NEWS Story of the Month

Better Be Safe, than Sorry!

We have dedicated days to profess our love to those who matter in our lives, like Grandparents Day, Mother’s Day and Brother’s Day. Then we have days like Women’s Day and Labour Day. Next, we have days to mark the significance of particular things in life, like AIDS Day and Health Day. Similarly, in the world of technology there are days that raise awareness of particular aspects of it so that we can enjoy its benefits, such as World Telecommunication and Information Society Day (WTISD) and World Password Day. World Password Day is celebrated on the first Thursday of May, which falls on the 4th of May this year.

Just as the means of keeping our houses safe have evolved with time, digital protection has become absolutely vital to our day-to-day existence too. We are often advised to change our passwords for netbanking, email accounts and even social media profiles at regular intervals. We are also advised to keep them as unique as possible so that it is difficult for hackers to break them. This is all because our data is not just unique but precious and valuable.

World Password Day exists to promote and celebrate the concept of strong passwords. At the same time, we are seeing the arrival of two-factor, or dual, authentication: a regular password followed by another means of authentication, such as an OTP sent to your phone or email to confirm it is actually you. One might feel that dual authentication diminishes the need for a strong password, but the first step of this authentication process still involves a regular password, which should be strong and complex.

On this World Password Day, the industry’s top names shared their views with the Associate Editor of Channel360MEA on the significance of strong passwords and how this day reminds people to create robust passwords and find secure means to store them. Below are their points of view.

“The history of passwords dates back to the Roman empire. Initially, they were called passcodes, carved into wood, and soldiers passed them around via the active guard to validate soldier and guard movement. They were a shared resource and multiple people could be aware of the current “secret”. Today, the most common storage medium for a password is the human brain. We assign a password to a system or application, recall it when it needs to be used, and remember it each time we change it. Our brains are full of passwords and, often, we forget them, need to share them, and are forced to document them using unsecure methods like paper or spreadsheets. These insecure methods for sharing passwords have caused the press to report front page news articles on data breaches and compelled organizations to educate employees on the insecure methods for password storage and sharing.  A better method to document passwords is needed that is highly secure, documents distributed access, and promotes sharing and collaboration with minimal risk—no matter where the access occurs.

In reality, people should not be expected to remember every password they need, nor is it safe to reuse passwords across multiple services and applications. This has spawned an entire market for personal password managers, privileged access management for businesses, and password-less technology like Microsoft Hello and Apple TouchID.

Since Covid, we truly have a work from anywhere world, and the cloud is ideal for situations when passwords need to be available outside of the organization, across multiple geographical locations, and when on-premise technology is incapable or cost-prohibitive for meeting business objectives and minimizing risk.

On Password Management Day, consider the risks of remembering, sharing, documenting, and reusing passwords. Security best practices today have better methods, including password services in the cloud, to minimize the need to remember passwords.” Morey Haber, Chief Security Officer, BeyondTrust


“World Password Day, observed every year on the first Thursday in May, serves as a timely reminder to users about the importance of strong and secure passwords. Despite being one of the main barriers against cybercriminals, there are still bad practices when it comes to managing and creating passwords. The use of insecure passwords, such as “123456,” remains prevalent, and technological advances have rendered once-secure passwords vulnerable to brute-force cyberattacks.


To achieve a secure and strong password, it should be at least 14-16 characters long, consisting of different letters, upper and lower case letters, symbols, and numbers. Using personal details, such as dates of anniversaries or birthdays, or the names of family members, should be avoided, as they can be easily guessed. Unique and unrepeatable passwords should be created for each service accessed, and password managers should be used to store them securely.

Two-factor authentication (2FA) provides an additional layer of security and is a recommended practice to prevent unauthorized access. Periodically updating passwords, checking for breaches, and changing them every few months are also essential steps in maintaining password security.

Every day, cybercriminals create new attacks aimed at stealing user passwords. Techniques such as phishing have managed to breach thousands of services by stealing credentials, especially here in the UAE, where on average, organisations are attacked 1345 times per week in the last 6 months compared to 1207 attacks per organization globally. This risk can be easily remedied by establishing secure passwords, making it much more difficult for cybercriminals to guess these combinations, ensuring the highest level of security for our devices.”
Ram Narayanan, Country Manager, Check Point Software Technologies, Middle East


“World Password Day serves as a reminder to reflect and think about your password health. If you’re anything like me, you are not a fan of passwords – having to frequently change them and choose the next great password that is better, longer and more unique than the previous one.

