Weak passwords continue to exist in 2024

Concept artwork of handwritten passwords on pastel colored sticky notes, generated by Blue Willow.

World Password Day, the first Thursday in May, has come round again — highlighting one of the vulnerabilities in our cyberdefences.

Darren Guccione, CEO and co-founder, Keeper Security, noted that weak and compromised credentials remain the leading cause of breaches. "In a new study by Keeper Security, 92% of IT security leader respondents revealed that cyberattacks are more frequent now than one year ago — and are growing more sophisticated," he said. 

"While no one likes updating their passwords, World Password Day is a great time to recognise and enforce this critical best practice. Passwords act as the first line of defence — protecting access to applications, systems, secrets and IT resources." 

Keeper Security found that only 25% of people are using strong, unique passwords for all their accounts, which leaves 75% of individuals with dangerously weak password practices. The same study found that a third of respondents (34%) use strong passwords, but repeat variations of them (for example, Chick1n&R1ce+123 and 123+Chick1n&R1ce). This practice is vulnerable to credential-stuffing attacks*, Guccione said. 

"In addition, 14% of all respondents use passwords that are both simple and repeated across their accounts. Best practices include protecting accounts with a password that is not easily guessed and has not been used for any other account," said Guccione. 

"It’s recommended to use a password of at least 16 characters, with a variety of numbers, uppercase and lowercase letters, and symbols. Multifactor authentication (MFA) should be enabled everywhere possible.

"Adopting a trusted password manager helps secure passwords – as well as passkeys, files, payment details and sensitive info – and eliminates the headaches that come with updating and remembering them. At the end of the day, generating strong, random passwords for each account and storing them in an encrypted digital vault is the simplest, most secure and effective method to manage the plethora of passwords we all have to contend with."

Said Adam Brown, Managing Consultant, Synopsys Software Integrity Group: "Passwords are not a good form of authentication anymore; even 'leet' speak** passwords such as P@55w0rd are in every attacker's dictionary. However, their close relatives, passphrases***, do still have a chance of beating attacks. Yes, they take a little longer to type, but they are just as easy to remember and have a much better resistance to password busting techniques. Try using memorable phrases."

Brown agreed with Guccione that repeating authentication data for different places is not a good idea. "It’s also important not to reuse (passphrases) - all it takes is one service provider to have poor data and password storage methods and that passphrase is out there in the wild along with your email address and other personal data, therefore attackers then have access to any other sites you use that same passphrase on," he said.

"World Password Day serves as an important reminder of how much individuals and enterprises must continually practice caution and care when handling their accounts and online data. Exercising good password hygiene is key to keeping you - and your workplace - safe online, but that is only the tip of the iceberg when it comes to ensuring data security," Andy Ng, VP and MD for Asia South and Pacific Region, Veritas Technologies, pointed out.

"In the last two years 68% of organisations in Singapore have been hit with a successful cyberattack, so it is critical that we do not get complacent with basic security measures. While organisations may enforce strong password update policies for employees, there are still numerous ways to exploit a system's vulnerabilities, making them open to data breaches.

"Not only that, with emerging technologies enabling more advanced and dangerous forms of phishing attacks, malware and ransomware, companies must now implement more advanced security frameworks and measures. When it comes to keeping accounts and data secure, I recommend enhancing your current login security by adding multifactor authentication (MFA), to create an extra layer of identity confirmation."

Passwords have a role to play with operational technology (OT) as well. Nicholas Miles, Staff Research Engineer at Tenable, explained that OT, which typically controls or manages industrial equipment, operates in completely separate layers whose access is controlled by firewalls.

"Surprisingly, the most sensitive devices running at the lowest layers - programmable logic controllers (PLCs) - often have the weakest access controls. Historically, this has been due to the fact that they're protected behind multiple layers of firewalls and only someone physically onsite is able to access them directly. However, emerging malware threats like Stuxnet, CrashOverride, Pipedream, Havex, and BlackEnergy demonstrate the ability to breach even air-gapped systems. This can be accomplished by infecting a technician's laptop which is later connected to the network containing PLCs," he said.

“It’s therefore becoming more and more important to make sure every piece of equipment - including PLCs - is protected with the strongest possible access controls. If available, cryptographic keys provide the best access control. You cannot guess or brute-force a properly generated cryptographic key, and cryptographic keys are a lot easier to manage and control, including the ability to easily and rapidly revoke them if compromised.

“If asymmetric cryptographic access controls are unavailable on a PLC, passwords should be used following best practices. This includes periodic password rotation and minimum complexity requirements. Of course these passwords need to be properly stored and secured. Gateways and systems such as human machine interfaces (HMIs) running at higher layers should be protected by multifactor authentication, and every interaction should be logged and monitored."

Chern-Yue Boey, Senior VP, Asia-Pacific, SailPoint, suggested that passwordless techniques are the way to go.

“With as many as 4,000 password attacks occurring per second globally, the vulnerability of user passwords has become more pronounced with a tenfold increase in attacks in the past year alone. Despite years of industry discourse on the perils of weak passwords, organisations continue to underestimate the risks associated with relying solely on passwords to safeguard valuable information – with login and access passwords serving as the Achilles heel exploited by hackers to breach corporate networks," he said.

"Passwordless solutions have emerged as a promising alternative, incorporating technologies such as biometrics, authenticator apps and tokens. However, it remains crucial for organisations to recognise that these alone do not ensure security. Malicious actors often also exploit weaknesses in business systems lacking least privileged access controls – especially in today's dynamic threat landscape, where compromised identities often serve as the primary trigger for the majority of data breaches.

"The consequences of this oversight are costly, making businesses susceptible to a barrage of attacks once cyberattackers get one foot in the door. In fact, IDC’s recent report found that a staggering 59% of enterprises in APJ have fallen victim to ransomware attacks, with 32% ultimately paying the ransom. Furthermore, the advent of AI has exacerbated the risk for businesses, empowering even novice cybercriminals with accessible means to launch even more complex and sophisticated threats."

Boey added that more layers of security should be considered. "Instead of viewing passwordless authentication as a standalone solution, organisations should seamlessly integrate it with a robust identity security framework. Given that organisations are set to manage up to 10% more identities over the next 3 years, it is critical for organisations to have the capability to manage access levels across all identities within the entire IT ecosystem. 

"A unified, integrated identity security approach gives organisations full visibility into their identity landscape, enabling them to swiftly detect and prevent unauthorised attempts to access privileged information or systems, and detect any irregular activities early as a reliable fail-safe.” 

Philip Sow, Manager, Systems Engineering, South East Asia and Korea at Proofpoint, listed a number of best practices. “We recommend consumers use different passwords, especially on critical financial and data-driven accounts. Be sure to turn on multifactor authentication if available for as many accounts as possible. 

"If MFA is not an option for the account, use a password manager. A password manager creates randomised passwords that are safely stored, encrypted, and accessible across all personal devices and reduces the burden of trying to remember complicated login credentials across multiple websites. If you use a passphrase as part of your password, make sure you never use common words or phrases, names or dates associated with you or direct family members. It’s also best to change all passwords twice a year and change business passwords every three months," he advised.

Miles had similar advice for OT practitioners. “For this World Password Day, remember that relying on a single password for access control carries the most risk, especially in an OT environment. With some OT devices, that might be the only security mechanism a device supports. However, where possible, it's best to use cryptographic controls and multifactor authentication and rotate and protect your passwords!” he said.

Sow added that the human factor is significant. "Since 95% of cybersecurity issues can be traced to human error, it remains important for businesses to implement a human-centric approach to security. Ensure that both your remote and in-office employees receive training and education on basic cybersecurity best practices, including how to identify a credential phishing attempt and how to securely manage passwords,” he said.

Ng observed that Singapore businesses are increasingly implementing Zero Trust policies, with cybersecurity teams using monitoring tools to track network infrastructure and system access devices for unauthorised or suspicious activities. "Thus, even if a hacker were to enter your system via a compromised account, your security team can be activated if they start making suspect actions in your servers, minimising any damage they can do," he said.

"The Principle of Least Privilege, or restricting specific data, resources and applications to a user for their specific tasks, can also restrict the actions of any malicious actor who has breached your servers.

"Protecting our logins and accounts is really step one in a larger journey in securing our data from threats. This World Password Day, I hope more organisations and individuals recognise the rapidly evolving attack vectors of cyberthreats, understand the increased targeting of human elements in these processes, and establish processes and technology to defend themselves better."

*Credential stuffing refers to the practice of using a stolen password with services other than the one it was linked with. People who reuse their passwords could easily lose more than expected as a result.

**Leet speak refers to the practice of replacing letters with similar-looking numbers or symbols to create stronger passwords. 'E' could be replaced by '3' for example, and 'a' with '@'.

***When the words that make up a phrase are used as a password, the resulting password is called a passphrase.
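The Keeper finding above (Chick1n&R1ce+123 versus 123+Chick1n&R1ce) and the leet-speak footnote describe the same weakness: rearranging affixes or swapping '@' for 'a' leaves the memorable core intact, and that core is what a reuse check or an attacker's rule set recovers. The following Python is an added example, not code from the article or from any vendor quoted in it; it canonicalises a candidate password by undoing such substitutions and stripping numeric or symbol affixes so that a password policy can reject trivial variations of a previous password or of a dictionary word. The substitution table, the sample dictionary cores and the 16-character minimum are constructed assumptions for illustration.

```python
import re
from typing import Iterable

# Leet substitutions the footnote describes ('3' for 'e', '@' for 'a'); the table
# is constructed for this example, so extend it to match your own rule set.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
})
# Leading or trailing runs of digits, symbols or underscores ("+123", "123+").
AFFIX = re.compile(r"^[\W\d_]+|[\W\d_]+$")
# Constructed sample of dictionary cores; a real deployment loads a breach list.
COMMON_CORES = {"password", "welcome", "letmein", "qwerty"}


def canonical(password: str) -> str:
    """Reduce a password to the memorable core a cracking rule set recovers:
    strip affixes, undo leet substitutions, lowercase, keep letters only."""
    core = AFFIX.sub("", password)
    if not core:                      # nothing but digits/symbols: compare raw
        return password.lower()
    letters = re.sub(r"[^a-z]", "", core.translate(LEET_MAP).lower())
    return letters or core.lower()    # non-Latin letters: keep the stripped core


def is_variation(new: str, old: str) -> bool:
    """True when two passwords differ only by leet spelling or affixes."""
    return canonical(new) == canonical(old)


def check_new_password(new: str, history: Iterable[str], min_len: int = 16) -> list:
    """Policy check: list the reasons a candidate password should be rejected."""
    problems = []
    if len(new) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if canonical(new) in COMMON_CORES:
        problems.append("leet-speak variant of a dictionary password")
    if any(is_variation(new, old) for old in history):
        problems.append("trivial variation of a previous password")
    return problems


if __name__ == "__main__":
    print(check_new_password("P@55w0rd", []))
    print(check_new_password("123+Chick1n&R1ce", ["Chick1n&R1ce+123"]))
```

Run the same canonicalisation over a breach list to flag employee passwords whose core already appears in one, which is the reuse the credential-stuffing footnote warns about.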
