Why World Password Day Still Matters

We all know passwords are a pain.  We find it hard to keep track of them. We forget them and get locked out of accounts. They get stolen in breaches. Yet despite many predictions of their imminent death in recent years, they are still a cornerstone of security, both for enterprises and consumers

Verizon’s 2018 Data Breach Investigations Report estimated that more than 80% of enterprise data breaches involved the use of weak or stolen passwords. Meanwhile, Shape Security’s 2018 Credential Spill Report estimates that there are over 130 million malicious login attempts on consumer and business accounts every single day.

That’s why the first Thursday of May each year is designated as World Password Day, to encourage better password practices and reduce the risk of breaches.

Guidance on good practice boils down to four core principles:

1. Create strong, complex passwords
2. Use a different password for each account
3. Get a password manager to store passwords so you don’t have to remember them all
4. Use multi-factor authentication to ‘layer up’ security

Don’t default

While those are a good foundation, we would also add some additional guidelines. There’s the issue of default security passwords on networking and security equipment. All too often, these don’t get changed when the equipment is deployed, which is the equivalent of giving hackers a free pass to their networks.

We strongly recommend that organizations check the passwords on their security devices. Most compliance regulations, including PCI-DSS, require default passwords to be changed as soon as the device is installed (the risk reports generated by AlgoSec report will automatically detect and flag if default passwords are in use on security devices). The same advice also applies to public cloud accounts – remember that many companies have had breaches from AWS S3 data storage services as a result of poor password practices.

A question of privilege

Another area where it it’s important for organizations to think about protecting access credentials is for privileged accounts. These are the high-level systems that IT and security teams use to manage enterprise resources – such as firewalls and network management consoles. Some of the largest-ever data breaches, such as Edward Snowden’s disclosures and the hack on the U.S. Office of Personnel Management involved abuse of privileged credentials.

To address this specific problem, Privileged Account Management (PAM) solutions are increasingly popular. But network and security administration processes are complex, and there are common circumstances in which privileged account credentials need to be shared – which reduces the level of control over those privileged account credentials.

For example, an enterprise security team may use PAM to secure access to corporate firewalls, so that these controls cannot be easily tampered with. But if changes need to be made to a range of devices on the network, to provision a new application or enable new connectivity, the external management console being used to process the changes needs to have the privileged credentials for those devices – which undermines the reason for using a PAM solution.

To address this, AlgoSec recently introduced support for PAM in its core solution, integrating with CyberArk’s Privileged Access Security Solution to enable joint customers to further reduce their attack surface. The integration gives seamless access from AlgoSec to security devices protected by CyberArk’s product, without the need to duplicate or save privileged credentials outside of the PAM solution. This integration also natively supports the corporate password rotation policy.

Despite our negative feelings about passwords, we can’t afford to overlook their importance: they’re often the first and the last line of defense against hackers. Applying a little care in looking after them goes a long way to strengthening your security posture.