World Password Day 2023: A CISO's Playbook

Intel initiated the idea of World Password Day and designated the first Thursday of May for it, to raise awareness of the critical need for strong passwords.

As the cybercrime industry becomes more sophisticated, businesses are exposed to a growing range of threats and vulnerabilities. Cybercriminals are on the prowl to steal credentials from compromised systems or users and then move laterally through the business network. As World Password Day approaches on May 4th, let's focus on the best password management strategies CISOs can consider to strengthen their defensive posture.

On World Password Day 2023, security leaders can focus on the following aspects to strengthen password management:

  • Ensure teams do not use personal account passwords for their professional IDs.
  • Get an in-depth understanding of the supplementary password guidelines shared by the Cybersecurity & Infrastructure Security Agency (CISA).
  • Design and enforce password management strategies with effective training modules.

Business leaders must add a security layer by requiring strong authentication for critical passwords to prevent cybercrime. Most operating systems (OS) have lenient password management policies that allow users to create and store easy passwords. Security has been an inherent weakness of the internet since its inception.

CISOs need to be aware of all the ways cybercriminals can steal credentials and use them for malicious ends.

Top Password Security Risks

Phishing, Sniffers, or Keyloggers

The easiest way to obtain a user's password is to have the user reveal it themselves. It is one of the most significant ways cyber attackers bypass password authentication.

Phishing is when attackers trick users into typing their passwords into malicious websites that the attackers control. Attackers can also use sniffing to read traffic on insecure, unencrypted wireless or wired networks.

They can also install a keylogger on a computer, in software or hardware form, to compromise the system. These methods offer cybercriminals easy ways to steal credentials, either by luring users into entering their passwords or by reading traffic on insecure networks. Phishing is one of the most common vectors cybercriminals use to steal passwords and other valuable information.

Malicious actors send emails containing malicious links to many users. The link redirects users to an illegitimate, bogus, or spoofed site that lures them into providing their passwords. Once cybercriminals obtain one password, they can compromise the system and move laterally through the business network.

Phishing is an effective vector for infiltrating as many business and personal accounts as possible. Once they gain access to an account, malicious actors will steal all of its sensitive information, or the user will lose access to it.

Brute Force or Cracking Credentials

Another easy way for attackers to obtain a user's credentials is by brute forcing or cracking passwords. Cybercriminals that take this approach use software or other automated tools that generate billions of password combinations and try each one to gain access to sensitive data and accounts. These brute force attacks keep trying combinations until they discover the right password.

An organization falls victim to a brute force attack when attackers try every combination of letters, numbers, and symbols permitted by the password policy until they find one that works. Most of the time, brute force attacks against a live login fail because of account lockout rules.

However, CISOs must know that brute force attacks can go undetected if the cybercriminal has a copy of a system's password file or of hashed passwords copied from a database: the guesses are then tested offline, where no lockout rule applies. Once the attacker has a copy of one or more hashed passwords, determining the actual password can be very easy.
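As an added illustration (not code from the article), the following Python shows the storage scheme that makes a stolen copy of hashed passwords expensive to crack: a per-user random salt and a deliberately slow key derivation (PBKDF2-HMAC-SHA256 with an assumed iteration count), verified in constant time, beside the weak fast unsalted hash. The record format and parameter values are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters, not taken from the article: 16-byte random salt per user
# and a high PBKDF2 iteration count so each offline guess costs real CPU time.
ITERATIONS = 600_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$digest (base64 fields)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per user, so equal passwords give different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count; compare in constant time."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2])
        expected = base64.b64decode(parts[3])
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def unsalted_sha256(password: str) -> str:
    """The weak scheme the article warns about: fast, unsalted, and lookup-table friendly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                   # False
    # Two users with the same password: identical unsalted digests, distinct salted records.
    print(unsalted_sha256("Summer2023!") == unsalted_sha256("Summer2023!"))  # True
    print(hash_password("Summer2023!") == hash_password("Summer2023!"))      # False
```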

Reuse of Personal Passwords

Users often reuse the same passwords across multiple networks and systems. This reuse of personal passwords makes the credentials more vulnerable to compromise. With the surge in cyberattacks, attackers are more likely to obtain a user's password through a breach of another website. Moreover, stolen user credentials are sold on underground forums, which can be a gold mine for hackers.

Password Recovery Systems

Applications with password reset systems enable users, and potentially attackers, to recover credentials. CISOs need to understand that the forgotten-password mechanism is another authentication path that must be secured. Malicious actors can impersonate users and try to access their accounts by triggering a password recovery.

Online applications that rely on "security questions" such as date of birth are more exposed to cyber threats. CISOs should layer up their security posture by adding tools to strengthen the password recovery process.
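One way to replace guessable security questions with a recovery path that cannot be impersonated, as an added example that is not the article's own: reset tokens are random, only their digest is stored server-side, they expire, and they are consumed on first use. The class name, TTL and storage layout are assumptions for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumed policy for the example: a token is valid for 15 minutes and exactly one use.
TOKEN_TTL = 15 * 60

class ResetTokenStore:
    """Keeps pending reset tokens as digest -> (user_id, expiry). Names are hypothetical."""

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, float]] = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Storing only the digest means a leaked table does not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str, now: Optional[float] = None) -> str:
        """Create a single-use token; the raw value goes to the user out of band (e.g. email)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unlike a date of birth
        self._pending[self._digest(token)] = (user_id, now + TOKEN_TTL)
        return token

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user_id if the token is known, unexpired and unused; otherwise None."""
        now = time.time() if now is None else now
        entry = self._pending.pop(self._digest(token), None)  # consumed on any attempt
        if entry is None:
            return None
        user_id, expiry = entry
        if now > expiry:
            return None
        return user_id

if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("alice")
    print(store.redeem(token))  # 'alice'
    print(store.redeem(token))  # None: a second use is rejected
```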

Storing Clear Text Passwords in Software Code and Configuration Files

Storing clear text passwords poses a severe threat to password security, as it exposes credentials that let unverified individuals impersonate legitimate users and gain access to their accounts or systems. Clear text passwords are visible while being typed and remain visible if they are saved unencrypted in configuration files or source code. Hence, they pose a significant threat to the business, as cybercriminals can easily read them.
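A small detector for the problem described above, added here as an example rather than taken from the article: it scans configuration or source lines for credential-like keys with literal values and for passwords embedded in connection URLs, while ignoring references to environment variables or a secret store. The sample config is constructed, and the key patterns are an assumed starting point, not a complete ruleset.

```python
import re
from typing import List, Tuple

# Constructed sample, not from the article: lines a reviewer might find in a repository.
SAMPLE_CONFIG = """\
# app.ini
[database]
host = db.internal.example
password = Summer2023!
[api]
api_key = "sk_live_1234567890abcdef"
token = ${API_TOKEN}
db_url = postgres://app:hunter2@db.internal.example:5432/app
secret_ref = vault:kv/app/secret
"""

# Key names that usually carry a credential, assigned a literal value.
CREDENTIAL_KEY = re.compile(
    r"^\s*(?P<key>[A-Za-z0-9_.-]*(password|passwd|pwd|secret|api[_-]?key|token)[A-Za-z0-9_.-]*)"
    r"\s*[:=]\s*(?P<value>.+?)\s*$",
    re.IGNORECASE,
)
# Credentials embedded in URLs: scheme://user:password@host
URL_CREDENTIAL = re.compile(r"[a-z][a-z0-9+.-]*://[^/\s:@]+:(?P<pw>[^@\s]+)@", re.IGNORECASE)
# Values that point at an environment variable or secret store rather than a literal.
SAFE_VALUE = re.compile(r"^(\$\{?[A-Z_][A-Z0-9_]*\}?|vault:.*)$")

def find_cleartext_credentials(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) pairs for lines that hold a literal credential."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith(("#", ";")):  # skip comments
            continue
        m = CREDENTIAL_KEY.match(line)
        if m and not SAFE_VALUE.match(m.group("value").strip("\"'")):
            hits.append((n, m.group("key")))
            continue
        if URL_CREDENTIAL.search(line):
            hits.append((n, "url-embedded-password"))
    return hits

if __name__ == "__main__":
    for n, key in find_cleartext_credentials(SAMPLE_CONFIG):
        print(f"line {n}: literal credential in '{key}'")
```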

Secure Sockets Layer (SSL) and Hypertext Transfer Protocol Secure (HTTPS) are security mechanisms that use certificate management to prevent unauthorized devices from connecting to business accounts. They rely on strong ciphers, which prevent intercepted packets from being decoded.

Businesses need effective strategies for devices that connect through public Wi-Fi, because public Wi-Fi can expose businesses to various threats even when the tech stack uses SSL. Malicious actors can intercept Wi-Fi transmissions without the user knowing. This gives cybercriminals easy access to the user's device, from which they can infiltrate business accounts. Organizations often lack sufficiently hardened computers or laptops, and malicious actors can use such a device as a compromised system to reach sensitive information.

SecOps teams and CISOs must have effective password management strategies to defend against brute force attacks and other cybersecurity threats. Every organization should pledge on World Password Day 2023 to review its password management policies and make the changes necessary to strengthen its security posture.
