This year’s World Password Day is observed against a backdrop where the COVID-19 pandemic is serving up the perfect storm for bad actors and cybersecurity nightmares.
Almost every country in the world has seen at least one COVID-19 themed attack, some with devastating impact.
A surge in the number of remote workers, often unmonitored connected devices, and lots of risky online connections – all combine to present a dangerous concoction for businesses attempting to weather the current public health crisis.
Each year on the first Thursday in May, World Password Day promotes better password habits. Passwords have long been the critical gatekeepers to our digital identities – online shopping, dating, banking, social media, remote working and communications – so keeping them secure is of utmost importance.
“World Password Day 2020 is an important opportunity to reflect on the evolution of authentication and identity management, at a time of unprecedented digital dependency, due to the global shift to remote working as a result of COVID-19,” said Peter Bagge, Vice President, Asia Pacific, OpenText.
“This World Password Day takes place in the shadow of a ‘new normal’ existence for much of the world’s population, characterized by soaring levels of home work,” said David Higgins, Technical Director, CyberArk.
“This has resulted in a blurring of previously distinct lines between work and home devices – with more remote workers using personal devices to access work systems – opening up a vast new potential attack surface,” he added. “Combine that with common employee practices like saving passwords in browsers or reusing passwords and this new landscape becomes a playground for attackers.”
Higgins sees effective authentication of all devices now becoming even more crucial in order to protect not only PII but the critical data and assets of the organizations we work for.
Concurring, Bagge said: “Cybersecurity is more important than ever given the new demands being placed on our networks as businesses shift rapidly to remote working environments. Employees have become digital nomads working on and off VPN — checking their bank accounts, accessing emails, connecting to their employer’s time management systems — increasingly using a single device to do so while the humble password remains at the forefront of identification.”
While it’s been over a decade since the practice of Bring Your Own Device (BYOD) became popular, Bagge observed that the current situation means individuals are relying even more on their own devices to access public and corporate networks, automatically and seamlessly. “They demand zero friction when it comes to security, and will innocently circumvent security measures if it means getting their job done more efficiently.”
He warned: “While many businesses and consumers have started to take a more proactive approach when it comes to cybersecurity, now more than ever, with cybercriminals becoming adept at exploiting the COVID-19 pandemic for the various scams and attacks they carry out, companies need to implement a robust set of cybersecurity policies, practices and solutions to keep devices and enterprise data secure.”
What do we do with these things called passwords?
According to the LastPass Psychology of Passwords Report, 91% of people know password reuse is insecure, yet two-thirds do it anyway. Half of respondents have not changed their passwords in the past 12 months even after hearing about a breach in the news.
“There’s a lot of debate out there about the best password policy and whether or not they should be long, short, how complex etc.,” said Roger Grimes, data-driven defense evangelist, KnowBe4. “The National Institute of Standards and Technology (NIST) has drastically changed their advice recently, stating that long and complex passwords shouldn’t be required and they don’t need to be changed unless they’ve been compromised in some manner.”
While the issue remains under debate, Grimes said that many security professionals do not agree with NIST’s advice. “The most important thing to remember is to never reuse the same password for multiple sites. It’s also recommended to use multi-factor authentication whenever possible.”
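To make the NIST position Grimes refers to concrete, here is an added example written for this page (not code from KnowBe4, NIST or any vendor quoted above): a verifier in the style of NIST SP 800-63B that enforces only a minimum length, a check against a breached/common-password blocklist, a context-word check and a repetitive-or-sequential-run check, with no character-class composition rules and no expiry, shown next to the older complexity rule for contrast. The blocklist is a small constructed sample standing in for a real breach corpus, and the 128-character upper cap is this example's own choice rather than a NIST figure.

```python
import hashlib
import string
import unicodedata

# Constructed sample blocklist standing in for a real breach corpus (a
# production verifier would consult something like the Pwned Passwords set).
# Stored as SHA-1 hex digests, the form such corpora are usually distributed in.
_BREACH_CORPUS = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "Password1!", "Spring2020!")
}

# SP 800-63B: require at least 8 characters and permit at least 64. The upper
# cap here is this example's own choice, not a NIST number.
MIN_LEN = 8
MAX_LEN = 128

TOO_SHORT = f"shorter than {MIN_LEN} characters"
TOO_LONG = f"longer than {MAX_LEN} characters"
BREACHED = "appears in the breach/blocklist corpus"
CONTEXT = "contains a context-specific word (username, service name, ...)"
TRIVIAL = "contains a repetitive or sequential run"


def has_trivial_run(pw, run=4):
    """True if `run` identical characters appear in a row, or a straight
    ascending/descending code-point sequence of that length ('aaaa', '1234', 'dcba')."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def evaluate_password(candidate, context=()):
    """NIST SP 800-63B style check. Returns the list of rejection reasons;
    an empty list means the password is acceptable. Deliberately absent:
    character-class composition rules and any notion of password age."""
    # Normalise to NFKC so the same visible string always compares the same way,
    # then count code points (not bytes) so non-ASCII users are not penalised.
    pw = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(TOO_SHORT)
    if len(pw) > MAX_LEN:
        reasons.append(TOO_LONG)
    if hashlib.sha1(pw.encode("utf-8")).hexdigest() in _BREACH_CORPUS:
        reasons.append(BREACHED)
    lowered = pw.lower()
    if any(w and w.lower() in lowered for w in context):
        reasons.append(CONTEXT)
    if has_trivial_run(pw):
        reasons.append(TRIVIAL)
    return reasons


def legacy_complexity_ok(pw):
    """The older composition rule: 8+ characters with upper, lower, digit and
    symbol. Kept only to show what it lets through."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


if __name__ == "__main__":
    for pw in ("Password1!", "correct horse battery staple", "123456"):
        print(f"{pw!r}: legacy={legacy_complexity_ok(pw)} "
              f"nist={evaluate_password(pw) or 'ok'}")
```

Running it shows the point of the debate: "Password1!" satisfies every legacy complexity rule yet is rejected because it sits in the breach corpus, while a long passphrase with no digits or symbols fails the legacy rule and passes the NIST-style check. In a real deployment the blocklist lookup would go to a full breach corpus rather than this constructed sample.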
Bagge added: “Over the years, the traditional password has been joined by a multi-layered approach to security. Fingerprints, voice and facial recognition are increasingly being used to secure both devices and services. As such, many in the tech industry have been talking about killing the password for years, but we are starting to see a real trend toward relying on mobile devices for what some call ‘zero sign-on’ access.”
Some tips on observing #WorldPasswordDay
- Change an old password to a long, strong one
- Turn on two-factor authentication for your important accounts
- Set a strong password on your wireless router, for both the Wi-Fi network and the router's admin interface
- Don't leave passwords in plain text, or saved in your browser, on your computer or phone
- Log off when you’re done with a program
- Periodically remove temporary internet files