Some of the most notorious security incidents of the modern era, including the Colonial Pipeline ransomware attack, began with a stolen password or credential. This year's World Password Day serves as a reminder of the importance of continuously implementing proper security practices. Several cybersecurity experts have provided valuable insights into what you can do to avoid having your password become one of the 15 billion available on the Dark Web.
Patrick Beggs, CISO, ConnectWise
“In the early days of the world wide web, you were probably able to get away with a password as simple as ‘12345’. Times have changed since then, but humans remain predictable. Research has found that women typically include personal names in their passwords while men often use their hobbies. And experienced hackers also know the common vowels, numbers, and symbols that often appear in passwords.
Cybersecurity breaches are at an all-time high, but there are three simple things we can all do to protect ourselves. First, prioritize length over complexity, because we aren’t very good at remembering complex passwords, and longer ones are more secure. Second, only use platforms with multi-factor authentication — a password alone is not enough to protect you. And finally, never reuse. Most breaches happen when a password from one platform is used with another system that shares the same password.
If you follow these three simple steps, your passwords should be strong enough to stop a determined hacker from causing damage.”
Tyler Farrar, CISO, Exabeam
“Colonial Pipeline, SolarWinds, Twitch. All of these organizations have one thing in common: they suffered data breaches as a result of stolen passwords and credentials. Credential theft has become one of the most common and effective methods cyber threat actors use to infiltrate organizations of all sizes and access sensitive data.
We strongly support efforts, like World Password Day, that raise public awareness and can help to combat this pervasive issue. We advocate for the best practices that ensure cyber hygiene and protect personal and professional passwords and credentials to prevent credential-based attacks from continuing.
Credential-driven attacks are largely exacerbated by a ‘set it and forget it’ approach to credential management, but organizations must build a security stack that is consistently monitoring for potential compromise. Organizations across industries can invest in data-driven behavioral analytics solutions to help detect malicious activity. These analytics tools can immediately flag when a legitimate user account is exhibiting anomalous behavior indicative of credential theft, providing greater insights to SOC analysts about both the compromised and the malicious user, which results in a faster response time.”
Neil Jones, director of cybersecurity evangelism, Egnyte
“For as long as I can remember, easily guessed passwords such as 123456, qwerty, and password have dominated the global listing of most commonly used passwords. Unfortunately, weak passwords can become a literal playground for cyber-attackers, particularly when they gain access to your organization’s remote access solution and can view corporate users’ ID details.
Similarly, not a day goes by when I don’t hear another customer in a public setting like a pharmacy or a supermarket vocally share his/her email address and/or personal or business phone number, to obtain affinity club credit for a transaction or to earn a discount. That private contact information – combined with weak password administration – can represent a data breach just waiting to happen.
In commemoration of World Password Day, here are practical tips to protect your company’s mission-critical data:
- Institute Multi-Factor Authentication (MFA) – One of the most effective ways to prevent unauthorized access is by requiring additional validation of login credentials during a user’s authentication process. This can be as straightforward as a user providing his/her password, then entering an accompanying numeric code from an SMS text.
- Educate your employees on password safety – Educate your users that frequently guessed passwords such as 123456, password, and their favorite pets’ names can put your company’s data and their personal reputations at risk. Reinforce that message by reminding users that passwords should never be shared with anyone, including your IT team.
- Inform users about the dangers of social engineering and spear-phishing – Remind users that unanticipated email messages, texts, and phone calls can be attempts to capture their login and password credentials. When proper login credentials are entered, malware can be initiated that will place your organization at risk of an even wider and more destructive cyber-attack.
- Keep personal and business contact information separate – Remind your users that maintaining separate email accounts and contact details for affinity clubs and discount programs protects their personal privacy and your company’s valuable data. Users should never provide business login credentials (such as their email addresses) in public forums, particularly within earshot of others.
- Establish mandatory password rotations – Discourage the usage of system default passwords and easily guessable employee credentials by forcing employees to change their passwords on a routine basis.
- Update your account lockout requirements – Prevent brute-force password attacks by immediately disabling users’ access after multiple failed login attempts.”
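As an added example of the lockout rule in the last tip (code written for this page, not Egnyte's code or product), with the caveat a practitioner would attach: disabling an account outright after a few failures lets anyone lock a legitimate user out simply by typing wrong passwords, so this version applies a temporary lock that doubles on each repeated burst, is capped, and lets a correct password through once the lock expires. The thresholds, the user names and the attempt log are constructed assumptions for the demo.

```python
"""Failed-login throttling with a temporary, escalating lock.
Added example for this page; thresholds and the attempt log are constructed."""
from collections import defaultdict, deque

MAX_FAILURES = 5         # failures tolerated inside the sliding window
WINDOW_SECONDS = 300     # sliding window over which failures are counted
BASE_LOCK_SECONDS = 60   # first lock length; doubles on each further lock
MAX_LOCK_SECONDS = 3600  # cap so an account is never locked "forever"


class LoginThrottle:
    def __init__(self):
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> time the lock expires
        self._lock_count = defaultdict(int)  # user -> how many locks so far

    def is_locked(self, user: str, now: float) -> bool:
        """Call this BEFORE verifying the password, so a locked account gives
        the attacker no password-correctness oracle."""
        return self._locked_until.get(user, 0) > now

    def lock_remaining(self, user: str, now: float) -> float:
        """Seconds until the lock expires (0 when not locked)."""
        return max(0.0, self._locked_until.get(user, 0) - now)

    def record(self, user: str, success: bool, now: float) -> str:
        """Record the outcome of one verification attempt.
        Returns 'locked', 'failed' or 'ok'."""
        if self.is_locked(user, now):
            return "locked"  # refuse even a correct password while locked
        recent = self._failures[user]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()  # expire failures that fell outside the window
        if success:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            n = self._lock_count[user]
            lock_for = min(BASE_LOCK_SECONDS * 2 ** n, MAX_LOCK_SECONDS)
            self._locked_until[user] = now + lock_for
            self._lock_count[user] += 1
            recent.clear()
            return "locked"
        return "failed"


def replay(attempts):
    """Run a list of (timestamp, user, password_correct) through one throttle."""
    throttle = LoginThrottle()
    return [throttle.record(user, ok, ts) for ts, user, ok in attempts]


# Constructed attempt log: a burst of wrong passwords against alice, then the
# real user's correct password during the lock, then again after it expires.
SAMPLE_ATTEMPTS = [
    (0, "alice", False), (1, "alice", False), (2, "alice", False),
    (3, "alice", False), (4, "alice", False),   # 5th failure -> 60 s lock
    (5, "alice", True),                         # correct password, still locked
    (70, "alice", True),                        # lock expired -> ok
    (80, "bob", True),                          # unrelated user unaffected
]

if __name__ == "__main__":
    for attempt, outcome in zip(SAMPLE_ATTEMPTS, replay(SAMPLE_ATTEMPTS)):
        print(attempt, "->", outcome)
```

In production the same counter would also be keyed by source address, so a password-spraying host is throttled across accounts, and the state would live in a shared store rather than process memory.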
Gunnar Peterson, CISO, Forter
“It is especially fitting that we collectively celebrate World Password Day in light of recent breaches this quarter that have resulted in terabytes of stolen proprietary data and untold financial cost. The day is a reminder that the simplest of defenses in our toolbelt, credential and identity management, can be the difference between a secure system and an unimaginable incident.
Most of the breaches we hear about in the news are a result of businesses relying on automated access control and realizing too late when a user has been hijacked. Once an account is compromised, identity-based fraud can be extremely difficult to detect considering the advanced tactics and randomness of different crime groups like LAPSUS$ and Conti.
To succeed against dynamic cybercriminals and account takeover (ATO) attacks, organizations must build robust identity management systems and invest resources into building a learning system that evolves to identify anomalous user activity. These techniques can ebb and flow with the sophisticated threat landscape we’re witnessing today.”
Aaron Sandeen, CEO and co-founder, Cyber Security Works (CSW)
“World Password Day is a day set aside not just to promote better password use, but to draw attention to the numerous password-related assaults. Tackling every password-related attack would be difficult, but addressing the problem of Password Reset Poisoning plays an important role in increasing organizational knowledge about better password use and vulnerability management.
Every online application with a login gateway has password reset capabilities. When a user forgets his password, this reset password option is useful. However, in many organizations, password reset poisoning is an attack in which the attacker obtains a victim’s password reset token and is now able to reset the victim’s password. The problem occurs when the program uses the host header to create the password reset link and then adds the user-supplied host header to the password reset link. It is crucial for companies to inform themselves of this type of password attack to protect the privacy of their employees and the business as a whole. While addressing similar password-related attacks, more vulnerabilities can be addressed and give security teams peace of mind.”
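As an added illustration of the host-header flaw described in the quote above (example code written for this page, not Cyber Security Works' code or any product it sells): the hypothetical `reset_link_vulnerable` builds the emailed link from the request's Host header (and X-Forwarded-Host, which many frameworks prefer when deployed behind a reverse proxy), so an attacker who requests a reset for the victim's address while supplying their own hostname gets the victim's token delivered to their server the moment the victim clicks. `reset_link_hardened` builds the link from a configured origin and refuses to proceed at all when the Host header is not on an allowlist. The origin, the allowlist and the sample request are assumptions for the demo.

```python
"""Password reset poisoning: a link builder that trusts the Host header
beside one that does not. Added example for this page; origin, allowlist
and the sample request are constructed for the demo."""
import secrets
from urllib.parse import urlencode

# Origin the application is really served on (assumed for the demo).
CANONICAL_ORIGIN = "https://app.example.com"
# Host values the application will answer for; anything else is rejected.
ALLOWED_HOSTS = {"app.example.com", "www.app.example.com"}


def new_reset_token() -> str:
    """Unguessable single-use token; store only a hash of it server-side."""
    return secrets.token_urlsafe(32)


def reset_link_vulnerable(headers: dict, token: str) -> str:
    """The pattern the quote warns about: the link's host comes from the
    request. Behind a proxy, frameworks often prefer X-Forwarded-Host, so
    both headers are attacker-influenced. A reset requested for the victim
    with 'Host: attacker.example' mails the victim a link that, once
    clicked, hands the token to attacker.example."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    return f"https://{host}/reset?{urlencode({'token': token})}"


def host_is_trusted(headers: dict) -> bool:
    """Compare the Host header (port stripped, case-folded) to the allowlist.
    X-Forwarded-Host is deliberately ignored here."""
    host = headers.get("Host", "").rsplit(":", 1)[0].lower()
    return host in ALLOWED_HOSTS


def reset_link_hardened(headers: dict, token: str) -> str:
    """Never derive the link from request headers: use the configured
    origin, and refuse an untrusted Host outright so a poisoned request
    never reaches the email step."""
    if not host_is_trusted(headers):
        raise ValueError("untrusted Host header; refusing password reset")
    return f"{CANONICAL_ORIGIN}/reset?{urlencode({'token': token})}"


if __name__ == "__main__":
    token = new_reset_token()
    # Constructed request: the attacker asks for a reset on the victim's
    # account while supplying their own Host header.
    poisoned = {"Host": "attacker.example"}
    print("vulnerable:", reset_link_vulnerable(poisoned, token))
    try:
        reset_link_hardened(poisoned, token)
    except ValueError as err:
        print("hardened:  ", err)
    print("hardened:  ", reset_link_hardened({"Host": "app.example.com:443"}, token))
```

The same rule applies to every absolute URL the server composes for a user (email verification, invitation and unsubscribe links); the Host allowlist is the equivalent of Django's ALLOWED_HOSTS or Werkzeug's trusted_hosts and should be enforced by the framework, not re-implemented per endpoint.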
Surya Varanasi, CTO, StorCentric
“Few would argue the fact that a strong password is an ideal first line of data protection defense. Without this basic security measure, you are leaving the door wide open to a multitude of cybercrime risks. Unfortunately, however, while highly sophisticated password tools are available, today’s cyber criminals also have extremely advanced password hacking technology at their fingertips. That means an increased risk of your passwords being leapfrogged, and your data being compromised.
The ideal cybercrime defense is a layered defense that starts with a powerful password and continues with Unbreakable Backup. As backup has become today’s cyber criminals’ first target via ransomware and other malware, an Unbreakable Backup solution can provide you with two of the most difficult hurdles for cyber criminals to overcome – immutable snapshots and object locking. Immutable snapshots are, by default, write-once read-many (WORM), but now some vendors have added features like encryption where the encryption keys are in an entirely different location than the data backup copy(ies). And then, to further fortify the backup and thwart would-be criminals, with object locking layered on top of that, data cannot be deleted or overwritten for a fixed time period, or even indefinitely.”
JG Heithcock, GM of Retrospect, a StorCentric Company
“Ransomware is a huge global threat to businesses around the world. Beyond the high-profile attacks, including Colonial Pipeline, JBS, Garmin, and Acer, many people now personally know a colleague whose business was attacked. In fact, a Coveware research study revealed that most corporate targets are small and medium businesses (SMBs), with 72% of targeted businesses having fewer than 1,000 employees, and 37% fewer than 100.
There are likely a few reasons for this continuing trend. Certainly, one is that today’s ransomware is attacking widely, rapidly, aggressively and randomly – especially with ransomware as a service (RaaS) becoming increasingly prevalent – looking for any possible weakness in defense. Another is that SMBs do not typically have the same technology or manpower budget as their enterprise counterparts, leaving them more vulnerable targets.
It is therefore critical that in addition to powerful passwords, which anyone would agree are an indispensable first line of defense, there must be additional measures taken. The first is that all organizations regardless of size must be able to detect anomalies as early as possible to remediate affected resources. The next is that SMBs and large enterprises alike need a backup target that allows them to lock backups for a designated time period. Many of the major cloud providers now support object locking, also referred to as Write-Once-Read-Many (WORM) storage or immutable storage. Users can mark objects as locked for a designated period of time, preventing them from being deleted or altered by any user – including internal bad actors.”