
World Password Day: how to ensure strong cyber hygiene

5 May 2022
Carmel BISSOUE

What is World Password Day?

World Password Day is a reminder for users to update weak or old passwords to ensure the security of personal and corporate information. As cyber threats continue to evolve and malicious actors develop new attack techniques, a sound cybersecurity posture requires more than just a strong password to prevent any compromise.

As many employees continue to work remotely from anywhere, or in a hybrid model, it is essential that they have a strong password for every platform, since they no longer have the same level of on-site IT support and security to assist them.

World Password Day: how do cybercriminals commonly compromise passwords?

One of the most important elements to avoid compromises is to understand how cybercriminals may attempt to access your critical data. Attack techniques continue to evolve and become more sophisticated, offering cybercriminals a vast toolkit to exploit users. Here are some techniques to watch out for:

  • Social engineering attacks: attacks such as phishing by email and SMS, where users are prompted to provide their credentials, click on malicious links or attachments, or visit malicious websites.
  • Dictionary attacks: the attacker uses a list of common words, called a dictionary, to guess passwords, anticipating that individuals have used common words or short passwords. The technique also adds numbers before and/or after common words to account for people who believe that simply prepending or appending digits makes a password harder to guess.
  • Brute force attacks: an approach in which adversaries randomly generate candidate passwords from character sets and compare each guess against an available cryptographic hash of the password, repeating until a match is found.
  • Password spraying: a form of brute-force attack that targets multiple accounts. In a traditional brute-force attack, adversaries try many password guesses against a single account, which often triggers an account lockout. With password spraying, the adversary tries only a few of the most common passwords against many user accounts, looking for individuals who use a default or easily guessable password while staying below the lockout threshold.
  • Keylogging attacks: by installing keylogging software on the victim's machine, generally via a phishing email, the adversary captures the victim's keystrokes, including the usernames and passwords for their various accounts.
  • Traffic interception: criminals use software such as packet sniffers to monitor and capture network traffic containing password information. If the traffic is not encrypted, or uses weak encryption algorithms, capturing passwords becomes even easier.
  • Man-in-the-middle attacks: the adversary inserts themselves between the user and the targeted website or application, typically by impersonating that website or application, and captures the username and password the user enters into the fake site. Email phishing attacks often direct unsuspecting victims to these fake sites.
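The distinction drawn above between password spraying (a few guesses against many accounts) and a classic brute-force attack (many guesses against one account) is exactly what a defender looks for in authentication logs. The following Python is an added example, not part of the original post; the log format, the RFC 5737 addresses and the thresholds are all constructed assumptions.

```python
"""Classify login-failure patterns per source address as spraying, brute force or benign."""
import re
from collections import defaultdict

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2022-05-05T09:00:01 src=203.0.113.7 user=alice result=FAIL
2022-05-05T09:00:03 src=203.0.113.7 user=bob result=FAIL
2022-05-05T09:00:05 src=203.0.113.7 user=carol result=FAIL
2022-05-05T09:00:07 src=203.0.113.7 user=dave result=FAIL
2022-05-05T09:00:09 src=203.0.113.7 user=erin result=FAIL
2022-05-05T09:00:11 src=203.0.113.7 user=frank result=SUCCESS
2022-05-05T09:01:00 src=198.51.100.9 user=alice result=FAIL
2022-05-05T09:01:01 src=198.51.100.9 user=alice result=FAIL
2022-05-05T09:01:02 src=198.51.100.9 user=alice result=FAIL
2022-05-05T09:01:03 src=198.51.100.9 user=alice result=FAIL
2022-05-05T09:01:04 src=198.51.100.9 user=alice result=FAIL
2022-05-05T09:01:05 src=198.51.100.9 user=alice result=FAIL
2022-05-05T09:05:00 src=192.0.2.44 user=grace result=FAIL
2022-05-05T09:05:30 src=192.0.2.44 user=grace result=SUCCESS
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def classify_sources(log_text, spray_min_users=5, spray_max_per_user=2, brute_min_attempts=5):
    """Return {source_ip: verdict} with verdict in {'spraying', 'brute_force', 'benign'}.

    spraying    : failures against many distinct accounts, few per account (stays under lockout)
    brute_force : many failures against a single account (the pattern lockout is meant to stop)
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["result"] == "FAIL":
            fails[m["src"]][m["user"]] += 1

    verdicts = {}
    for src, per_user in fails.items():
        worst = max(per_user.values())
        if len(per_user) >= spray_min_users and worst <= spray_max_per_user:
            verdicts[src] = "spraying"
        elif worst >= brute_min_attempts:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "benign"
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

Note that the sprayer in the sample eventually succeeds against `frank`; a lockout rule keyed on failures per account would never have fired, which is why spraying detection must group by source rather than by user.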

World Password Day: how can users prevent password compromise?

Users can adopt a number of tactics to ensure that malicious actors cannot compromise their personal information through the techniques above. These should include strong passwords, multi-factor authentication, and single sign-on. In addition, solid cybersecurity training is essential to protect you, your family and your employer against compromise.

Create a strong password

It is important to develop passwords that are impossible to forget and difficult to guess, even for someone who may know intimate details of your life, such as the name of the street where you grew up or the name of your first dog. 

Although it may seem imperative to add numbers and special characters to common words in order to develop a strong password, cybercriminals can leverage a number of attack techniques to crack it. 

Avoid using the following elements in a password:

  • Anniversaries
  • Phone numbers
  • Company information
  • Names including films and sports teams
  • Simple obfuscation of a common word ("P@$$w0rd")

Instead, World Password Day reminds us of best practices for securing your information:

  • Use unlikely or seemingly random combinations of uppercase and lowercase letters, numbers and symbols, and ensure that every password contains at least ten characters.
  • Do not share passwords with anyone else.
  • Do not use the same password for multiple accounts, as this increases the amount of information a cybercriminal can access if they manage to compromise your password. 
  • Change your password every three months to reduce the likelihood of your account being compromised.
  • Use a password manager to generate unique, long, complex, and easily changeable passwords for all online accounts and for the secure encrypted storage of these passwords via a local or cloud-based vault. This will allow you to more easily ensure that you are using the strongest passwords possible, as you will only need to memorise the password for your password vault.
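A password screen that enforces the two lists above (the elements to avoid, and the length and character-mix guidance) can be written in a few lines. The following Python is an added example, not code from the original post; the tiny word list is a constructed stand-in for the large common-password, name and company-term lists a real deployment would use.

```python
"""Flag the weak-password patterns listed above: short length, few character classes,
phone-number digit runs, anniversary years, and leet-obfuscated common words."""
import re

# Constructed, deliberately tiny word list (stand-in for a real breached-password list).
COMMON_WORDS = {"password", "welcome", "summer", "football", "acme", "dragon"}

# Reverse-leet table so "P@$$w0rd" normalises back to "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def normalise(pw):
    """Lowercase, strip digits/symbols from both ends, then undo leet substitutions."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)


def weaknesses(pw):
    """Return the list of reasons the password is weak; an empty list means it passes."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for p in classes if re.search(p, pw)) < 3:
        problems.append("fewer than three character classes")
    if re.search(r"\d{7,}", pw):
        problems.append("contains a long digit run (phone number?)")
    if re.search(r"(19|20)\d{2}", pw):
        problems.append("contains a year (anniversary?)")
    core = normalise(pw)
    if core in COMMON_WORDS:
        problems.append(f"obfuscated common word '{core}'")
    return problems


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "Summer2022!", "Jo5551234567", "correct-Horse-battery-staple-9"):
        print(candidate, "->", weaknesses(candidate) or "ok")
```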

Authentication measures and additional protection that users should take on World Password Day

A single line of defense is no longer effective in keeping advanced cyberattacks at bay. To truly ensure a strong security posture, multiple tactics are required. Consider the following: 

  • Multi-Factor Authentication (MFA): multi-factor authentication confirms a user's identity by adding a further step to the authentication process, whether through a physical token or a mobile application. This ensures that even if a password is compromised, malicious actors cannot access the information.
  • Single Sign-On (SSO): single sign-on allows users to use one unique, secure username and password across multiple applications within an organisation.
  • Cybersecurity training and awareness: as cyber threats evolve and malicious actors develop new techniques to target individuals, users must stay aware of cybersecurity and keep up to date with the threat landscape. Free training courses such as Network Security Expert (NSE) 1 and NSE 2 from Fortinet can help educate individuals of all ages on how to protect themselves. Through its Training Advancement Agenda (TAA) and the NSE Training Institute, Fortinet continues to work to bridge the skills gap with training and certifications, career opportunities, and key partnerships.

As individuals spend more time online for work, learning, and communicating with family and friends, and as cybercriminals intensify attacks targeting these users, it is important to review the security posture of all your accounts, updating weak and outdated passwords as you go.