This World Password Day, let’s take a moment and think about how we can remove passwords from our lives and into the background, while making our digital lives safer. A great place to start is by using a Password Manager.

A Password Manager will let you know when your password needs to be changed, when it’s weak, or when it’s reused. Even better, when used in conjunction with multi-factor authentication (MFA), it takes away the tedious task of choosing – and remembering – your next great password.

Let’s use this World Password Day to move passwords out of our lives, into the background, and make our digital world a safer place.” Joseph Carson, Chief Security Scientist, Delinea


“World Password Day is a day to reflect on just how vulnerable a poor password can leave us. As more and more of the processes and tools we use in our everyday lives, the number of passwords we need to create and remember also increases. Creating passwords for each and every online account we open can be exhausting, but the consequences of opting for passwords that are easy to guess or are reused across many accounts can be dire. As data breaches and mass-scale thefts of personal data increase in frequency, it is vital now more than ever to be password savvy to help prevent your personal details from being compromised. World Password Day reminds us to take a moment to review our defences and take corrective measures to ensure our safety for us.”
Demes Strouthos, General Manager, ESET – Middle East   


“Passwords are a critical component of our digital life, and are needed for preventing unwanted access to, and potential security breaches of, our personal and sensitive information. World Password Day is a useful reminder for people and organizations to take password security seriously and to embrace good password practices, like using strong passwords that are both unique and accessible, not using the same password for multiple accounts, and changing passwords every 3 months.

One of the tactics that users should adopt to maintain good cyber hygiene, besides strong passwords, is using multi-factor authentication (MFA) to secure their online accounts. MFA adds an extra layer of protection by requiring additional credentials such as a one-time passcode that hackers cannot obtain even if they have the username and password. Fortinet’s identity and access management (IAM) solution offers MFA capabilities that make it harder for cybercriminals to compromise personal information.

Passwordless authentication is also a promising solution to overcome the limitations and risks of passwords and to provide a better user experience and a stronger security posture for organisations. For example, the global FIDO Alliance is helping to reduce the world’s reliance on passwords by providing open and free authentication standards using UAF, U2F and FIDO2. However, passwordless authentication is not yet widely adopted and supported, and it may have its own challenges and drawbacks.

As the WFA (work from anywhere) trend increases, and with cybercriminals ramping up attacks against these users, it’s important to regularly perform a security posture check across all accounts—updating weak and outdated passwords as needed.” Kalle Björn, Sr. Director, Systems Engineering – Middle East, Fortinet


“Despite passwordless authentication being a recent trend, passwords will definitely continue to serve as the simplest and most effective means to secure identities in 2023. They are easy to use, can be changed if needed, and do not demand additional software or hardware to function.

As crucial as they are for identity security, passwords can also be vulnerable to various attacks. Weak and easy-to-remember user passwords are usually the main cause behind these attacks. Additionally, seldom changing passwords and using the same login credentials for multiple online platforms and personas creates a higher risk of falling victim to password attacks.

The only way in which organizations can withstand password attacks is by adhering to the password best practices recommended by regulatory standards. Employing longer passwords, as suggested by NIST, works wonders in defending against sophisticated password attacks. Including all character types and symbols, and avoiding dictionary words, common patterns, and usernames in passwords enhances their complexity and security. Compliance regulations like the GDPR, HIPAA, and the PCI DSS also recommend that companies use multi-factor authentication (MFA) methods to bolster identity security.” Manikandan Thangaraj, Vice President, ManageEngine


“In the past, OT systems were isolated from the Internet and other external networks, making them less vulnerable to unauthorized malicious access. However, with the increasing use of conventional network protocols, and operating systems, OT systems are now more exposed to cyberattacks than ever before. One of the most common ways that cybercriminals get access to OT systems is through default, weak or compromised passwords.

