Heard of World Password Day? Mark Brown of BSI’s cybersecurity unit wants you to sit up and pay attention
World Password Day mightn’t be as well known as it should be, but my consulting services team wants to encourage all device users to review how they use passwords and to follow best practice, helping to reduce the risk of data breaches and strengthen information resilience.
It’s not glamorous, but it is important. A password is the key access point used daily for almost all device activity: logging into your device, whether a mobile device or a laptop, accessing applications, browser logins and other platform usage.
Alarmingly, we are still seeing the top three most common passwords in use being 123456, 123456789 and qwerty.
Equally, the risks of using weak credentials have increased dramatically during the past year. Most organisations rushed to give their users remote network access and, in the process, left themselves exposed to the kinds of attacks that give an attacker an easy foothold in the target network.
Attackers are exploiting the current hybrid work environment as they know that they can find more ways to take advantage of organisations and their employees.
We are encouraging all organisations and individuals to review, update and strengthen their passwords and policies. Implementing proactive and regular employee security awareness training as part of the organisational security strategy will also help increase the overall security posture and resilience of the organisation.
Weak credential management, the absence of strong passwords and a lack of employee awareness and training all present significant risks for individuals and organisations, especially as cybercriminals continue to try and capitalise on the COVID-19 pandemic.
By implementing good password hygiene, users can become more resilient against these threats.
How to strengthen password hygiene
This World Password Day, the BSI team have advice to support users in beefing up their password hygiene.
Refrain from well-known character substitutions when creating a password. For example, replacing an ‘s’ with a ‘5’ or a ‘$’ is of no value, as password-cracking tools routinely try exactly these replacement characters when attempting to gain access.
Always use a secure connection when logging in or accessing a platform, and do not select yes when prompted to auto-save a password.
Implement strong password policies backed with multi-factor authentication (MFA) to keep individual access and organisational access secure. Biometrics add an additional layer of security, including Touch ID, Face ID, or Fingerprint Managers.
Never store passwords on devices or in written form on a notepad. Instead, use a password manager to store them in a safe place. For example, 1Password, Keepass or Lastpass.
Resist using a common password pattern — such as ‘Summer2020!’ — to reduce the chance of a password-spraying attempt succeeding. A very well-known pattern is to take a common word (a company name, a season or a city), capitalise the first letter, add a number (usually a year) and then a special character (! is probably the most common one).
Implement non-standard password replacements such as using ‘_R’ instead of an ‘s’. The more unusual the password, the more secure the password will be.
Passwords should be at least ten characters long and use uppercase and lowercase letters as well as numbers and special characters: a good password is a long password.
Refrain from using personal information such as a part of an address, a surname, a spouse’s name, a pet’s name, favourite football team, date of birth or the name of the platform the password is being created for.
Consider using a ‘passphrase’ that will not be forgotten easily and incorporate a mix of characters.
Never use the same password across multiple accounts.
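As an added illustration of the checks above (example code, not BSI’s own tooling), the following Python policy checker undoes the well-known character substitutions before matching against a wordlist, flags the Word+Year+Symbol pattern, and enforces the ten-character, mixed-class rule. The substitution table and the tiny wordlist are constructed stand-ins; a real deployment would load a breached-password list.

```python
import re

# Constructed table of the well-known substitutions the article warns about;
# cracking tools undo exactly these before matching, so they add no strength.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "$": "s", "@": "a", "7": "t"})

# Constructed stand-in wordlist (seasons, a city, a company-style word);
# a real deployment would load a breached-password list here.
COMMON_WORDS = {"password", "summer", "winter", "spring", "autumn",
                "london", "qwerty", "welcome"}

# The three most common passwords named in the article.
TOP_PASSWORDS = {"123456", "123456789", "qwerty"}

# Capitalised word + year + one special character, e.g. Summer2020!
SPRAY_PATTERN = re.compile(r"^[A-Z][a-z]+(19|20)\d{2}[!@#$%^&*?]$")


def normalise(password):
    """Lower-case the password and undo the common character substitutions."""
    return password.lower().translate(LEET_MAP)


def check_password(password):
    """Return a list of policy findings; an empty list means the password passed."""
    findings = []
    if password in TOP_PASSWORDS:
        findings.append("one of the most common passwords in use")
    if len(password) < 10:
        findings.append("shorter than ten characters")
    classes = (any(c.isupper() for c in password),
               any(c.islower() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if not all(classes):
        findings.append("missing upper/lower/digit/special character mix")
    if SPRAY_PATTERN.match(password):
        findings.append("follows the Word+Year+Symbol spraying pattern")
    # Compare only the letters that remain once substitutions are reversed.
    letters_only = re.sub(r"[^a-z]", "", normalise(password))
    for word in sorted(COMMON_WORDS):
        if word in letters_only:
            findings.append(f"contains common word '{word}' once substitutions are undone")
    return findings


if __name__ == "__main__":
    for candidate in ("123456", "Summer2020!", "Pa55w0rd$", "correct-Horse7battery!"):
        print(candidate, "->", check_password(candidate) or ["passes these checks"])
```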
BSI is in the business of improving standards and enabling organisations to turn standards of best practice into habits of excellence, ‘inspiring trust for a more resilient world’, and it’s clear to our organisation that boosting good practice in the fields of cybersecurity and information resilience is a key part of evolving in that direction for any business.
• Mark Brown is global managing director with BSI’s consulting services division, in charge of cybersecurity and information resilience