May 5, 2022 marks the ninth anniversary of World Password Day.
World Password Day was created by Intel to raise awareness of the importance of strong passwords and so reduce cybersecurity risk. The day highlights the problem of using weak passwords or reusing passwords, both of which increase the likelihood of a data compromise.
According to SpyCloud’s 2022 Identity Exposure Report, there were 1.7 billion total exposed credentials and 13 billion total pieces of PII collected, a 200% increase from the 4.6B last year. In addition, 64% of people often repeat passwords across multiple accounts, and 70% of users tied to breaches last year and in years prior are still using an exposed password.
The bottom line is that poor password hygiene increases the risk of cyberattacks and data breaches; therefore, proper password hygiene is critical to protect both organizations and individuals from being exploited by adversaries.
In honor of World Password Day, security leaders have shared what this day means, the importance of strong passwords, and some best practices and tips on bolstering password defenses year round.
Lamont Orange, Chief Information Security Officer (CISO), Netskope:
Over the past year, organizations and individuals have almost completely adapted to operating within a flexible — and highly distributed — virtual environment. However, even though organizations are more well-adjusted to this digital lifestyle, the use of cloud tools and applications is still a major contributor to threats against an organization’s security infrastructure. Organizations’ security teams must remain vigilant. Ensuring that the correct individuals have visibility over network activity and can utilize remote access controls is critical. Organizations need to make certain that neither remote work nor the use of BYOD practices allows the exposure of sensitive company data. World Password Day serves as a great reminder that even though operations have been streamlined to accommodate the new world of work, user access/authentication and data protection are still very present security sensitivities that must be kept top of mind.
Chris Hallenbeck, CISO for the Americas, Tanium:
Passwords have been basic cyber hygiene 101 for decades. But the fact is, they are no longer a viable security method amid today’s rising attacks. Hackers launch an average of 50 million password attacks every day, or about 580 per second. And approximately 60% of data breaches are attributed to compromised credentials.
Big tech is already transitioning away from passwords — take Microsoft, Google and Apple, for example — and toward more high-tech solutions like biometric logins and facial recognition software. However, passwords are likely to remain for a little while longer. And with the average cost of a data breach estimated at $4.2 million, we must continue to embrace them to avoid becoming the target of the next big breach.
Proactively using strong password management and multi-factor authentication (MFA) remains best practice and has become commonplace for consumers, employees and organizations alike. MFA effectively protects against “credential stuffing,” where hackers reuse stolen passwords to launch attacks, and while a good first step, it simply isn’t enough to ensure security given today’s threat landscape. That said, this World Password Day, consider changing your passwords and revisit your cyber hygiene habits to protect your information.
Zane Bond, Director of Product Management, Keeper Security:
Password protections have come a long way since 1961, when MIT created the first computer password, yet credentials are a popular attack vector for bad actors to hack into organizations. The need for strong credentials continues to escalate along with new threats, but now, even the most frequently updated and strongest credentials can be stolen.
The evolving threat landscape, coupled with the proliferation of connected devices, data and apps spread across an increasingly complex, distributed network environment, is creating the need for sophisticated password protections and Identity Access Management (IAM) software and systems.
At a time when every aspect of work and life is becoming digital, it’s surprising how unsophisticated most systems still are. After 60+ years of using passwords to verify identity — and 35 years since two-factor authentication was first adopted — we have the technology to make passwords secure, and easy to manage, and to eliminate the hassle of remembering passwords. This year Password Day should be a call to take advantage of the tools to make passwords better and more secure for everyone.
Bud Broomhead, CEO, Viakoo:
For both individuals and organizations, password management done poorly can leave the doors open to threat actors — with devastating consequences including loss of reputation, data exfiltration, and distribution of malware. But to be clear, organizations face orders-of-magnitude more consequences from poorly executed password strategies, and must face a massively harder task because of the scale of passwords used in an organization.
The cost to an organization from being breached is, on average, $8.19M, versus $225 for an individual; an astounding 36,000 times more costly. And unlike an individual, organizations have hundreds or thousands more devices and systems that require an effective password policy. Every device runs a unique password that meets strength and reusability requirements. The corporate environment containing multiple forms of IoT devices has another challenge: many parts of the organization manage IoT devices, and sometimes even non-employees. Take the case of an external contractor installing new Point of Sale (POS) systems in a retailer; will they take the extra time to understand your company’s policies and set appropriate passwords, or will they install the system and leave the default vendor-provided passwords in place? Or other IoT devices like smart lighting systems that the Facilities team has installed and updated passwords on, but they use the same password on all of them (and leave it posted on sticky notes in the breakroom).
This World Password Day, Viakoo’s advice is to bring unmanaged and IoT devices into compliance; use automated methods to ensure all devices follow corporate password policy, which focuses on quickly fixing non-compliant devices.
Joseph Carson, Chief Security Scientist and Advisory CISO, Delinea:
World Password Day provides us with a time to stop and reflect on current password hygiene. Passwords remain one of the biggest cyber challenges for both consumers and businesses around the world, as a poor password choice can make it extremely easy for cybercriminals to steal and spy on your data. As humans, we continually gravitate towards creating passwords that are easy to remember and simplistic. Incorporating a birthday or special date within a password is a common denominator, one that cybercriminals are all too aware of.
Dangerously, we continue to leave it up to humans to create strong and secure passwords, despite the fact that most people have already been victims of borderline password disclosures from a person’s history of password choices. Having already had your previous password decisions and choices exposed means that an attacker can simply take that as the baseline and from there create variations of that. An effective password should include passphrases, and a sequence of random words for added security. Regular consumers should consider deploying and utilizing a password manager to enhance and regularly rotate their login credentials.
For organizations, a password manager should be a default implementation. If you are a business leader, then you must move beyond just having password managers and start using privileged access security to control and protect privileged access. Privileged access security will help automate, rotate and secure your passwords for you and your business, eliminating a significant amount of cyber fatigue. Taking it a step further, organizations should look beyond just their internal password hygiene and take a deeper dive look into their suppliers and contractors to ensure password protection. Are they using a password manager, do they have MFA deployed and how do they protect access to their privileged accounts? We’ve seen the catastrophic domino effect that one poor password choice can have within a supply chain.
Organizations can enhance their password posture by understanding that security starts with the social network around you. Why not encourage your employees’ families to use a password manager and reward them? They see that you’re not just taking care of the company but that you’re actually extending security to the social sphere, so that their family and kids can even extend to using password managers and reduce the threats, because attackers can and will target them first as stepping stones to get into your organization. So it makes you think, why not extend your perimeter to the social sphere around the organization. Your supplier, your contractor, partners, your customers and everybody.
Ashish Gupta, CEO and President, Bugcrowd:
World Password Day is an opportunity to take a step back and examine what the future holds for secure logins. To date, over 600 million passwords have been exposed through data breaches. Needless to say, standalone password protection is an insufficient and ineffective method of protecting organizations and sensitive information. Weak, insufficient, and stolen credentials are common causes for breaches and hacks that often result in millions of dollars in damages and data loss. It’s more important than ever before for companies to rely on two-factor authentication that also incorporates additional login tokens or one-time codes to fully obtain access. This adds another layer of security to help address the password problem but still hasn’t solved it entirely, as hackers can still gain access through authentication code interception techniques and SIM swapping.
While two-factor is a step up from traditional password safety, modern-day problems require modern solutions, and passwordless authentication may hold the future key to more effectively securing credentials. Passwordless authentication is an intriguing and hopefully superior option in the near future, but it’s not a standalone panacea for security concerns. Coupling in additional measures such as zero trust, crowdsourced cybersecurity and proactive threat detection will keep enterprises secure and information safely protected in the future.
Mike Parkin, Senior Technical Engineer, Vulcan Cyber:
Passwords are one of those things that haven’t been up to the job for years, but no one’s presented a solution that works better and that people are willing to accept. As computing power’s gone up, the requirements for a password to be considered “secure” have gotten longer and more complex to the point where users are tired of dealing with them. Passphrases are easier to remember, but who wants to type a full sentence every time they log in? Given length and complexity requirements, it’s no wonder we still see passwords written on sticky notes around screens and under keyboards.
Multi-factor authentication schemes can go a long way to fixing the problem. Even if an attacker has an ID and password, they can’t get in without that physical or biometric factor. Unfortunately, a lot of users find them inconvenient or too technically challenging to use for everything that needs it. Hopefully, World Password Day will give people enough of a nudge for them to adopt both good password hygiene and multi-factor authentication for day-to-day use.
Hank Schless, Senior Manager, Security Solutions, Lookout:
Last year, there were 1,862 data breaches, according to the Identity Theft Resource Center’s 2021 Annual Data Breach Report. That is an all-time high and a 68% increase over breaches in 2020. According to Lookout, 80% of people’s emails are leaked on the dark web as a result of data breaches.
When data breaches happen, passwords for online accounts are also commonly leaked, leaving consumers at risk for identity theft. In order to keep your information safe, Lookout has shared the top 20 passwords found on the dark web.
Top 20 Passwords Found On Dark Web:
- 123456
- 123456789
- qwerty
- password
- 12345
- 12345678
- 111111
- 1234567
- 123123
- qwerty123
- 1q2w3e
- 1234567890
- DEFAULT
- 000000
- abc123
- 654321
- 123321
- qwertyuiop
- Iloveyou
- 666666
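The list above is data a defender can act on directly. The following Python is an added example, not code from Lookout or from the original article: it rejects a candidate password that matches, or begins with, one of the 20 exposed values, and, in the spirit of the password-manager advice given elsewhere on the page, generates a random replacement password and a random passphrase from the operating system's CSPRNG. The 12-character minimum, the short word list and the sample passwords in the demo are assumptions constructed for this example.

```python
import secrets
import string
from typing import List

# The 20 passwords Lookout reports as most commonly found on the dark web,
# taken from the list on this page.
TOP_DARK_WEB_PASSWORDS = [
    "123456", "123456789", "qwerty", "password", "12345", "12345678",
    "111111", "1234567", "123123", "qwerty123", "1q2w3e", "1234567890",
    "DEFAULT", "000000", "abc123", "654321", "123321", "qwertyuiop",
    "Iloveyou", "666666",
]

# Lower-cased lookup set so that "Password" and "PASSWORD" count as the same
# exposed value as "password".
_EXPOSED = {p.lower() for p in TOP_DARK_WEB_PASSWORDS}

# Assumed minimum length for this example; use whatever your own policy requires.
MIN_LENGTH = 12

# Constructed word list for passphrase generation. A real deployment would load
# a list of several thousand words (a diceware list, for instance); 16 words is
# far too little entropy and is here only to keep the example self-contained.
WORDLIST = [
    "anchor", "basalt", "cinder", "dahlia", "ember", "fjord", "gable", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "meadow", "nectar", "orchid", "pebble",
]


def check_password(candidate: str) -> List[str]:
    """Return the reasons a candidate should be rejected (empty list = acceptable)."""
    lowered = candidate.lower()
    problems = []
    if lowered in _EXPOSED:
        problems.append("exposed: appears in the Lookout top-20 dark-web list")
    # "password1" or "qwerty2022" are an exposed value plus a short suffix; treat
    # them as exposed too, since such variations are as widely known as the base.
    elif any(lowered.startswith(p) for p in _EXPOSED):
        problems.append("exposed: begins with a password from the dark-web list")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too short: fewer than {MIN_LENGTH} characters")
    if candidate.isdigit():
        problems.append("digits only: trivially brute-forced")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a random password from the OS CSPRNG, as a password manager would."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):  # rejects the astronomically rare bad draw
            return candidate


def generate_passphrase(words: int = 5, separator: str = "-") -> str:
    """Generate a random passphrase: a sequence of random words, easier to type than symbols."""
    return separator.join(secrets.choice(WORDLIST) for _ in range(words))


if __name__ == "__main__":
    # Constructed sample candidates: two from the list, one digit-only, one acceptable.
    for pw in ("123456", "Password2022", "1234567890123", "Mauve-Saddle-Planet-91"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
    print("random password:  ", generate_password())
    print("random passphrase:", generate_passphrase())
```

The prefix check is what makes the list useful beyond exact matches: rejecting "password" alone leaves "Password2022" acceptable, which defeats the purpose. Both generators use the `secrets` module rather than `random`, because the latter is not a cryptographic generator.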
Lucia Milică, Global Resident CISO, Proofpoint:
Passwords are one of the first critical barriers between a person, a threat actor and a successful cyberattack. One of the most common mistakes that people make is reusing the same ID/email address and password across multiple sites and devices. Password reuse is exacerbated by the increasing volume and success rates threat actors are reaping with advanced credential phishing campaigns that use fake websites resembling the login page of a legitimate online service to steal usernames and passwords.
We recommend consumers use different passwords, especially on critical financial and data-driven accounts. If available, be sure to turn on multi-factor authentication (MFA) for as many accounts as possible. If MFA is not an option for the account, use a password manager. A password manager creates randomized passwords that are safely stored, encrypted, and accessible across all personal devices and reduces the burden of trying to remember complicated login credentials across multiple websites. If you use a passphrase as part of your password, make sure you never use common words or phrases, names or dates associated with you or direct family members. It’s also best to change all passwords twice a year and change business passwords every three months.
Since 95% of cybersecurity issues can be traced to human error, it remains important for businesses to implement a people-centric approach to security. Ensure that your remote and in-office employees receive training and education on basic cybersecurity best practices, including identifying a credential phishing attempt and how to securely manage passwords.
Neil Jones, Director of Cybersecurity Evangelism, Egnyte:
It’s hard to believe it’s been a year since the Colonial Pipeline ransomware attack. The good news is that cybersecurity requirements for infrastructure providers like Colonial have become more formalized since the cyber-attack occurred, and there’s broader corporate awareness of ransomware’s impact.
However, recent geopolitical events in Europe and global supply chain pressures remind us that service disruptions from ransomware are just as likely now as they were a year ago. And, organizations even have to manage data infiltration allegations via social media that may or may not have even occurred.
There are several proven approaches that organizations can follow to help prevent ransomware:
- Develop a comprehensive incident response plan.
- Utilize a solution with ransomware detection and recovery.
- Educate executive management about ransomware’s impact.
- Perform cybersecurity awareness training, including implementing effective data protection policies like strong password protection and multi-factor authentication. It’s also critical that they understand any company can be a potential victim, regardless of size or location.
Without adequate preparation, disruptions are likely to become more severe. For years, we’ve realized how vulnerable global organizations are to potential attacks, but many of our concerns were dismissed as fear, uncertainty and doubt (FUD). Colonial was an important inflection point for public and private sector infrastructure security, but organizations need to remain vigilant to stay a step ahead of cyberattackers.