Ensuring Strong Cyber Hygiene on World Password Day

As many employees continue to work remotely from anywhere or even in a hybrid model sometimes in the office, it is critical to have strong passwords for all applications or platforms as employees no longer have the same level of on-site IT and security support to help when working from anywhere.

What is World Password Day?

World Password Day is a reminder for users to update weak or old passwords to ensure personal and corporate information security. As cyber threats continue to evolve and bad actors develop new attack techniques, a good cybersecurity posture requires more than just a strong password to avoid compromise.

How Do Cybercriminals Steal and Compromise Passwords?

One of the most important parts of avoiding compromise is understanding how cybercriminals may attempt to gain access to your critical data. Attack techniques continue to evolve and become more sophisticated, giving cybercriminals a vast toolkit to use to exploit users. Here are some techniques to look out for:

• Social engineering attacks: Attacks such as phishing through emails and texts, where users are tricked into providing their credentials, clicking on malicious links or attachments, or going to malicious websites.
• Dictionary attacks: Attackers use a list of common words, called “the dictionary,” to try to gain access to passwords in anticipation that people have used common words or short passwords. Their technique also includes adding numbers before or after the common words to account for people thinking that simply adding numbers before or after makes the password more complex to guess.
• Brute force attack: An approach in which adversaries randomly generate passwords and character sets to guess repeatedly at passwords and to check them against an available cryptographic hash of the password. 
• Password spraying: A form of brute force attack that targets multiple accounts. In a traditional brute force attack, adversaries try multiple guesses of the password on a single account, and that often leads to account lockout. With password spraying, the adversary only tries a few of the most common passwords against multiple user accounts, trying to identify that one person who is using a default or easy-to-guess password and thus avoiding the account lockout scenario.
• Key logging attack: By installing key logging software on the victim’s machine, usually through some form of email phishing attack, the adversary can capture the key strokes of the victim to capture their username and passwords for their various accounts.
• Traffic interception: Criminals use software like packet sniffers to monitor and capture the network traffic that contains password information. If the traffic is unencrypted or using weak encryption algorithms, then capturing the passwords is even easier.
• Man-in-the-middle: In this scenario, the adversary inserts themselves in the middle of the user and the intended website or application, usually by impersonating that website or application. The adversary then captures the username and password that the user enters into the fake site. Often, email phishing attacks lead the unsuspecting victims to these fake sites

How Can Users Generate Secure Passwords and Avoid Being Compromised?

Users can adopt a number of tactics to ensure bad actors cannot compromise their personal information through the techniques above. These should include: strong passwords, multi-factor authentication, and single sign-on capabilities. In addition to these, a strong cybersecurity education is critical to protect yourself, your family, and your employer from compromise.

Creating a Strong Password

It is important to develop passwords that are impossible to forget and difficult to guess, even for a person that may know intimate details of your life like the name of the street you grew up on or the name of your first dog. 

Though it may seem compelling to add numbers and special characters to common words as a way to develop a strong password, cybercriminals can leverage a number of attack techniques to crack this. 

Avoid using the following in any password:

• Birthdays
• Phone numbers
• Company information
• Names including movies and sports teams
• Simple obfuscation of a common word (“P@$$w0rd”)

Instead, World Password Day reminds us of the best practices to secure your information:

• Leverage unlikely or seemingly random combinations of uppercase and lowercase letters, numbers and symbols, and make sure your passwords are at least 10 characters long to ensure strong password.
• Do not share passwords with anyone.
• Do not use the same password for multiple accounts, this increases the amount of information a cybercriminal can access if they are able to compromise your password. 
• Change your password every three months to decrease the likelihood that your account will be compromised.
• Use a password manager to generate unique, long, complex, easily changed passwords for all online accounts and the secure encrypted storage of those passwords either through a local or cloud-based vault. This will make it easier for you to ensure you are using the strongest passwords possible, as you will only need to memorize the password to your password locker.

Additional Authentication and Protection Measures Users for Strong Cyber Hygiene and Password Security

A single line of defense is no longer effective at keeping advanced cyberattacks at bay. To truly ensure a strong security posture, multiple tactics are required. Consider the following: 

• Multi-factor authentication (MFA): Multi-factor authentication confirms the identity of users by adding an additional step to the authentication process, whether it is through physical or mobile application-based tokens. This ensures that even if a password is compromised, bad actors cannot access the information. 
• Single sign-on (SSO): Single sign-on allows users to leverage a single, secure username and password across several applications within an organization. 
• Cybersecurity training and education: As cyber threats evolve and bad actors develop new techniques to target individuals, users must remain cyber aware and stay up to date on the state of the threat landscape. Free training courses like Fortinet’s Network Security Expert (NSE) 1 and NSE 2 can help educate individuals of any age about how to keep safe. With Fortinet’s Training Advancement Agenda (TAA) and NSE Training Institute programs, Fortinet continues to work toward closing the skills gap with training and certifications, career opportunities and key partnerships.

As individuals increase the amount of time they spend online for work, e-learning, and communicating with family and friends, and cybercriminals ramp up attacks targeting these users, it is important to perform a security posture check across all accounts—updating weak and outdated passwords as needed.

Learn more about the Fortinet free cybersecurity training initiative and Fortinet’s Training Institute, including the NSE Certification program, Academic Partner program, and Education Outreach program which includes a focus on Veterans.