May 5, 2022 (updated May 7): Today is World Password Day. We bring you some thoughts and hints from industry leaders and experts.
Milind Borate, Co-Founder & Chief Development Officer, Druva: Your cybersecurity implementation is only as strong as the weakest link. Don't let a weak password be that weakest link. Setting a strong password and implementing Multi-Factor Authentication (MFA) are essentials of a cybersecurity practice.
Sandeep Jain, Senior Director of Software Engineering, Forcepoint India: Though biometrics have become increasingly common for identifying ourselves on our devices, the password’s popularity continues as the primary way digital platforms and devices are secured. Passwords have persisted, despite their flaws, because they strike a level of compromise between security and convenience that works for the vast majority. This is boosted by the use of additional security like multi-factor authentication, where additional verification is needed on a second device. It makes it so simply stealing a user’s password isn’t enough to get access.
Sumit Srivastava, Solutions Engineering Manager India at CyberArk: Humans aren’t the only target for attackers that seek to compromise credentials as their easiest pathway to an organization’s critical data and assets. Humans remain a lucrative and relatively easy target; the average staff member has more than 30 digital identities, and over half have some kind of sensitive access. But software bots – little pieces of code that do repetitive tasks – exist in huge numbers in firms around the world and are also a prime target.
Bots are a major component of digital business. They need information - and access - so they can do what they do. Attackers specifically go after bots because they know that in many cases their passwords are not being rotated. They know also that bots are generally over-permissioned, have more access than they need, and are not monitored like human identities for any anomalies. A compromised bot allows an attacker to maintain access and stay there undetected. Even today, we still see bots that back up all servers or domain admin accounts. In some cases, these bots are still using default passwords. A compromise here becomes a ‘game over’ issue for the targeted organization.
Hard-coded passwords and secrets scattered throughout the environment are among the practices that must be eradicated in favour of centralized, robust password management, for both humans and machines.
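The two problems named above (default passwords on bot and service accounts, and hard-coded secrets scattered through configuration) are exactly what a small secret-scanning check catches before a config file reaches production. The following is an added example and not code from CyberArk or from this article; the sample configuration file, the default-password list and the key-naming convention (`*password*`, `*secret*`, `*token*`, `*api_key*`) are all constructed assumptions for illustration.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample: the kind of file a backup bot or service account might read.
SAMPLE_CONFIG = """\
# backup-bot.conf (constructed example, not a real system)
db_host = db01.internal.example
db_user = backup_svc
db_password = admin
api_token = "x7Q9zLp2Vb8nR4kT1wYh6Jd3Mf0Sg5Ce"
smtp_password = changeme
log_level = INFO
"""

# Placeholder/default passwords that should never survive into production (constructed list).
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "123456", "root"}

# Assumed naming convention: keys containing these words hold credentials.
SECRET_KEY_RE = re.compile(
    r"^\s*([A-Za-z0-9_.-]*(?:password|passwd|secret|token|api_key)[A-Za-z0-9_.-]*)"
    r"\s*[=:]\s*(.+?)\s*$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    key: str
    reason: str
    redacted: str  # never report the full secret value


def shannon_entropy(s: str) -> float:
    """Bits per character estimated from character frequencies (max log2(len(s)))."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep only the first two characters so a scan report does not leak the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_config(text: str) -> list[Finding]:
    """Return one Finding per credential-bearing line, classified by how bad it is."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = SECRET_KEY_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip("\"'")
        if value.lower() in DEFAULT_PASSWORDS:
            reason = "default password"
        elif len(value) >= 16 and shannon_entropy(value) >= 3.5:
            reason = "hard-coded high-entropy secret"
        else:
            reason = "hard-coded credential"
        findings.append(Finding(line_no, key, reason, redact(value)))
    return findings


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.key} -> {f.reason} ({f.redacted})")
```

Any hit is a candidate for moving the value into a managed vault and rotating it; the "default password" hits are the ones to fix first, since they are the case the quote calls "game over".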
Sophos shares 5 tips for home users and small businesses
DECIDE WHICH DATA IS CRITICAL, AND PROTECT IT PROPERLY: It’s OK to decide that you aren’t going to back up everything all the time, but you should make a list of the data you need to keep safe, and a rota that lets you keep track of when you last backed it up. If you have a process you use to ensure you pay the household bills regularly, use that system to keep on top of your backups, too. You don’t need a high-tech system: even just adding a visible weekly check-box to the calendar on your kitchen wall is a good way to do it.
REMEMBER THE 3-2-1 PRINCIPLE: The 3-2-1 rule suggests having at least three copies of your data, including the master copy; using two different types of backup, so that if one fails, it’s less likely the other will be similarly affected; and keeping one of them offline, and preferably offsite, so you can get at it even if you’re locked out of your home or office.
DON’T LEAVE BACKUPS WHERE CYBERCROOKS CAN FIND THEM: Many people keep backups so they are always online, such as in a live cloud storage account or on a network-attached storage (NAS) device. But if your backups are accessible online, they’re also accessible to any crooks who compromise your account or your network. Indeed, ransomware crooks make a point of searching for online backups and wiping them out as part of the attack, hoping to force you into paying up. Remember the 3-2-1 rule: think of online snapshots and real-time backups as just one of the two backup types you keep, and make sure you always have at least one other backup that’s offline. Whether you’re at home or at work, remember to unplug offline backup devices and put them somewhere safe unless you are in the process of backing up or restoring, and remember to log out explicitly from cloud backup accounts when you aren’t using them.
DON’T MAKE BACKUPS THAT EVERYONE CAN READ: Encrypt your backups so that if they’re lost or stolen, the thief can’t simply read out all your precious data for themselves. Windows has BitLocker, Macs have FileVault, and Linux has LUKS and cryptsetup, which can be used to create encrypted drives and partitions. There are also numerous archiving tools, some free and open source, that can create encrypted backup files, such as WinZip and 7-Zip. Note that FileVault and BitLocker are proprietary to Apple and Microsoft respectively, so you will need a matching operating system setup to restore your data. Also, BitLocker for removable drives isn’t available on home-user Windows versions. You’ll need to upgrade to Windows Pro for that.
LEARN HOW TO DO THE “RESTORE” PART OF THE PROCESS: We’ve helped numerous people over the years who made backups regularly and carefully, but weren’t able to get back the files they wanted when they needed to. Ironically, none of these cases happened because the user forgot or lost their decryption password – they simply weren’t well-practised enough in using the restore process to do it reliably, or even at all. Don’t be one of those people!
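The last tip is the one most often skipped, so here is an added example of a restore drill that can be run on a schedule: it backs up a directory, restores the archive into a scratch location and verifies every file against a SHA-256 manifest of what you expect to get back. This is illustrative code, not Sophos's or this article's; the sample files are constructed inline, the archive format is a plain gzipped tar (an encrypted container would wrap the same check), and the `stale=True` path simulates the common failure where the data changed after the last backup ran.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzipped tar of source and return the manifest captured at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return manifest


def restore_and_verify(archive: Path, expected: dict[str, str], target: Path) -> dict:
    """Restore archive into target and compare every restored file with the expected manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        # Use the 'data' extraction filter where the interpreter offers it (Python 3.12+,
        # backported to maintenance releases) so an archive cannot write outside target.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)
    restored = build_manifest(target)
    missing = sorted(set(expected) - set(restored))
    mismatched = sorted(p for p in expected if p in restored and restored[p] != expected[p])
    return {"ok": not missing and not mismatched, "missing": missing, "mismatched": mismatched}


def run_drill(stale: bool = False) -> dict:
    """Full drill on constructed sample data: back up, restore to a scratch dir, verify.

    With stale=True the source changes after the backup was taken, which is the kind of
    gap an untested backup routine only reveals on the day you need the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, dst = root / "source", root / "restored"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "invoice.txt").write_text("Invoice 0001: constructed sample content\n")
        (src / "photos.bin").write_bytes(bytes(range(256)) * 4)
        archive = root / "backup.tar.gz"
        make_backup(src, archive)
        if stale:
            (src / "docs" / "invoice.txt").write_text("Invoice 0001: edited after the backup\n")
            (src / "docs" / "notes.txt").write_text("created after the backup\n")
        # Verify against what the source looks like now, i.e. what you would expect to get back.
        expected = build_manifest(src)
        return restore_and_verify(archive, expected, dst)


if __name__ == "__main__":
    print("fresh backup:", run_drill())
    print("stale backup:", run_drill(stale=True))
```

Keeping the manifest with the offline copy (rule 3-2-1) means the drill can also be run against the offline media, which is the copy you will actually depend on after a ransomware incident.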
Matt Shelton, Director, Technology Risk and Threat Intelligence at Mandiant, provides some key points that can help in fostering cyber hygiene within the organisation.
- Whenever possible, use Multi-Factor Authentication (MFA), prioritizing banking, email, and social media accounts. Hardware tokens like YubiKey and software tokens like Google Authenticator are more secure than SMS-based MFA. SMS-based MFA is still more secure than just using a password!
- Enterprises should disable mobile-push on employee MFA tokens. Mandiant has observed an increase in threat actors abusing mobile-push functionality over the last several years.
- Practice good password hygiene by using complex and long passwords that are unique for each site you visit. A strong password doesn't have to be difficult to remember as long as it's long! Consider using a long phrase that's easy to remember.
- Consider using a password manager to store unique and complex passwords for every site you visit. When choosing a password manager, use an industry-recognized provider and never store your passwords in a document on your desktop!
- There's no longer a need to change passwords on a regular basis as long as you practice good password hygiene. Instead, change your password when you know a site you have an account on has been breached. Many password managers will proactively alert you when this happens.
Thomas Richards, Principal Security Consultant, Synopsys Software Integrity Group: The username/password combination remains at the core of all digital authentication; the use of which will not end in the foreseeable future. While Multi-Factor Authentication (MFA) adds an additional layer of security to better protect systems and end-users from compromise, passwords are still a core component of such MFA authentication.
Password compromises can often be attributed to other security issues such as vulnerable software or poor development practices. When caused by poor password hygiene, there is likely a technical control which isn’t fully implemented, such as the requirement for strong/effective passwords. Humans tend to choose the easiest approach and without policies to require strong/long passwords, users prefer to default to weak/short passwords.
I wouldn’t necessarily support the notion that more education alone is the way forward; however, companies should continue their cyber security training – including training around password security best practices. In this training, the curriculum should incorporate what constitutes a strong password. Companies should also stay up to date with industry standard best practices for password security.
Password managers provide many benefits that assist people with managing the many different passwords needed in today’s world. They provide secure storage, feedback if a password is considered weak, and can generate complex passwords as needed. All of these things help the user maintain their passwords according to best practices to reduce the risk of a compromise. Companies that have created password managers have put great thought into protecting passwords. Strong encryption is used for all storage and transmission of the password so that even if the hosting company is compromised, the data is always encrypted with only a key or password the user knows.
Strong passwords are the foundation of internet security best practices. Passwords should be as long as possible and contain a mixture of upper- and lower-case letters, numbers, and symbols. I also recommend to people that instead of using a single word with variations, create a three- or four-word sentence. The length and complexity of a sentence greatly reduces the chance of a password being brute-forced in a password cracking attempt. For added security, enable multi-factor authentication where possible on any web application that allows it. Multi-factor authentication, coupled with a strong password, provides a robust defence for your internet accounts against attackers.
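Both Mandiant's "long beats complex" advice and the Synopsys recommendation of a three- or four-word sentence come down to how many guesses an attacker needs, so here is an added example of a password-policy check that makes that reasoning explicit. It is not code from either company or from this article. It estimates strength two ways, as a blind character-level brute force and as a guess over a word list when the password is visibly a passphrase, and takes the lower figure; the 7776-entry word-list size, the 12-character minimum, the 50-bit threshold and the small common-password list are all assumptions chosen for illustration, not a published standard.

```python
import math
import re
import string

WORDLIST_SIZE = 7776  # assumed size of a Diceware-style word list (6^5 entries)
MIN_LENGTH = 12       # assumed policy minimum
MIN_BITS = 50.0       # assumed policy threshold
# Constructed stand-in for a breached/common-password list; a real check uses a large one.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "p@ssw0rd"}


def charset_size(pw: str) -> int:
    """Size of the alphabet a blind brute-force attacker must cover for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c == " " or c in string.punctuation for c in pw):
        size += len(string.punctuation) + 1  # 32 symbols plus space
    return size


def brute_force_bits(pw: str) -> float:
    """Upper bound on strength if the attacker knows nothing about how it was chosen."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def passphrase_bits(pw: str):
    """Strength if the attacker knows it is a word-list passphrase; None if not one."""
    words = [w for w in re.split(r"[ \-_]+", pw) if w]
    if len(words) < 2:
        return None
    return len(words) * math.log2(WORDLIST_SIZE)


def estimate_bits(pw: str) -> float:
    """Take the lowest estimate that applies: assume the attacker knows your structure.

    Note this still overrates a single mangled dictionary word ("Tr0ub4dor&3"), which is
    why the policy below also checks a common-password list rather than bits alone."""
    if pw.lower() in COMMON_PASSWORDS:
        return 0.0
    estimates = [brute_force_bits(pw)]
    pb = passphrase_bits(pw)
    if pb is not None:
        estimates.append(pb)
    return min(estimates)


def check_policy(pw: str) -> list[str]:
    """Return the reasons a password fails the (assumed) policy; empty list means it passes."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("found in common-password list")
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if estimate_bits(pw) < MIN_BITS:
        reasons.append(f"estimated strength below {MIN_BITS:.0f} bits")
    return reasons


if __name__ == "__main__":
    for candidate in ["password", "Tr0ub4dor&3", "green apple pie", "correct horse battery staple"]:
        print(f"{candidate!r}: {estimate_bits(candidate):.1f} bits, {check_policy(candidate) or 'OK'}")
```

The four-word phrase passes even though it has no upper-case letters, digits or symbols, because its length and word count give it roughly 52 bits against an attacker who knows the word list, while a three-word phrase falls short and an 11-character "complex" string fails on length alone.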
Nathan Wenzler, Chief Security Strategist, Tenable: While progress has been made to encourage people to use multi-factor authentication (MFA) and other tools that don’t solely rely on passwords, there’s still much work to be done. The use of passwords is still common in most organizations, especially when it comes to non-human service accounts that often have administrative access to core databases and applications. In addition to implementing MFA, take security up a few notches by using a strong Privileged Account Management tool, implementing policies that require least privilege for all accounts, strong auditing for all service accounts, and limiting the applications and data that can be accessed. And don’t forget Active Directory! Approximately 90% of Fortune 1000 organisations still use Active Directory for account management. It’s no surprise that cybercriminals are still targeting AD given how widely used it is and that most organizations still don’t manage their credentials well. So, organizations should use World Password Day to review how they’re securing domain admin credentials, audit AD implementation to ensure it’s secured against exploits and leverage strong real-time monitoring to stay on top of unexpected changes to credentials, passwords or AD itself. We’ve made great strides in the Information Security community to educate users about why strong passwords are still needed and getting them to leverage MFA. But, we still have a long way to go to strengthen our password posture against attackers and compromise.
Mahesh Kulkarni, MD & Co-Founder, AFour Technologies: In today's fast-evolving and mutating digital age, securing your information and protecting your privacy is extremely important. With our AI-backed analysis, we have realized that the key to any smooth-functioning digital process is its security. As a rule, password protection needs to be robust - more so today, due to the transition to a blended model of working, where many people blend their personal and professional working methods, as well as devices. Similar or shared passwords might become a liability to the individual and to their company, making both parties prone to attacks. This World Password Day, we urge everyone to secure their accounts, information, and privacy by strengthening their passwords and also to use 2-factor authentication wherever possible. Small steps like this will go a long way in securing entire ecosystems of data and privacy.
Is your website truly protected? Website security in today’s digital era is imperative, to keep hackers and cyber thieves from accessing sensitive information. Businesses risk malware spreading and escalating, as well as assaults on other websites, networks, and IT infrastructures if they don't have a proactive security policy in place. Website Security provides easy-to-use tools for protecting your site from the most common security threats. After all, your website serves as the hub of your company, brand, and all the fantastic things you're doing in the world. It deserves comprehensive protection with all the tools you'll need to keep your company and consumers safe online.
According to government sources, there were 6,07,220 cybersecurity breaches reported between June 2021 and June 2022. Therefore, it becomes crucial for businesses to have proper website security solutions in place while taking their business online. GoDaddy provides comprehensive security to help protect small business websites. Let’s look at some of the key tips that can help small businesses avoid cyber security threats in their online journey.