Every year on the first Thursday of May, we celebrate World Password Day – an important reminder to ensure that we are doing all we can to manage and take care of our online logins. Passwords are critical gatekeepers to our digital identities, and it is scary to think that cybercriminals could get their hands on our sensitive information through them.
Passwords ensure that the information we store online is protected, which is vital for our privacy and financial security. Not only that, but in an age where almost everything can be carried out online, they also give us convenient access to our banks, shops and workplaces, and even let us socialise online.
So, how did it start? Whose idea was it to have a day dedicated to passwords?
It was suggested by a security researcher who goes by the name of Mark Burnett. In his book Perfect Passwords, he encouraged people to have a "password day" on which they update their important passwords. Intel Security was inspired by the idea, took the initiative and declared the first World Password Day in May 2013, on the first Thursday of the month. Hence this became an important day to raise awareness of better password habits.
The Problem With Passwords
What makes World Password Day so important is that it reminds us how crucial passwords are in our digital lives. People know that they should create a unique, strong and complex password every time they open a new account, but many ignore this and continue to use passwords that are too simple – that is the first issue.
This makes it easier for cybercriminals to break into accounts and gain access to valuable applications or systems. To this day, ridiculously easy-to-guess passwords like '123456' are still as popular as ever. According to a NordPass survey, that password topped the ranking of the most common passwords in 2020. It is time to change this habit and start taking your passwords more seriously.
The second issue is that people tend to reuse the same passwords in many places. With so many logins to remember, this may seem convenient and makes our lives easier. However, it leaves us vulnerable, because cybercriminals can use the same password to gain access to multiple accounts, systems or applications – through popular techniques such as credential stuffing, for example.
According to a report from Yubico, both individuals and IT security practitioners have re-used passwords on an average of ten of their personal accounts. However, individual users (39%) are less likely to re-use passwords across workplace accounts than IT security practitioners (50%).
"Because we are pretty bad at using and remembering strong passwords, we often use weak ones or re-use them. In fact, 84% of remote workers admitted to re-using passwords in our survey. Added to this, passwords are still often the only verification method in use. Because of this, IT professionals consider passwords to be amongst the weakest links in their company's defences", said Jeffrey Kok, Vice President of Solution Engineer, Asia Pacific and Japan, CyberArk, when CSA reached out to him to comment on the issue.
The third issue is that there are too many passwords to remember, causing “password fatigue” among many users. With the number of accounts we create online, can we really remember a long, unique password for each of them? Very unlikely. We even struggle to remember the simple, most memorable passwords we use over and over again.
When It Comes to Passwords, Complexity Truly Matters
Jacqueline Jayne, Security Awareness Advocate, KnowBe4 APAC, agrees with this notion, saying that “The average person has anywhere between 70 and 100 passwords and it is simply not possible to remember them all. Especially when you consider that passwords need to be unique, complex, and depending on where you read it anywhere between 8 and 20 characters”.
She added that when it comes to password hygiene we still have a long way to go. Nevertheless, Jacqueline offered several tips that can help keep passwords secure, strong, and safe:
Keep your passwords private – never share a password with anyone else.
Never ever re-use a password (ever).
Invest in a Password Manager Tool (start here https://au.pcmag.com/password-managers/4524/the-best-password-managers).
Use Multi-Factor Authentication (MFA) when you can and where it makes sense.
Use passwords of at least eight (8) characters or more (longer is better).
Use a combination of uppercase letters, lower case letters, numbers, and special characters (for example: !, @, &, %, +) in all passwords.
On the web, if you think your password may have been compromised, change it at once and then check your other website accounts for misuse.
And if you’re looking to create a strong, complex password, she shared this method to develop a strong password that’s very hard to crack:
Think of a phrase or sentence with at least eight words. It should be something easy for you to remember but hard for someone who knows you to guess. It could be a line from a favourite poem, story, movie, song lyric, or quotation you like. Example: "I Want to Put a Dent in the Universe".
Remove all but the first letter of each word in your phrase: IWTPADITU.
Replace several of the upper-case letters with lowercase ones, at random: iWtpADitU.
Now substitute a number for at least one of the letters. (Here, we’ve changed the capital “I” to the numeral 1: iWtpAD1tU.)
Finally, use special characters ($, &, +, !, @) to replace a letter or two – preferably a letter that is repeated in the phrase. You can also add an extra character to the mix. (Here, we’ve replaced the “t” with “+” and added an exclamation point at the end: iW+pAD1tU!.)
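The tips and the phrase-based method above can be turned into a small self-audit. The following is an added example (not from the article or from KnowBe4): it checks a candidate password against the article's rules (at least 8 characters, all four character classes, not on a common-password list) and scans a password-manager export for passwords shared between accounts. The common-password list and the account entries are constructed sample data; only '123456' comes from the article.

```python
from __future__ import annotations
from collections import defaultdict

# Constructed sample list. The article names '123456' as the most common
# password in NordPass's 2020 ranking; a real audit would load a full list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "123456789", "12345678"}

# Special characters accepted for the "special character" rule (assumption:
# any printable ASCII punctuation counts, not only the five the article lists).
SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def check_password(pw: str) -> list[str]:
    """Return the article's rules that `pw` fails; an empty list means it passes."""
    failures = []
    if len(pw) < 8:
        failures.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in SPECIALS for c in pw):
        failures.append("no special character")
    if pw.lower() in COMMON_PASSWORDS:
        failures.append("appears in common-password list")
    return failures


def find_reused(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Given a {site: password} mapping (e.g. a local password-manager export),
    return each password used by more than one site with the sites sharing it.
    One leak of such a password exposes every listed site to credential stuffing."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for site, pw in accounts.items():
        by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed sample vault: two sites share one password.
    vault = {"bank": "iW+pAD1tU!", "shop": "Summer2020!", "mail": "Summer2020!"}
    for site, pw in vault.items():
        print(site, "->", check_password(pw) or "passes all rules")
    print("reused:", find_reused(vault))
```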
Time to Start Taking Action and Protect Your Passwords
According to Rick McElroy, Principal Cybersecurity Strategist, VMware Security Business Unit, using a password is as antiquated as using a standard key on your front door: it's locked, but someone can copy the key or pick the lock and still get in. For this reason, he says, it's important to prioritise Multi-Factor Authentication, in the form of behavioural and continual authentication, and to move away from a central store of identities, which can easily be hacked.
"Moving forward, we'll begin to witness hand and fingerprint biomarkers, two-factor authentication with a mobile device and facial recognition replace traditional password authentication processes. At some point in the future, DNA will probably be used to verify identity in the medical field. Long-term, I could see a future where a combination of measurements like a heartbeat and brain waves could be used, making it more difficult than ever for cybercriminals to break the digital lock", explained Rick.
In terms of mitigating password fatigue, Topher Tebow, Acronis Cybersecurity Analyst, recommends using a password manager tool. Password managers remain one of the most convenient ways to thwart attempts by attackers to access our accounts, especially when combined with unique, complex passwords.
“My password manager contains over 450 distinct passwords, which means if one password finds its way into a leak, it doesn’t help an attacker access any other accounts through a credential stuffing attack. Add Multi-Factor Authentication (MFA) into the mix and the likelihood of an attacker being able to access your accounts is negligible”, explained Topher.
Candid Wuest, VP of Cyber Protection Research, agrees with this approach and mentioned that passwords should not be easily guessable or so short that they could be brute-forced, but that, more importantly, your passwords should be unique for each service.
He said that “If you use the same password on multiple services, then one leak at one of these services is enough to break all of them, as attackers will use the leaked credentials and try them with a huge list of other services. These so-called credential stuffing attacks are unfortunately still very successful. In addition to this, password managers can prevent you from copying the credentials to phishing websites, as they detect that the website URL has changed. They can also offer Multi-Factor Authentication (MFA) integration, which increases the security of a static password combo once more. Even though there have been successful attacks against text message-based 2FA in the past, it still is better than no MFA at all”.
At the End of the Day…
When it comes to online safety, password hygiene has never been more relevant. According to Raj Samani, Chief Scientist and McAfee Fellow, McAfee, they’ve seen a massive surge in online activity over the past year alone, with the pandemic leaving many organisations reliant on conducting daily activities such as shopping and banking online.
“Passwords are of course a key part of our digital lives, enabling people to gain quick access to a variety of online platforms, accounts and devices. However, it can be easy to take them for granted and forget the basics of password hygiene during our busy lives, particularly now as we have so many accounts to keep on top of in order to get on with our day-to-day activities”.
“World Password Day is an excellent time to highlight the importance of password safety to consumers. But it is just as important to ensure password hygiene remains on top of your mind at all times and not just for one day”, explained Raj.
Now more than ever, we must stay vigilant, we must stay aware, and above all, we must protect our security and our digital identities. Together, let's take part in this important day and grab the opportunity to update our passwords to stay cyber secure before it's too late. Happy World Password Day!