Tomorrow is World Password Day. During the COVID-19 outbreak, many office-based employees are working from home and accessing password-protected business accounts outside the office, as Hal Lonas, Chief Technology Officer at Webroot, points out.
He says: “Opportunistic cyber attackers are on high alert to take advantage of this, meaning users need to be even more careful with their passwords than usual. Businesses also need to play their part to ensure strong cyber hygiene is in place and that individuals remain vigilant. This begins with security awareness training and ensuring that strong password policies are in place.
“Password cracking software does not discriminate by characters used, but instead length makes it more difficult to hack. Therefore, staff should be encouraged to prioritise longer passwords over the inclusion of special characters and numbers. Encouraging employees to use a password manager makes it easier for them to use different passwords across websites, further aiding security. Also, too-frequent password rotation causes problems, as people tend to use easier-to-guess passwords if you force them to change too frequently. Requiring a password change every 30 days therefore may actually cause more problems than it solves.
“Putting these password policies and training measures in place, alongside cybersecurity technology such as email filtering and anti-virus protection, will help businesses take great strides towards cyber resilience – important now more than ever as they rely on remote workforces.”
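The policy Lonas describes above (length first, no forced complexity, no reliance on rotation) can be expressed as a checker. The following is an added example, not code from the article or from Webroot; the minimum length of 14, the keyspace estimate and the small common-password list are assumptions chosen for illustration, and a real deployment would screen against a full breached-password corpus instead of the inline set.

```python
import math
import unicodedata

# Constructed stand-in for a breached/common-password list (assumption, not from the article).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "password1"}

# Assumed policy minimum; the article gives no specific number.
MIN_LENGTH = 14


def estimate_bits(password: str) -> float:
    """Rough keyspace estimate in bits: log2(pool_size ** length).

    Illustrates the point in the text: every extra character multiplies the
    keyspace, whereas adding a character class only enlarges the base, so a
    long all-lowercase passphrase outscores a short 'complex' password.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, min_length: int = MIN_LENGTH):
    """Return (accepted, reasons) for a candidate password.

    Deliberately does NOT require digits or special characters, and the
    policy contains no expiry: the text argues both make passwords worse.
    """
    reasons = []
    # Normalise so visually identical Unicode forms are judged the same way.
    normalized = unicodedata.normalize("NFKC", password)
    if len(normalized) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if normalized.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common-password list")
    if len(set(normalized)) == 1:
        reasons.append("single repeated character")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "password1", "correct horse battery staple"):
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {estimate_bits(candidate):.1f} bits, accepted={ok} {why}")
```

The short mixed-class password is rejected purely on length, the long lowercase passphrase is accepted, and the bit estimate makes the length-over-complexity argument visible without a cracking tool.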
At British Standards (BSI) Stephen Bowes, Global Practice Director, Information and Security Technologies, says: “A password is the primary method used to confirm the identity of a user to gain access to a wealth of platforms and personal information. They are used for everyday activities both off and online and are needed for accessing multiple platforms that help us with our day-to-day lives. These include logging on to utility or financial accounts, entertainment or streaming services, shopping online and even to gain access to a property by a security gate keypad or alarm. By having good password habits, online users are not only protecting themselves but protecting their data, property and business.”
Charles Poff, Chief Information Security Officer, SailPoint, says: “World Password Day is still worthy of celebration, and education around good password hygiene remains crucial. While many may dream of a passwordless world, passwords will remain a critical method of authentication for years to come.”
Aaron Zander, Head of IT, HackerOne, says that when it comes to organisational or institutional security, a lot of what we can do to bolster our protection can come from within. “Password re-usage is often one of the most common pitfalls we see. Once a hacker has been able to gain access via an employee’s password, they can go digging through the organisation’s databases with insider access. In addition, if this password is reused, the user may see the ramifications across all of their personal and work accounts and devices.
“Many argue that biometrics could be a better alternative. However, if there is a data breach, you can’t exactly reset your fingerprint – and this data is far more sensitive in the hands of a hacker, at least a password can be changed. For the foreseeable future, people will have to continue making passwords work for them, whether that is using personal algorithms to keep track of them or using password managers. Organisations can do their part by implementing and pushing or even mandating two-factor authentication so that even if passwords are breached, the damage is contained. Right now, passwords pose one of the biggest security challenges the security world faces but there isn’t really a viable widespread replacement on the horizon.”
Adenike Cosgrove, international cyber security strategist at Proofpoint, also looks at how to ensure that the way passwords are managed and handled does not compromise their integrity as a form of security and authentication. “The dangers of password reuse have been made abundantly clear through the rise in successful credential stuffing attacks, yet recent research has shown that 45% of working adults admit to reusing the same password for multiple services. This issue will likely persist into the future due to human beings’ desire for convenience and the difficulty of remembering ever more complex passwords for the multitude of online services they use. The repercussions can be serious however, as one compromised password can open an individual up to identity theft or even put their entire organisation at risk.
“Likewise, cybercriminals are continuing to leverage sophisticated strains of information-stealing malware or keyloggers, often delivered through email phishing campaigns leveraging social engineering. Even in the best-case scenario where a user has complex and unique passwords in place, a carefully targeted phishing attack dropping a stealer or keylogger can deliver these credentials directly to the attacker.
“Both individuals and organisations can do their bit to respond to these threats. Password reuse can be tackled through greater education and training, but it must be combined with technological solutions to reduce the onus on the individual, which is consistently the route most exploited by cybercriminals. Organisations should be implementing multi-factor authentication as standard, and it is also encouraging to see a rise in the use of password management applications which mitigate the risk of relying on the human memory for password security.”
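Cosgrove's remarks on credential stuffing describe the attack from the user's side; from the defender's side it shows up in authentication logs as one source trying many different usernames in a short time, occasionally succeeding with a reused password. The example below is added here and is not Proofpoint's code or tooling: it runs a sliding-window check over a handful of constructed log lines (the log format, IP addresses, usernames and thresholds are all assumptions) and reports which accounts the flagged source managed to log into, which is the list an incident responder would reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, source IP, username, OK/FAIL outcome.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one legitimate user mistyping, one spray across six accounts
# from a single source (with one reused password succeeding), one stray failure.
SAMPLE_LOG = """
2020-05-06T09:00:00Z ip=198.51.100.7 user=alice result=FAIL
2020-05-06T09:00:20Z ip=198.51.100.7 user=alice result=FAIL
2020-05-06T09:00:45Z ip=198.51.100.7 user=alice result=OK
2020-05-06T09:01:00Z ip=203.0.113.5 user=alice result=FAIL
2020-05-06T09:01:02Z ip=203.0.113.5 user=bob result=FAIL
2020-05-06T09:01:04Z ip=203.0.113.5 user=carol result=FAIL
2020-05-06T09:01:06Z ip=203.0.113.5 user=dave result=FAIL
2020-05-06T09:01:08Z ip=203.0.113.5 user=erin result=FAIL
2020-05-06T09:01:10Z ip=203.0.113.5 user=frank result=OK
2020-05-06T09:03:00Z ip=192.0.2.9 user=bob result=FAIL
""".strip().splitlines()


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_stuffing_sources(lines, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that attempt >= min_distinct_users distinct usernames
    inside any `window`, and list the usernames that succeeded from that IP.

    Counting distinct *usernames* rather than raw failures is what separates
    credential stuffing from a single user fumbling their own password.
    """
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until evs[start:end+1] fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {e["user"] for e in in_window}
            if len(users) >= min_distinct_users:
                hits = {e["user"] for e in in_window if e["result"] == "OK"}
                prev = flagged.get(ip, {"distinct_users": 0, "compromised": []})
                flagged[ip] = {
                    "distinct_users": max(prev["distinct_users"], len(users)),
                    "compromised": sorted(set(prev["compromised"]) | hits),
                }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"successful logins for {info['compromised'] or 'none'}")
```

On the sample, 198.51.100.7 is left alone (three attempts, one username) while 203.0.113.5 is flagged with six accounts tried and `frank` listed as compromised. Pairing a detector like this with the multi-factor authentication the text recommends means a stuffed password alone no longer yields a session, and the alert still tells you which credential was reused.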