Password security

May 1 apparently is no longer just Labor Day, it has also been designated as World Password Day.

To those still actively in the workforce, Labor Day may still be an important day to mark, but truthfully cybersecurity and knowing how to create a strong password may be a more important day to observe as most of us now conduct a lot of our personal and business affairs in the digital realm.

The unfortunate reality is that the majority of online users really have very poor knowledge about protecting themselves online, starting from using a strong password to keep their email and social media accounts safe from being hacked.

Expert advice

According to software company Keeper Security’s chief executive officer and co-founder Darren Guccione, individuals and organizations alike face a barrage of cyber threats while connected to the internet.

He cited a new study by Keeper Security which showed that  92 percent of IT security leader respondents revealed that cyber attacks are more frequent now than one year ago — and are growing more sophisticated. Weak and compromised credentials, he said, remain the leading cause of breaches.

He admits that while no one likes updating their passwords, World Password Day is a great time to recognize and enforce this critical best practice. Passwords, he pointed out, act as the first line of defense — protecting access to applications, systems, secrets and IT resources.

Account protection, he said, begins with a secure password that is not easily guessed and has not been used for any other account. It’s recommended to use a password of at least 16 characters, with a variety of numbers, uppercase and lowercase letters and symbols.

Multi-Factor Authentication (MFA), he advised, should be enabled everywhere possible. Keeper Security, Guccione said, found that only 25 percent of people use strong, unique passwords for all their accounts, leaving 75 percent of individuals with dangerously weak password practices.

The same study found that a third of respondents, or 34 percent, use strong passwords, but repeat variations of them, a practice that is vulnerable to credential-stuffing attacks.

Most alarmingly, he added  14 percent of all respondents use passwords that are both simple and repeated across their accounts. Adopting a trusted password manager, he said, helps secure passwords – as well as passkeys, files, payment details and sensitive info – and eliminates the headaches that come with updating and remembering them.

Another software company executive, Adam Brown, managing consultant of Synopsys Software Integrity Group has these tips for password safety practices:

Use passphrase, different for each site or service.

Use a password manager with a strong and long passphrase for access to it.

Whenever available, use MFA, such as fingerprint or FaceID, use token utilities such as Google authenticator (where you are asked for a six digit pin that generates every 30 seconds)

Enable MFA on sites, this is common in banking where there will be a notification to your phone with a unique pin.

Be very aware of scams, especially when someone asks you for your password or if there is any unusual or fishy behavior related to access to a service you use.

Eng Guan Teong, regional director of  Check Point Software Technologies for the Association of Southeast Asian Nations and Korea, explained a little more about biometric authentication.

Biometric authentication, he explained, is like using your fingerprint or FaceID to unlock your phone and is very convenient and does seem safer than remembering passwords. However, he admitted, the problem with depending on biometric tools for security is that you can’t change it. If the attackers get hold of your fingerprint or face data, they could do some serious damage, stealing your ‘identity.’ Unlike passwords, it is not possible to change your fingerprints or face, making it difficult to mitigate the consequences of a breach.

Thus, for many, Teong acknowledged, traditional passwords are still a staple for accessing their emails, apps and personal accounts. However, he said, “we’re seeing a rise in various modes of password-less authentication, especially in the highly regulated industries like banks and corporate communication tools like Microsoft and Slack. They may come in the form of hardware tokens, MFA methods through alternate devices like emails and SMSes, one-time six-digit verification pins, etc. to authenticate users without requiring the traditional password.”

Teong noticed that users continue to leverage one key password across multiple platforms, increasing the danger to their data and credentials if hacked. He warned that  all it takes is for a single employee to have one account hacked and a threat actor could potentially access every application they use, including professional collaboration tools such as Teams, Slack and Outlook. This could result in the leak of customer data, costly ransom demands or fines, or a complete loss of customer trust that can be difficult to regain.

The impact of a breach, he said, could be even more harmful if it happens to someone with higher levels of permission than other employees. In that case, cybercriminals could maneuver their way into the network almost unchallenged and create widespread damage.

He, therefore, suggests several means to mitigate this. Firstly, organizations should mandate the use of strong, unique passwords, and regularly prompt users to change their passwords periodically. Additionally, implementing MFA whenever possible adds an extra layer of security by requiring users to provide two or more forms of verification, such as a password and a code sent to their phone. Regularly educating users about password security best practices is essential, emphasizing the importance of keeping passwords secure and not sharing them with others.

On top of that, he suggests, it is good practice to implement robust password hashing and storage mechanisms to further protect passwords in case of a data breach. This will ensure that they are not easily accessible to unauthorized parties.

Lastly, offering password management tools can assist users in securely storing and managing their passwords, generating complex passwords and auto-filling them when needed, thus enhancing both security and usability for everyone involved.