It’s been over a year since the start of the COVID-19 pandemic, and the growing use of online services born of the crisis has made password security even more pertinent than it was before. The growth in new accounts, driven by trends such as the shift to online shopping, has given cyber-criminals more opportunities to steal personal data through account compromise, without having to defeat sophisticated security controls at all. Monti Knode, director of customer & partner success at Horizon3.AI, commented: “Attackers don't hack in . . . they log in. Annual security reports illustrate this trend across industries, exploding this past year. In more than 500 pentest operations in the last six months, we’ve seen this as well, with weak or default credentials topping our top-10 findings lists for the second quarter in a row, averaging over 90 credentials exploited per operation.”
It is well recognized that poor password practices are commonplace—a large proportion of people use easily guessable words, which are rarely changed and are recycled across multiple accounts.
However, simply lecturing people about these facts is not sufficient to address weak password security, particularly in light of the surge in online accounts during COVID-19. Dearbhail Kirwan, security operations team lead at edgescan, said: “This advice was sufficient when you could mentally manage your passwords for one or two logins, but the majority of us these days have to regularly log into a range of different systems. As a result of all these requirements, people commonly employ mechanisms or patterns to help remember their passwords, which unfortunately can often have the side-effect of making them predictable, and therefore easier for an attacker to access a number of your passwords as a result of cracking just one.”
As such, using separate complex passwords for different online accounts and changing them on a regular basis is not a realistic prospect for many people. If the advice makes life too difficult, there is a danger people will simply ignore it. As Mark Bower, SVP at comforte AG, put it: “One of the hardest things to manage with complex passwords is entering them accurately, especially on mobile devices. There’s nothing more frustrating than transcribing ‘%jI>iW(&*VwdQA,’ and fumbling data entry repeatedly due to endless shift combinations on a small touch keyboard. Repetitive mis-entry might result in forcing password resets, which actually increases risk of compromise.”
This is why for this year’s World Password Day, it is critical to offer practical ways for people to ensure their passwords keep their accounts safe, and are easy and convenient to manage. After discussions with a range of security experts, Infosecurity has compiled five tips to help people achieve these dual aims.
Password Managers
One solution, frequently advised by security pros, is to use a password manager to store and manage the numerous complex passwords being utilized. Tyler Shields, CMO at JupiterOne, noted: “The best way to use passwords is to not have to use them by hand! Get a password manager such as LastPass or 1Password and use very complex, difficult to guess, randomly generated passwords via those tools. Respectable password managers have integrations into your daily workflow and systems including browser plugins or command line tools. If you do it right, you can remove the pain of passwords while making your world much more secure.”
Javvad Malik, security awareness advocate at KnowBe4, added: “Creating and remembering a unique password or passphrase for each account can become difficult because there are dozens, if not hundreds of different accounts people need to sign on to. The best way would be to use something like a password manager.”
Multi-factor Authentication
Another important tip is to ensure multi-factor authentication (MFA) is enabled for online accounts, particularly those of high importance. This provides an extra layer of security in the event that a password is compromised, and is normally quick and easy to set up: typing in a code from an authenticator app, or one sent via text message, is all it takes at login. (SMS codes are the most convenient but also the weakest option, since they can be intercepted or redirected by SIM swapping; where a site offers an authenticator app or a hardware security key, prefer that.) “Using MFA for sites that store important information, such as email, social media, banking websites, or other high-value sites can help deter attackers in the event a password is leaked or reused,” outlined Sean Nikkel, senior cyber-threat intel analyst at Digital Shadows.
Even if not used anywhere else, it is highly advisable to at least turn on MFA for email accounts, as they are key to the password reset function on most websites. Felix Rosbach, product manager at comforte AG, explained: “Especially for critical parts of your personal landscape—like email accounts—strong security and hygiene are crucial. With access to an email account it is easy to reset multiple other account credentials. Using two-factor authentication wherever possible not only provides stronger security but also ensures that account takeover isn’t as easy.”
Passphrases Not Passwords
Using additional software and technology solutions, such as password managers, may not be the right thing for everyone though, in which case there are ways of creating passwords that are both complex AND easy to remember. Malik said: “One of the best tips that comes to mind is to replace ‘password’ with ‘passphrase’—a longer password is a more secure password, and a phrase is a lot easier to remember compared to a random string of characters.”
This facilitates the use of words, which are far easier to remember than jumbled characters, in an order that has some meaning and relevance. Rita Nygren, business systems administrator, BI and project management, at Tripwire, advised: “Many systems are still requiring special characters, so consider that a phrase with punctuation and/or some substitution—i.e., ‘she made harry eat onions’ might become ‘sh3madeHarryeatoctopus?’—only rather than using a familiar mnemonic as a base, use the latest in-joke in your household, or a mis-quote of advice from your parents, or four randomly selected words with your favorite underused punctuation. The length of the phrase—as long as it’s not likely in a password dictionary—makes the hashing extremely difficult to beat.”
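The claim that length beats character-set complexity can be put in numbers. The following added example (written for this page, not code from the article or the people quoted in it) generates manager-style random passwords and random word passphrases with the OS CSPRNG and computes the entropy of each design, together with the expected time to exhaust it at an assumed guess rate. The 16-word list is a constructed stand-in; the entropy figures use the 7776-word EFF long list size, and the 10^10 guesses per second figure is an assumed rate for a fast unsalted hash on GPUs.

```python
import math
import secrets
import string

# Constructed mini word list for the demo only. A real Diceware / EFF long list
# has 7776 entries (five dice rolls), which is what the figures below assume.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "onion", "octopus",
              "harry", "teapot", "glacier", "pumpkin", "violet", "anchor",
              "lantern", "meadow", "quartz", "saddle"]
EFF_LONG_LIST_SIZE = 7776

# 26 + 26 + 10 + 32 = 94 printable ASCII symbols (space excluded)
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret of `length` symbols each drawn uniformly at random
    from `alphabet_size` choices. Valid ONLY for random selection: a quote, an
    in-joke or a mnemonic phrase is drawn from a much smaller space."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """The kind of password a password manager stores for you.
    `secrets` uses the OS CSPRNG; the `random` module is not suitable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(n_words: int = 6, wordlist=DEMO_WORDS, sep: str = "-") -> str:
    """Random words joined with a separator; duplicates are allowed, since
    rejecting them would reduce the keyspace."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected exhaustive-search time: on average half the keyspace is tried."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def compare(guesses_per_second: float = 1e10) -> dict:
    """Entropy (bits) and expected crack time (years) for several designs at the
    given guess rate. 1e10/s is an assumed GPU rate against a fast, unsalted hash;
    a slow password hash such as bcrypt or Argon2 lowers it by orders of magnitude."""
    designs = {
        "8 random printable chars": entropy_bits(len(PRINTABLE), 8),
        "12 random printable chars": entropy_bits(len(PRINTABLE), 12),
        "4 random EFF words": entropy_bits(EFF_LONG_LIST_SIZE, 4),
        "6 random EFF words": entropy_bits(EFF_LONG_LIST_SIZE, 6),
    }
    year = 365.25 * 24 * 3600
    return {name: (bits, expected_crack_seconds(bits, guesses_per_second) / year)
            for name, bits in designs.items()}


if __name__ == "__main__":
    print("manager password :", generate_password())
    print("passphrase       :", generate_passphrase())
    for name, (bits, years) in compare().items():
        print(f"{name:26s} {bits:5.1f} bits  ~{years:.3g} years")
```

Note the caveat in `entropy_bits`: the figures hold for words picked at random, which is why the advice above to use "four randomly selected words" is stronger than a memorable quote with substitutions. "sh3madeHarryeatoctopus?" is long, but a rule-based cracker that applies leetspeak and appended punctuation to common phrases searches a far smaller space than 2^77.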
Acronyms
Similarly, passwords can be made both memorable and complex by creating meaningful acronyms, which can be associated with individual websites. “To comply with password complexity rules, feel free to capitalize and ensure it contains a number,” outlined Martin Jartelius, CSO at Outpost24. “This is easy for you to remember, especially with some practice. A good practice is to add a personal element to it per site. Facebook? 'So you had that for food?' would for example become 'Syhtff?'”
Keep Changing?
While conventional wisdom dictates that passwords should be changed regularly, this notion has been challenged by the growing availability of breach-notification services that tell you when an account may have been compromised, and by current guidance such as NIST SP 800-63B, which advises against forcing periodic changes unless there is evidence of compromise. Jartelius advised: “Subscribe to HaveIBeenPwned (https://haveibeenpwned.com/NotifyMe) and ensure that if you show up, make an adjustment to the potentially affected passwords to save you time. But otherwise, should you change passwords? No, there is very little to gain. If you have a password that is unique for a site, and you have a strong password, you are relatively safe.”
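Besides the breach notifications mentioned above, Have I Been Pwned also publishes its Pwned Passwords data through a range API that lets you check a password without sending it anywhere. The following added example (written for this page, not the article's or Have I Been Pwned's own code) implements the client side of that k-anonymity check: hash the password with SHA-1, send only the first five hex characters, and look for the remaining 35 in the returned list. The sample response body is constructed for the offline demo; only the "password" suffix in it is a real SHA-1 value, and its count is invented. The `fetch_range_body` function performs the real request and is not exercised here.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_range_parts(password: str):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent to the
    API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. With the Add-Padding
    header the server mixes in dummy entries with count 0, which are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.upper()
        if len(suffix) != 35 or not count.isdigit():
            continue  # skip anything that is not a well-formed entry
        if int(count) > 0:
            counts[suffix] = int(count)
    return counts


def breach_count_from_body(password: str, body: str) -> int:
    """Number of times `password` appears in the breach corpus, given the range
    body fetched for that password's own prefix; 0 means not found."""
    _, suffix = sha1_range_parts(password)
    return parse_range_body(body).get(suffix, 0)


def fetch_range_body(prefix: str) -> str:
    """Live lookup (network access required, not used by the offline demo).
    Only the 5-char prefix leaves the machine; the password never does."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6. The second suffix is the real
# SHA-1 tail of "password"; the other suffixes and every count are made up.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
011053FD0102E94D6AE2F8B83D76FAF94F6:1
0000000000000000000000000000000000A:0
"""


def check_password(password: str, body: str = None) -> int:
    """Offline by default (uses the constructed body); pass body=None and
    replace with fetch_range_body(prefix) to query the live service."""
    prefix, _ = sha1_range_parts(password)
    if body is None:
        body = fetch_range_body(prefix)
    return breach_count_from_body(password, body)


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-demo"):
        n = check_password(pw, SAMPLE_RANGE_BODY)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in sample range")
```

SHA-1 is fine here because it is only used as a lookup key against the published corpus, not to protect the password; the privacy property comes from sending a 5-character prefix that matches hundreds of unrelated hashes.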
There has been much discussion about the rise of alternative methods of authentication, such as biometrics. However, it seems certain that passwords will remain a crucial component of keeping accounts secure for the foreseeable future. The traditional best practices of making passwords complex, keeping them unique across logins and, until recently, changing them regularly are becoming harder to follow as the number of online accounts grows, particularly over the past year. Strong security needs to go hand in hand with convenience to be truly effective in the modern world.