Hints and tips for World Password Day
In case you hadn't already noticed, today is World Password Day, a day to promote better password management and safer password choices.
With billions of sets of stolen credentials circulating on the dark web, the industry naturally has plenty of advice and opinions on offer, so here's a look at some of what experts are saying about passwords, the vulnerabilities they represent and how they might be replaced.
Benoit Grangé, chief technology evangelist at OneSpan says:
Passwords are a problem. Passwords are inconvenient and riskier than other authentication options available today because they can be guessed, stolen, or cracked. While we won't see passwords go completely away anytime soon, a passwordless approach could be the answer to many user friction and security challenges. A recent VISA survey found consumers are ready to leave the password behind. Seventy percent of consumers believe that biometrics are always more comfortable as they do not involve memorizing passwords.
With a plethora of other data pointing to a continuing upward trend in biometric usage, new risk-based multifactor authentication with fingerprint, face, or iris recognition could be the solution that will finally free us from the burden of endless passwords, opening the doors to a brighter, passwordless future.
This is echoed by Steve Maloney, executive vice president of trusted identity platform Acuant. "2021 has already been filled with a myriad of password leaks and breaches and these trends point to the need for businesses to utilize trusted, privacy-minded technology. Solutions like verifiable credentials and digital IDs can help, as can the use of cryptography and PKI (public key infrastructure) when appropriate. Securing access credentials through identity verification is critical to consumer safety, and with the technology available today there does not have to be compromise on security versus a good user experience."
David Sygula, senior cybersecurity analyst at CybelAngel, offers advice to follow if your passwords have been part of a breach. "If you have been part of a breach, reset all your passwords, ensure two-factor authentication is in place and be cautious of unusual activity associated with your accounts. Use one password for one account, and think of using passphrases, which are easier to remember than complicated chains of characters. 'I am 42 years old.' is for example both a strong and easy password to remember. You can also use a password manager to store your passwords safely in one vault; besides, it helps make signing into accounts stress-free."
Further password creation advice comes from Ed Williams, director of Trustwave Spiderlabs for EMEA at Trustwave:
Despite passwords being so simple, there's still a lot of education to be done. For example, did you know that a password made up of eight characters takes an average of one day to crack, whereas one with 10 characters would take an average of 591 days? That’s just two more taps of the keyboard and you’ve enhanced your security by 591 percent. As humans, we struggle with randomness and all too often use guessable patterns when creating passwords, be it a base word, a year appended to the end, or character substitution, e.g. '[email protected]'.
Passwords may not seem like much compared with other impressive security solutions or tools but a well thought out password really could make the difference between your data, and that of your organisation, being vulnerable or secure. Why not use today as a reminder to check your password security and make the life of a hacker more difficult.
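A small checker for the guessable patterns Williams lists (a dictionary base word, a year appended to the end, character substitution), as an added example that is not part of the article or of Trustwave's own tooling. The wordlist, the substitution table, the year range and the sample passwords are all constructed here for illustration; a real deployment would swap in a breach-derived wordlist. The search-space helper at the end shows how exhaustive-search effort scales with length for a given alphabet.

```python
"""Heuristics for guessable password patterns: dictionary base word,
appended year, character substitution. Added example; the wordlist,
substitution table and sample passwords below are constructed and are
not from the article or any quoted vendor.
"""
import re
import string

# Constructed stand-in for a real dictionary or breach-derived wordlist.
COMMON_BASE_WORDS = {
    "password", "summer", "welcome", "letmein", "dragon", "monkey", "qwerty",
}

# Common substitutions mapped back to the letter they usually replace.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# Four-digit years people actually append (assumed range 1950-2049).
YEAR_SUFFIX = re.compile(r"(19[5-9]\d|20[0-4]\d)$")


def normalize(text: str) -> str:
    """Undo leet substitutions and lowercase: 'P@ssw0rd' -> 'password'."""
    return text.translate(LEET_MAP).lower()


def find_patterns(password: str) -> list[str]:
    """Return the guessable patterns found, outermost suffix first.

    Peels trailing symbols, then a year, then trailing digits, and finally
    checks whether what remains is a dictionary word, with or without
    character substitution. An empty list means none of these heuristics
    fired; it is a hint, not a proof that the password is strong.
    """
    findings: list[str] = []
    stem = password

    trimmed = stem.rstrip(string.punctuation)
    if trimmed != stem:
        findings.append(f"trailing symbols '{stem[len(trimmed):]}'")
        stem = trimmed

    match = YEAR_SUFFIX.search(stem)
    if match:
        findings.append(f"year suffix '{match.group(1)}'")
        stem = stem[: match.start()]

    trimmed = stem.rstrip(string.digits)
    if trimmed != stem:
        findings.append(f"trailing digits '{stem[len(trimmed):]}'")
        stem = trimmed

    base = normalize(stem)
    if base in COMMON_BASE_WORDS:
        if base != stem.lower():
            findings.append(f"dictionary word '{base}' with character substitution")
        else:
            findings.append(f"dictionary base word '{base}'")
    return findings


def search_space(length: int, alphabet_size: int) -> int:
    """Candidates an exhaustive search must cover for a given length and alphabet."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed sample passwords: two patterned, one random-looking.
    for pw in ["P@ssw0rd", "Summer2021!", "xK9#mQ2vL$pz"]:
        print(f"{pw!r}: {find_patterns(pw) or 'no pattern detected'}")
    # Each extra character multiplies the search space by the alphabet size,
    # so two more printable-ASCII characters multiply it by 95 squared.
    print(search_space(10, 95) // search_space(8, 95))
```

Run against a candidate before accepting it at enrolment, or over a dump of normalized base words to see which patterns dominate in your own user population. The peeling order matters: symbols are stripped before the year so that `Summer2021!` still yields the year and the base word.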
Russell P Reeder, CEO of cloud-based data protection company Infrascale, cautions against sharing passwords. "Believe it or not, one of the more common reasons passwords are compromised is because people share their credentials. Quite simply -- never, ever share your password(s)! Also, be mindful of phishing -- this is where you receive an email or text message asking for you to confirm your details or take some other action where you need to enter your personal credentials. These types of acts are becoming increasingly sophisticated and can look very legitimate, like an email from your bank. As a good rule of thumb, unless you make a request, don't ever enter your credentials. Or, if you have any doubts, contact the organization requesting the information directly."
Advice for businesses comes from Tim Sadler, CEO and co-founder of email security company Tessian. "To prevent account takeover and business email compromise, CISOs and their teams should help educate employees about their social media footprint, cybersecurity best practices and how to spot impersonation attacks. They should also reinforce the need for strong passwords that don’t include names or names of pets, birth dates, location, or other information that’s easy to find online. Even better, use a password manager like 1Password to randomly generate impossible-to-hack passwords. And while it can be tempting to reuse passwords that are easy to remember, never reuse or duplicate any passwords for personal or professional accounts. A bad actor could guess just one password and gain access to multiple accounts."