passwords Archives - Cyber Secure Forum | Forum Events Ltd
Posts Tagged :

passwords

62% of consumers still choosing to use repeat passwords

 960 640 Stuart O'Brien
By:
0
0

Regardless of generational differences across Boomers, Millennials and Gen Z, new research shows a false sense of password security given current behaviours across the board.

In addition, the LastPass fifth annual Psychology of Password findings found that while 65% of all respondents have some form of cybersecurity education – through school, work, social media, books or courses – the reality is that 62% almost always or mostly use the same or variation of a password. 

The goal of the LastPass Psychology of Passwords research is to showcase how password management education and use can secure users’ online lives, transforming unpredictable behaviour into real and secure password competence. The survey, which explored the password security behaviours of 3,750 professionals across seven countries, asked about respondents’ mindset and behaviours surrounding their online security.

The findings highlighted a clear disconnect between high confidence when it comes to their password management and their unsafe actions. While the majority of professionals surveyed claimed to be confident in their current password management, this doesn’t translate to safer online behaviour and can create a detrimental false sense of safety. 

Key findings from the research include: 

  • Gen Z is confident when it comes to their password management, while also being the biggest offenders of poor password hygiene. As the generation who has lived most of their lives online, Gen Z (1997 – 2012) believes their password methods to be “very safe”. They are the most likely to create stronger passwords for social media and entertainment accounts, compared to other generations. However, Gen Z is also more likely to recognise that using the same or similar password for multiple logins is a risk, but they use a variation of a single password 69% of the time, alongside Millennials (1981 –1996) who do this 66% of the time. On the other hand, Gen Z is the generation most likely to use memorisation to keep track of their passwords ( 51%), with Boomers (1946 – 1964) the least likely to memorise their passwords at 38%. 
  • Cybersecurity education doesn’t necessarily translate to action. With 65% of those surveyed claiming to have some type of cybersecurity education, the majority (79%) found their education to be effective, whether formal or informal. But of those who received cybersecurity education, only 31% stopped reusing passwords. And only 25% started using a password manager. 
  • Confidence creates a false sense of password security. While 89% of respondents acknowledged that using the same password or variation is a risk, only 12% use different passwords for different accounts, and 62% always or mostly use the same password or a variation. To add to that, compared to last year, people are now increasingly using variations of the same password, with 41% in 2022 vs. 36% in 2021. 

“Our latest research showcases that even in the face of a pandemic, where we spent more time online amid rising cyberattacks, there continues to be a disconnect for people when it comes to protecting their digital lives,” said Christofer Hoff, Chief Secure Technology Officer for LastPass. “The reality is that even though nearly two-thirds of respondents have some form of cybersecurity education, it is not being put into practice for varying reasons. For both consumers and businesses, a password manager is a simple step to keep your accounts safe and secure.” 

For more information and to download the full Psychology of Passwords research findings, please click here. 

Why your organisation needs the password police

 960 640 Stuart O'Brien
By:
0
0

By Steven Hope, CEO of Authlogics

We live in a world full of policy, etiquette, regulation, and law, that provides a written and sometimes unwritten framework for codes of conduct that are deemed acceptable or unacceptable in our society.

However, having rules in place does not guarantee compliance. It is for this reason that we have police forces, armies, industry watchdogs, regulators, peer pressure, and more to help ensure the rules are followed, and in the main, as a society, we are very good at obeying orders. Consider how most of us adhered to strict lockdown rules during the pandemic, and despite queues stretching for many miles, people took their place in line and waited to pay their respects to Her Majesty Queen Elizabeth during her lying-in-state.

However, there are instances where we may be more willing to bend the rules, especially if we perceive a victimless crime.  Passwords are a good example. A lot of organisations have a password policy, but many employees do not adhere to the rules, with passwords not being changed as frequently as required, the necessary format not being followed, the same passwords being used for multiple accounts, and the sharing of login credentials.

Yet, for those who diligently do the right thing, there can still be a problem if the policy itself is not fit for purpose. Earlier in the Summer, it was reported that Shopify required a password to be of at least five characters. However, research of breached passwords revealed that 99.7% of the passwords met Shopify’s requirements.

This case is far from surprising, given that many password policies in use today can be as much as 25 years old, despite guidance from bodies such as NIST. The world has moved on and the threat landscape has changed.  Phishing attacks were not around when many of these policies were created, but today they pose one of the single largest cybersecurity risks.

Part of the problem is what has long been a ‘strong’ and ‘secure’ password is no longer the case.  A combination of upper and lowercase and special characters only makes passwords harder to remember and not stronger. No matter how complex a password is, if a bad guy has the password, they have access. With this in mind, the foundation of any password policy must be to ensure that breached passwords are not in use with an organisation. The use of multi-factor authentication (a username, password, and another credential such as a pattern, PIN, or biometric for example) also has an important role to play, however, the first step is to have a password management solution in place that automatically detects breached passwords and ensures that it is immediately changed with a new password that conforms to the latest NIST recommendations.

