Global Password Day may not have the same level of prominence as, say, Groundhog Day, but cybersecurity experts believe dedicating a day to conveying the importance of strong and distinct passwords is of paramount importance.
The mere fact that the vast majority of breaches in 2017 leveraged a stolen or weak password, and that the primary information stolen was usernames and passwords, should be all the evidence required to convince people and organizations to implement stronger password hygiene. If further proof is needed, the Verizon Data Breach Investigations Report noted that 81 percent of all hacking-related breaches fell into this category. However, neither of those facts is convincing people and companies to change their poor password ways.
So what should be done?
The basics are pretty simple to implement:
- Generate more complex passwords
- Use distinct passwords for each application
- Use Multifactor Authentication
- Secure Admin Passwords
Then there are other scenarios that are perhaps even more important if not particularly top of mind. Chris Stoneff, Bomgar's vice president of security solutions, pointed out a company must be prepared to protect itself from an employee who is let go on less than happy terms.
“If any of those employees or contractors left the company on bad terms, you may have a loose, hostile element out there who knows how to break into your network using an otherwise untraceable account.
It's not uncommon. I've known people who continued to log in to systems at a previous employer just because they could,” he said.
Others make the case Global Password Day is a good time to call for the elimination of passwords. Ryan Wilk, VP of customer success at NuData Security, is on this team.
“The use of passwords to control account access is more a quaint artifact of a simpler era than an effective security measure. Static passwords are easily stolen and re-used, leaving the user and organization vulnerable to account takeovers and theft. Fortunately, there's an effective alternative for validating identities. Users are unique in the ways they interact with their devices and online across web sessions, and passive biometrics and behavioral analytics use that uniqueness to build a digital identity profile that lets organizations ensure the user is who they say – and not a fraudster using a stolen password,” he said.
Michael Magrath, director of global regulations and standards at VASCO Data Security, said it's hard to believe that most consumer websites only offer the username/password option even though this has proven to be an unreliable security measure.
“While no security solution is 100 percent secure, in 2018 organizations not deploying risk-based authentication solutions are hoping they can dance between the raindrops, yet most consumer-facing websites today do not offer any alternatives to ‘User Name, Password’ and a narrow set of challenge questions that can often be answered with Facebook searches,” he said.