Advice on Improving Your Organization’s Password Hygiene this World Password Day

As many businesses navigate a deployed workforce, this year’s World Password Day provides businesses and employees with the opportunity to evaluate and improve their cybersecurity, beginning with a simple, yet often overlooked practice: enabling strong passwords. 

Passwords are required to access multiple tools and services that are required to keep a business running, from logging into a laptop or desktop to email accounts and vendor profiles. By juggling so many different logins, users often fall into poor habits, such as repeating passwords, using common phrases and failing to update their passwords on a regular basis. This World Password Day, experts from nine tech companies have provided their tips and strategies to help secure credentials and protect businesses from the cyber attacks that have risen in recent months.

Bryan Becker, product manager and researcher, WhiteHat Security:

“The recent credential stuffing campaigns against the World Health Organization and Gates Foundation and breach of children’s site Webkinz reinforce the importance of setting a different username/password combination for every application you utilize as an end user to protect your own information and your employer’s. It is essential to practice security mindedness as you browse the web to lessen the impact data breaches will have on you and your organization once they occur. Some other tips you can practice to secure yourself online are:

• Utilize multi-factor authentication on any application that supports it. This can prevent an attacker from gaining access to your account even if they determine your username/password combination
• Only log into sites that send your credentials and other sensitive information over SSL. A quick way to determine this is if the URL you are viewing is prefaced with ‘https://’
• Whenever you’re checking your email in a web browser and are sent messages with hyperlinks, hover your mouse over the links and verify where the link is really going to take you to by looking at the URL that appears on the lower left corner of the screen. It’s possible the blue highlighted URL written in the email body is actually a disguised malicious link.

There’s no better time to reinforce taking these precautions than World Password Day, and I hope everyone uses this day to promote better password habits to their employees, colleagues and even family members. Passwords are essential to keep our digital identities private, and we must do everything we can to make sure they don’t fall into the wrong hands.”

Jeff Hussey, CEO, Tempered

“It’s a common misconception that having a password that is lengthy with complex requirements will be enough to keep your credentials secure. However a recent study found that 74% of IT decision makers’ organizations were breached in the past via privileged access credential abuse.

For years, the traditional tools to prevent credential-based attacks have been firewalls, password policy, URL filtering, and 2-factor authentication. These technologies continue to play a role, but they remain susceptible to attacks and are challenging to manage at scale.

On World Password Day, it’s important to understand that there’s now another option: invisibility. In simple terms, hackers can’t hack what they can’t see. So, instead of the costly and complex process of installing even more locks on the doors to your network, you can now make your network invisible to these bad actors. You start with cryptographic identities and zero-trust at the network level, along with multi-factor authentication (MFA) to decide who gets to see which endpoints. Then it’s no longer a matter of determining which vulnerable endpoints need to be secured, because no endpoints are visible, much less vulnerable to hackers.

It’s called Airwall, and it is the ideal solution for companies that need to protect their valuable data and critical for the new world of work-from-home employees.”

Mihir Shah, CEO, Nexsan, a StorCentric company

“For individuals seeking to protect their personal information and secure their online accounts, a strong password is a critical first line of defense. But, if you are a commercial, nonprofit or government organization, a password, regardless of how unique or how often it is updated, will barely scratch the IT security surface. The only true protection for an organization’s high value data is to aggressively lock it down using a hardened storage solution that has been engineered with the understanding that attempts at corruption or deletion can come from anyone, anywhere and at any time. The solution must be capable of recognizing and rejecting every such attempt, regardless of whether it’s from a virus, ransomware, spyware, user mistakes, software error – or a new threat that hasn’t even been discovered yet.”

JG Heithcock, GM, Retrospect, a StorCentric company

“World Password Day reminds us of just how critical it is to take every precaution to protect ourselves and our data. And certainly, a unique password is a great place to start, but, you can’t stop there. Cyberthreats like ransomware are becoming increasingly pervasive, affecting homes and businesses alike. However, by proactively employing a data protection strategy that includes an effective and efficient backup solution, you will be able to thwart cybercriminals and ensure your data remains private, secure, accessible and recoverable.”

Jay Ryerse, VP, Cybersecurity Initiatives, ConnectWise

“Passwords are often associated with inconvenience — and for good reason. Employees and consumers alike are overwhelmed by the thought of remembering login details for 100-200 websites and making them difficult for bad actors to guess. That’s why this World Password Day, it’s important to look at the practical solutions to this impractical problem, accelerated by more and more aspects of our lives going online.

To ensure your personal and work-related accounts, as well as the sensitive data residing within them, remain secure:

• Use a password manager…but do your research. Some have been breached in the past, and you want to make sure your choice is reliable, safe and up to date
• Use a different, complex password for every website.This reduces your risk of credential stuffing attacks, where hackers take login details harvested from breached websites to log into users’ accounts on other, unaffected sites. A password manager makes this process much easier as it will create lengthy, unique passwords for each site
• Remember that the longer the password, the longer it takes for digital adversaries to crack it, thus deterring successful brute force attacks
• Avoid overused practices like adding an exclamation point at the end, including phrases associated with family or pets, or using incremental numbers. Hackers use these well-known patterns to guess your password, and you’ll just make their jobs easier
• Give only fake answers to security questions that would help you recover your password, so hackers cannot mine that information from snooping on you online. One example would be your mother’s maiden name. With some social media searching, this would be easy to identify, so choose a made up name only you would know
• Implement multi-factor authentication wherever available to create extra hurdles for cybercriminals

There will always be varying degrees of account compromise. If someone hacked my LinkedIn, they might post something embarrassing, but it’s easy to change the password and regain control. However, if they broke into my online bank account or used my credit card on Amazon to rack up charges, we’d be looking at significant damage. Wouldn’t it be better to prevent all of these incidents, though? Implementing these best practices across your online presence will do just that–and protect both you and your company on an ongoing basis.”

