Technology leaders have urged businesses to take stock of their own and their staff’s diligence in setting secure passwords to mark World Password Day, and offered advice to employers on how to instil this diligence in their workforce.
The annual event, marked on the first Thursday of May, aims to showcase the explosive growth in online fraud and identity theft, with a strong authentication password being the first line of defence.
“Passwords are the oldest, secure and convenient way to authoritatively establish identities. Their benefits far outweigh the limitations and hence the many attempts to eliminate them completely have failed time and again,” said Rajesh Ganesan, vice-president at IT management software provider ManageEngine.
“A more pragmatic approach is to impart awareness about password hygiene to people, in much the same way as personal hygiene, where strong and healthy individuals lead to strong and healthy communities.”
But as other technology leaders point out, the very fact that World Password Day exists should serve as a warning of the need for these most basic of security tools to be used to maximum effect.
“For years, employees have been sitting at their desks, logging onto the corporate network with their username and password and going about their day,” said Jamie Davidson, ANZ regional sales manager of Apple management solutions company JAMF.
“However, the need for World Password Day suggests that despite the fact that cyber attacks have driven significant increases in cyber security awareness and training, there’s been a failure to turn increased awareness into the enforcement of security best practices.”
According to Mr Davidson, many passwords are easily accessible to hackers for a price, giving them “a stepping stone to getting data that is truly valuable”.
“Not only should user passwords vary between sites, they should be frequently changed, whether that be a managed process from the site or service being accessed, or a simple matter of discipline from the end user,” he said.
“At the same time, with today’s more mobile workforce, the approach to identity and security will continue to evolve. IT managers increasingly need to be able to remotely manage users and their passwords and provide access to corporate applications.”
He added: “As cyber attacks continue on trusted institutions, password usage and their security will continue to be a critical ingredient in creating great security hygiene.”
Michael Warnock, Australia country manager at Aura Information Security, agreed that “the very existence of World Password Day should in itself be a stark reminder to both businesses and IT users of the need to be ever vigilant”.
“Weak passwords are still a primary way that hackers attack accounts, and the reuse of passwords can also lead to multiple accounts being breached,” Mr Warnock said.
“To help minimise the risk of bad password practices amongst employees, today’s business, IT and HR leaders should be frequently advising their staff on how to create strong passwords and encourage them to use different ones across different platforms, as well as between work and personal devices.
“Fostering a culture of cyber security awareness, supplemented by regular training and education, is also very important. Ultimately, good security for businesses starts with staff education and effective security policies — and that includes never revealing your passwords to anyone, or including passwords in documentation (emails, work instructions, application user guide etc.).”
According to Mr Warnock, businesses can devise a formal policy on password creation for their workforces, which should:
- Advise employees to choose a unique phrase or string of words that’s easy to remember but difficult to guess for hackers. “It could be a favourite song title or lyrics, or your favourite food,” he said.
- Encourage them not to reuse their work password elsewhere, and particularly not to reuse passwords across both work and personal devices and accounts.
- Implement a password manager application to manage multiple different passwords.
Meanwhile Nick FitzGerald of IT security business ESET offered these tips for enhancing the effectiveness of passwords:
- Deactivate unused accounts. “Old and unused accounts are often easier for hackers to compromise because they’re unmonitored, and, if these accounts were created many years ago, they’re more likely to have a weak password,” he said. “Deactivating old or rarely used accounts means hackers have fewer passwords to attribute to a user’s current, active accounts, and a smaller chance of guessing what their current password might be.”
- • Save the strongest passwords for the most important accounts.
- Mix it up. “Strong passwords should be long, or at least use more than just letters. Users looking to better protect their accounts should use a passphrase; a sentence that contains uppercase and lowercase characters, punctuation or symbols, and numbers. Passphrases work best when they’re easy to remember, but avoid alluding to song lyrics, movie titles, or personal identifiers.”
- Use a password manager to encrypt and store all your different passwords.
However, Phil Kernick, co-founder and CEO of CQR Consulting, went even further, stating that passwords are not the be-all and end-all.
“Nearly all the advice you’ve ever been given about passwords is bad, and most of the rest of it is just plain wrong,” he said.
“We use passwords to prove who we are, but only for cyber, never for the real world.
“If you ever have to interact with the police, they don’t ask for your password, they ask for your driver’s license, which connects your photo, your signature and other identifying material to both you and the plastic card you show them. But not for cyber. For cyber, it’s just 12345678.”
Mr Kernick added: “For World Password Day, we need to move past passwords, and into real identity, using multifactor authentication. It’s the only way to stay safe online.”
Adam Zuchetti is the editor of My Business, and has steered the publication’s editorial direction since early 2016.