The author Agatha Christie once wrote “to every problem, there is a most simple solution.” These words resonate to a large degree when it comes to the problem of hacking; a huge proportion of data breaches that organizations and individuals suffer could be avoided if only simple password practices were widely followed. “Good password security practice is basic – but it remains a vital defense for organizations in the fight against cybercrime,” noted Agata Nowakowska, area vice-president at Skillsoft.
While poor password practice is often strongly associated with individuals, passwords are also the basis upon which businesses and organizations throughout the world secure the vast swathes of highly confidential data they hold. Sam Humphries, security strategist at Exabeam, said: “Weak credentials are a gift for bad actors – making it far easier for them to get where and what they want. If you think about it, most of the huge breaches we read about in the news involve attackers leveraging stolen user credentials to gain access to sensitive corporate data.”
World Password Day During COVID-19
It is why the annual World Password Day retains as much importance this year as when it first started back in 2013, if not more. Initiated by Intel, the awareness day is held on the first Thursday of May to address the critical need for strong passwords and to promote better password habits. This year, in the midst of the COVID-19 pandemic, it takes on special significance because of the unprecedented rise in people working from home.
“One of the biggest threats to IT security is ‘shadow IT’ – where the security team has limited or no visibility into the applications and tools employees are using. Many employees will be deploying remote collaboration tools independently of their organization’s IT departments and these are not subject to the same due diligence and testing that would normally be undertaken. This means security, data sovereignty, compliance and retention are all outside of the organization’s control,” explained Steve Nice, chief security technologist at Node4.
Recent research has demonstrated increasing laxity in password security, probably due to the growing number of online accounts people now hold, a problem exacerbated by the current lockdown. “A staggering 59% of consumers reuse passwords across multiple accounts,” noted Anurag Kahol, CTO at Bitglass. A recent survey by Specops further emphasized the scale of the problem, showing that 38% of people never update their passwords, and around a third of the population use the same password for streaming services such as Netflix as they do for more sensitive accounts like online banking.
Earlier this week, the UK’s National Cyber Security Centre (NCSC) and the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) published an advisory which highlighted other ways in which the COVID-19 crisis is increasing the importance of following good password security practices. The advisory stated that healthcare bodies and research organizations have been subject to large-scale ‘password spraying’ campaigns by advanced persistent threat (APT) groups during COVID-19.
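The password spraying the advisory refers to has a recognizable shape in authentication logs: one source fails against many different accounts with only one or two attempts each, staying under per-account lockout thresholds. The following detection logic is an added example written for this article, not code from the NCSC/CISA advisory or from any product quoted here. The log format, the documentation-range IP addresses and the usernames are constructed; the thresholds (at least five distinct accounts, at most two attempts per account, inside a ten-minute window) are assumed values a defender would tune to their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of authentication events in a hypothetical
# "timestamp source_ip username result" format. 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges, not real hosts.
SAMPLE_LOG = """\
2020-05-05T08:00:01Z 203.0.113.5 alice FAIL
2020-05-05T08:00:04Z 203.0.113.5 bob FAIL
2020-05-05T08:00:07Z 203.0.113.5 carol FAIL
2020-05-05T08:00:10Z 203.0.113.5 dave FAIL
2020-05-05T08:00:13Z 203.0.113.5 erin FAIL
2020-05-05T08:00:16Z 203.0.113.5 frank FAIL
2020-05-05T08:00:19Z 203.0.113.5 grace SUCCESS
2020-05-05T08:01:00Z 198.51.100.7 heidi FAIL
2020-05-05T08:01:05Z 198.51.100.7 heidi FAIL
2020-05-05T08:01:12Z 198.51.100.7 heidi SUCCESS
2020-05-05T09:30:00Z 198.51.100.9 ivan FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_events(text):
    """Parse log lines into (timestamp, source, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), m.group(3), m.group(4) == "SUCCESS"))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Return {source_ip: sorted targeted users} for every source that, within any
    `window`, fails against at least `min_users` distinct accounts while making no
    more than `max_per_user` attempts against any one of them. That low-and-slow
    profile distinguishes a spray from a brute force against a single account
    (which has one user and many attempts, like 198.51.100.7 above)."""
    by_source = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            by_source[src].append((ts, user))
    alerts = {}
    for src, attempts in by_source.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            per_user = defaultdict(int)
            for ts, user in attempts[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = sorted(per_user)
                break
    return alerts


def successes_from_flagged_sources(events, alerts):
    """Accounts that logged in successfully from a flagged source: the first thing to
    investigate, because that is where the spray most likely found a valid password."""
    return sorted({user for _, src, user, ok in events if ok and src in alerts})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    hits = detect_spraying(evs)
    print("spraying sources:", hits)
    print("follow up first:", successes_from_flagged_sources(evs, hits))
```

Run against the constructed sample, the only flagged source is 203.0.113.5, and the account to review first is `grace`, whose successful login came from that source moments after the failures. In a real environment the same per-source/per-user counting works over directory or VPN authentication logs once the parser is adapted to their format.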
Good Password Practices
Those working in the cybersecurity sector can probably recite the basics of good password practice without difficulty: passwords should be complex, changed regularly and different for every online account. However, it is important to go beyond these headline principles and spell out what they mean in practice, so that individuals and organizations can better protect themselves.
Tim Bandos, VP cybersecurity at Digital Guardian, said: “We really need to be thinking about which words/phrases/strings we should create to add additional complexity and make passwords harder to crack; yet easy enough to remember. Seemingly illogical strings of words or phrases (such as song lyrics) with numbers and special characters mixed in will make the password much harder to crack. Length also adds complexity, so a minimum of 10-15 characters is recommended as it would make it harder for an attacker to crack.”
Jay Ryerse, VP of cybersecurity initiatives at ConnectWise, added: “Avoid overused practices like adding an exclamation point at the end, including phrases associated with family or pets, or using incremental numbers. Hackers use these well-known patterns to guess your password, and you’ll just make their jobs easier.”
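The guidance in the two quotes above (length, mixed character classes, no trailing exclamation mark, no family or pet names, no "same word, next number" changes) can be turned into a server-side check applied when a user sets a new password. The checker below is an added example written for this article, not code from Digital Guardian, ConnectWise or any other organization quoted here. The 12-character minimum is an assumed policy value inside the 10-15 range quoted above; the common-password set, the personal-word list and the previous-password history are constructed inputs standing in for a real breached-password feed and a real user directory.

```python
import re

MIN_LENGTH = 12   # assumed policy value, inside the 10-15 character minimum quoted above

# Constructed stand-in for a common/breached-password list; a real deployment would
# check candidates against a full compromised-credential feed, not this handful.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "summer"}

CHARACTER_CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def _stem(pw):
    """Lower-case and strip leading/trailing digits and punctuation, so that
    'Summer2020!' is compared against the list as 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def _without_trailing_digits(pw):
    return re.sub(r"\d+$", "", pw.lower())


def password_findings(pw, personal_words=(), previous_passwords=()):
    """Return the reasons a candidate password is weak; an empty list means it passed.
    personal_words: words tied to the user (username, pet or family names) supplied by
    the caller; previous_passwords: the user's earlier passwords, used to catch reuse
    and 'same word, next number' changes. Both inputs are hypothetical in this example."""
    findings = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if _stem(pw) in COMMON_PASSWORDS:
        findings.append("common word, possibly decorated with digits or punctuation")
    if pw.endswith("!"):
        findings.append("ends with an exclamation mark")
    for word in personal_words:
        if len(word) >= 3 and word.lower() in low:
            findings.append(f"contains personal word '{word}'")
    for old in previous_passwords:
        old_low = old.lower()
        if low == old_low:
            findings.append("reuses a previous password")
            break
        if _without_trailing_digits(low) == _without_trailing_digits(old_low):
            findings.append("previous password with only the trailing number changed")
            break
    if sum(bool(re.search(p, pw)) for p in CHARACTER_CLASSES) < 3:
        findings.append("uses fewer than three character classes")
    return findings


def is_acceptable(pw, **kwargs):
    """Convenience wrapper for the enrolment path: True only when no finding applies."""
    return not password_findings(pw, **kwargs)


if __name__ == "__main__":
    for candidate in ("Summer2020!", "Fluffy-Jumps-Lyric-42", "Ladder-Orbit-Violet-93"):
        print(candidate, "->", password_findings(candidate, personal_words=("Fluffy",)) or "ok")
```

Returning the full list of findings rather than a single pass/fail lets the enrolment page tell the user exactly which habit to drop, which is the practical feedback the quotes above are asking for. The stem comparison is what catches "Summer2020!": stripping the decoration leaves a dictionary word, so the extra characters add no real strength.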
However, raising awareness of the importance of these practices is one thing; practical application is another matter entirely. Poor password practice is not necessarily caused by ignorance or laziness, as it is often characterized: the reality is that people have so many online accounts nowadays that following this guidance to the letter would be an incredibly tedious and time-consuming process. “Employees and consumers alike are overwhelmed by the thought of remembering login details for 100-200 websites and making them difficult for bad actors to guess,” acknowledged Ryerse.
It is therefore critical that the drive to improve global password security also promotes practical solutions that let people and businesses follow good practice with minimal disruption to their day-to-day lives. Raising awareness of software that can help with this is vital. “Leveraging tools like password managers can also aid in developing extremely complex credentials that don’t require the end user to remember every single one. These tools can auto-populate password field boxes with your passwords in a secure manner,” said Bandos.
Moving to a New Model?
Another solution is for organizations to accelerate the adoption of techniques that reduce the need for passwords to protect data. One such approach currently gaining a lot of traction is multi-factor identification, whose effectiveness is increasingly recognized by cybersecurity experts. It provides a critical backstop should a password be compromised: for example, a code sent to the individual by text message that they must type in once the password has been successfully entered.
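The server-side half of the text-message backstop described above is small but has three properties that decide whether it actually holds when the password is already in an attacker's hands: the code must expire, it must be usable only once, and wrong guesses must be capped, since a six-digit code cannot survive unlimited online guessing. The class below is an added example written for this article, not code from any vendor quoted here. The five-minute lifetime and three-attempt cap are assumed values; `send` is a hypothetical callback standing in for the SMS gateway, and the clock is injectable so the expiry path can be exercised without waiting.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed lifetime of a code: five minutes
MAX_ATTEMPTS = 3         # assumed: a challenge is discarded after three wrong guesses


class SecondFactorChallenge:
    """Issues and checks the one-time code the article describes: generated after the
    password has been accepted, sent out of band, then typed in by the user.

    `send(username, code)` is a hypothetical callback standing in for the SMS gateway.
    `now` is injectable so that expiry can be tested without sleeping. Pending codes
    are stored only as an HMAC under a per-process key, so a leaked table of
    challenges does not hand out live codes."""

    def __init__(self, send, now=time.time):
        self._send = send
        self._now = now
        self._key = secrets.token_bytes(32)
        self._pending = {}   # username -> (code_tag, expires_at, attempts_left)

    def _tag(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def issue(self, username):
        """Generate a fresh six-digit code, record its tag and expiry, and send it.
        Issuing again replaces any earlier pending challenge for the user."""
        code = f"{secrets.randbelow(10 ** 6):06d}"   # uniform over 000000..999999
        self._pending[username] = (self._tag(code), self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self._send(username, code)

    def verify(self, username, submitted):
        """True exactly once for the right code within its lifetime; False for an
        unknown, expired, exhausted or wrong challenge. The attempt cap, not the
        secrecy of the stored tag, is what makes guessing a six-digit code impractical."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        tag, expires_at, attempts_left = entry
        if self._now() > expires_at:
            del self._pending[username]
            return False
        if hmac.compare_digest(self._tag(submitted), tag):
            del self._pending[username]       # single use
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            del self._pending[username]       # too many wrong guesses: user must request a new code
        else:
            self._pending[username] = (tag, expires_at, attempts_left)
        return False


if __name__ == "__main__":
    # Stand-in transport: print instead of sending a text message.
    sf = SecondFactorChallenge(send=lambda user, code: print(f"[sms to {user}] your code is {code}"))
    sf.issue("alice")
    print("wrong code accepted?", sf.verify("alice", "not-a-code"))
```

The constant-time comparison and the "forget the challenge on exhaustion" rule are the two details most often missing from home-grown versions of this flow. Verifying the code only after the password has been accepted matters too: if the second factor were checked on every login attempt, a wrong-password guess could burn a legitimate user's pending code.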
In addition, identity and access management (IAM) solutions are something businesses engaged in remote working should look at very closely now and in the future. Using such techniques can provide organizations with the means of controlling user access to critical information. Simon Wood, CEO at Ubisecure, advised: “While implementing IAM tools varies depending on the size and type of business, there are a few fundamental elements that organizations must consider when it comes to securing a remote business. For example, by implementing Single Sign-On (SSO) and other effective identity management features, including support for third party digital identities, businesses are able to enhance privacy and security, as well as boost user experience.”
Finally, a form of identification that is likely to gradually grow in use in people’s everyday lives is biometric scanning. This has, after all, already become a staple in many parts of people’s lives, be it facial recognition to unlock personal devices or biometric scans at airport security. Gus Tomlinson, general manager, identity fraud propositions, Europe at GBG said: “For maximum security and to definitively drop the reliance on passwords, biometrics should be combined with alternative data sources available from your daily activity, such as device, current location or previous behavior. When your face, location and purchasing history are all that’s needed to agree a transaction, taking a centuries-old village economy model and adapting it to the online world makes a lot of sense. What’s more, biometrics is both secure and convenient – for example, a fingerprint is always with you, therefore there’s no need to worry about remembering or finding it as you would with a complex, traditional password.” However, privacy concerns over the use of biometrics could slow its implementation in organizations.
Nevertheless, the traditional password is set to remain a vital component of data security around the world for the foreseeable future. While it is important for organizations to continue introducing techniques such as multi-factor identification and biometric scans into their systems, the eye should not be taken off the ball in regard to promoting good password practices, especially with this year’s World Password Day taking place amid the COVID-19 pandemic, whilst people are working remotely on an unprecedented scale. However, as well as reinforcing the need to have multiple, complex and regularly changed passwords, there should also be an increased focus on informing people of the ways they can do this throughout their multiple accounts with minimum difficulty and inconvenience.