World Password Day: Experts Share Best Practices For Avoiding Password Pain

Love them or hate them, passwords play an essential role in keeping personal details private. Passwords have never been more critical as credential thefts are on the rise.

In fact, a 2022 report found that compromised credentials cause 54% of security incidents for organisations, so whether it be for business or pleasure, passwords can help to keep digital environments secure. 

This is where World Password Day comes into play. Spearheaded by Intel in 2013, World Password Day reminds us of the importance that one passphrase can have.

With the backdrop of this important day, we’ve spoken to several cybersecurity experts about their thoughts on how to improve digital security continually. 

The double-edged sword of password-securing technology 

With so many passwords, it can be frustrating for most people to remember countless variations of the same credential, especially when some services will force password resets after one too many misremembered mistakes.

This is when individuals and organisations alike often turn to password managers to help store their details in one convenient system. However, as Tyler Farrar, CISO at Exabeam, suggests, “password managers are secure enough but unfortunately are still susceptible to breaches”.

Farrar notes that “password managers mean you’re putting all of your eggs — or in this case sensitive passwords — in one basket. You better make sure that basket is secure. Users should have a long and complicated master password that is handwritten on a piece of paper and locked away in a protected location such as a drawer, closet, or safe."

"Although this might be a retro way to approach it if it’s not connected to the internet, online criminals can’t access it. Individuals should also make sure to take steps to protect personal hardware. Adversaries can install a keylogger, a program that records every keystroke made by a computer user, without detection," Ferrar added. 

"When a keylogger is installed, an attacker can see every keystroke, and if a user is entering a customer’s master password, the attacker then has the keys to the kingdom, so to speak”. By “taking small steps like installing antivirus software”, “can help avoid this scenario." 

Christopher Rogers, Technology Evangelist at Zerto, a Hewlett-Packard Enterprise company, also recognises why it’s so easy to get into the habit of reusing the same password.

He observes that “while employees are usually discouraged from reusing the same passwords across multiple apps and websites, many organisations have become complacent in enforcing such rules, particularly since the explosion of remote working caused by the pandemic”. 

Yet, bad actors are taking advantage of this; “Credential reuse or ‘stuffing’ is when cybercriminals gain access to a set of valid credentials (usually via a data breach) and then use bots to try those same credentials across hundreds of other online accounts. If the credentials have been re-used anywhere, the credential stuffing will expose this, giving those same criminals legitimate access to other accounts as well”. This is why some organisations will opt for extra verification measures.

MFA: Putting the multi in multi-layered security

Whilst the importance of a complex, secure password cannot be overstated, adding additional layers of security should also be encouraged. Andy Bates, Practice Director for Security at Node4, recommends the use of “Multi-factor authentication (MFA), for example”, which “acts as a second layer of authentication”. 

This technology means that “even after the username and password have been entered correctly, the system will require additional verification, Bates said.

"This acts as a safety net, so even if an unauthorised individual obtains valid credentials, they still cannot gain access to your systems. A quick text to the employees’ phones or a message to their personal email to ensure that it is a legitimate request will help filter out any attacker who slipped through the first line of defence”.

Overall, “39% of people have had their password compromised in the last five years, showing that” individuals  “must be more consistent with password security”. Bates summarises, advising to “use World Password Day as a reminder to change your passwords, utilise MFA and protect your personal information - but I believe this should be the last one of its kind – Multi-Factor Authentication Day is the way forward!”.

It takes a village

Whilst there is an emphasis on businesses to keep their systems secure, there also needs to be increased employee awareness if these efforts are to be successful.

As Terry Storrar, Managing Director, Leaseweb UK, notes, when “away from the office, employees are now far more likely to practise poor cyber hygiene”.

This could include “connecting to unsafe networks, transferring work data to personnel devices, or sharing unencrypted files, and threat actors are relentlessly taking advantage of these vulnerabilities”. 

However, as concerning as these practices are, they are often relatively simple to fix. Storrar says that “the simplest way we can do this is by developing good daily routines that work to manage the most common cybersecurity risks facing our organisations.

Examples of this include keeping software up to date, backing up data, and maintaining good password practices. At the end of the day, lack of education and human error are two of the largest contributors to data breaches”.

Businesses need to start implementing more safeguarding protocols and make cybersecurity training not just accessible for all employees, but a basic part of onboarding”.

Tom Ammirati, CRO at PlainID, also shares this sentiment; “Most of us know the basics of good password hygiene - but regularly we choose to bypass the rules”. However, due to this reluctance, “the net result is that as many as 82% of hacking-related breaches leverage weak, stolen, or otherwise compromised credentials, according to the 2022 Verizon DBIR Report. And passwords, all too often, are the origin point of a successful attack”

“For this very reason that identity-focused cyber security solutions are becoming even more prevalent. Security risk vectors are dynamic and fluid, and as a result, data breaches continue to challenge even the most resilient of enterprise architectures”. 

To keep pace with the demands of digital work and life, “organisations are implementing next-level technologies, processes, and policies to ensure that trusted identities have authorised access to digital assets. The goal is to allow the ‘right’ users to have access to the ‘right’ resources - and ensure the wrong ones don't. If we can do that, then potentially we can prevent many of these breaches”.

A passwordless future?

Whilst the majority do view passwords as an adequate level of protection, there are also shortcomings to address. Jasson Casey, CTO at Beyond Identity, admits that “passwords can be guessed or obtained through social engineering tactics or easily stolen while they are unencrypted.

"The fact is, there is no such thing as a “strong” password. This is only important if the adversary has to unencrypt passwords. However, malware is more than happy to steal a 4 or 4,000-character password in the clear, regardless of whether it contains numbers and special characters," he said.

Instead, the CTO says organisations “can switch to a modern, secure, phishing-resistant MFA that leverages the combination of biometrics and Passkeys based on the Fast Identity Online (FIDO) standards."

"Each year, we 'celebrate' World Password Day, and then cybercriminals continue to exploit password-based authentication. Only by adopting passwordless, phishing-resistant MFA technologies can organisations make it much more difficult for adversaries”. 

 “Ask yourself this: Why would you not start the journey to a passwordless future and shut the proverbial front door adversaries use in the vast majority of attacks? So think of today as 'World Password-less Day' and begin removing the single largest vulnerability facing your organisation”.