Passwords aren't going away any time soon

By Sibahle Malinga, ITWeb senior news journalist.
Johannesburg, 05 May 2022

As the world observes World Password Day today, cyber security experts warn that most South African citizens and firms still don’t take password management as seriously as they should, despite the rising number of security breaches.

Observed annually on the first Thursday of May, World Password Day aims to promote better password habits. As the world becomes increasingly digital, secure passwords are critical for our data-driven online lives and serve as the gatekeepers to our digital identities, according to security experts.

While various, more convenient passwordless authentication methods are increasingly replacing passwords, experts say passwords aren't going away any time soon – especially when used as a first line of defence against unauthorised access to a device and personal information.

History has proven that even large enterprises have fallen prey to hackers through lack of basic password hygiene.

As cyber attacks increasingly bombard local organisations, World Password Day serves as a reminder for organisations and digital citizens to take passwords seriously.

“Controlling who has access to restricted data, systems or areas is one of the most fundamental elements of security. Weak passwords, password re-use and lack of multifactor authentication are still some of the most serious concerns for cyber security,” says cyber security expert and GoldPhish CEO Dan Thornton.

This year, World Password Day comes as a number of South African organisations have recently fallen victim to damaging cyber attacks, including credit bureau TransUnion, big-four bank Standard Bank and SA’s port and railway company Transnet.

According to proprietary password manager NordPass, the top five most common passwords used in 2021 were: 123456, 123456789, 12345, qwerty and password – with all of them taking less than one second to crack.

The TransUnion hackers previously told ITWeb that it was effortless to break into the credit bureau’s IT systems because it had used the word “password” as its password.

“Companies are unaware of the daily threat they face via malware and ransomware, with cyber criminals becoming smarter in their approach,” says David Lees, co-founder of IronTree, a managed service provider.

“Most need intelligent password management, with frequent editing, but that's the basic.

“Businesses have a legal obligation to protect consumer data under the new Protection of Personal Information Act (POPIA), so they should take their cyber security, backup, disaster recovery for emergencies, private hosting and POPIA compliance seriously.”

Meanwhile, Kaspersky warns of an online scam that never gets old: password reset notification.

Most online services have a built-in security system that alerts an employee when it detects “unusual” activity on their account. For example, this service sends notifications about attempts to reset the phone number and e-mail address linked to the account, or the password.

However, cyber criminals always try to imitate this mechanism to attack corporate users, says Kaspersky.

“As cyber attacks rely on the human factor more often, and as the cyber security technologies progress, such tricks are becoming more and more common, and were registered in multiple mail-outs around the world,” says Maria Garnaeva, cyber security expert at Kaspersky.

“Spam and phishing attacks are probably the most under-appreciated type of cyber threats. Even the most responsible employees can be tricked into clicking on them; everyone tends to lose their focus in the hustle of a working day.”