World Password Day: A Need to Review Your Defenses
While World Password Day can easily be lost within the shuffle of countless other ‘special days’ its importance cannot be underestimated. With rising incidents of data breach every single day, this day is a reminder on why we must take continuous action to ensure our passwords are safe.
Not many are aware that the Password Day has an interesting history. Security researcher Mark Burnett first encouraged people to have a “password day,” where they update important passwords in his 2005 book Perfect Passwords. Inspired by his idea, Intel Security took the initiative to declare the first Thursday in May as the World Password Day in May 2013. The Password Day is meant to create awareness of the need for good password security.
A strong password strategy
Studies have shown that over 80% of data breaches occur due to stolen or compromised passwords. And even though cybersecurity has always been important for organizations, the massive surge in remote work and online activities in the last one year due to the Covid-19 pandemic has raised alarms on proper cybersecurity practices. Practicing continuous good cybersecurity hygiene including effective password management is therefore the number one priority today.
“Passwords are of course a key part of our digital lives, enabling people to gain quick access to a variety of online platforms, accounts and devices. However, it can be easy to take them for granted and forget the basics of password hygiene during our busy lives, particularly now as we have so many accounts to keep on top in order to get on with our day-to-day activities,” says Raj Samani, Chief Scientist and McAfee Fellow.
According to Samani, when it comes to online safety, password hygiene has never been more relevant. He explains that passwords which include personal information, such as your name, or pet’s name, make them easier to guess. This is especially true when we share a lot of personal information online, making it easier for online criminals to make guesses about your password. You should also never share a password, even with a close relative. While this may seem harmless, sharing these details could result in critical personal information falling into the wrong hands.
Samani recommends changing your passwords about every three months at a minimum. That’s because even if a password is shared or compromised, the safety of your online information has a higher chance of being kept safe by making this change.
A fresh look at passwords
While passwords are among the easiest way to secure your assets, they are also among the easiest to exploit by cyber criminals. Even after following all the best practices for passwords, users are often susceptible to phishing, which tricks them into entering their login details into misleading platforms.
As Surya Varanasi, CTO of Nexsan, a data storage company, says, “While few would argue that creating strong passwords is a must, even after creating a seemingly impenetrable password using every best practice possible, undiscovered threats might still be able to penetrate them and expose your environment to unnecessary risk,”
In other words, if your organization has data that is too important to lose, too private to be seen and too critical to be tampered with then you must take the next step to thwart cyber-criminals.
“This can be accomplished by employing a strategy that enables you to unobtrusively offload data from what is likely expensive primary storage (cost savings is another bonus here) to a cost-effective storage solution that is engineered specifically to be regulatory compliant and tamper-proof from even the harshest ransomware attacks. And since backups have become the latest malware targets, the storage platform should include “unbreakable backup” meaning it includes an active data vault that creates an immutable copy, which makes recovery of unaltered files fast and easy – so there’s zero operations disruption and never any need to pay ransom,” he suggests.
JG Heithcock, GM of Retrospect, a StorCentric Company, says that even after employing a random mix of no less than 15 characters, many learned the hard way that this was not enough to stop today’s increasingly determined and aggressive cyber-criminals. And given that research from the Harvard Business School, shows that the WFH paradigm will likely endure, it is clear that stronger measures must also be taken.
Heithcock emphasizes that the logical step in the data protection and business continuity process for virtually any organization is an effective backup strategy. “And the good news is that there is no need to reinvent the wheel here. A simple 3-2-1 backup strategy will do the trick. This means that data should be saved in at least three locations — one on the computer, one on easy-to-access local storage and another on offsite storage. The options range from local disk, to removable media, to the cloud and even tape. And, if at least one copy is “air-gapped” meaning completely unplugged from the network, that’s even better.
Security beyond the password
With the growing loopholes in password management, security experts have been looking at several other measures to improve security beyond passwords. We have almost replaced the passwords with biometrics and facial recognition technologies, even though passwords they believe won’t die anytime soon.
Ant Allan, Vice President Analyst, Gartner observes that firms are adopting zero-trust approaches and password-fewer authentications for remote work – and in other scenarios – but true passwordless approaches, which can completely eliminate dependence on a centralized password store that is a honey-pot to attackers, face multiple hurdles. Costs can prohibit required investments in, for instance, FIDO2 security keys or multi-factor authentication (MFA).
He explains that any legacy remote access technologies don’t let organizations remove passwords from the authentication flow. Passwords will thus remain a necessary evil for some years, but security leaders must recognize the limitations of policies ability to mitigate password risks.
“Given the enhanced threat landscape, adding an additional factor, such as a token, to enable MFA is a minimum good practice. Relying on passwords alone is imprudent, even reckless,” says Allan.
Heithcock adds, “In 2021 and beyond, multi-layered data protection strategies – such as those employing strong passwords combined with thorough backup practices – will help to ensure you, your data and your organization remain protected in the event of a basic accident, cyber-attack or any other disaster.”
However, as perfect security doesn’t exist. In the end, the best strategy may have nothing to do with the software or strong passwords. Experts note that the company’s culture will set the tone. From security awareness training and education, a strong sense of password safety and management should be a critical function of an organization’s overall security program.