Change your password day needs a counterpart
February 1 is change your password day; while not official, many tech sites advertise the day to their readers. Users are asked to change passwords on that day to improve security.
While there are certainly times when changing passwords makes sense, e.g. after a breach of an online service, a successful virus attack, accidental sharing, or to increase the strength of a password, the blanket advice to change all passwords on that day never made a lot of sense.
I'd prefer the day to be renamed to "check your passwords day" instead. Users could test their passwords against the Have I Been Pwned database (locally), and change passwords that were leaked to the Internet.
Users could also check the strength of passwords and change passwords that are considered weak by the strength checking algorithms, or start using a password manager if permitted in the environment.
Two-factor authentication and other advanced security options, if available, are also worth considering.
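A local check of the kind suggested above, as an added example that is not part of the original post: the downloadable Pwned Passwords list is ordered by uppercase SHA-1 hash with a prevalence count per line, and the online range API returns only the suffixes for a 5-character hash prefix, so the full hash never leaves the machine. The list contents and counts below are constructed sample data, not real HIBP exports.

```python
import hashlib
from typing import Dict

# Constructed sample in the format of the downloadable Pwned Passwords file:
# "<UPPERCASE SHA-1>:<prevalence count>", one entry per line.
# The hashes are SHA-1 of "password", "123456" and "password1"; counts are made up.
SAMPLE_PWNED_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
7C4A8D09CA3762AF61E59520943DC26494F8941B:23174662
E38AD214943DAAD1D64C102FAEBC6A21E1B4F8D8:123
"""

# Constructed sample of what the range API would return for prefix "5BAA6":
# "<35-char hash suffix>:<count>" lines, i.e. the full hash minus its first 5 chars.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:7
"""


def sha1_upper(password: str) -> str:
    """Return the uppercase hex SHA-1 of the password (the HIBP lookup key)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_pwned_counts(list_text: str) -> Dict[str, int]:
    """Parse an 'HASH:COUNT' list into a dict keyed by uppercase hash."""
    counts: Dict[str, int] = {}
    for line in list_text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        counts[digest.upper()] = int(count)
    return counts


def pwned_count_local(password: str, counts: Dict[str, int]) -> int:
    """Offline check: how often the password appears in the local list (0 = not found)."""
    return counts.get(sha1_upper(password), 0)


def pwned_count_from_range(password: str, range_text: str) -> int:
    """k-anonymity check: match the local hash suffix against a range response."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    # Only `prefix` would ever be sent over the network; matching stays local.
    for line in range_text.splitlines():
        line = line.strip()
        if line and line.partition(":")[0].upper() == suffix:
            return int(line.partition(":")[2])
    return 0
```

A password with a non-zero count belongs on the "change it" list; one that is absent is not proven safe, only not seen in that corpus.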
Check your server security day
I propose a counterpart to change your password day: check your server security day (loosely based on Jürgen Schmidt's article on Heise, my own On Password Security article from 2012, and "password security: what users know and what they do"). While it is certainly the case that brute force attacks or targeted attacks may steal user credentials, one of the biggest threats comes from company servers that get hacked.
Whether the hack is successful because of social engineering, improperly configured servers, unpatched security vulnerabilities, out of date libraries or components, or 0-day vulnerabilities is irrelevant from a user's perspective.
Billions of password sets are available freely on the Internet. These sets are just the tip of the iceberg: Have I Been Pwned alone lists 6.4 billion pwned accounts from 340 sites. They come from successful breaches and are either published right away on the Net, offered for sale, or used without ever being leaked publicly.
A company's reputation suffers if it is attacked successfully, but it appears that most go back to "business as usual" pretty quickly after breaches.
Companies should use the "check your server security day" to improve security. It is probably not enough to do this once a year, but the day could be used to run thorough tests and to improve security, e.g. by implementing new forms of security or improving existing ones.
Even if you, as a user of a service, select the strongest password imaginable, you may still find that it falls into the hands of criminals who dump password databases.
All I'm trying to say is that companies need to take responsibility. It is not enough to reset account passwords after a breach and be done with the whole situation; companies need to improve security proactively and check server security regularly to block certain attack vectors outright.
Now You: Should companies better secure their servers?