As we inch closer to this year’s World Password Day, Toolbox brings you insights on the password hygiene of Internet users, both in personal and professional capacities. Experts weigh in on password best practices, or lack thereof, and how the authentication space is evolving from password to passwordless.
The prevalence of passwords in an average user’s day-to-day life has been at an all-time high. Passwords are the first and often the only line of authentication for accessing enterprise applications or social media platforms. With passwordless tech gaining ground, the continued use of passwords on a significant scale remains doubtful.
But until robust passwordless access mechanisms become the mainstays for authentication, passwords will continue to play a significant role for users. According to OneLogin, 41.4% of companies leverage up to 25 applications that require individual passwords.
Ahead of the World Password Day on May 5, 2022, Toolbox spoke with several cybersecurity experts who shared what the day entails.
Gunnar Peterson, CISO of Forter, told Toolbox, “It is especially fitting that we collectively celebrate World Password Day in light of recent breaches this quarter that have resulted in terabytes of stolen proprietary data and untold financial cost. The day is a reminder that the simplest of defenses in our toolbelt, credential and identity management, can be the difference between a secure system or an unimaginable incident.”
Do Organizations Have Solid Password Hygiene?
USwitch.com surveyed over 2,000 users to understand their password habits. The results do not indicate adequate password hygiene among the respondents, either in choosing a strong password or in keeping it safe.
Neil Jones, director of cybersecurity evangelism at Egnyte, told Toolbox, “For as long as I can remember, easily-guessed passwords such as 123456, qwerty, and password have dominated the global listing of most commonly-used passwords.”
“Unfortunately, weak passwords can become a literal playground for cyber-attackers, particularly when they gain access to your organization’s remote access solution and can view corporate users’ ID details.”
USwitch discovered that 30% of its survey respondents used their birth year, 39% included pets’ names, and 15% used the word ‘password’ in their passwords. In fact, according to the UK’s National Cyber Security Centre, ‘123456’ was still used by a whopping 23 million account holders as of March this year.
Some other gems used by 24% of Americans at some point, as discovered by Google, include ‘abc123,’ ‘password,’ ‘welcome,’ ‘admin,’ ‘Iloveyou,’ and ‘11111.’ Brute force attack, anyone? According to Avast, all it would take a threat actor to break a six-character, all-lowercase password is 10 minutes.
Weak passwords are a sure-shot way of inviting trouble but can still provide limited protection. For instance, using hobbies in passwords isn’t ideal but can protect the user’s account if the hobby remains unknown to the outside world.
Patrick Beggs, CISO of ConnectWise, told Toolbox, “In the early days of the world wide web, you were probably able to get away with a password as simple as ‘12345’. Times have changed since then, but humans remain predictable. Research has found that women typically include personal names in their passwords while men often use their hobbies. And experienced hackers also know the common vowels, numbers, and symbols that often appear in passwords.”
What’s undoubtedly alarming is that over 25% of respondents said they wrote their passwords down on a piece of paper. Password theft is on the rise, and stolen passwords are the primary resource that enables credential stuffing attacks.
Stolen passwords are also a valuable commodity on darknet marketplaces frequented by cybercriminal groups such as Lapsus$, which are on the prowl to find their next target. The use of stolen credentials, cookies, etc., is why Lapsus$ was able to cause havoc across multiple global organizations such as Microsoft, Okta, Samsung, NVIDIA and Globant in just the past three months.
“Colonial Pipeline, SolarWinds, Twitch. All of these organizations have one thing in common: they suffered data breaches as a result of stolen passwords and credentials,” pointed out Tyler Farrar, CISO, Exabeam. “Credential theft has become one of the most common and effective methods cyber threat actors use to infiltrate organizations of all sizes and access sensitive data.”
The fact that 51% of people reuse the same passwords for work and personal accounts (First Contact data) is an indicator of how vulnerable organizations and individuals can be. The compromise of either personal or work accounts can wreak havoc for everyone.
The threat surface increases further when considering that 43% of U.S. adults have shared their passwords with a partner or family member. Password sharing is most common (22%) for entertainment accounts such as Netflix and Hulu, followed by email (20%), social media (17%), and shopping accounts (17%).
While humans may be at fault for exposing themselves and their organizations through weak passwords or a careless attitude towards keeping them a secret, Sumit Srivastava, solutions engineering manager at CyberArk India, said, “Humans aren’t the only target for attackers that seek to compromise credentials as their easiest pathway to an organization’s critical data and assets.”
“Humans remain a lucrative and relatively easy target; the average staff member has more than 30 digital identities, and over half have some kind of sensitive access. But software bots – little pieces of code that do repetitive tasks – exist in huge numbers in firms around the world and are also a prime target.”
Srivastava pointed out that 68% of bots have been granted access to sensitive data and assets to carry out their intended functions. He added that machine identities currently outnumber human identities by a factor of 45 on average.
“Attackers specifically go after bots because they know that in many cases their passwords are not being rotated. They also know that bots generally have over-permissions, have more access than they need, and are not monitored like human identities for any anomalies,” Srivastava added.
“A compromised bot allows an attacker to maintain access and stay there undetected. Even today, we still see bots that back up all servers or domain admin accounts. In some cases, these bots are still using default passwords. Hard-coded passwords and secrets scattered throughout the environment are among the practices that must be eradicated in favor of centralized, robust password management, for both humans and machines.”
To counter this, Farrar suggests abandoning the ‘set it and forget it’ mindset, which is a major driver of credential-driven attacks. He advises using data-driven behavioral analytics solutions to continuously monitor for malicious activity and potential compromise.
Keith Neilson, a technical evangelist at CloudSphere, believes that it is time that passwords are put to rest. “Instead of putting emphasis primarily on the best practices for passwords, we must shift the attention over to secure access and next-generation authentication. This involves the development of new and improved alternatives to password management, which will need the implementation of robust cyber asset management systems,” Neilson told Toolbox.
He adds that “cyber asset management that enables authentication will become a greater priority when challenging authentication methods such as behavioral biometrics and liveness detection become more prevalent, since they need a far more sophisticated collection of cyber assets and rules.”
Neilson’s argument certainly holds when you consider the following: 85% of data breaches were caused by human error, making humans the weakest link in cybersecurity. The data is from the Psychology of Human Error 2022 report by Tessian and Stanford University researchers.
Yet, in 2021, 55% of respondents to Lawless Research’s study said businesses are responsible for providing account security. 44% said they have the primary responsibility to keep information safe, while the remaining 1% want the government to take care of their account security.
Neilson concluded, “While newer ways will undoubtedly replace the traditional password, they will continue to be used as a fallback and ‘master key.’ Enterprises will increasingly adopt more advanced authentication methods and the cyber asset management capabilities that support this evolution.”