This year for World Password Day we have covered the history and misconceptions of passwords in Password Myths vs. Reality and dove into the benefits of password managers in Beyond Username and Password: Protecting Your Digital Identity. To wrap up the annual reminder of staying safe and secure online, we asked our group of (ISC)² Blog Volunteers for their insights and advice.
What is your best advice as a cybersecurity professional to those outside of the industry when it comes to setting passwords?
Continue to educate yourself, regardless of the industry you are in: the safety of data is not limited to cybersecurity professionals, but extends to everyone who finds themselves on the internet. You can do so by reading blogs and following cybersecurity news. Always try to avoid using your personal details when setting your password, and I recommend using a key of at least 10 characters that includes alphabetical, numerical and special characters, randomly mixed in a zigzag manner (no specific method). Multi-factor authentication (MFA) is a newer way of protecting yourself online; it gives you multiple layers of confirmation before an account is logged on. This makes it a little harder for criminal actors to breach your security, and it should be used when available. - Oluwafemi Kolawole, (ISC)² Candidate
My first piece of advice about setting passwords is to never use the same password twice. To make that practical, use a password manager from the vendor you trust the most – Apple is a good one if you’re in the Mac ecosystem. Secondly, just as so many of us have two different locks on our front doors – a lock on the knob and a deadbolt – extra layers of security offer extra protection. You’ll hear a lot about the limitations of different kinds of 2FA. While some are better, any form of 2FA is better than none. Use it as much as you can stand it, especially for banking, email and password managers. - Jonathan Levine, CISSP
In your own words, what makes a secure password?
I believe the complexity of a password determines how secure it is. A secure password is devoid of personal details. It should consist of at least 12 random characters with a combination of upper- and lower-case letters, numbers and symbols, for example, [email protected]&Artio153 shows a strong mix of the important elements of a secure password. - Biobele Lawson, CC
Your password should be set in such a way that you alone can easily remember it, while it is quite a hard task for others or the bad guys to crack. For example: ‘#nC0ur&g3’. This could mean the word ‘Encourage’ to you, but you have carefully chosen your characters to confuse anyone guessing, while it remains easily remembered by you.
- A minimum length of 12 will be fine and not too cumbersome. For example: ‘#nC0ur&g3dm!’, to read ‘Encourage them!’. You can also make it as long as the system threshold can take.
- A mix of strings of characters is the way to go! Alphanumeric, block and small letters, special characters with symbols. For example, ‘#nC0ur&g3dm!’.
- Do not write your passwords on a sticker on your screen or in a diary. Keep them handy in your mind and not handy otherwise.
- Ensure you look around while inputting your password to make sure someone near you is not looking over your shoulder. This will minimize the shoulder-surfing attack, which is another non-technical way of spying on and grabbing your password.
- Leverage password vaults and managers.
- Do not disclose your password to trusted or untrusted parties.
- As individuals, do not use the same password on all your accounts.
- Organizations should leverage Single Sign-On (SSO) frameworks for seamless enforcement, with mitigation of single points of failure in mind. - Chinatu Uzuegbu, CISSP
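As an added example (not part of the contributor's answer), the rules from the list above expressed as a Python check: a minimum length of 12, a mix of character classes, no personal details, and no reuse across accounts. The personal details and the "already used" set are constructed sample data; the two passwords are the examples quoted above.

```python
import string

MIN_LENGTH = 12
REQUIRED_CLASSES = {"upper", "lower", "digit", "symbol"}

# Constructed sample data for the demonstration below (not real account data).
PERSONAL_DETAILS = ["chinatu", "uzuegbu", "1985"]
ALREADY_USED = {"#nC0ur&g3dm!"}  # passwords already used on another account


def character_classes(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def check_password(password, personal_details=(), already_used=()):
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    missing = REQUIRED_CLASSES - character_classes(password)
    if missing:
        failures.append("missing " + ", ".join(sorted(missing)))
    lowered = password.lower()
    for detail in personal_details:
        # Case-insensitive substring match against known personal details.
        if detail.lower() in lowered:
            failures.append(f"contains personal detail {detail!r}")
    if password in already_used:
        failures.append("already used on another account")
    return failures


if __name__ == "__main__":
    for candidate in ["#nC0ur&g3", "#nC0ur&g3dm!", "Chinatu123456"]:
        print(candidate, "->", check_password(candidate, PERSONAL_DETAILS) or "ok")
```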
As we move toward passwordless sign ins, how do we continue to keep our organizations and personal information safe?
Passwordless is much better than using passwords; this is because the mechanism uses tried and tested PKI and is more resistant to phishing. However, not all passwordless environments are the same. For secure environments, hardware-bound FIDO credentials provide the best protection against phishing and therefore an extra layer of data protection. - Saqib Ahmad, CISSP
As organizations increasingly embrace the use of passwordless sign-ins, a key area of concern is how organizations will continually secure their information assets. Although passwordless sign-in is gradually eliminating an over-dependence on traditional passwords and their inherent risks, this method also poses its own security risks. For instance, the use of security tokens and OTPs could pose a risk in the event of device theft. To safeguard information assets, it is critical to implement authentication options with added features or layers of protection, such as anti-phishing features and the deployment of Mobile Device Management solutions, to minimize the risks associated with device theft. - Biobele Lawson, CC
In a recent LinkedIn poll, we asked industry professionals which security feature they feel is the most impactful for the safety of their organization. While 55% said Zero Trust, many expressed the challenges of getting there (see comments on LinkedIn).
The truth is that you cannot achieve an acceptable level of security hygiene with only passwords; combining them with multi-factor authentication in various affordable ways is the way to go, even for individuals, not just organizations. Please also be informed that you may not achieve an acceptable level of multi-factor authentication if you do not employ a Zero-Trust policy. I can also assure you that implementing Zero Trust is not expensive if you are granular in your approach and if you work with the NIST Zero-Trust Architecture alongside the Zero-Trust architectures of the various vendors such as Microsoft and others. It may seem cumbersome from the outset, but getting it right by involving all necessary stakeholders and vendors would promote a good security ambience for you and your organization. - Chinatu Uzuegbu, CISSP
I believe what an organization does is more important than the size of an organization when choosing a password solution. Therefore, for organizations of any size that are dealing with sensitive data, I would propose FIDO-based credentials in addition to passwords, or moving to hardware-bound passkeys completely. Such solutions are provided by companies such as Okta, Yubico, etc. - Saqib Ahmad, CISSP
Which password solution do you feel is the most secure and accessible for the following:
Small Organizations (under 100 users) - Multi-factor authentication. It is not as expensive, especially with authenticator apps, and works well if organizations implement it with the loopholes around authenticators in mind and harden the operating systems accordingly. - Chinatu Uzuegbu, CISSP
Mid-Size Organizations (101 – 1,000 users) - Multi-factor authentication with a standard third party such as OAuth or Okta, with options suitable for the user to go with: an email verification code or a one-time code from a mobile device. This is also relatively cheap and quite secure if the necessary system hardening is applied. - Chinatu Uzuegbu, CISSP
Larger Organizations (1,001+ users) - Multi-factor authentication with an organization-provisioned security key or token, with the hope that this could align with the budget of the organization. It promotes a higher level of security. - Chinatu Uzuegbu, CISSP