The LastPass by LogMeIn Global Password Security Report surveyed over 43,000 businesses and individuals, revealing:
- Each of us shares six passwords with our co-workers – if one of those passwords is hacked, every employee that has that password can be compromised.
- 50 per cent of users don’t create different passwords for work and personal accounts
- Another LastPass survey also found that 62 per cent of workers reuse passwords
According to the Australian Government, poor passwords can easily become the weakest link in protecting your personal information online. Though tools like biometric authentication are on the rise, passwords won’t disappear that quickly. You can unlock your iPhone 50 times a day with your face or thumbprint, but it still requires a passcode at set-up and will ask for that code every time the phone is restarted.
Today is World Password Day – so here are the tips and insights from the experts:
Lindsay Brown, Vice President, APAC and Japan at LogMeIn
- The most secure passwords are randomly generated, with multiple types of characters (numbers, letters, and symbols), and password managers can be used to both store and generate them.
Tools within the app can create complex passwords so you can easily generate a different one for each website or app, helping to defend against hacking.
- Password managers can identify passwords that are at greatest risk and use the results to prioritise updating weak, reused, and compromised passwords.
- Password managers can also automatically change your password for you, by launching a website and amending the password in the background, so you can instantly enjoy stronger passwords.
Phil Kernick, Co-Founder and CEO, CQR Consulting
Nearly all the advice you’ve ever been given about passwords is bad, and most of the rest of it is just plain wrong.
We use passwords to prove who we are, but only for cyber, never for the real world. Think about that for a moment. If you ever have to interact with the police, they don’t ask for your password, they ask for your driver’s license, which connects your photo, your signature and other identifying material to both you and the plastic card you show them. But not for cyber. For cyber it’s just 12345678.
For World Password Day we need to move past passwords, and into real identity, using multifactor authentication. It’s the only way to stay safe online.
Jamie Davidson, ANZ Regional Sales Manager, JAMF
For years, employees have been sitting at their desks, logging onto the corporate network with their username and password and going about their day. However, the need for World Password Day suggests that despite the fact that cyber attacks have driven significant increases in cyber security awareness and training, there’s been a failure to turn increased awareness into the enforcement of security best practices. Passwords, widely available for a price, can get hackers into places that are a stepping stone to getting data that is truly valuable. Not only should user passwords vary between sites, they should be frequently changed, whether that be a managed process from the site or service being accessed or a simple matter of discipline from the end user.
At the same time, with today’s more mobile workforce, the approach to identity and security will continue to evolve. IT managers increasingly need to be able to remotely manage users and their passwords and provide access to corporate applications. As cyber attacks continue on trusted institutions, password usage and their security will continue to be a critical ingredient in creating great security hygiene.
Michael Warnock, Australia Country Manager, Aura Information Security
The very existence of World Password Day should in itself be a stark reminder to both businesses and IT users of the need to be ever vigilant in protecting access points to their sensitive data.
Weak passwords are still a primary way that hackers attack accounts, and the reuse of passwords can also lead to multiple accounts being breached. To help minimise the risk of bad password practices amongst employees, today’s business, IT and HR leaders should be frequently advising their staff on how to create strong passwords and encourage them to use different ones across different platforms, as well as between work and personal devices.
Fostering a culture of cyber security awareness, supplemented by regular training and education is also very important. Ultimately, good security for businesses starts with staff education and effective security policies – and that includes never revealing your passwords to anyone, or including passwords in documentation (emails, work instructions, application user guide etc.).
In addition, businesses may also want to take the following steps in creating a robust password policy:
1. Advise employees to choose a unique phrase or string of words that’s easy to remember but difficult to guess for hackers. It could be a favourite song title or lyrics, or your favourite food.
2. Advise employees not to reuse their work password elsewhere. After all, if a hacker does manage to access your business or personal password, and it’s the same across all of your accounts, this will give them access to everything. Instead, encourage employees to have different passwords for use on their personal devices and work devices, so that if questionable security practice at home is breached, it doesn’t affect your whole business.
3. Finally, implement a password manager application to manage multiple different passwords. In essence, this is a vault that is protected by a master password and keeps all your passwords in one place. Most offerings provide mobile apps as well, so you can manage your passwords on your iOS and Android devices too.
Mark Perry, APAC Chief Technology Officer, Ping Identity
Today’s consumers and IT business users face a digital sprawl which makes it tough to manage passwords and can result in data breaches. Hackers are well aware that many people use the same passwords on multiple sites, many of which can easily be guessed resulting in an individual falling victim to a phishing scam. Today, however, there are technologies such as two-step or multi-factor authentication which enable IT users to remove passwords from regular workflows which not only improves their overall experience but also results in a net win for security when conducted correctly.
One great way of implementing multi-factor authentication that’s both secure and convenient is using push notifications from a mobile device. Unlike the phone numbers used for SMS messages, using push notifications allows users to rely on device secrets that don’t move from phone to phone and are much harder to spoof. Any additional authentication factors will add more security to the login experience. In addition, features like QR code authentication can take passwordless authentication to a new level by removing the need for customers to remember which user name they used when registering for a service.
Rajesh Ganesan, Vice President, ManageEngine
Passwords are the oldest, secure and convenient way to authoritatively establish identities. Their benefits far outweigh the limitations and hence the many attempts to eliminate them completely have failed time and again. A more pragmatic approach is to impart awareness about password hygiene to people, in much the same way as personal hygiene, where strong and healthy individuals lead to strong and healthy communities.
In business environments, the technology infrastructure offers varieties of methods for information access, often protected by different types of accounts having varied levels of access to information. These accounts are typically protected by passwords and for teams running IT, these passwords are the keys to the kingdom. They have become one of their top priorities among IT leaders to fully devise a strategy and implement strong password management systems.