This year is marks the fourth annual World Password Day, and yet the old security measure of changing passwords still seems to be troubling both large and small organizations. Today makes it a good day to get updated on the best practices and tips for creating and securing strong passwords.
The intention behind World Password Day is to reduce the attack surface of the end user by raising awareness of best practices for password management, according to Alex Heid, chief research officer at SecurityScorecard.
The reason for the emphasis on changing passwords is because attackers are constantly trying to reuse passwords that have been obtained in data breaches, he said.
(Related: Are mandatory password changes really the best idea?)
“Every year, there are increasing reports of large enterprises suffering from successful breaches whereby millions of e-mail addresses, logins and passwords are compromised,” said Heid. “One startling fact is that less than 1% of people will change their passwords even after they have been informed of a breach of their credentials.”
Billy Austin, vice president of security at LOGICnow, said that another problem with passwords is getting people to care about secure passwords, and most organizations do not know where to start. These same individuals will continue to use weak passwords, despite the large amount of information and media coverage about hackers.
Another problem is passwords are the first line of defense for a consumer to protect their online services, but often the passwords are not secure and are simple (so the user will not forget them), said Dimitri Sirota, CEO and cofounder of BigID. This leaves them vulnerable to hackers who can easily steal their passwords.
Austin said the best thing that security leaders could do is continue to educate teams about protecting personal information, and to offer simple solutions so as to not overwhelm them.
One thing that Austin recommended companies consider is to adopt a password-management policy. Data thieves look for opportunities for phishing, packet sniffing and social engineering, which are common (and successful) tactics that justify the need of such a policy.
“While passwords are a common backdoor for data thieves, organizations that adhere to the adoption of a password-management policy essentially reduce the likelihood of becoming a victim through this attack vector,” said Austin. “Validation of such adopted password tips and controls should then be routinely assessed to ensure checks and balances are in good standing.”
Ironically, World Password Day can create some easy ways for hackers to get into accounts and steal important information, according to Heid. He said that an attacker could hypothetically create a phishing e-mail that encourages users to change their password, and direct users to a fake login page that tricks users will into inputting their personal information.
“Attackers can then quickly make use of the pilfered credentials before the victim realizes they have been duped,” said Heid.
The experts had additional advice on passwords:
Billy Austin, vice president of security at LOGICnow
- Consider a password manager to store and generate passwords. Password managers help employees generate sophisticated and unique passwords for each login.
- Avoid storing passwords in clear text. If storing a password is required, ensure the file and or password is encrypted.
- Change all default passwords on vendor-provided devices and applications (ex: When the home wireless router login is “Admin” and the password is “Password”).
- Remove all account IDs and passwords from terminated employees to avoid unauthorized access. Attackers see this as a backdoor to access data.
- Use multi-factor authentication such as biometrics or PINs in conjunction with your password.
- Enforce password complexity rules. Examples include changing the password every few days, ensuring that a password consists of alphanumeric characters and in some cases a special character.
- Restrict the use of the same password. When attackers obtain easily guessed passwords from third-party applications such as Facebook, LinkedIn and Twitter, such credentials are then used to attempt access to other applications where it is more financially rewarding.
Dimitri Sirota, CEO and cofounder at BigID
- Use stronger password and randomize across sites. There are tools to help here, but as of now, none work seamlessly across the Web, mobile and wearables.
- Use secondary authentication based on something you have (tokens or SMS PIN codes), something you know (such as where you first met your wife), or something that’s a part of you (thumbprint, faceprint, voiceprint, etc.).
- Protect your valuables “behind the door.” For example, use encryption where you can (like putting stuff in a safe), use an alarm system to get notified of unusual activity, and insist that whoever has your digital stuff has the tools to track and manage your valuables.
Alex Heid, chief research officer at SecurityScorecard
- Ideally, a password should make use of alphanumerics and special characters. A good method is to make use of a “passphrase,” which can be a short sentence that makes use of punctuation and spaces.
- A passphrase is especially recommended as the “Master Password” for password-management software.
- An encrypted password manager will not guarantee the security of stored credentials. It simply adds an extra step to the attack process.