#WorldPasswordDay is one of our favorite cyber awareness days because it's something that both consumers and enterprises can take notice of and take real action on.
In the wake of recent mass breaches that came at the hands of compromised passwords (Colonial Pipeline, Twitch, SolarWinds, and more) -- experts across the cybersecurity industry shared their best practices and insights on the current and future state of password security and why it's never been more critical.
Lucia Milică, Global Resident CISO at Proofpoint
“Passwords are one of the first critical barriers between a person, a threat actor and a successful cyberattack. One of the most common mistakes that people make is reusing the same ID/email address and password across multiple sites and devices. Password reuse is exacerbated by the increasing volume and success rates threat actors are reaping with advanced credential phishing campaigns that use fake websites resembling the login page of a legitimate online service to steal usernames and passwords.
We recommend consumers use different passwords, especially on critical financial and data-driven accounts. Be sure to turn on multi-factor authentication (MFA) if available for as many accounts as possible. If MFA is not an option for the account, use a password manager. A password manager creates randomized passwords that are safely stored, encrypted, and accessible across all personal devices and reduces the burden of trying to remember complicated login credentials across multiple websites. If you use a passphrase as part of your password, make sure you never use common words or phrases, names or dates associated with you or direct family members. It’s also best to change all passwords twice a year and change business passwords every three months.
Since 95% of cybersecurity issues can be traced to human error, it remains important for businesses to implement a people-centric approach to security. Ensure that both your remote and in-office employees receive training and education on basic cybersecurity best practices, including how to identify a credential phishing attempt and how to securely manage passwords.”
Lamont Orange, CISO, Netskope
“Over the past year, organizations and individuals have almost completely adapted to operating within a flexible—and highly distributed—virtual environment. However, even though organizations are more well-adjusted to this digital lifestyle, the use of cloud tools and applications are still major contributors to threats against an organization's security infrastructure. Organizations’ security teams must remain vigilant. Ensuring that the correct individuals have visibility over network activity and can utilize remote access controls is critical. Organizations need to make certain that remote work nor the use of BYOD practices are allowing the exposure of sensitive company data. WorldPassword Day serves as a great reminder that even though operations have been streamlined to accommodate the new world of work, user access/authentication and data protection are still very present security sensitivities that must be kept top of mind.”
Sadiq Khan, Chief Information Security Officer at BlueVoyant
“World Password Day is of extra importance this year because of a rapid increase in attacks designed to get around measures that make account log-ins more secure. First and foremost it’s still important to use strong passwords. BlueVoyant continues to observe large volumes of compromised credentials being sold on dark web forums, which are in turn used to breach victim organizations. Organizations should ensure they have monitoring in place to detect when their credentials are compromised and potentially being sold by cyber criminals.
In addition to password hygiene, MFA should be enabled by default across all organizations. Multi-factor authentication (MFA) is a more secure way of authenticating compared to merely using a password. MFA requires users to provide at least two verification factors in order to access a device or account. BlueVoyant has seen threat actors move on from potential victim organizations once they determine MFA is in place, and move on to the next target looking for an organization that doesn’t have it.
However, given the uptick in organizations using MFA in their cyber defense, there has been a recent increase in MFA-bypass attacks. These attacks rely on social engineering techniques to lure and trick users into accepting fake MFA requests. Some specific methods of attacks include sending a large amount of MFA requests and hoping the target finally accepts one to make the noise stop, or sending one or two prompts per day, which attracts less attention, but still has a good chance the target will accept the request. Attackers will also use more aggressive social engineering, such as Vishing (Voice phishing) that requires calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process. Sometimes attackers even use bots to call, instead of a live person.
In the past few months, some well-known hacking groups have gotten around MFA controls to breach very large companies that are household names.
The best defense is training employees. They should know if they are ever unsure about an MFA request, to reject it. Instead, they should only accept MFA requests they know they have initiated.”
Avi Shua, CEO and Co-Founder of Orca Security
“With an ever widening threat landscape, organizations must be able to find all passwords and secret keys that have been mistakenly stored within their cloud estates and pose grave security risks if stolen. Our research team recently found that 1 in 3 customer organizations provided root admin access to cloud accounts without MFA in place, showing the damage one password could create.
