Cybersecurity Experts Share Thoughts for World Password Day
World Password Day was created by Intel in 2013 to raise awareness of the need for strong passwords, but many experts now use the occasion to urge organizations to replace passwords with other, more secure authentication methods.
World Password Day is observed every year on the first Thursday of May, and in 2021 that is today, May 6.
Passwords are often compromised in data breaches, putting users at risk. On the other hand, passwords — either guessed or stolen — are also often leveraged to carry out an attack and breach an organization’s systems. That is why many experts believe it’s time to stop using them for authentication, or at least use them in combination with other mechanisms that provide better security.
Several cybersecurity professionals have shared thoughts for World Password Day, including on the future of passwords and better alternatives.
Francois Lasnier, Vice President, Access Management solutions, Thales:
“With more employees working remotely than ever before due to COVID-19, businesses are at greater risk from a cyber-attack with workers accessing systems outside of the usual company network. As such, this year’s World Password Day is in fact a timely reminder for businesses to drop passwords forever – they are no longer good enough and are the prime resource for hackers to gain access. Instead, companies should roll out access management solutions such as passwordless authentication, which verifies users through other methods like their IP address or whether they are accessing through a device or operating system associated with them. This will overcome the inherent vulnerabilities of text-based passwords, while improving levels of assurance and convenience.
No single solution is enough though, so organisations should also be looking to adopt a Zero Trust model in their approach to authenticating users and certifying their authorisation to access data. This strategy, based on the principle “Never Trust, Always Verify”, views trust as a vulnerability and requires employees to access only the data they’re authorised to access, while ensuring they verify who they are each time they want access.”
Baber Amin, COO, Veridium:
“Have passwords, get hacked! Passwords and other static knowledge-based verification methods are archaic, but for now it is hard to get rid of them completely. The goal that all organizations should be going for is reducing their password related threat surface or footprint with a passwordless approach combined with biometrics and device+user behavior, and bio-mechanic analysis approach. The goal is creating a strong binding between a user, their behavior and the user agent in order to create an enhanced security and user experience.”
Mike Puglia, Chief Strategy Officer, Kaseya:
“Cybercriminals love password dumpers because they make it easier to propagate ransomware, steal data and gain entry for long-term access. They can now attempt logins against all major cloud and SaaS sites, especially since almost every company has some employee accounts on Google, Microsoft or Amazon. Access to targets supporting 95% of the world’s organizations is a click away from any location.
The next five years will bring password plus MFA for all logins, with password-only being the exception. It’s already happening with consumer accounts – banks, phones, even gaming systems – and now we are seeing it roll out across all business applications. Though MFA cannot stop 100% of attacks, it raises the effort and costs required for adversaries to be successful. It is the only way we start to lower the number of breaches.”
Benoit Grange, Chief Technology Evangelist, OneSpan:
“Passwords are a problem. Passwords are inconvenient and riskier than other authentication options available today because they can be guessed, stolen, or cracked. While we won’t see passwords go completely away anytime soon, a passwordless approach could be the answer to many user friction and security challenges. A recent VISA survey found consumers are ready to leave the password behind. Seventy percent of consumers believe that biometrics are always more comfortable as they do not involve memorizing passwords.
With a plethora of other data pointing to a continuing upward trend in biometric usage, new risk-based multifactor authentication with fingerprint, face, or iris recognition could be the solution that will finally free us from the burden of endless passwords, opening the doors to a brighter, passwordless future.”
Ralph Pisani, President, Exabeam:
“World Password Day 2021 is more important than ever as organizations grapple with the new reality of ‘work from anywhere’ and the fast adoption of the hybrid workplace trend. Cybercriminals will capitalize on any opportunity to collect credentials from unsuspecting victims. Just recently, scammers began preying on people eagerly awaiting vaccinations or plans to return to the office as a means to swipe their personal data and logins, for instance.
The most common attack technique that I often see in the breach reports that I read is stolen credentials. This is a never-ending battle between the security industry and cybercriminals, but there are ways organizations can protect themselves against credential theft.
Through a mix of educating staff on complex password best practices, security awareness training and investing in machine learning-based security analytics tools, organizations can make it much more difficult for digital adversaries to utilize their employees’ usernames and passwords for personal gain. Behavioral analytics tools can swiftly flag when a legitimate user is exhibiting anomalous behavior indicative of compromised credentials. This approach provides greater insights to SOC analysts about both the impacted and malicious user, which results in a faster incident response time and the ability to stop adversaries in their tracks, before they can do damage.”
Patrick McBride, Chief Marketing Officer, Beyond Identity:
“Passwords are completely compromised. So much so that we recommend they be placed in a vulnerability class of their own. Since there is no CVE designation designed for this purpose, we recommend a new “Ubiquitous” CVE designation (U-CVE) and drafted a U-CVE for passwords. We are not a certified numbering authority in the CVE program, but believe passwords are uniquely qualified for a modified “Ubiquitous” designation.
Instead of “reminding” (nice euphemism for “forcing”) users to create longer, stronger passwords, to not reuse passwords across applications, and to change their passwords frequently, technology vendors need to think of passwords as a core vulnerability – one that cannot be easily patched. These ubiquitous vulnerabilities can be fixed with modern identity management architectures and the implementation of strong authentication methods.”
Saryu Nayyar, CEO, Gurucul:
“Passwords are the bane of the security team’s existence. Users use weak passwords, reuse the same passwords, refuse to change passwords, or simply forget them and need help resetting passwords. I thought self-service password reset options would have alleviated the help desk from resetting user passwords. However, it turns out 20% to 50% of all IT help desk tickets are still for password resets (according to The Gartner Group).
We actually have the technology to eliminate passwords altogether, but that would require companies indulge in passwordless authentication.
Really, the best option for enterprises going forward is continuous behavioral based authentication. […] This is how organizations can make the authentication process more secure and frictionless for users.”
Neil Jones, cybersecurity evangelist, Egnyte:
“To commemorate World Password Day, we’d like to remind you about practical steps that you can take to protect your valuable information, while embracing today’s work-from-home environment:
- Educate your employees on password safety – Teach your users that commonplace passwords such as “123456,” “password” and their pets’ names can put your data and their personal reputations at risk. Remind users that passwords should never be shared with anyone.
- Institute two-factor authentication – IT administrators should require additional login credentials during the users’ authentication process, to prevent potential account breaches. This can be as simple as a user providing their password, then entering an accompanying numeric code from an SMS text.
- Set passwords for personal devices – Personal devices are on the rise in a remote-work environment and are particularly vulnerable to data theft, so encourage your employees to password-protect them.
- Change your Wi-Fi password regularly – Remember that potential hackers are often working from home, just like us. If you haven’t updated your Wi-Fi password recently, do it immediately.
- Establish mandatory password rotations – Greatly reduce exploitation of default and easily-guessable employee credentials by making your employees change their passwords regularly.
- Update your account lockout requirements – Prevent brute force password attacks by immediately locking out access points after several failed login attempts.”