
Expert Commentary: World Password Day (May 2)

May 2024 by Experts

May 2 is World Password Day, an annual awareness day highlighting the importance of proper password hygiene, to keep pace with evolving threats.

As compromised passwords/credentials continue to be one of the most common causes of data breaches, I wanted to reach out and share some expert commentary from leaders across the cybersecurity and tech space on the importance of this day, as well as insights into best practices for improving password security posture.
The commentary from experts

Krishna Vishnubhotla, Vice President Product Strategy, Zimperium
As crucial as they are for mobile security, passwords can also be vulnerable to various attacks. One of the biggest problems we’ve seen is the increasing occurrence of password reuse and how it exposes organizations to serious breaches. Simply put, when users repeat passwords for both corporate and personal logins, the organization is at risk. Hackers understand this, which is why they are increasingly using mobile phishing campaigns via SMS, messenger apps and even fake QR codes to harvest passwords.

The only way in which organizations and individual users can withstand password attacks is by adhering to the password best practices such as switching up the passwords you’re using, employing longer passwords, including all character types and symbols, and avoiding common passwords in general. Multi-Factor Authentication (MFA) also adds an additional layer of security to better protect systems and end-users from compromise.

Narayana Pappu, CEO at Zendata
I would like to start with three stats and one technique: The average user in a developed country has between 100 and 150 accounts. Studies have shown that 53% of users use the same password across multiple accounts, and there is a 27.7% chance of an organization experiencing a data breach in the next two years. Credential stuffing (using leaked passwords from one account to gain access to other accounts) is a common technique used by hackers, creating a huge exposure for both users and companies. Along with using different passwords across different platforms, changing passwords often, and enabling 2FA, users can protect themselves by logging in with OAuth-based logins (login with Facebook/Google, etc., which tend to have better security) instead of creating a separate account. Users can also log in using email or text (which works similarly to 2FA) and consider password-alternative login solutions like Beyond Identity, which have gained significant adoption in the last few years. Companies should consider adaptive authentication methods that consider factors like device reputation, IP address, and user behavior that can help detect and prevent unauthorized access attempts.
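The commentary above names two things a defender can actually build: a detector for credential stuffing (one source trying leaked username/password pairs against many different accounts) and an adaptive-authentication check that weighs device, IP and behaviour before trusting a successful login. The following is an added example, not code from the article or from Zendata; the log format, the thresholds, the known-device list, the flagged-IP list and the "usual hours" baseline are all constructed assumptions for illustration.

```python
"""Credential-stuffing detection plus a simple adaptive-auth risk score.

Added example (not the article's or any vendor's code). Log format, thresholds
and reputation data below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample authentication log. Assumed format (one event per line):
#   <ISO-8601 timestamp> <username> <source ip> <SUCCESS|FAIL> <device id>
SAMPLE_LOG = """\
2024-05-02T09:00:01Z alice 203.0.113.10 FAIL dev-x9
2024-05-02T09:00:02Z bob 203.0.113.10 SUCCESS dev-x9
2024-05-02T09:00:03Z carol 203.0.113.10 FAIL dev-x9
2024-05-02T09:00:04Z dave 203.0.113.10 FAIL dev-x9
2024-05-02T09:00:05Z erin 203.0.113.10 FAIL dev-x9
2024-05-02T09:00:06Z frank 203.0.113.10 FAIL dev-x9
2024-05-02T09:01:00Z alice 198.51.100.7 FAIL dev-a1
2024-05-02T09:01:20Z alice 198.51.100.7 FAIL dev-a1
2024-05-02T09:01:40Z alice 198.51.100.7 FAIL dev-a1
2024-05-02T09:02:00Z alice 198.51.100.7 SUCCESS dev-a1
2024-05-02T09:05:00Z carol 192.0.2.5 SUCCESS dev-c3
"""

# Constructed baselines an adaptive-auth engine would normally learn or import.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b2"}, "carol": {"dev-c3"}}
USUAL_HOURS = {u: range(7, 19) for u in KNOWN_DEVICES}  # 07:00-18:59 UTC


@dataclass
class Attempt:
    ts: datetime
    user: str
    src_ip: str
    result: str
    device_id: str


def parse_log(text: str) -> list[Attempt]:
    """Parse the assumed space-separated log format into Attempt records."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, dev = line.split()
        out.append(Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result, dev))
    return out


def detect_credential_stuffing(attempts, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that hit many *distinct* usernames in a short window
    with mostly failures. One user failing repeatedly from one IP (a forgotten
    password) does not match, because the distinct-user count stays at 1.
    Returns {ip: max distinct users seen inside any window}."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.src_ip].append(a)
    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        start = 0
        for end in range(len(rows)):
            while rows[end].ts - rows[start].ts > window:  # slide window forward
                start += 1
            span = rows[start:end + 1]
            users = {a.user for a in span}
            fails = sum(1 for a in span if a.result == "FAIL")
            if len(users) >= min_users and fails / len(span) >= min_fail_ratio:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


def risk_score(a: Attempt, flagged_ips) -> tuple[int, list[str]]:
    """Adaptive-auth factors from the commentary: device, IP, user behaviour.
    Weights are illustrative; a real engine would tune them to its own data."""
    score, reasons = 0, []
    if a.device_id not in KNOWN_DEVICES.get(a.user, set()):
        score += 40; reasons.append("unknown device")
    if a.src_ip in flagged_ips:
        score += 40; reasons.append("source ip flagged for credential stuffing")
    if a.ts.hour not in USUAL_HOURS.get(a.user, range(24)):
        score += 20; reasons.append("outside usual hours")
    return score, reasons


def decide(score: int) -> str:
    """Policy: low risk passes, medium risk requires MFA step-up, high risk blocks."""
    return "allow" if score < 40 else "step-up" if score < 80 else "block"


def review_successes(attempts, flagged_ips):
    """Re-evaluate every *successful* login: a correct password alone is not
    enough when the source looks like a stuffing campaign."""
    return {(a.user, a.src_ip): decide(risk_score(a, flagged_ips)[0])
            for a in attempts if a.result == "SUCCESS"}


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    stuffing = detect_credential_stuffing(events)
    print("credential-stuffing sources:", stuffing)
    for key, verdict in review_successes(events, stuffing).items():
        print(key, "->", verdict)
```

In the constructed log, `203.0.113.10` cycles through six accounts in six seconds and lands one hit (bob reused a leaked password), so the source is flagged; alice's three failures followed by a success from her known device are not, since only one username is involved. The adaptive check then blocks bob's "successful" login because it comes from an unknown device on a flagged IP, which is exactly the gap a password-only policy leaves open.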

Patrick Harr, CEO at SlashNext
For years, strong passwords have been a cornerstone of cybersecurity. However, in today’s era of increasingly sophisticated attacks, they are no longer enough to guarantee protection for our personal and corporate data. While creating complex passwords and changing them regularly remains essential, even the most diligent practices can’t fully prevent hackers from breaching accounts and systems.

The landscape of cyber threats has become even more complex with the emergence of generative AI tools, and in turn, has made hacking passwords easier than ever. SlashNext’s “The State of Phishing Report 2023” highlights this alarming trend, revealing a 1,265% increase in malicious phishing emails since the launch of ChatGPT in November 2022. AI is now being used to create more convincing phishing attempts, which can trick users into revealing their login credentials. The report also reveals a 967% rise in credential phishing attacks specifically from Q4 2022 to Q3 2023, indicating a significant shift towards tactics that exploit stolen passwords.

In fact, just a few weeks ago, an employee at LastPass, a password manager software firm, was targeted in a fraudulent scheme, in which criminals used deepfake technology to impersonate LastPass’s CEO. Hackers were clearly targeting the company because it could have granted them access to hundreds of thousands of user accounts.

All that said, it is crucial that your passwords, and more importantly, your private data stay protected. Multi-Factor Authentication (MFA) can effectively protect against “credential harvesting,” where hackers gather stolen passwords to launch attacks. This can be as easy as a user providing his/her password, then entering an accompanying numeric code from an SMS text. In addition, changing your passwords often and using different passwords across accounts can minimize the chances of being hacked.

In the face of an AI-based attack, however, these protections might not be enough. Using security tools with AI technology is important to stop AI-fueled attacks that are aiming to steal your credentials. You have to fight AI with AI.

Chad Graham, Manager of Cyber Incident Response Team (CIRT) at Critical Start
World Password Day is a great opportunity to brush up on our digital security habits. It’s a friendly nudge for everyone, tech-savvy or not, to strengthen their passwords. Instead of the usual mix of characters and numbers, consider creating a passphrase—a short, memorable sentence that’s tough to guess but easy for you to remember. Remember, a good passphrase is just the start: avoid using the same one across different sites and turn on multi-factor authentication to add an extra layer of security. For those who juggle multiple passwords, a password manager can be a handy tool, though a good old-fashioned notebook works too, if it’s kept secure and physical!

Despite decades of advice to enterprises and consumers about following password best practices, Verizon’s recent Data Breach Index Report found that 74% of data breaches involve the human element - including stolen credentials, phishing attacks, misuse or simple user error. Stolen or weak passwords remain a leading cause of breaches, and poor password practices abound for consumers and enterprise users alike. Recent research reveals that 52% of enterprise IT teams struggle with frequently stolen passwords, while additional research shows that 3 in 4 consumers are at risk of being hacked due to poor password practices.

These alarming statistics underscore the importance of following password best practices such as creating strong, unique passwords for every account, and enabling Multi-Factor Authentication (MFA) wherever possible. Utilizing a zero-knowledge, zero-trust password management solution can help enterprise and consumer users prevent successful data breaches stemming from phishing and password-based attacks, among other common cyber attacks.

At the enterprise level, a Privileged Access Management (PAM) solution that enforces least privilege access, and enables IT and security leaders to easily manage and secure passwords, secrets and remote access, is critical to prevent and mitigate the effects of insider and external password attacks. If a cybercriminal does gain access to an organization’s networks, PAM platforms minimize the blast radius by preventing lateral movement.

Against this backdrop, World Password Day must no longer be a day of awareness. It must be a day of action and commitment to adopting solutions that keep all users safe and enforce cybersecurity best practices.

Lionel Litty, Chief Security Architect, Menlo Security
Any discussion of passwords these days inevitably devolves into how awful passwords are and the need to either supplement or replace them. The good news is that for once there is a robust solution - phishing-resistant authenticators, meaning Passkey or Yubikey-type dongles, either in addition to a password or replacing the use of a password entirely. Data shows that using these goes a long way toward addressing many credential phishing scenarios. If your organization does not mandate these yet, this should be at the top of your To-Do list. Proper support for phishing-resistant authenticators should also be on your security team’s checklist when reviewing new and existing vendors.