Organizations should use modern entitlement mechanisms that don’t rely on passwords within their cloud accounts and internet connected systems. By not practicing sound password management, they put themselves at risk of serious security breaches. It is critical that security teams harness tools and approaches to monitor their cloud accounts for risks, including misplaced passwords, to protect against theft and educate others around them on this importance to avoid preventable mishaps.”
David Lindler, CISO, Contrast Security
"One of the most common security requirements I still see being used in organizations is forced password expiration. NIST has explicitly stated for 4 years now (SP 800-63B Section 5.1.1.2) that memorized secrets should not be required to be changed arbitrarily and only force a change if there is evidence of compromise. If you make one change to your password policy, remove this arbitrary requirement."
How many passwords have you forced yourself to remember? How many renditions of the same password (e.g. Password1, Password12, Password1!) are you using? A password manager will simplify your life and allow you to create and store passwords securely, and at the same time, you will never have to even know what those passwords are. Get yourself a password manager today."
George Gerchow, Chief Security Officer, Sumo Logic
Recent reports indicate a need for organizations to prioritize password protection and security as insider threats continue to impact organizations. World Password Day provides a perfect opportunity for organizations to address these needs. Here are a few steps organizations can take to prioritize password safety.
Password Vaults: As the world adjusts to a hybrid work model, companies must provide employees with a password vault. Employees who work from home typically balance the use of personal and professional passwords throughout their workdays. With one single, trusted login or password program, vital work and personal data and information can securely live in one location.
Passphrases: To help prevent threat actors from stealing passwords, organizations should utilize passphrases – passwords that are different phrases rather than similar names and numbers. Passphrases are more difficult to crack as they don’t necessarily have to pertain to the user, contain more letters and numbers, and provide more opportunities to toggle between capital letters.
Biometrics: The future of passwords is biometrics; it provides a more secure and trusted method for storing sensitive data. Companies like Apple have already proven that passwords can be replaced through the implementation of digital identity, and organizations should look to follow suit. Biometrics will never be 100% perfect, but it removes the need for multiple passwords or passphrases, and provides improved account security and a single, trusted login for all accounts.
Geoff Bibby, SVP, OpenText
“World Password Day is an excellent time for individuals, channel partners and businesses to reflect on their current password practices and ensure they are building the safest habits to protect themselves and their company from cybercriminals. Many are under the assumption that if they are taking the steps to create unique passwords for each platform and application, they are secure. But it's not enough.
The number of headline-grabbing breaches that have taken place over the last year highlight the critical need for safeguards across the entire company network. While there are a few different ways to protect login credentials beyond a simple username and password, one of the most popular and effective options is two-factor authentication (2FA). Implementing 2FA provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user's phone, email address or through an authenticator app, after entering their username and password. It’s getting easier for cybercriminals to breach even the most complex password, which is why implementing 2FA is critical.
Email is a common point of attack because it often contains sensitive and valuable communications. Organizations should also consider implementing an email security solution that conducts a security audit to analyze its admins, users, mailboxes, and rules for vulnerabilities such as outdated passwords so they can be resolved before a breach happens. This is especially true for ensure partners so that they can ensure the customers they support are protected against today's cyberthreats and vulnerabilities. Organizations should use World Password Day to evaluate their internal Password Policies and send reminders to employees and customers alike about the importance of good password hygiene.”
Tyler Farrar, CISO, Exabeam
“Colonial Pipeline, SolarWinds, Twitch. All of these organizations have one thing in common: they suffered data breaches as a result of stolen passwords and credentials. Credential theft has become one of the most common and effective methods cyber threat actors use to infiltrate organizations of all sizes and access sensitive data.
We strongly support efforts, like World Password Day, that raise public awareness and can help to combat this pervasive issue. We advocate for the best practices that ensure cyber hygiene and protect personal and professional passwords and credentials to prevent credential-based attacks from continuing.
Credential-driven attacks are largely exacerbated by a ‘set it and forget it’ approach to credential management, but organizations must build a security stack that is consistently monitoring for potential compromise. Organizations across industries can invest in data-driven behavioral analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior indicative of credential theft, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”
###