World Password Day 2022, held on May 5th, was a reminder of the importance of digital hygiene as attackers continue to ramp up their efforts.
World Password Day is an annual reminder to review how we protect our accounts as more of our lives move online.
It’s the perfect opportunity to talk about strong passwords. Weak passwords and poor password practices have become a primary driver of breaches.
History of World Password Day:
The idea goes back to security researcher Mark Burnett, who proposed a day dedicated to passwords in his book Perfect Passwords.
Intel started the first official World Password Day in 2013 to create awareness of the importance of password security.
Today – 2022
Cyber attackers actively target and leverage compromised passwords not only to gain access to businesses, but to pivot quietly and move laterally through them so they can accomplish their goals undetected. Considering this, businesses are implementing solutions, both technical and training, to ensure employees are not only using strong passwords but are doing so in a secure manner.
In today’s digital world, secure passwords are no longer enough because they still represent a single point of failure. Even if you have the longest, most secure password in the world, if that password is compromised cyber attackers have full access to your account, system, and data.
Lance Spitzner, Senior Instructor at the SANS Institute and an expert in human risk and security awareness, said one of the most effective and proven approaches to strong authentication is Multi-Factor Authentication, or MFA for short.
“MFA is when multiple factors of authentication are used before access is granted. This way, if your password is compromised, your account, system, and data are still safe as the other factor or factors still protect you,” he said.
“MFA is becoming a popular solution, but there can be a great deal of confusion about exactly how MFA works as well as the different implementations of it. As such, here’s a short explainer to better prepare you to train your workforce on this highly effective approach to strong authentication,” said Spitzner.
What is MFA?
MFA, short for Multi-Factor Authentication, is considered one of the strongest methods of authentication. Microsoft estimates that MFA blocks more than 99% of account-compromise attacks.
While not foolproof, MFA is one of the most effective steps organizations can take to dramatically reduce the risk of a breach. At its simplest, MFA means an individual authenticates not only with a password (something they know) but also with a unique code or device (something they have). Even if their password is compromised, their account and data are still safe because the cyber attacker does not have access to the second factor. Unfortunately, that is where the simplicity of MFA stops, and things can get a bit complicated.
First, there are many different terms for MFA. Some organisations or vendors call it Two-Step Verification, Two-Factor Authentication (2FA), One-Time Password (OTP), or Strong Authentication. All refer to the same idea: authentication that requires two or more proofs of identity, usually a password plus something else such as a unique code sent to, or generated by, your mobile device. Strictly, the proofs should come from different categories (something you know, something you have, something you are); a password plus a security question is two steps, not two factors.
In addition, there are multiple ways to implement MFA. The list below is by no means exhaustive, but it covers the most common methods.
1. SMS Code: A one-time, unique code is sent to your mobile device via SMS. You then use this code along with your password to authenticate and log in. This is the most used approach, likely because it is the easiest to set up: a user simply registers their mobile phone number with their account, and when they log in with their username and password a code is sent to their phone to serve as the second factor. While easier, this approach also carries risk. If someone can redirect or take control of your phone number (for example via SIM swapping), the attacker receives your code. In another common attack, cyber attackers pretend to be a bank or IT support and trick victims into reading out the code, then quickly use it to log in as the victim.
2. Code Generator: Your mobile device has an authentication app (such as Google Authenticator) that generates the one-time codes for you. You install the app, then enable MFA for each account by scanning a QR code that loads that account’s secret into the app. These apps can support hundreds of accounts at the same time. Another approach is a physical token that generates the codes. Using a mobile app or physical token is considered more secure than SMS, as taking over your phone number no longer helps the attacker. However, the code is still just a number, so this method remains vulnerable to attackers tricking people into giving it up, or relaying it through a fake login page, while it is still valid.
3. Authentication Notifications: Some mobile authentication apps (like Microsoft’s Authenticator) let a website push an approval request to your app instead of asking for a code; if it is you logging in, you approve the request on your device. This approach is also commonly used in the Apple ecosystem. It is considered more secure in that there is no code for attackers to trick out of people. However, an attacker who has your password can keep attempting to log in and flood you with approval prompts until you approve one by mistake or out of fatigue (often called push bombing). Implementations that display a number on the login screen which must be typed into the app (number matching) close this gap.
4. FIDO: You are given a physical security key that connects to your laptop or computer (via the USB port or via NFC) and is registered with the websites you regularly log into. When you visit one of those sites with the key present, the site sends a challenge and the key signs it with a private key that never leaves the device; the signature also covers the website’s origin, so a look-alike phishing site receives a signature it cannot use elsewhere. The YubiKey is a commonly used, publicly available example of a device supporting the FIDO standard. This is the most secure of the four methods, as there is no code or approval prompt and nothing for attackers to trick out of their victims; many consider it the best phishing-resistant option. However, it can also be the most complex for organizations to support, and many websites do not yet support FIDO authentication.
So, what approach should your business support?
“In most cases, this will be decided by your security or risk management team. Regardless of which method you select, any one of them is better than just passwords alone,” Spitzner said.
To effectively implement any form of MFA, key goals will include:
- Reiterate how people benefit from this method, as it can help defend against most authentication-based attacks.
- Try to keep the concept of MFA as simple as possible. There are so many different terms and variations of MFA floating around that it is common for people to get confused. Do not overwhelm them; teach them just what they need to know.
- Emphasize how MFA is not only a solution at work, but a solution that people should implement at home to protect their most important accounts (bank, retirement, investments, personal email, etc).
Spitzner added that if you are going to train your organisation how to use MFA and the benefits of doing so, one of the best ways to prepare yourself is to start using it yourself. Don’t just set up MFA for your work accounts but also enable it for your personal accounts, such as your personal Gmail account, Amazon account, or other sites that support it. This way you not only become more familiar with the technology, but you will be exposed to the different methods and approaches for implementing MFA.
Ahead of World Password Day 2022 (May 5th), Proofpoint likewise reminded people of the importance of digital hygiene as attackers continue to ramp up their efforts.
Much of password management comes down to striking the balance between convenience and security, where convenience often wins. Historically, Australians have put password protection on the back burner, with Proofpoint research finding 42 per cent of working Australian adults use the same password across multiple accounts.
At the same time, email and SMS phishing attacks continue to cost Australians millions, with March 2022 recording the highest amount of money lost to scams on record, with phishing the type of scam most recorded according to the ACCC’s Scamwatch.
An important myth to dispel is the notion that cybercriminals mostly obtain passwords by ‘hacking’ them, that is, by cracking or brute-forcing them. Far more commonly they rely on people handing over their credentials through phishing emails and SMS messages, often posing as legitimate organisations asking you to log in. When you log in through the malicious link, the attackers harvest your credentials or infect your device with malware that steals saved passwords. Popular brands to impersonate include Microsoft Office, Australia Post, and Amazon.
The pandemic rapidly expanded our digital identities, with many Australians creating dozens of new accounts during lockdown, from food delivery apps to the latest streaming platform. Likewise, we continue to digitise our wealth and assets through crypto wallets and cloud storage. More accounts mean more passwords, and therefore a greater chance that one of them is compromised.
When it comes to password hygiene, we still have a long way to go. This is of course supported by multiple reports and statistics over many years including a 2019 study conducted by Google which found:
- 59% of its users use their name and birthdate in their password.
- 43% have shared their password with someone.
- 20% have shared their email account password.
- Only 45% would change their password after a breach.
The Ponemon Institute’s ‘The 2020 State of Password and Authentication Security Behaviours Report’ showed the results of a survey of more than 3,000 individuals and IT specialists. One of the most surprising findings was that 50% of IT professionals reuse their passwords across workplace accounts compared to 39% of the average users. In 2020 Verizon studied 868 breaches involving hacking and a staggering 80% were linked to passwords whether they be stolen or lost.
Password Management
While most people understand the importance of password security, many still don’t follow best practices and reuse passwords. The tips below will make your passwords more secure, and remember to change any password the moment you suspect it has been exposed.
- Use a secure password manager that stores your passwords and fills them in when needed. This removes the need to remember and juggle multiple passwords, so users are more inclined to use long, unique passwords. A manager also only offers a saved password on the site it was saved for, which is a useful tell when a phishing page asks for it.
- When it comes to password creation, avoid common words, phrases, names, and dates associated with you or your immediate family. Threat actors can easily cross-reference any data captured about you to arrive at the right combination. Never reuse a password across accounts. Changing personal passwords twice a year and business passwords every three months has long been the standard advice; current guidance (NIST SP 800-63B) instead recommends changing a password whenever there is any sign of compromise, screening new passwords against lists of breached passwords, and not forcing routine rotation, which tends to produce predictable variations. Whichever you choose, an automated system policy can set password requirements, check new passwords against a breach list, and prevent recent passwords from being reused.
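As an added example (not Proofpoint’s or the article’s own code) of what such an automated policy check can look like, the Python below screens a proposed password against the user’s own name and birthdate, against a breached-password corpus using the SHA-1 prefix range query that Have I Been Pwned popularised (the checker only ever sends the first five hex characters of the hash), and against a salted password history so that recent passwords cannot be reused. The breached list, the example user, and the previous password are constructed for illustration; a real deployment would replace `range_query` with a call to the breach service.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a breached-password corpus.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "Summer2022!", "Welcome1"}
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in BREACHED_PASSWORDS}
PBKDF2_ROUNDS = 100_000


def range_query(prefix5: str) -> list:
    """Simulated server side of a k-anonymity range query: given the first 5 hex
    characters of a SHA-1, return the matching hash suffixes. The server never sees
    the full hash, let alone the password."""
    return [h[5:] for h in BREACHED_SHA1 if h.startswith(prefix5)]


def is_breached(password: str) -> bool:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])


def personal_tokens(user: dict) -> set:
    """Name parts and birthdate fragments that must not appear in the password."""
    tokens = set()
    for part in re.split(r"[\s\-]+", user["name"].lower()):
        if len(part) >= 3:
            tokens.add(part)
    year, month, day = user["birthdate"].split("-")  # ISO date, e.g. 1990-03-15
    tokens.update({year, year[2:] + month + day, day + month + year, day + month + year[2:]})
    return tokens


def hash_for_history(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256 record for the password-history store."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def was_used_before(password: str, history: list) -> bool:
    """Recompute against every stored salt; constant-time compare of each digest."""
    return any(
        hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS), digest)
        for salt, digest in history
    )


def evaluate_password(password: str, user: dict, history: list) -> list:
    """Return the policy violations for a proposed password; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    hits = sorted(t for t in personal_tokens(user) if t in lowered)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    if is_breached(password):
        problems.append("appears in a breach corpus")
    if was_used_before(password, history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    user = {"name": "Alice Smith", "birthdate": "1990-03-15"}   # constructed example user
    history = [hash_for_history("CorrectHorse#42")]             # constructed previous password
    for candidate in ["Alice1990!", "Summer2022!", "CorrectHorse#42", "tr0ub4dor&3-battery-staple"]:
        print(candidate, "->", evaluate_password(candidate, user, history) or "accepted")
```

Note that the breach check hashes with unsalted SHA-1 only because that is the lookup key the breach corpus is indexed by; the password history, which must stay secret, uses salted PBKDF2 so that a leaked history table does not become a crackable list of the user’s old passwords.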
Adrian Covich, Senior Director at Proofpoint said, since 90% of cyberattacks require human interaction to be successful, it remains important for businesses to implement a people-centric approach to security.
“Ensure that both your remote and in-office employees receive training and education on basic cybersecurity best practices, including how to identify a credential phishing attempt and how to securely manage passwords,” he said.
Jacqueline Jayne, Security Awareness Advocate APAC at KnowBe4, added that more than a third (34%) of office workers across APAC are still using the same password for more than one account.
“The average person has anywhere between 70 and 100 passwords (I have over 200), and it is simply not possible to remember them all. Especially when you consider that passwords need to be unique, complex, and depending on where you read it, anywhere between 8 and 20 characters,” she said.
There’s a saying that you should change your passwords every three months. Rotation on a schedule only has real value if you are using the same password on different sites, and most people become lazy when forced to change passwords often: they change one letter or one number, which doesn’t deter attackers at all.
Give every account its own unique password, change a password immediately when a site you use reports a breach, and use a password manager so that keeping track of them is manageable.
World Password Day – Roadmap
Year | Date | Day | Where |
2022 | 5th May | Thursday | United States |
2023 | 4th May | Thursday | United States |
2024 | 2nd May | Thursday | United States |
Interesting facts about this day include:
- 1961 marked the year when the Massachusetts Institute of Technology (MIT) introduced the computer password on its Compatible Time-Sharing System. This made it possible for multiple people to share one computer with separate accounts.
- In 1976, public-key cryptography (Diffie and Hellman) was introduced, enabling parties to authenticate each other without first sharing a secret key.
- A 1979 study by Morris and Thompson showed that guessing passwords from dictionaries and personal information is far easier than breaking the stored password hashes.
- 1986 saw the first widely used two-factor authentication token, the SecurID, later sold as RSA SecurID.
The best password practices should be followed long after World Password Day; they will help you protect your personal information. And don’t forget to change any password you suspect has been compromised.