Grant McCormick, CIO, Exabeam

“For World Password Day 2020, we’ll look at some of the most prevalent password-related risks associated with the sudden remote work transition. First, we’ve seen multiple credential stuffing campaigns — where bad actors use passwords from previously breached sites to break into accounts on unaffected sites — initiated against organizations crucial to both working from home and handling the global pandemic. In April, cybercriminals put large numbers of account information belonging to both Zoom users and employees of the WHO, CDC and Gates Foundation, up for sale online, likely gathered from other breaches. This is particularly dangerous for individuals and organizations because these credentials could be used to access corporate accounts then move laterally through the network to cause deeper damage. 

Technology consumers, that happen to be physically restricted by the COVID-19 lockdown, should bring their own lockdown to password management: by establishing different passwords for all of their accounts, immediately changing passwords on sites that have been breached and using multi-factor authentication wherever it is available. 

Hostile cyber actors are not sheltering in place — very much the contrary. To remediate incidents involving user credentials and respond to adversaries, organizations must move fast and consider an approach that is closely aligned with monitoring user behavior – to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts. This should include the ability to detect, using behavioral characteristics, when abnormal events have occurred.

Second, Zoombombing and eavesdropping threats have risen in prevalence. Zoom launched into action to upgrade its encryption standards, and many organizations using the tool moved quickly to ensure password and host setting best practices. For companies, accessing Zoom accounts in concert with SSO / identity access management (IAM) platforms is critical. We also recommend making passwords a default requirement for all Zoom meetings, requiring all employees add passwords to existing meetings and ensuring each meeting owner changes screenshare settings to ‘host only.’ All organizations should also utilize end-to-end encryption and continuously update their video conferencing clients and broader endpoint software stack. This advice applies to all B2B video conferencing solutions.

While most remain hopeful about therapies and even a cure for COVID-19, credential-based attacks and digital privacy issues will remain long after the pandemic. Thus, these practices should remain top of mind year-round in 2020 and beyond.”

Johan Pellicaan, VP & Managing Director EMEA, Scale Computing

“Password protection is the frontline of security processes for any business, and employees are the first line of defense for any organization implementing an all-encompassing cybersecurity strategy. With the potential for threats such as phishing emails and ransomware attacks ever-rising, especially in the current remote working landscape, it’s never been more important to get each element of this cybersecurity strategy right.

Precautions like advanced passwords and multi-factor authentication are important cogs in a truly secure remote working operation, as are things like a VDI deployment running on a hyperconverged edge computing solution. With VDI technology in place, end users can log in securely to any machine on a network and then access their emails, files and applications as usual. They aren’t limited to PC terminals — they simply load their personal desktop or applications on their mobile phone or tablet, significantly boosting workforce agility.

Furthermore, by remotely monitoring user profiles – regardless of location – IT teams can reduce security risks by identifying potentially suspicious activity and logging out inactive users. A VDI deployment can also offer a cost-effective and secure method to extend network access beyond the office walls to provide remote access to employees wherever they are located.

The majority of businesses find that managing BYODs brings a considerable number of security and admin challenges. However, by integrating BYODs onto an officially sanctioned VDI environment, employee mobiles and tablets can be more effectively protected from potential security risks, so information is better secured from accidental disclosure and loss.”

Yev Pusin, Director of Strategy, Backblaze

“This World Password Day reminds us that while backing up is key to protecting your data, the simple task of protecting your computer, systems, and online accounts with strong passwords is an effective measure to securing your data as well. A strong password strategy means using best practices like different passwords for every service, changing passwords frequently, remembering that 123456 is never a good password, and using a secure password manager to keep everything sorted.

A strong password is a good start, but you can really lock your accounts down by adding two-factor authentication to any accounts that have the option (and remember to create backup codes)!

These simple steps could halt cyberattacks such as credential stuffing or hacking of personal details. But ultimately, using passwords effectively requires a disciplined approach that always stays one step ahead of cybercriminals. Stay safe out there!”

Wieger van der Muelen, Global IT-Security Manager / CISO at Leaseweb Global

“As the COVID-19 crisis continues, so too does the spike in phishing scams and spam attacks on remote workers as hackers relentlessly use it to their advantage. Not only are workers having to adapt to working from home full-time, but the IT teams of the organisations they belong to must contend with adapting current IT systems to fit with a home environment. It is at times like these – more so than usual – that it is vitally important that simple security measures are followed. Simple yet effective steps like ensuring passwords are suitably protected spring to mind. Regularly updating passwords, having different ones for different applications stored in a password manager, and two-factor authentication are all practical steps towards making it much more difficult for hackers to infiltrate information. While the chaos around COVID-19 ensues, with all of its social and financial pressures, the last thing a company wants is to fall prey to a ransomware or phishing attack. By acting smart now, we can all avoid that risk.”

##