Users understand that their passwords or security protocols are weak, but they may not understand the consequences until it’s too late.
World Password Day is held on the first Thursday each May with the intention to promote more effective password usage. Strategies related to this involve complex passwords, two-factor authentication, and password managers to securely store comprehensive passwords as well as security questions/answers associated with them.
Of course, Password Day should be an everyday occurrence and not an annual event. As a system administrator who has spent way too much of his career resetting lost or forgotten passwords, reducing the stress involved with this process for both users and administrators is a high priority.
SEE: Windows 10 security: A guide for business leaders (Tech Pro Research)
I spoke with Ivan Novikov, CEO of Wallarm, an AI-based application security platform, regarding password tips to improve your security hygiene. As a white hat hacker and penetration tester who received bounty awards from Google, Facebook, Honeywell, and others, Novikov has extensive experience in the field.
Top password priorities
Scott Matteson: What would you say are the top priorities involving passwords, other than making sure they are as complex as possible?
Ivan Novikov: Ensure that the passwords used on public websites are not stolen or PWNED passwords, which can be checked at this online resource:
If your password has been PWNED, make sure to change your password as soon as possible and make it unique for each site. There is a special government service that can help you check:
After password resets, Help Desks should force password changes to prevent users from sticking with the default password, which is usually standard and well-known
Reliable password managers can be used as an add-on to your web browser. It manages your passwords, creates random unique passwords for different logins to ensure security, and will automatically input passwords for convenience. Password managers should work on all browsers, including Google Chrome, Safari, Firefox, Internet Explorer, or you can use the browser’s built-in password management functionality.
An even better way is to use a reliable authentication tool such as Google Authenticator, with multiple factors of authentication, including a password or pin, something you have (like your mobile device), and something you are (e.g. a fingerprint, face scan, iris scan, etc.)
Ultimately the guiding principle for consumers today should be to limit the potential exposure of their personal data online. The simplest rule of thumb is to share as little as possible so there is less to be found and used by criminals and scammers. The less personal information available, the less likely it can be stolen and used by hackers.
SEE: Password management policy (Tech Pro Research)
Scott Matteson: How far along do you think we are towards establishing biometrics or other avenues, which can eliminate the hassle of passwords altogether?
Ivan Novikov: Biometrics are emerging as a popular form of authentication. You see biometrics being used in the latest smartphones, laptops, and consumer apps.
It’s a mistake to think we’ve arrived at complete reliance on biometrics. While biometrics will strengthen password requirements in the near future, it might be a while before they replace passwords altogether. Besides, you only have 10 fingerprints. The downside of using biometrics is that a password can be changed or certificate revoked, in the case of a compromise. Once a piece of biometrics is compromised, it is almost certainly a direct path to identity theft.
Scott Matteson: How frequently do you think critical passwords should be rotated in the business and consumer community and why?
Ivan Novikov: Cybercriminals are opportunistic, and they don’t take vacations. They are also increasingly sophisticated, playing more patient and stealthy attacks out. They work overtime to leverage stolen data to break into accounts. That’s why it’s critical for businesses and consumers both to keep their critical passwords secure.
While the earlier doctrine recommended frequent (once every three months) password changes, the newer thinking is that trying to remember the multitude of passwords that change frequently is counter-productive; the process of changing or writing down the password creates more risk than it solves. A password should certainly be changed following any major data breach. Nonetheless, a better overall approach is to use a password manager with strong, generated passwords. Better yet, establish an authentication solution that doesn’t rely on passwords at all.
Another consideration with passwords is ‘credential stuffing.’ Even if a breach was not targeted at a specific account, a frequent methodology hackers use is to sequentially try all the passwords that were found to correspond to a specific email in stolen databases. Because people frequently reuse passwords, this technique, called credential stuffing, leads to a compromise more often than a brute-force attack.
The lesson here is that it’s more important that critical passwords are unique and not used elsewhere than how frequently they rotate.
SEE: How to reduce user account lockouts and password resets (free PDF) (TechRepublic)
Scott Matteson: What are your thoughts on two-factor authentication? Is it here to stay or is it bound to be replaced?
Ivan Novikov: Multi-factor authentication is here to stay, given the growing sophistication of cybercriminals and the proliferation of attacks. As data privacy continues to take center stage in tech, politics, and the media, organizations will feel pressure to augment their defenses with emerging technologies, such as biometrics. It’s difficult for even talented hackers to figure out complex passwords and hack someone’s fingerprint. Criminals often take advantage of weaknesses rather than look for the biggest security challenges.
Scott Matteson: What are the common pitfalls/weaknesses with password management?
Ivan Novikov: One of the hopes of biometrics is determining the most efficient and easiest way to help users adopt strong security practices. Having unique, multi-variable passwords that are not “memorable”—and therefore not easily hacked—is difficult on users. They commonly write down passwords in accessible places, make a discoverable file, or use passwords across accounts, which compromises data security.
Realistically, it’s security professionals who need to innovate around the user demand for usability. People understand that their passwords or security protocols are weak. But the desire for high usability or retention, ease of access, or other incentives can push security prioritization aside. They may not understand the consequences until it’s too late.