Matt Shelton, Director, Technology Risk and Threat Intelligence at Mandiant on World Password Day:
- Whenever possible, use Multi-Factor Authentication (MFA), prioritizing banking, email, and social media accounts. Hardware tokens like YubiKey and software tokens like Google Authenticator are more secure than SMS-based MFA. SMS-based MFA is still more secure than just using a password!
- Enterprises should disable mobile push on employee MFA tokens. Mandiant has observed an increase in threat actors abusing mobile-push functionality over the last several years.
- Practice good password hygiene by using complex and long passwords that are unique for each site you visit. A strong password doesn’t have to be difficult to remember as long as it’s long! Consider using a long phrase that’s easy to remember.
- Consider using a password manager to store unique and complex passwords for every site you visit. When choosing a password manager, use an industry-recognized provider and never store your passwords in a document on your desktop!
- There’s no longer a need to change passwords on a regular basis as long as you practice good password hygiene. Instead, change your password when you know a site you have an account on has been breached. Many password managers will proactively alert you when this happens.
Tyler Moffitt, Sr. Security Analyst at OpenText Security Solutions on World Password Day:
Ineffectiveness of 8-character passwords
- It doesn’t matter how randomized your password is or if it includes a capital/special character. What matters is length. The longer your password is, the stronger it will be.
- Passwords need to be as long as possible: the common parameter of an 8-character minimum is terrible because such passwords can be cracked easily.
- Graphics cards are evolving and getting better.
- Ex) The 2080 Ti graphics card (one generation old!) costs about $1,000 per card. So if a criminal buys four of them, a $4,000 investment, and puts them together in a password-cracking rig, they can crack 15 characters in 15 hours using Hashcat: https://twitter.com/hashcat/status/1129441728761610242?s=20&t=O6JRsLg-WJCLYLHqm9Kkmg
- How many people have 15-character passwords? How many times is the IT department making that requirement for passwords to be super long?
- The recommendation for consumers and SMBs for creating long passwords would be to use phrases and incorporate spaces, since every different character you add, whether that be a letter, number, space, or special character, is an exponential increase in security.
- You could have the most random, jumbled 8-character password, and yet these passwords are no more secure than 8-character passwords consisting of easy-to-remember phrases.
- Advice for SMBs
- Make passwords longer and incorporate phrases (anything easily memorable to you).
- Do phishing simulations to find out who in your company is happy to hand out their password.
- Humans are capable of remembering long phrases
- For business users, get APIs and hook their password requirements into these leaked-password lists, so that out of the billions of passwords leaked, whoever is creating the password won’t be using one of them and will be using something totally unique. (https://haveibeenpwned.com/)
- You can plug APIs into Google and Chrome. These extensions notify you when a password has been used or leaked.
- You could also internally discuss the security of passwords and ask staff to change their passwords if they are well known.
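The leaked-password API check described in the bullets above, as an added example that is not part of the original article and not OpenText's or Have I Been Pwned's code: it models the Have I Been Pwned "Pwned Passwords" range API offline. The SHA-1 prefix split and the `SUFFIX:COUNT` response lines are the real service's documented protocol; the sample corpus, its breach counts, `MIN_LENGTH` and the `build_fake_server`/`fetch_range` helper are constructed for the example.

```python
"""Added example: an offline model of the Have I Been Pwned "Pwned Passwords"
range check (not OpenText's or HIBP's code).

The real endpoint, https://api.pwnedpasswords.com/range/<PREFIX>, is called with
only the first five hex digits of the candidate password's SHA-1 (k-anonymity).
It answers with every known hash suffix under that prefix as "SUFFIX:COUNT"
lines, and the client finishes the comparison locally, so the password itself
never leaves the machine. The network call is replaced here by a constructed
in-memory corpus so the example runs without connectivity.
"""
import hashlib
from typing import Callable

# Constructed stand-in corpus with made-up breach counts; the real service
# holds hundreds of millions of hashes.
FAKE_BREACHED: dict[str, int] = {
    "password": 123,
    "123456": 456,
    "Summer2022!": 7,
}

# Minimum length enforced on top of the breach check. The quote above talks
# about 15 characters; this value is an assumption, not a policy the page states.
MIN_LENGTH = 15


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """Split a 40-hex-digit SHA-1 into the 5-char prefix sent and the suffix kept."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def build_fake_server(breached: dict[str, int]) -> Callable[[str], str]:
    """Return a fetch_range(prefix) function that mimics the real API's wire format."""
    by_prefix: dict[str, list[str]] = {}
    for plaintext, count in breached.items():
        prefix, suffix = split_hash(sha1_hex(plaintext))
        by_prefix.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch_range(prefix: str) -> str:
        # The real API rejects anything that is not exactly 5 hex digits.
        if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
            raise ValueError("prefix must be 5 uppercase hex digits")
        return "\r\n".join(by_prefix.get(prefix, []))

    return fetch_range


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appeared in the corpus; 0 if never seen."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def evaluate_password(password: str, fetch_range: Callable[[str], str]) -> dict:
    """Combine the two checks the quote recommends: length and not-in-breach."""
    seen = breach_count(password, fetch_range)
    long_enough = len(password) >= MIN_LENGTH
    return {
        "length": len(password),
        "long_enough": long_enough,
        "breach_count": seen,
        "accepted": long_enough and seen == 0,
    }


if __name__ == "__main__":
    fetch = build_fake_server(FAKE_BREACHED)
    for candidate in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        print(candidate, evaluate_password(candidate, fetch))
```

To use it against the live service, replace `fetch_range` with a function that performs an HTTPS GET of `https://api.pwnedpasswords.com/range/` followed by the five-character prefix and returns the response body; the rest of the logic is unchanged, and the full password hash is never transmitted.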
Nathan Wenzler, Chief Security Strategist, Tenable
“While progress has been made to encourage people to use multi-factor authentication (MFA) and other tools that don’t solely rely on passwords, there’s still much work to be done. The use of passwords is still common in most organizations, especially when it comes to non-human service accounts that often have administrative access to core databases and applications.
“In addition to implementing MFA, take security up a few notches by using a strong Privileged Account Management tool, implementing policies that require least privilege for all accounts, strong auditing for all service accounts, and limiting the applications and data that can be accessed.
“And don’t forget Active Directory! Approximately 90% of Fortune 1000 organizations still use Active Directory for account management. It’s no surprise that cybercriminals are still targeting AD given how widely used it is and that most organizations still don’t manage their credentials well.
“So, organizations should use World Password Day to review how they’re securing domain admin credentials, audit AD implementation to ensure it’s secured against exploits and leverage strong real-time monitoring to stay on top of unexpected changes to credentials, passwords or AD itself.
“We’ve made great strides in the Information Security community to educate users about why strong passwords are still needed and getting them to leverage MFA. But, we still have a long way to go to strengthen our password posture against attackers and compromise.”
Mr. Huzefa Motiwala, Director – Systems Engineering for India & SAARC, Palo Alto Networks
“As enterprises continue with hybrid work models, the resulting digital transformation will put Cloud adoption at the forefront. This equates to greater emphasis on data and asset confidentiality in multiple spaces. Strong identity management will be essential to prevent breaches. Without robust Identity & Access Management (IAM) policies in place, even the most advanced tools in the security stack will not be enough to comprehensively secure the enterprise.
The latest Cloud Threat Report by Palo Alto Networks’ threat intelligence team Unit 42 analysed 680,000+ identities across 18,000 cloud accounts from over 200 different organizations and discovered that:
- Nearly all cloud identities (99%) are overly permissive, and many grant permissions that are never used.
- 53% of cloud accounts allow weak password usage (<12 characters) – 44% allow password reuse.
- 62% of organisations have publicly exposed cloud resources.
These findings indicate that when it comes to IAM in the Cloud, organisations struggle to put good governance in place, opening the door for malicious actors to have wider access to cloud environments. This has given rise to Cloud Threat Actors, i.e., individuals or groups that threaten organisations through directed and sustained access to their cloud platform resources, services, or embedded metadata.
Therefore, on World Password Day 2022, pushing for strong password policies on the enterprise and individual levels is the need of the hour. Such policies must include:
- Complexity – using more than 12 characters along with a mixture of symbols, numbers, and letters.
- Expiry and repetition limits – passwords expire after a set amount of time and cannot be repeated.
- Brute-force prevention – users are locked out after a number of failed attempts.
As the lines between home and corporate networks blur, these policies will be of particular importance to end users as they lack 24×7 access to enterprise-grade security. So, understanding the need for strong cyber readiness, undertaking the necessary practices to ensure the same, and adapting these practices for an ever-evolving threat landscape will be crucial. Additionally, going beyond password policy and embracing methods like multi-factor authentication and biometric identification could help in providing a much-needed extra layer of security.”
Mr. Mahesh Kulkarni, MD & Co-Founder, AFour Technologies
“In today’s fast-evolving and mutating digital age, securing your information and protecting your privacy is extremely important. With our AI-backed analysis, we have realized that the key to any smooth-functioning digital process is its security. As a rule, password protection needs to be robust – more so today, due to the transition to a blended model of working, where many people blend their personal and professional working methods, as well as devices. Similar or shared passwords might become a liability to the individual and to their company, making both parties prone to attacks. This World Password Day, we urge everyone to secure their accounts, information, and privacy by strengthening their passwords and also to use 2-factor authentication wherever possible. Small steps like this will go a long way in securing entire ecosystems of data and privacy.”