World Password Day: Password Security Tips From a Cybersecurity Expert
by Rackspace Technology Staff
Would you rather have your password hacked in three seconds or 3,000 years? According to a recent Hive Systems study, the difference relies on several factors. The 3,000-year hackability factor includes a 12-character password with a mix of numbers, uppercase and lowercase letters, and symbols.
Although passwords may seem old-fashioned in an age with more modern forms of authentication, like biometrics, passwords are still the leading way to secure access to applications, networks and devices.
“Even though they are a comically archaic way to authenticate, passwords are here to stay given their simplicity and easy implementation,” said Nicolas Christin, co-leader of a Carnegie Mellon password research team. For example, “When your facial recognition app fails, what do you fall back on? A PIN, which is a form of a password.”
World Password Day, held on the first Thursday of May, is a day for organizations and individuals to remember that we should all be practicing better password hygiene. Companies need stronger passwords to help keep their networks, applications and files out of the hands of malicious hackers.
Likewise, individuals need stronger passwords to ensure their private information is secure while using internet-based banking services, e-commerce sites and social media.
What’s more, password attacks are on the rise, according to research by Specops Software. Its 2022 Weak Password Report reported these insights:
- 54% of organizations do not have a tool to manage passwords.
- 48% of organizations do not have a user verification process for calls to an IT service desk.
- 41% of passwords used in attacks are 12 characters or longer but are not strong enough.
Our Cognitive Limitations
While creating stronger passwords is the goal, it’s easier said than done considering the number of passwords each person has to remember — a figure that has expanded exponentially since the advent of the internet. A study conducted by Microsoft in 2007 found that typical users had 6.5 passwords used for about 25 accounts. Flash forward to 2022, where each user has an average of 70 to 80 passwords to remember.
Our inability to remember so many passwords adds to the password management challenge. Another study found that we are not suﬃciently equipped on a cognitive level to deal with 25 diﬀerent passwords, let alone over 70. The study found that a typical internet user can cope with at most four or ﬁve passwords eﬀectively. This cognitive capacity constraint is the leading reason most people reuse passwords across diﬀerent sites, with little or no modiﬁcation.
“Reusing passwords on more than one site is a leading cause of hacking,” says John Moran, Security Solutions Architect at Rackspace Technology®. So, in honor of World Password Day, Moran shared password best practices to keep ourselves safer at work and home.
Aim for complexity. The Hive Systems study found that the more complex the password, the harder it is for hackers to crack. Yet, most passwords aren’t complicated enough.
“To combat hackers’ tactics, such as brute force attacks, passwords must be complex,” said Moran. “This means long, with at least nine to 12 characters or more. And they need to be a mix of capitalized and non-capitalized letters, numbers and symbols.
Think “passphrase” instead of a password. Moran recommends creating passphrases instead of passwords to ratchet up the complexity factor but make passwords easy to remember. For example, choose a phrase such as “I love to cook at home on Fridays” and turn it into a passphrase. In this case, IL2c@h0F, for example.
Don’t duplicate passwords. Too often, users create one password and use it in multiple places, primarily because it’s easier to remember one than many. But this is terrible password hygiene. Instead, it’s important to use a unique password per location.
“This habit will provide damage control by containing any damage a hacker can do if they happen to gain access to one location,” explained Moran. “They won’t be able to simply use the same password to break into other locations. So, the damage they can do is much more limited.”
Update passwords on a schedule. Some companies require their employees to update passwords regularly, such as every 90 or 120 days.
However, Moran said, “The risk here is that people will create easy passwords because they must remember a new password every few months. So put more emphasis on creating strong and complex passwords.”
Deploy multi-factor authentication. This is like a backup support system for password protection. When users must pass a second step, such as supplying a code, to gain access to a network, application or file, they will be much harder to hack.
“When you add the two layers of protection together, it makes it harder for an adversary to break through,” noted Moran.
Strengthen your password storage. Storing passwords is a crucial factor in password security. The ideal approach is to have a password database with its own super-strong password — “one key to unlock them all.”
Disable old accounts. Too often, companies fail to remove accounts of employees who’ve left their jobs. But this too often provides a relatively easy way for hackers to exploit a system.
“Some companies leave decommissioned accounts active for years,” noted Moran. “However, disabling the accounts of employees who leave their jobs should be a permanent part of proper password management.”
Employ least privilege rules. This involves giving workers the minimum degree of access necessary to do their jobs. “This practice helps limit the damage if there is a breach, including an internal breach,” noted Moran.
Passwords are more critical than ever today — including the fact that many organizations are now working in remote and hybrid operations. Strengthening password protection will help lock down networks and applications and ensure that only the people who should have access have access.
We all need a reminder, like #WorldPasswordDay, to inspire us to level up our password habits — and maintain a more substantial barrier between our critical information and today’s increasingly savvy hackers.
Rackspace Technology’s Elastic Engineering for Security helps businesses worldwide better defend against a world of increasing threats. Find out how we can help your organization fill your security gaps by deploying the perfect defense against the perfect cybersecurity storm.
Listen to our CloudTalk Live podcast about Combating Security Threats With a Multi-Layered Defense.
Take our cybersecurity risk self-assessment so we can help you assess, implement, engineer and manage your security and compliance challenges.
Rackspace University Enables Execution through Education
January 23rd, 2024
Our Journey through AWS re:Invent 2023 Highlights — Recap and Wrap-up
December 7th, 2023