To mitigate this risk, organizations must implement a strong password management process. This includes using strong, complex passwords that are difficult to guess or brute force and changing them regularly. Passwords should also be unique for each system or application and should never be shared or reused. Additionally, organizations should consider implementing multi-factor authentication, which requires users to provide additional verification beyond just a password, such as a fingerprint or security token. But these practices should of course consider strict requirements for the continuity of OT operations. Most of the relevant OT cybersecurity standards and national regulations have requirements for a strong password management process. By implementing the password management process, organizations can significantly reduce the risk of cyberattacks and protect their OT systems from unauthorized access. It is important for organizations to prioritize password security as part of their overall OT cybersecurity strategy, especially in the rapidly evolving IT and OT convergence.” Anton Shipulin, Industrial Cybersecurity Evangelist, Nozomi Networks


“Weak passwords are a component of one of the most common attack vectors a penetration tester can leverage to breach an organization. For organizations of any size or sector, strong and secure passwords are a critical line of defense against malicious attackers and evolving TTPs. However, the complexity of ensuring passwords are impenetrable can often lead to a false sense of security while countless vulnerabilities are left unchecked.

Three simple steps to quickly improve password effectiveness are:
1. Think of them as “passphrases” rather than “passwords.” Combining a series of words, as opposed to just one or two words, instantly makes it more difficult for attackers to breach the account.
2. Leverage special characters within passwords and passphrases, especially spaces. Many people don’t realize that including spaces is a simple way to remain one step ahead of attackers.
3. Utilize enhanced multi-factor authentication mechanisms, such as SMS text messages, especially for email and collaboration channels like Slack and Microsoft Teams.” Ed Skoudis, President, SANS Technology Institute College


“Timeless Tip #1: Use a password manager if you can. Password managers help you choose a completely different password for every site. They can come up with 20 random characters as easily as you can remember your cat’s name. And they make it hard to put the right password into the wrong site, because they can’t be tricked by what a site looks like – they always check the URL of the website instead. 

Timeless Tip #2: Use 2FA when you can. 2FA is short for two-factor authentication, where a password alone is not enough. 2FA often relies on one-time codes, typically six digits long, that you have to put in as well as your same-every-time password. So it’s a minor inconvenience for you, but it makes things harder for the crooks, because they can’t jump straight in just with a stolen password.” Paul Ducklin, Principal Security Researcher, Sophos


“This World Password Day, I’m reminded of a string of articles over the last several months from retail to fast-food companies, where users of these sites found their accounts compromised as a result of credential stuffing attacks. Credential stuffing is a type of attack, where cybercriminals take user login credentials obtained from data breaches on other websites and services and use the same usernames and passwords on other websites and services. More often than not, these attackers will be successful using the stolen data, because many users tend to reuse passwords across multiple websites. The saying “use a strong and unique password” across each website stems from incidents like the ones mentioned earlier. It’s not easy to manage several hundred passwords, which is why it is important for individuals to leverage tools like Apple’s built-in keychain for saving passwords, as well as using professional password management solutions. These tools can help users generate strong and unique passwords that they don’t have to remember, and they can use browser extensions to auto-fill their credentials into the right website. 

Despite this sage advice, it’s also important to remember that breaches and phishing attacks are still common, so it’s not just about creating strong and unique passwords. Leveraging features like two-factor or multifactor authentication (2FA and MFA respectively) can help users ensure their accounts remain secure even if their passwords are exposed somehow. Some sites offer password-less sign-on, which leverages a second factor such as a phone, to help facilitate logging in without passwords. This isn’t as widespread of a feature across many websites, but it’s another solution to help address some of the challenges posed by passwords alone.” Satnam Narang, Senior Staff Research Engineer, Tenable


“This year marks the 10th World Password Day. Addressing the power and pitfalls of password management remains just as important to cybersecurity today as it was ten years ago. With only a third (34%) of CISOs reporting having the technology and tools available to enable their organizations to be secure, even seemingly small efforts like implementing strong passwords remain a critical first line of defense against cyberattacks.

Poor passwords are a silent vulnerability lurking in the background. One weak password can often lead to a total compromise of a business’ network, meaning that employee education and organization-wide standards for password safety are business imperatives. Use this day to stop ambivalence and spur your colleagues to change their “password123” into something fundamentally secure: a minimum of a 12-character password with at least numbers, upper and lowercase letters.” Douglas McKee, Director of Vulnerability Research, Trellix Advanced Research Center
