Passwords: Lock, set, and secure!

Dubai - Good password hygiene and high levels of awareness of different cyberattack types are proven methods for reducing the risk of an attack and protecting organisations and their employees

Often times, the only thing standing between you and ruinous financial consequences is a strong password, security experts say.

With how hectic our daily lives have become, it is hard to spare more than a thought for something that is not considered to be a task in need of immediate attention – sadly, passwords seem to fall into this category. World Password Day, though, would beg us all to reconsider.

Maher Jadallah, regional director - Middle East, Tenable, explains that World Password Day, which falls every year on the first Thursday in May, is an initiative to encourage individuals to create and use strong passwords.

“Practically everything we do in both our personal and professional lives involves an online identity,” he said. “Whether it is accessing corporate networks, utilising electronic communication and messaging services, sharing video clips with our friends and family via social sites, all require some form of identity verification for access that typically takes the form of a username and password combination.”

The issue, he says, is that vast databases containing these combinations are available on the dark web. Every time one site is breached and this information exposed, attackers will try these against other virtual locks to see if they will open more than just the compromised account. Unique password and username combinations will prevent credential stuffing, but this creates another challenge.

“When you think about the number of online accounts any person has, this can quickly mount up to be in the hundreds,” Jadallah said. “Password managers can help, allowing users to have numerous password combinations, while ensuring all these ‘keys’ are stored and accessible, but isn't this just delaying the inevitable. While strong passwords are beneficial, organisations could be doing more to implement stringent security verification; multifactor authentication, one time passcodes, and biometrics such as fingerprint, iris scan, and facial recognition all provides a much stronger lock to keep attackers out.”

Avinash Gujje, practice head – Infrastructure, Cloud Box Technologies, agrees and said that traditional passwords will never become extinct, however, the mode of the password usage will definitely change. “Today, in any IT environment, the end user password has rapidly changed into face recognition, touch based or multi-factor authentication, however the core systems still depend on traditional passwords policy due to the system dependencies.”

Duane Nicol, a cybersecurity expert at Mimecast, says that cybercriminals are capitalising on poor password hygiene and a lack of cybersecurity awareness from end users to bypass an organisation’s defences – with potentially ruinous consequences. He also noted that the Covid-19 pandemic and switch to remote work created new vulnerabilities that cybercriminals are working hard to exploit. In response, organisations should build greater cyber resilience by implementing updated security controls and prioritising regular cybersecurity awareness training to protect employees, and the business, from attacks.

“Our research has found that users that are exposed to regular cybersecurity awareness training were more than five times less likely to click on dangerous links originating from phishing emails,” says Nicol.

The research shows that 75 per cent of respondents in the UAE believe that their employees’ poor password hygiene is putting their company at risk. In addition, 50 per cent of UAE respondents expect security naïve employees to be their biggest e-mail security challenge in 2021, compared to a global average of 43 per cent.

Nicol says that good password hygiene and high levels of awareness of different cyberattack types are proven methods for reducing the risk of an attack and protecting organisations and their employees. “Effective training is engaging, interesting, and frequent, and encourages users to regularly update their passwords and teaches them how to identify phishing e-mails that could be tricking them into handing over sensitive information.”

Users, he said, should always use passphrases as these are far harder to crack, make use of IT approved password managers and ensure they aren’t using the same password across multiple platforms. Having unique passwords across personal and company platforms will ensure that if a person’s social media profile is phished for example, they aren’t at risk of having a corporate account compromised.

Similarly, Amit Hooja, CEO of NetGraph, said that becoming complacent and choosing the easiest path is sometimes driven by business decisions where organisations onboard clients with the least amount of effort and password security, as well as Two Factor Authentication.

“On the other hand, some organisations tend to address and include new and improved features in their quest for better customer experiences and sometimes fail to test for security holes in the background,” he said. “Additionally, legacy code that may have been written two years ago gets left out, is vulnerable, and opens up so many security holes.”

rohma@khaleejtimes.com