Building stronger defenses with smarter password management

By Ramprakash Ramamoorthy
THE PHILIPPINE government is taking action to strengthen its cybersecurity measures, such as enforcing appropriate regulations on digitalization. In recent news, the Philippine Computer Emergency Response Team has urged big organizations to establish an incident response team that can act quickly to mitigate damage in the event of a successful data breach.
One of the most common cybersecurity threats is weak, unchanged passwords. Why do we choose bad passwords? Are we faithful to our old passwords, keeping the same ones for years and years? Are we partial to certain accounts and their passwords?
People tend to prioritize financial accounts over retail, social media, and entertainment accounts because a breach of a mobile payment, online banking, or trading account could result in severe financial damage. It is crucial, however, to protect our personal information, no matter the type of account.
Why do people find it difficult to remember passwords, though?
First, we don’t type passwords daily. This is especially true once we let a browser or phone save them for us. Saved passwords are only as safe as the device and the store holding them: a browser’s saved-password list on a device that is not locked and encrypted can be read by anyone who picks it up, and it is a routine target for credential-stealing malware, so saving passwords that way without those protections is not advisable.
Second, we have too many accounts and passwords. Now, it is nearly impossible not to have an account (and a corresponding password) for every service and app. There are accounts we access daily, while others we use weekly or every few months, and recalling all of these passwords off the top of our head is indeed a tall order unless we have an exceptional memory. Thus, many people use one common password for all their accounts, which makes things easy not just for them but unfortunately also for hackers.
Third, there are rules to follow when creating a password for an account. Many services still demand at least one special character and a length of at least eight characters. The guidance from the National Institute of Standards and Technology (NIST SP 800-63B) does set an eight-character minimum, but it actually advises against mandatory composition rules and forced periodic changes; instead it recommends screening new passwords against lists of breached and commonly used passwords and rejecting context-specific words such as the user name or service name. Sensible policies of this kind are designed to reduce cybersecurity risks and protect data and networks. They play an important role, even though they can sometimes be a pain in the neck.
Fourth, we know we can reset our passwords when needed, so we rarely bother to memorize them. If the option to reset passwords did not exist, however, there would be chaos for both users and organizations.
Fifth, we do not save them in the right place. The practice of listing our passwords in a spreadsheet and storing it on our desktop is most assuredly not the best way to store our passwords!
If people are not doing so already, they must now begin to take their privacy more seriously. Based on the guidelines provided by NIST, we need to make certain that all of our online passwords meet these criteria: lengthy, unique, devoid of personal meaning, and updated whenever a breach is suspected.
The preferred length is 12 or more characters because every added character multiplies the number of guesses an attacker must try by the size of the character set: over the 95 printable ASCII characters, a 12-character password has 95^6, roughly 735 billion, times as many possibilities as a six-character one. Meanwhile, unique passwords mean that if one is broken, other accounts are not compromised by the same credentials being tried elsewhere. As for not having personal meaning, this is so that social media profiles do not provide any clues as to what a person’s password might be. Following these criteria ensures the strength of our passwords, thus helping us secure our privacy and reduce the risk of a cyberattack.
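The checks described above (a length floor, screening against breached passwords, rejecting context words and repeated or sequential characters, and the search-space arithmetic) can be put together as an added example, which is not code from the article or from ManageEngine. The breached-password corpus is a small constructed list; the k-anonymity lookup is simulated locally rather than calling a real service such as Have I Been Pwned; the 12-character floor follows the article; and the problem codes, function names and sample passwords are illustrative choices.

```python
"""Added example: password screening in the spirit of NIST SP 800-63B.

Illustrative code, not from the article or from ManageEngine. The breached
corpus is constructed for the example; a real deployment would query a
breach service (for instance Have I Been Pwned's range API) the same way.
"""
import hashlib
import math
import re

# Constructed stand-in for a breached-password corpus, kept as SHA-1 hex
# digests, the form in which such lists are usually distributed.
_CONSTRUCTED_BREACHED = ["password", "123456", "qwerty123", "Welcome1!", "letmein"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _CONSTRUCTED_BREACHED}

# Ordered alphabets and keyboard rows used to spot sequential runs.
_SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
              "qwertyuiop", "asdfghjkl", "zxcvbnm")


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breached_by_prefix(password: str, corpus: set = BREACHED_SHA1) -> bool:
    """k-anonymity style lookup: only the first five hex characters of the
    hash would leave the client; the 'server' returns every suffix sharing that
    prefix and the comparison happens locally, so the full hash is never sent."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    returned_suffixes = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in returned_suffixes


def has_sequence(password: str, run: int = 4) -> bool:
    """True if any window of `run` characters is a forward or backward slice
    of an alphabet, the digit string, or a keyboard row."""
    low = password.lower()
    for i in range(len(low) - run + 1):
        window = low[i:i + run]
        if any(window in seq or window in seq[::-1] for seq in _SEQUENCES):
            return True
    return False


def search_space_bits(password: str) -> float:
    """Upper bound on guessing entropy, assuming uniform choice from the
    character classes actually used (26 lower, 26 upper, 10 digits, 33 other
    printable ASCII). It overstates the strength of dictionary words, which
    is exactly why the breach/dictionary screening below exists."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += 33
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def length_advantage(alphabet_size: int, longer: int, shorter: int) -> int:
    """How many times larger the brute-force search space of a `longer`-character
    password is than a `shorter` one over the same alphabet."""
    return alphabet_size ** (longer - shorter)


def check_password(password: str, username: str = "", service: str = "",
                   min_len: int = 12) -> list:
    """Return short problem codes; an empty list means the password passes.
    Mirrors SP 800-63B: a length floor, breach screening, and rejection of
    context words, repeated and sequential characters. There is deliberately
    no 'must contain a special character' rule and no expiry check."""
    problems = []
    if len(password) < min_len:
        problems.append("too_short")
    if breached_by_prefix(password):
        problems.append("breached")
    low = password.lower()
    if any(ctx and len(ctx) >= 3 and ctx.lower() in low for ctx in (username, service)):
        problems.append("context")
    if re.search(r"(.)\1{3,}", password):
        problems.append("repeated")
    if has_sequence(password):
        problems.append("sequential")
    return problems


def demo() -> dict:
    """Constructed inputs that make each rule fire; a real check would use
    the caller's own username and service name rather than these literals."""
    samples = {
        "password": ("alice", "bank"),
        "alicebank2024!!": ("alice", "bank"),
        "abcd1234wxyz": ("alice", "bank"),
        "glass otter pumpkin river": ("alice", "bank"),
    }
    return {pw: check_password(pw, u, s) for pw, (u, s) in samples.items()}


if __name__ == "__main__":
    for pw, problems in demo().items():
        print(f"{pw!r:30} bits={search_space_bits(pw):5.1f} problems={problems or 'none'}")
    print("12 vs 6 chars over 95 printable ASCII:", length_advantage(95, 12, 6))
```

The passphrase in the last sample passes every check while a short dictionary word fails two of them; that is the practical point of the criteria: length and freedom from known or guessable words matter more than forcing a symbol into an eight-character password.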
At the organization level, an enterprise-grade password manager is a worthwhile investment. It lets businesses and public bodies control who can use administrative and other privileged credentials, and record when they are used. It is vital to the Philippines’ cyber resilience that individuals not only make efforts to protect their passwords effectively but also that organizations lead the way in cybersecurity.
Ramprakash Ramamoorthy is the director of AI research, ManageEngine.