Password protected? The lessons from World Password Day
Thursday 5th May marks the fourth annual World Password Day, an international initiative to promote good password practice among consumers, employees and businesses. It comes hot on the heels of another annual initiative: the release of the latest Verizon Data Breach Investigations Report (DBIR), which analyzes the type and frequency of security incidents worldwide. Interestingly, the report states that a hefty 63% of data breaches over the previous year were attributable to lost, weak or stolen passwords.
This is clearly a very topical issue, and one that businesses, employees and even consumers have a responsibility to address together. While it is impossible to reduce the risk of password-related cybercrime to zero, 63% is far too high.
Some of the World Password Day website’s advice will seem familiar to IT and security professionals. Users are advised to create strong (read: long and complex) passwords and to use a unique password for every account, which we’ve all heard before. Indeed, it makes perfect sense. Strong passwords are far less likely to be cracked by automated password crackers, or guessed from stolen personal information. What’s more, using a unique password for every account dramatically reduces the potential impact of a breach should one password be broken or stolen.
One of the traditional problems with this approach has been that users find it impossible to remember several complex passwords, and so begin storing them on scraps of paper or sticky notes on their desktop PC casing. Fortunately, as World Password Day advises, this flawed memory aid is no longer necessary. Password manager applications are widely available, and many can be installed directly on the user’s smartphone. If the phone itself is lost or stolen, then provided a remote wipe capability is also installed, there’s no danger.
Finally, standard passwords can be dramatically strengthened by introducing multi-factor authentication, whereby a randomized element like a single-use token, or a unique factor like a fingerprint, is used to add a second layer of protection. Multi-factor authentication is becoming increasingly common in end-user scenarios as well as within enterprise networks, and is certainly something that we would also recommend.
However, one element of good password practice that isn’t highlighted on the World Password Day website is the need to change the default passwords on networking equipment such as routers, switches and even firewalls. When deploying new equipment under pressure from the business to restore a critical service, or to get that new application up and running, it’s easy to overlook or forget the need to move away from the factory default credentials.
As such, our key advice to organizations this World Password Day is to ensure that no default passwords are in place on any of your network devices. It’s a simple, straightforward, yet very effective means of tightening your network security and ensuring that the good password practices you are trying to instil in your employees are followed through at a device level, across your networks.
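The advice above boils down to a handful of checks that can be automated: passwords are long and complex, no password is shared between accounts, interactive accounts have a second factor, and no network device still carries its factory credentials. The following Python script is an added example, not code from the original article or from any vendor or product: it runs those checks over a constructed inventory of the kind a password manager’s vault export or a device register would provide. The vendor names, the default-credential baseline and the policy threshold `MIN_LENGTH` are all invented placeholders for illustration.

```python
"""Audit a constructed account/device inventory against basic password
advice: length and complexity, no reuse across accounts, MFA on interactive
accounts, and no factory-default credentials on network equipment.
Hypothetical example; not part of the original article."""
import hashlib
import string
from collections import defaultdict
from dataclasses import dataclass

MIN_LENGTH = 12  # assumed policy threshold; the article gives no number


def _sha256(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed baseline of factory "user:password" pairs per vendor, stored as
# hashes so the audit never needs the plaintext baseline at runtime. Vendor
# names and credentials are invented placeholders; a real audit would fill
# this from the documentation of the models actually deployed.
DEFAULT_CREDENTIALS = {
    "ExampleVendorA": {_sha256("admin:placeholder-default")},
    "ExampleVendorB": {_sha256("admin:"), _sha256("root:placeholder-default")},
}


@dataclass
class Record:
    name: str          # account label or device hostname
    kind: str          # "user" (interactive account) or "device" (network gear)
    username: str
    password: str      # as a vault export would hold it; constructed sample data
    vendor: str = ""   # only meaningful for devices
    mfa: bool = False  # only meaningful for user accounts


def is_complex(pw):
    """Long and complex: minimum length plus at least three character classes."""
    classes = [
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= MIN_LENGTH and sum(classes) >= 3


def audit(records):
    """Return {record name: [finding, ...]} for every record that fails a check."""
    findings = defaultdict(list)
    by_hash = defaultdict(list)  # password hash -> names using it (reuse detection)
    for r in records:
        by_hash[_sha256(r.password)].append(r.name)
        if not is_complex(r.password):
            findings[r.name].append("weak password (short or too few character classes)")
        if r.kind == "user" and not r.mfa:
            findings[r.name].append("multi-factor authentication not enabled")
        if r.kind == "device":
            baseline = DEFAULT_CREDENTIALS.get(r.vendor)
            if baseline is None:
                findings[r.name].append(f"no default-credential baseline for vendor {r.vendor!r}")
            elif _sha256(f"{r.username}:{r.password}") in baseline:
                findings[r.name].append("factory default credentials still in place")
    # A password shared by two or more records is a reuse finding on each of them.
    for names in by_hash.values():
        if len(names) > 1:
            for n in names:
                others = ", ".join(sorted(x for x in names if x != n))
                findings[n].append(f"password reused with: {others}")
    return dict(findings)


# Constructed inventory: a mix of user accounts and network devices.
SAMPLE = [
    Record("alice@mail", "user", "alice", "Tq7!vLm2#pRw9z", mfa=True),
    Record("alice@bank", "user", "alice", "Tq7!vLm2#pRw9z", mfa=True),   # same password: reuse
    Record("bob@mail", "user", "bob", "summer2016", mfa=False),          # weak, no MFA
    Record("core-sw-01", "device", "admin", "placeholder-default", vendor="ExampleVendorA"),
    Record("edge-fw-01", "device", "admin", "G8$kq2Zr!mN4wX", vendor="ExampleVendorB"),
    Record("branch-rtr-07", "device", "admin", "Vz3#mWq8!rTp5L", vendor="UnknownVendor"),
]

if __name__ == "__main__":
    for name, problems in sorted(audit(SAMPLE).items()):
        print(name)
        for p in problems:
            print("  -", p)
```

Run as-is it reports the reused password on both of Alice’s accounts, the weak password and missing second factor on Bob’s, the unchanged factory login on `core-sw-01`, and the router whose vendor has no baseline (which a practitioner would treat as “check manually” rather than “clean”); `edge-fw-01` passes every check. Comparing hashed rather than plaintext defaults is the design choice worth copying: the audit script can be shared without carrying a readable list of factory credentials.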