May 4, 2017 By Douglas Bonderud 2 min read

Consumers are bad at passwords. So are companies, and they’re also bad at mandating effective authentication. As a result of this poor cyber hygiene, end users are at greater risk of having personal data stolen or accounts compromised, while businesses could face costly and time-consuming PR and remediation efforts.

As noted by Dark Reading, World Password Day is May 4, offering an ideal time for organizations and employees to take a hard look at bad cyber habits and clean up their acts.

Rolling the Dice With Poor Passwords

Passwords have been on the cyber chopping block for years now. But in the same way new communication tools can’t seem to knock email out of top spot, passwords remain the go-to for most e-commerce accounts, social platforms and corporate networks.

The problem is that users are really bad at choosing decent passwords. For example, Forbes reported that the most popular passwords in 2016 were “123456” and “password.” Alarmingly, these passwords also topped the list in 2015 and 2014.

The Dark Reading piece, meanwhile, noted that 70 percent of end users have seven or fewer passwords across all their online accounts, so it’s no surprise that 81 percent of hacking-related breaches examined by the “2017 Verizon Data Breach Investigation Report (DBIR)” tapped weak or stolen passwords. Even IT security pros aren’t off the hook, with 53 percent still using the same social network passwords they did last year, while 20 percent have never changed their passwords.

On the corporate side of the equation, many companies still aren’t using multifactor authentication (MFA). The DBIR described this as “rolling the dice” when it comes to device compromise from reused access credentials.

Cleaning Up for World Password Day

Ars Technica recently pointed out some less-than-stellar authentication designs. Its example not only allowed four-character passwords, but it also sent users a PIN in plaintext via email. What’s more, there was no mechanism to reset credentials, meaning that even if a breach occurred, users are stuck with the same problematic password.

Add in the predilection of users to select easy-to-remember and easy-to-guess passwords, then reuse them across multiple sites and never change them, and it becomes clear that even the necessary attention drawn by World Password Day won’t be enough to solve this security issue.

So what’s the solution? First, companies need to recognize that passwords won’t disappear overnight; better management is required to limit theft and reuse. Ideally, businesses should balance the need for better security hygiene with user convenience. It’s a good idea, for example, to require at least eight characters for any password, including one number or symbol. Then leverage controls that prevent employees from reusing passwords and restrict access unless passwords are regularly changed.

The next step is adaptive authentication. The idea here is to tap emerging authentication protocols, such as biometric tools and location-specific identifiers, and combine them with open source initiatives to develop universal, adaptable and secure standards that provide maximum convenience across multiple devices without compromising corporate security.

Scrubbing Out Poor Passwords

Passwords are a big problem. Users make terrible choices, and companies often overlook bad habits in favor of enterprise expediency. But cybercriminals are cleaning up, using and reusing bad passwords to compromise accounts.

World Password Day calls out the need for better cyber hygiene, but that’s only half the battle. Adaptive authentication, combined with evolving open standards, are required to help scrub out this security issue.

More from

Cloud Threat Landscape Report: AI-generated attacks low for the cloud

2 min read - For the last couple of years, a lot of attention has been placed on the evolutionary state of artificial intelligence (AI) technology and its impact on cybersecurity. In many industries, the risks associated with AI-generated attacks are still present and concerning, especially with the global average of data breach costs increasing by 10% from last year.However, according to the most recent Cloud Threat Landscape Report released by IBM’s X-Force team, the near-term threat of an AI-generated attack targeting cloud computing…

Testing the limits of generative AI: How red teaming exposes vulnerabilities in AI models

4 min read - With generative artificial intelligence (gen AI) on the frontlines of information security, red teams play an essential role in identifying vulnerabilities that others can overlook.With the average cost of a data breach reaching an all-time high of $4.88 million in 2024, businesses need to know exactly where their vulnerabilities lie. Given the remarkable pace at which they’re adopting gen AI, there’s a good chance that some of those vulnerabilities lie in AI models themselves — or the data used to…

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today