more easily hacked.
And then there are passwords that, if compromised, allow access to much greater rewards. Admin passwords are a key target for attackers and, due to operational challenges, are rarely managed to the level that they should be. With numerous examples of default admin passwords set on external facing servers being the access point to major data breaches, these represent the soft underbelly of the organisation. Basic level passwords that allow entry into the IT world will remain, in at least the near future, a true break glass issue.