World Password Day 2022: Gone Are the Days of Password123
In honor of World Password Day, the first Thursday of May every year, cybersecurity professionals strive to provide new insights and tips to help individuals and organizations keep their valuable data safe from relentless cybercriminals.
As the pivotal first line of defense for our online accounts, systems, and networks, passwords play a critical role in the privacy and security of our digital ecosystems. Unfortunately, passwords are easy to share, steal – and increasingly, easy to guess or crack via so-called “brute force” attacks. Once compromised, passwords can provide digital thieves with a virtual passport to your most sensitive data and systems.
Choosing a new password is a task often performed in haste, but which deserves careful consideration. Here are seven quick tips for better password protection:
- Screen Passwords for Compromises: Check to see if a password has been previously compromised before using it. One good resource to vet passwords is the “known compromised” password corpus, Have I Been Pwned?
- Forget What You Know About Complexity Rules: Users tend to formulate predictable passwords. The National Institute of Standards and Technology (NIST) recommends screening and blacklisting previously breached passwords and avoiding repetitive or sequential characters (“aaaaaa” or “1234abcd”), or context-specific words, like the name of the service, the user’s name, and derivatives.
- Don't Worry About Periodic Resets: The use of password expiration is losing favor as research shows it doesn't really do much for security. NIST suggests avoiding forced periodic resets, but strongly recommends changing passwords with any evidence of compromise.
- Use Lengthy Passphrases: Longer passwords are harder to crack or guess, and length does more for security than any other complexity rule. NIST recommends passwords of at least eight characters; organizations should strive for longer minimums and design systems that accept passwords of up to 64 characters, so that users are encouraged to use passphrases.
- Enable MFA (When Available): With the pandemic causing more people to work remotely, more organizations have been investing in and adopting multi-factor authentication (MFA), one of the best ways to mitigate the risk of passwords, and a common component of zero trust architectures. A problem that arises, however, isn’t that MFA is not available, but that users and administrators don’t take advantage of it when it’s already there. One study found 78% of Microsoft® 365 administrators do not have MFA activated within their environments.
- Give Users a Password Manager: When MFA is unavailable or not being used, password managers provide a good middle ground for managing risk when a password is the sole form of authentication. A password manager automatically generates a long, random password every time a user creates a new account – yet the user only has to remember a single master passphrase.
- Double-Check Practices for Choosing Master Passwords: When using a password manager, it’s advisable that master passwords be thoroughly hardened. NIST suggests choosing long passphrases for master passwords, storing them offline, and avoiding password managers that allow recovery of the master password.
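The screening rules in the tips above (a length floor and ceiling, a breach-corpus lookup, rejection of repetitive or sequential runs, and rejection of context-specific words such as the service or user name) can be expressed as a small policy check. The code below is an added example written for this page; it is not code from the original post or from BlackBerry or NIST. It uses a constructed breach list in place of the real Have I Been Pwned corpus and mirrors the k-anonymity range-query shape that service uses (the client sends only the first five hex characters of the password's SHA-1 and matches the suffix locally), so it runs fully offline; the function and variable names are this example's own.

```python
import hashlib
import re

# Constructed stand-in for the Have I Been Pwned breached-password corpus.
# The real service is queried by the first five hex characters of the
# password's SHA-1 (k-anonymity); the index below imitates one such response.
CONSTRUCTED_BREACHED = {"password123", "qwerty", "letmein", "Password1"}


def sha1_prefix_suffix(password):
    """Split the uppercase SHA-1 hex digest into the 5-char prefix a client
    would send to a range API and the suffix it keeps locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_index(passwords):
    """Build {prefix: {suffix: count}} from a breach list (constructed data)."""
    index = {}
    for pw in passwords:
        prefix, suffix = sha1_prefix_suffix(pw)
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def breached_count(password, range_index=RANGE_INDEX):
    """Times the password appears in the (constructed) corpus. Only the
    prefix selects a bucket; the full hash never has to leave the client."""
    prefix, suffix = sha1_prefix_suffix(password)
    return range_index.get(prefix, {}).get(suffix, 0)


def has_repetitive_run(password, run=4):
    """True for runs such as 'aaaa' (NIST: reject repetitive characters)."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def has_sequential_run(password, run=4):
    """True for ascending or descending runs such as '1234' or 'dcba'."""
    codes = [ord(c) for c in password]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_context(password, context_terms):
    """Context-specific words (service name, username, ...) found in the password."""
    lowered = password.lower()
    return [t for t in context_terms if t and t.lower() in lowered]


def evaluate_password(password, context_terms=(), min_len=8, max_len=64,
                      range_index=RANGE_INDEX):
    """Apply the screening rules from the tips: length floor and ceiling,
    breach-corpus lookup, repetitive/sequential runs, and context words.
    Returns (accepted, reasons)."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        reasons.append(f"longer than {max_len} characters")
    if breached_count(password, range_index) > 0:
        reasons.append("found in breach corpus")
    if has_repetitive_run(password):
        reasons.append("repetitive character run")
    if has_sequential_run(password):
        reasons.append("sequential character run")
    found = contains_context(password, context_terms)
    if found:
        reasons.append("contains context-specific term(s): " + ", ".join(found))
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed candidates; "acme" and "jsmith" stand in for service and user name.
    for candidate in ("password123", "1234abcd", "jsmith2024!",
                      "correct horse battery staple"):
        ok, why = evaluate_password(candidate, context_terms=("acme", "jsmith"))
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} {why}")
```

Against a real deployment, `RANGE_INDEX` would be replaced by the parsed response of a range query for the computed prefix; the rest of the check is unchanged. Note that the policy contains no character-class requirement at all, in line with the tip to forget traditional complexity rules: a long passphrase with no digits or symbols passes, while a short, breached, or user-name-derived password does not.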
Tired of Pesky Security Prompts That Keep Making You Prove That “You’re Still You”?
In addition to the password enhancement tips provided above, solutions such as CylancePERSONA™ provide increased protection that can lead to a more password-friendly future. CylancePERSONA provides continuous authentication with machine learning (ML) and predictive artificial intelligence (AI) to dynamically adapt a security policy based on user location, device, and other factors and protect against human error and well-intentioned workarounds.
How CylancePERSONA Works
- User Location - CylancePERSONA uses ML and predictive AI to identify behavioral and location patterns of multiple users to determine risk. Known work locations can also be preloaded.
- Network Trust - CylancePERSONA determines the frequency of network use and adjusts security dynamically based on profiles. For example, accessing a public Wi-Fi for the first time would adjust the risk score accordingly.
- User Behavior – This soon-to-be-released feature of CylancePERSONA will add the ability to determine and build a contextual risk score, based on how and when a user normally accesses data. The feature works by identifying when the user’s behavior seems consistent and trustworthy.
- Device and App DNA – Another soon-to-be-available feature, this capability will enable CylancePERSONA to determine whether a specific device or set of applications are compliant and up to date, adjusting security policy based on device and app “DNA” profiles.
Final Thoughts
As we mark the 10th World Password Day, initially started by Intel in 2013, it’s a great reminder to check for potential areas of vulnerability and explore options to keep systems and networks safe from inherent insecurities and threats.
Passwords persist because they're easy to use, easy to design logins around, and are a well-known and well-tolerated security measure. While they continue to reign as the primary (and often sole) form of authentication, there are smart steps to take for better password protection.
Many organizations, encouraged by analyst findings such as the Forrester Research Report indicating 70% of enterprises are still password-centric, have added stronger layers of protection with the enablement of MFA and zero trust.
In addition to the recommendations of NIST and other trusted cybersecurity advisors, solutions such as CylancePERSONA can offer an alternative method of protection to help keep organizations secure. Visit BlackBerry to learn more about CylancePERSONA, or to schedule a free trial.