World Password Day falls on the first Thursday in May each year and is intended to raise awareness of password best practices and the need for strong passwords. It seems like we all have even more passwords with each passing year, though, and there are some conflicting ideas of what password best practices are, which makes the idea of password security more challenging for the average individual.
The Need for…or Death of…Passwords
The idea of passwords and the need for effective authentication methods are not new. It was 15 years ago at the 2004 RSA Security Conference that Bill Gates—then CEO of Microsoft—predicted the demise of passwords. “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”
While Gates’ general observations were-and are-true, it seems like password usage has actually increased and the issues with passwords continue. “Despite daily headlines of data breaches, people continue to use unsavory security practices by using their favorite bands or loved ones as their password,” proclaimed Juliette Rizkallah, CMO of SailPoint. “Just this month, Britain’s National Cyber Security Centre published a list of the 100,000 most commonly breached passwords worldwide. Not surprisingly, ‘123456’ was the most frequently hacked password. ‘Ashley’ was the most widely breached name with almost half a million compromises and as I mentioned earlier, ‘Blink-182’ also made the list with nearly 300,000 breached accounts.”
A survey of IT decision-makers by OneLogin found that more than 90 percent of organizations in the United States and nearly 100 percent of the businesses in the United Kingdom have policies in place for password complexity. However, about a third of US companies surveyed and more than half of the UK companies do not require special characters and about 65 percent of the organizations surveyed from both countries fail to check passwords against common password lists.
“Confirmation of identity is still a significant challenge as it has always been, with the prevalence of digital transactions in all interactions the issue became much more significant in risk and impact,” explained Dan Pitman, principal security architect with Alert Logic. “Yet, human beings are not good at evaluating risk outside of the physical world, can I jump over a gap versus will I get hacked are worlds apart so for most people who have not been a victim of malicious activity it is very difficult to understand what their real risk is.”
Don Duncan, the security engineer at NuData Security, said, “Passwords continue to be a weak link for both customers and online retailers as users reuse passwords across accounts or create weak combinations. This reuse allows hackers to break into all accounts for a particular user.”
The prevailing logic when it comes to password security is that everyone needs to have passwords that are complex-long jumbles of random characters that don’t even attempt to emulate an actual word-and that every password for every account must be unique. That is a very high bar to ask people to meet.
Chris Morales, head of security analytics at Vectra, declared, “They are not. These are simply hard to remember phrases that are quickly forgotten and reused in multiple locations. Even worse, many websites offer easy to remember questions with information such as mother’s maiden name or favorite pets names to reset a password. This is the kind of data that could be easily attained using social media.”
Shahrokh Shahidzadeh, CEO at Acceptto, goes a step further by pointing out there’s a good chance your passwords are already compromised and you should operate under that assumption. “Acknowledging that all credentials have already been compromised, even those that have not yet been created, combined with the weakness of existing user identity and access controls in place, will drive a transformative shift in cybersecurity.”
Shahidzadeh added, “Hackers and cybercriminals have progressed to the point of requiring the average consumer to take the “best defense is a great offense” strategy. By assuming that every credential you have ever created (or yet to create) has already been stolen, the only way to protect your digital identity is to no longer rely on passwords and use new, AIML-based cognitive identity management solutions that continuously authenticate based on biobehavioral traits which can’t be mimicked or stolen.”
Morales offered some advice for stronger authentication. “Easy to remember phrases are stronger than 12 digit passwords using numbers and characters. Multi-factor authentication, leveraging who you are (biometrics) and what you have (Authenticator app tied to a specific device), are much stronger than any password regardless of what list that password might be on.”
Alert Logic’s Pitman discussed some of the challenges that exist with current password practices. “Passwords are not a new thing, pre-dating technology – Perhaps one issue is in the name – that it is a word – some effort has been made to re-brand them as pass “phrases” which highlights that they should be of a longer form but the password word has stuck.”
Pitman stressed that forcing users to follow complexity policies and frequently change passwords is actually counterproductive when it comes to improving authentication security. “Working towards multiple factors of authentication wherever possible is a must, ideally this should follow the banking example of device authorization plus a passphrase or other type of check. But the primary issue for the end-user market is that the entire ethos around passwords is detrimental to good practice when choosing them. Forcing changes often and the aforementioned “complexity” requirements drive bad behavior.”
Peter Galvin, a chief security officer at nCipher shared, “While we’re all drowning in passwords, they’re what we still trust to give and get access-and for now, they’re here to stay. Given the lengths to which people will go in order to get their hands on them, we really should be doing as much as possible to keep them safe and secure. For organizations, this means having a centralized security policy and effective encryption key management to assure control of data across every physical and virtual server on and off your premises.”
Joseph Carson, a chief security scientist at Thycotic, offered, “World Password Day is a day to review your password hygiene to ensure you are up to date with the latest best practices. It is always important to review your current password habits and one of the most important topics this year is which of your passwords is alone, meaning you have not pared it with another security control such as two-factor authentication.”
Carson continued, “Passwords are usually the only security protecting most people’s sensitive information, and this year you should do a detailed review of what your bad habits are. Most passwords can be easily cracked, with approximately 20 percent of passwords using commons known words that are available in dictionaries, making them easily guessed.”
Perhaps we need to change this to World Authentication Security Day or something like that moving forward. As Pitman suggested, the word “password” itself implies that your authentication should be based on a word, which is a fundamental problem in and of itself. Whatever you do, take today to review your password and authentication policies, and consider what these experts have shared to help guide ways you can change or improve it.
originally posted on Forbes.com by Tony Bradley
