The annual World Password Day raises awareness of the importance of having robust and resilient password hygiene practices in place. We hear from various industry experts who discuss best practices for password security.
Cian Heasley, Security Consultant at Adarma: “It’s common for people to resort to simple, easy to remember passwords reused across most, if not all accounts. This is a recipe for disaster and could result in identity theft or account takeover. Length and complexity are essential for a strong password, as passwords with these characteristics require more effort and time for an adversary to crack. Passwords should contain at least 10 characters and include a combination of special characters, as well as upper-case and lower-case letters, and numbers. Having said this, the rule of thumb when it comes to passwords is that you should never reuse them. Reusing passwords is a massive red flag and can leave users’ accounts susceptible to being compromised.
“To maintain healthy password habits, it’s important that people make their passwords manageable. This can be done by striking a balance between memorable and complex passwords. People are more likely to forget an overly complex password, making it of no use. Users should try to make use of passphrases where they can arrange unrelated words in an odd order to create a powerful password.
“Password managers are a useful tool for overcoming the challenges of traditional password security methods as they help to maintain good password practices. Password managers generate complex, random and unique passwords for all the individual sites a user visits and store them all securely so users don’t have to worry about remembering them. They also alert users if they are reusing the same password across different accounts and notify them if a password appears within a known data breach so that they know to change it.
“The capabilities of each password manager vary between providers. For example, LastPass produces a master password by appending an email and a password and then hashing it. This then produces a vault key, which is hashed again with the password before it’s stored on the cloud. Furthermore, these tools have become even more useful and efficient in recent years due to technological improvements. Some password managers have incorporated biometrics into their authentication, allowing users to log in to their account through Touch ID instead of via their master password. This eliminates the need to type out the same password with each attempt, considerably improving the user experience.”
Thomas Richards, Principal Security Consultant at the Synopsys Software Integrity Group: “The username/password combination remains at the core of all digital authentication; the use of which will not end in the foreseeable future. While MFA adds an additional layer of security to better protect systems and end-users from compromise, passwords are still a core component of such MFA authentication.
“Password compromises can often be attributed to other security issues such as vulnerable software or poor development practices. When caused by poor password hygiene, there is likely a technical control which isn’t fully implemented, such as the requirement for strong/effective passwords. Humans tend to choose the easiest approach and without policies to require strong/long passwords, users prefer to default to weak/short passwords.
“I wouldn’t necessarily support the notion that more education alone is the way forward; however, companies should continue their cybersecurity training – including training around password security best practices. In this training, the curriculum should incorporate what constitutes a strong password. Companies should also stay up to date with industry standard best practices for password security.
“Password managers provide many benefits that assist people with managing the many different passwords needed in today’s world. They provide secure storage, feedback if a password is considered weak, and can generate complex passwords as needed. All of these things help the user maintain their passwords according to best practices to reduce the risk of a compromise. Companies that have created password managers have put great thought into protecting passwords. Strong encryption is used for all storage and transmission of the password so that even if the hosting company is compromised, the data is always encrypted with only a key or password the user knows.
“Password managers are also easy add-ons to web browsers, mobile phones, or are even part of the operating system or browser. This integration makes using them very easy for the user. Apple Keychain is an excellent password manager that is deeply integrated within the iOS and Mac ecosystem; however, it is limited to only Apple devices. The Google Chrome web browser has built-in password manager capabilities much like the Apple Keychain. With Chrome being cross-platform, the user is able to take their passwords with them when not on an Android device.
“Strong passwords are the foundation of Internet security best practices. Passwords should be as long as possible and contain a mixture of upper- and lower-case letters, numbers and symbols. I also recommend to people that instead of using a single word with variations, create a three- or four-word sentence. The length and complexity of a sentence greatly reduces the chance of a password being brute-forced in a password cracking attempt. For added security, enable Multi-Factor Authentication where possible on any web application that allows it. Multi-Factor Authentication, coupled with a strong password, provides a robust defence for your Internet accounts against attackers.”
Sadiq Khan, CISO at BlueVoyant: “World Password Day is of extra importance this year because of a rapid increase in attacks designed to get around measures that make account logins more secure. First and foremost, it’s still important to use strong passwords. BlueVoyant continues to observe large volumes of compromised credentials being sold on Dark Web forums, which are in turn used to breach victim organisations. Organisations should ensure they have monitoring in place to detect when their credentials are compromised and potentially being sold by cybercriminals.
“In addition to password hygiene, Multi-Factor Authentication (MFA) should be enabled by default across all organisations. MFA is a more secure way of authenticating compared to merely using a password, requiring users to provide at least two verification factors in order to access a device or account. BlueVoyant has seen threat actors move on from potential victim organisations once they determine MFA is in place, and move on to the next target looking for an organisation that doesn’t have it.
“However, given the uptick in organisations using MFA in their cyber defence, there has been a recent increase in MFA-bypass attacks. These attacks rely on social engineering techniques to lure and trick users into accepting fake MFA requests. Some specific methods of attacks include sending a large number of MFA requests and hoping the target finally accepts one to make the noise stop, or sending one or two prompts per day, which attracts less attention, but still has a good chance the target will accept the request.
“Attackers will also use more aggressive social engineering, such as Vishing (voice phishing) that requires calling the target, pretending to be part of the company and telling the target they need to send an MFA request as part of a company process. Sometimes attackers even use bots to call, instead of an actual person.
“In the past few months, some well-known hacking groups have gotten around MFA controls to breach very large companies that are household names.
“The best defence is training employees. They should know if they are ever unsure about an MFA request, to reject it. Instead, they should only accept MFA requests they know they have initiated.”
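The two prompt patterns described above (a flood of requests, or one or two a day until one is accepted) can also be looked for in MFA logs. The sketch below is an added example, not part of the original article or of any vendor's product; the event format, outcome names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (timestamp, user, outcome); not from a real system.
EVENTS = [
    ("2023-05-01T09:00:00", "alice", "approved"),   # ordinary login
    ("2023-05-02T02:10:00", "bob", "denied"),
    ("2023-05-02T02:10:40", "bob", "timeout"),
    ("2023-05-02T02:11:15", "bob", "denied"),
    ("2023-05-02T02:12:05", "bob", "denied"),
    ("2023-05-02T02:13:30", "bob", "approved"),     # accepts to stop the noise
    ("2023-05-01T23:40:00", "carol", "denied"),
    ("2023-05-02T23:55:00", "carol", "timeout"),
    ("2023-05-03T23:30:00", "carol", "denied"),
    ("2023-05-04T23:45:00", "carol", "approved"),   # one prompt a night, then accepted
]

# Assumed thresholds; tune to the organisation's normal login behaviour.
BURST_COUNT = 4                        # unapproved prompts ...
BURST_WINDOW = timedelta(minutes=10)   # ... within this window before an approval
SLOW_DAYS = 3                          # distinct days with unapproved prompts ...
SLOW_LOOKBACK = timedelta(days=7)      # ... within this lookback before an approval

def detect(events):
    """Return {user: set of findings} for approvals preceded by suspicious prompts."""
    by_user = defaultdict(list)
    for ts, user, outcome in events:
        by_user[user].append((datetime.fromisoformat(ts), outcome))
    findings = defaultdict(set)
    for user, rows in by_user.items():
        rows.sort()
        for when, outcome in rows:
            if outcome != "approved":
                continue
            # Prompts the user rejected or ignored before this approval.
            prior = [t for t, o in rows if o != "approved" and t < when]
            burst = [t for t in prior if when - t <= BURST_WINDOW]
            days = {t.date() for t in prior if when - t <= SLOW_LOOKBACK}
            if len(burst) >= BURST_COUNT:
                findings[user].add("burst-then-approve")
            if len(days) >= SLOW_DAYS:
                findings[user].add("slow-drip-then-approve")
    return dict(findings)
```

An approval that follows either pattern is a candidate for session revocation and a credential reset, since the prompts imply the password is already known to someone else.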
Hadi Jaafarawi, Managing Director – Middle East, Qualys: “Passwords have been around for years and they will continue being used. Why? They are an extremely simple approach to enforce some degree of security that works when everything around it is done correctly.
“The challenge with passwords is that they have become increasingly complex to manage sufficiently, due in part to the sheer number of accounts that users hold. The rules around passwords can make them harder for people to remember, so they either reuse one password for multiple accounts or write them down. Equally, best practices for secure passwords can be missed. Take something like enforcing a limit to the number of times users can attempt to enter a password so that attackers can’t use dictionary attacks or password libraries to brute force their way in. This might be obvious for applications that are customer-facing, but those rules should also apply to internal applications or cloud services too.
“In today’s world, passwords alone are not enough to keep IT access secure. As such, tools like Multi-Factor Authentication (MFA) – which requires users to provide two or more verification factors to gain access to a resource – have become available to further improve security hygiene. Companies, no matter the industry or size, must recognise the value of strong security and doing the small things, like implementing MFA, right.
“What can companies be doing to improve password hygiene? For starters, ensure that users cannot use a simple dictionary word as their password, and enforce different controls so they cannot reuse the same password multiple times. It is important to apply rules on length of passwords and the variety of characters used, in addition to looking out for poor security practices such as missing MFA or lack of role-based access control.
“A great approach to identity management is required across the Middle East. For example, the Kingdom of Saudi Arabia’s Essential Cybersecurity Controls requires Multi-Factor Authentication (MFA) for remote access, while the UAE Information Assurance (IA) Regulation requires strong authentication for access to physical and digital systems. Bahrain’s National Cyber Security Centre highly recommends the use of MFA for accounts in its Cyber Essentials guide too.”
Toni El Inati – RVP Sales, META & CEE, Barracuda Networks: “Simply put, protecting user credentials is one of the most important things organisations can do to defend against ransomware and other cyberattacks. In fact, the 2021 Verizon Data Breach Investigations Report (DBIR) reveals that threat actors value credentials more than any other data type, including personal data. Once compromised, stolen credentials can be used in a myriad of malicious ways including unauthorised access, credential stuffing, password spraying and brute force attacks.
“Despite significant awareness, employees still utilise weak passwords so user training needs to go hand in hand with tools and policies. Password management is a critical first step, but it’s not enough. Companies need to deploy anti-phishing protection as well as the right application and edge security solutions. Passwords aren’t going away anytime soon and with 80% of all basic web application attacks still relying on stolen credentials, neither are attacks.”