Towards stronger passwords

Weak passwords have been a common attack vector for hackers to breach accounts. On World Password Day, it is apt for everyone to reflect on the need to strengthen their own passwords

While in general we have become wiser to the need for stronger passwords for accessing our various accounts, yet facts point out in general many people are still inclined towards straightforward weak passwords because they want them to be easy to remember, which makes a potential hacker’s job a lot easier. On the other hand, there is also the habit of using a common password across accounts, which means if the password is compromised, then the hacker can access all accounts. That is a disaster that people walk into with their eyes wide open. According to an industry research, more than 81% of data breaches are due to weak passwords.

On the occasion of World Password day today ( first Thursday of  May), it is apt to reflect on how we can look at strengthening our passwords. And while we do that, there is also talk about replacing passwords with passkeys that will allow us to access our accounts the way we login to our devices, although there are passwordless technologies around already.

While passwords have been around since ancient times and much prior to the digital age, it is the need for multiple passwords across diverse applications and accounts that make it quite challenging for users. This drives users towards insecure methods of storing passwords.

Morey Haber, CTO and CISO at BeyondTrust

According to Morey Haber, Chief Security Officer at BeyondTrust, “The history of passwords dates back to the Roman empire. Initially, they were called passcodes, carved into wood, and soldiers passed them around via the active guard to validate soldier and guard movement. They were a shared resource and multiple people could be aware of the current “secret”. Today, the most common storage medium for a password is the human brain. We assign a password to a system or application, recall it when it needs to be used, and remember it each time we change it. Our brains are full of passwords and, often, we forget them, need to share them, and are forced to document them using unsecure methods like paper or spreadsheets. These insecure methods for sharing passwords have caused the press to report front page news articles on data breaches and compelled organizations to educate employees on the insecure methods for password storage and sharing.  A better method to document passwords is needed that is highly secure, documents distributed access, and promotes sharing and collaboration with minimal risk—no matter where the access occurs.”

He adds that in reality, people should not be expected to remember every password they need, nor is it safe to reuse passwords across multiple services and applications.

Joseph Carson, Chief Security Scientist, Delinea

This has spawned an entire market for personal password managers, privileged access management for businesses, and passwordless technology like Microsoft Hello and Apple TouchID.

“Since Covid, we truly have a work-from-anywhere world, and the cloud is ideal for situations when passwords need to be available outside of the organization, across multiple geographical locations, and when on-premise technology is incapable or cost-prohibitive for meeting business objectives and minimizing risk.  On Password Management Day, consider the risks of remembering, sharing, documenting, and reusing passwords. Security best practices today have better methods, including password services in the cloud, to minimize the need to remember passwords.

Joseph Carson, Chief Security Scientist, Delinea says, “ World Password Day serves as a reminder to reflect and think about your password health. If you’re anything like me, you are not a fan of passwords – having to frequently change them and choose the next great password that is better, longer and more unique than the previous one.  This World Password Day, let’s take a moment and think about how we can remove passwords from our lives and into the background, while making our digital lives safer. A great place to start is by using a Password Manager.”

He adds, “A Password Manager will let you know when your password needs to be changed, when it’s weak, or when it’s reused. Even better, when used in conjunction with multi-factor authentication (MFA), it takes away the tedious take of choosing – and remembering – your next great password.  Let’s use this World Password Day to move passwords out of our lives, into the background, and make our digital world a safer place.”

Paul Ducklin, principal security researcher, Sophos

According to Paul Ducklin, principal security researcher, Sophos, “ It is time to get rid of accounts you aren’t using. Lots of sites force you to create a permanent account even if you only want to use them once. That leaves them holding personal data that they don’t need, but that they could leak at any time. If a site can’t or won’t close your account and delete your data when asked, consider reporting them to the regulator in your country.”

He elaborates that users need to fix their recovery settings as there is a possibility that your account credentials could fall into wrong hands.

“Revisit your account recovery settings. You may have old accounts with recovery settings such as phone numbers or email addresses that are no longer valid, or that you no longer use. That means you can’t recover the account if ever you need to, but someone else might be able to. Fix the recovery settings if you can or consider closing your account.”

Anton Shipulin, Industrial Cybersecurity Evangelist at Nozomi Networks discusses the risks involved with the convergence of OT systems with IT systems.

Anton Shipulin, Industrial Cybersecurity Evangelist at Nozomi Networks

“In the past, OT systems were isolated from the Internet and other external networks, making them less vulnerable to unauthorized malicious access. However, with the increasing use of conventional network protocols, and operating systems, OT systems are now more exposed to cyberattacks than ever before. One of the most common ways that cybercriminals get access to OT systems is through default, weak or compromised passwords.”

He adds, “To mitigate this risk, organizations must implement a strong password management process. This includes using strong, complex passwords that are difficult to guess or brute force and changing them regularly. Passwords should also be unique for each system or application and should never be shared or reused. Additionally, organizations should consider implementing multi-factor authentication, which requires users to provide additional verification beyond just a password, such as a fingerprint or security token. But these practices should of course consider strict requirements for the continuity of OT operations. Most of the relevant OT cybersecurity standards and national regulations have requirements for a strong password management process.

By implementing the password management process, organizations can significantly reduce the risk of cyberattacks and protect their OT systems from unauthorized access. It is important for organizations to prioritize password security as part of their overall OT cybersecurity strategy, especially in the rapidly evolving IT and OT convergence.

Ed Skoudis, SANS Technology Institute College President

Ed Skoudis, SANS Technology Institute College President opines that weak passwords are a component of one of the most common attack vectors a penetration tester can leverage to breach an organization.

“For organizations of any size or sector, strong and secure passwords are a critical line of defense against malicious attackers and evolving TTPs. However, the complexity of ensuring passwords are impenetrable can often lead to a false sense of security while countless vulnerabilities are left unchecked. “

He mentions three simple steps to quickly improve password effectiveness:

1. Think of them as “passphrases” rather than “passwords.” Combining a series of words, asopposed to just one or two words, instantly makes it more difficult for attackers to breach the account.

2. Leverage special characters within passwords and passphrases, especially spaces. Manypeople don’t realize that including spaces is a simple way to remain one step ahead of the attackers.

3. Utilize enhanced multi-factor authentication mechanisms, such as SMS text messages,especially for email and collaboration channels like Slack and Microsoft Teams.