Over the past decade, we have done the absolute most when it comes to passwords. We have written love letters, pontificated on strategies, and even offered tips on how to teach your mother the tricks of the trade. And it makes sense that we have done so much when it comes to our numeric and unique character friends. Once a password is compromised, the flood gates are open. The eye-popping number of credential stuffing data breaches this year taught us as much. The 2019 edition of Akamai Technologies’ State of the Internet Report, the company reported it had detected 3.5 BILLION credential-stuffing attempts in just the past 18 months. Nearly half of those were targeted at companies in the financial services sector—not a shock at all. Despite the targeting of financial services, we know that rich pickings are to be had, across any industry, if hackers gain legitimate access to organisation’s data and systems. Passwords are important for everyone.
So, in the face of this ongoing onslaught of attacks, what are we to do when we feel like we've said and done it all with passwords? We need to educate, educate, and educate some more because of the sad fact of the matter is we are still making rookie mistakes when it comes to passwords.
There are two schools of thought when it comes to passwords—those that love them and those that want them to go away. While I do think ‘death of the password’ is coming at some point, we still have some work to do, and talking about passwords is a critical part of your cybersecurity no matter the expert level. Even if we feel like we are tediously repetitive, and the requirements to include lower case, upper case, numbers AND special characters might seem like overkill (but I promise it’s worth it). In spite of rigmarole, today, I’d like to meet you where you are—whether you are a self-confessed password newbie, expert or somewhere in between, there are steps we can all take to manage our password like a boss (and a CISO).
You are taking baby steps to strengthen your password game but don't know where to start. Here are three fundamental best practices to get you started. First, keep it long—the longer and more complex the password is, the safer you will be. Second, keep it unique—the best thing you can do is make all your passwords unique at every site (do not reuse passwords). Finally, keep it mindful—always be aware of where you were on the Internet and take specific note of anything or anybody that has asked you to log in. Once you have mastered these three steps, you can graduate to the next step.
You know what makes a good password, but you are still doing a few things that don’t make you a master just yet. There are two recommendations I have for you as you start to take passwords more seriously. The first is to start looking into a password management tool. There are a ton of useful commercial tools and solutions that help make this overall process of keeping long, complex, and unique passwords manageable. I use a password management tool myself. The second recommendation I have for you is to start changing your passwords every 30 days and change your password every time you hear of a data breach that has ties to you in some way.
Ah, the password pro. You’ve mastered the password, and are a model student. But did you know there are even more steps you can take to ensure your security? I would encourage you to look into using biometrics. This comes from the idea that the best password to use is the one you don't have to. While biometrics is a radical idea for beginners and people who are middle of the road, if you can swing it, that is the next step I would take for pro status. The concept of biometrics is using your fingerprint, face, or voice to gain access to your sensitive data. This creates a significantly safer environment as they are much harder to manipulate than passwords and two-step identification and two-factor authentication. To me, the use of biometrics is the future for passwords, but we have a while before we are all fully on board. You also don’t have to use biometrics to forgo passwords in some instances. I also encourage you to checkout as a guest online instead of creating an unnecessary account on a website that requires a password.
By now, we have deduced that poor password practices create a gateway for attackers to get access to whatever they want quickly. And while we can debate the longevity of passwords, the fact is they’re the most widely used and accepted means of authentication. Passwords are here to stay. Be your own boss and protect yourself and your organisation one password at a time.
Charles Poff, CISO, SailPoint