Think of it as password policing rather than policy, a method for both prevention and enforcement. Passwords are far from the ideal authentication solution and the policies that have long governed them have done little to improve the situation. Organisations are beginning their journeys towards passwordless alternatives, but it will take time for this to be the norm. Until then it is vital that we create an environment in which they can be used with the highest level of assurance.

‘Massive’ rise in DDoS and password attacks during pandemic

 615 410 Stuart O'Brien
By:
0
0

New analysis from F5 Labs has discovered a massive rise in DDoS and password login attacks during the pandemic.

In January, the number of all reported SIRT incidents was half the average reported in previous years. However, as lockdowns were put in place from March onwards, there was a sharp rise in incidents.

The attacks can be categorised into two buckets from January to August this year: Distributed Denial of Service (DDoS) attacks (45%) and password login attacks (43%) which comprised of brute force and credential stuffing attempts.

Other findings include:

  • DDoS attacks surge 3x in March: DDoS made up only a tenth of reported incidents in January, but grew to three times that of all incidents in March.
  • No ‘spring slump’ for DDoS: Typically, DDoS attacks see a ‘spring slump’, but these rose in April 2020. In fact, DDoS attacks targeting web apps increased six-fold from 4% in 2019 to 26% in 2020.
  • Attacks are diversifying: The number of DDoS attacks reported to the SIRT and identified as DNS amplification attacks nearly doubled (31%) this year along with DNS Query Flood which is also on the rise.
  • DDoS most popular in APAC with 83% of attacks: Meanwhile, EMEA saw the next highest with 54%.
  • 67% of all SIRT-reported attacks on retailers in 2020 were passwords attacks: A rise of 27% on last year. This was to be expected as the pandemic has caused a huge shift from in-store sales to online

Full details can be found here: https://www.f5.com/labs/articles/threat-intelligence/how-cyber-attacks-changed-during-the-pandemic.

Biometrics and behaviour-based authentication on the rise

 960 640 Stuart O'Brien
By:
0
0

A new survey suggests our relationship with passwords to identify ourselves online is shifting.

For some of us, it’s shocking to consider single-factor authentication is even in use today, given that poor password habits and stronger computing power has led to an increase in hacking-related breaches involving either stolen or weak passwords.

But a Callsign survey has revealed that a knowledge-based approach, such as passwords, for accessing online accounts is now favoured by less than half of UK and US respondents (45% on both sides of the Atlantic).

Over the last few years, increased availability of biometric tools on laptops, tablets and smartphones has given consumers a taste for biometric identification, and in the survey 30% noted a preference for sharing and storing biometric information (32% in the UK and 27% in the US) for identification when accessing an online account or making a purchase.

Bit it’s clear there’s still a long way to go in shifting consumer attitudes away from solely relying on passwords. Callsign says biometric information as well as behavioural biometric data – such as the way a user swipes their screen or their unique keystroke pattern when entering their password – need to become the norm, so companies can more intelligently identify anomalies and apply additional layers of security.

With employees frequently cited as the weakest link in corporate cybersecurity enforcement, it is no surprise that traditional passwords are preferred at work, where people’s reluctance to embrace more innovative methods of identification over a presumed ease of access is commonplace.

Knowledge-based identification was the most favoured by 56% of workers (58% in the UK and 51% in the US), while biometric methods were preferred by a mere 15% of workers.

Other insights from this survey include:

  • Despite the high preference for knowledge-based identifiers at work (58% in the UK and 51% in the US), they are less favourable for personal use, where 46% noted they were preferred when logging in to check an account balance and 44% chose it for making a purchase or a balance transfer
  • The UK tends to be more receptive to biometrics compared to the US, with 32% to 27%, respectively, noting they’d prefer it overall
  • In the US, age is a significant factor as Baby Boomers (55+) are more receptive to passwords (46%) and biometric identifiers (31%) than younger respondents (aged 18-24), with 39% preferring passwords and 26% preferring biometric identifiers. Younger respondents (those 18 to 24) were more receptive to behavioural identifiers (12%) compared to those aged 55+ (4%)

“The study suggests we’re at a tipping point where our reliance on simple passwords is on a steady downward turn,” said Callsign CEO Zia Hayat. “Although two-factor and multi-factor authentication, along with biometrics, are an improvement, they are still flawed. Ultimately, we understand the privacy of users is paramount. Companies need to offer choice and control when it comes to the data that is collected and the identification methods used – another reason multi-factor identification is so limited.”

“However, there is a new realm of behavioural identification that is truly revolutionising and streamlining identification and improving customer experiences, all whilst minimising fraud. Here at Callsign, we’re creating a much more positive experience with greater protection and better privacy for the consumer or worker.”

Callsign commissioned YouGov Plc to conduct the survey. Total sample size was 2,131 adults in the UK and 1,160 adults in the US. Fieldwork was undertaken in August 2018.