World Password Day is celebrated every year on the first Thursday of May.

Another World Password Day has come and gone, reminding us of the importance of strong and secure passwords. Many individuals and organizations have grown complacent about maintaining good password hygiene. However, cyber threats are as dangerous as ever, and breaches and hacks are happening more and more frequently.

Read below for important insights from security experts on World Password Day and how businesses and their employees can keep themselves safe.

Tom Ammirati, CRO, PlainID

“Incidents of compromised passwords are so common these days they barely cause a stir. However, this seeming lack of attention doesn’t make the potential consequences any less serious. This is why initiatives like World Password Day are important. Data is the currency of the digital world, and bad actors will go to significant lengths to get hold of it. Most of us know the basics of good password hygiene — but regularly we choose to bypass the rules. The net result is that as many as 82% of hacking-related breaches leverage weak, stolen, or otherwise compromised credentials, according to the 2022 Verizon DBIR Report. And passwords, all too often, are the origin point of a successful attack.

It’s for this very reason that identity-focused cyber security solutions are becoming even more prevalent. Security risk vectors are dynamic and fluid, and as a result, data breaches continue to challenge even the most resilient of enterprise architectures. To keep pace with the demands of digital work and life, organizations are implementing next-level technologies, processes, and policies to ensure that trusted identities have authorized access to digital assets. The goal is to allow the ‘right’ users to have access to the ‘right’ resources — and ensure the wrong ones don’t. If we can do that, then potentially we can prevent many of these breaches.”

Tyler Farrar, CISO, Exabeam

“Password managers are secure enough but unfortunately are still susceptible to breaches. However, it is important to understand what an attacker can actually obtain from the password vendors themselves. In most cases, an adversary should not be able to obtain a list of master passwords from the password manager’s customer list because 1) it is heavily encrypted and 2) the password manager vendors do not store customers’ master passwords. If a breach does occur, those master passwords are rarely able to be obtained. Other customer information such as email addresses or phone numbers might be able to be extracted, but not the master password.

“Password managers mean you’re putting all of your eggs — or in this case sensitive passwords — in one basket. You better make sure that basket is secure. Users should have a long and complicated master password that is handwritten on a piece of paper and locked away in a protected location such as a drawer, closet, or safe.

“Individuals should also make sure to take steps to protect personal hardware. Adversaries can install a keylogger, a program that records every keystroke made by a computer user, without detection. When a keylogger is installed, an attacker can see every keystroke and if a user is entering a customer’s master password the attacker then has the keys to the kingdom, so to speak. Taking small steps like installing antivirus software can help avoid this scenario.

“Also — don’t forget your master password! If a password manager is maintaining industry standards, it should not have the ability to view or recover your master password. This reinforces the importance of having a written copy of the master password in a secure location.”

Christopher Rogers, technology evangelist at Zerto, a Hewlett Packard Enterprise company

“While employees are usually discouraged from re-using the same passwords across multiple apps and websites, many organizations have become complacent in enforcing such rules, particularly since the explosion of remote working caused by the pandemic. Taking advantage of this, credential reuse or ‘stuffing’ is when cybercriminals gain access to a set of valid credentials (usually via a data breach) and then use bots to try those same credentials across hundreds of other online accounts. If the credentials have been re-used anywhere, credential stuffing will expose this, giving those same criminals legitimate access to other accounts as well.”
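One way a defender can spot the pattern Rogers describes, one source replaying leaked credentials across many accounts, is the small detector below. It is an added example, not code from the original article or any of the quoted companies; the log format, the thresholds and the TEST-NET-3 addresses are assumptions made for the constructed sample.

```python
"""Detect credential-stuffing patterns in auth logs (added example, constructed data).
Stuffing replays leaked username/password pairs against MANY accounts from one source,
mostly failing, occasionally succeeding; a user mistyping fails on ONE account."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["res"] == "OK"}

def find_stuffing_sources(lines, bucket=timedelta(minutes=10), min_users=5, min_fail_ratio=0.7):
    """Return {src: (distinct_users, attempts, successes)} for every source IP that,
    within one time bucket, tried >= min_users distinct accounts and failed at least
    min_fail_ratio of them. Successes are the hits on reused passwords to act on."""
    groups = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        slot = int(e["ts"].timestamp() // bucket.total_seconds())  # fixed time bucket
        groups[(e["src"], slot)].append(e)
    flagged = {}
    for (src, _), evs in groups.items():
        users = {e["user"] for e in evs}
        fails = sum(1 for e in evs if not e["ok"])
        if len(users) >= min_users and fails / len(evs) >= min_fail_ratio:
            flagged[src] = (len(users), len(evs), len(evs) - fails)
    return flagged

# Constructed sample (TEST-NET-3 addresses): 203.0.113.9 sprays leaked credentials
# across five accounts and one reused password works; 203.0.113.20 is a user mistyping.
SAMPLE_LOG = [
    "2024-05-02T09:00:01Z src=203.0.113.9 user=alice result=FAIL",
    "2024-05-02T09:00:02Z src=203.0.113.9 user=bob result=FAIL",
    "2024-05-02T09:00:03Z src=203.0.113.9 user=carol result=OK",
    "2024-05-02T09:00:04Z src=203.0.113.9 user=dave result=FAIL",
    "2024-05-02T09:00:06Z src=203.0.113.9 user=frank result=FAIL",
    "2024-05-02T09:01:00Z src=203.0.113.20 user=grace result=FAIL",
    "2024-05-02T09:01:20Z src=203.0.113.20 user=grace result=OK",
    "malformed line that the parser skips",
]

if __name__ == "__main__":
    for src, (users, attempts, hits) in find_stuffing_sources(SAMPLE_LOG).items():
        print(f"{src}: {users} accounts, {attempts} attempts, {hits} succeeded -> investigate")
```

The flagged source's successful logins are the accounts whose owners reused a breached password; those are the ones to reset and whose sessions to revoke first.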
