What’s happening
Today is World Password Day. The event was created by Intel in 2013 to encourage people to better secure their online accounts.
Why it matters
Weak passwords put personal information at risk. Even worse, people use the same bad passwords for multiple accounts, which means if one get compromised others could also fall.
What’s next
Check out CNET’s tips for how to create better passwords and lock down your logins.
If you think your passwords are uncrackable, think again.
Despite years of warnings, experts say most people are still using weak passwords to protect even their most sensitive information. Many people are reusing those insecure passwords to protect multiple accounts, putting more of their data at risk should any of the accounts be compromised.
“It’s the total account takeover scenario,” said John Buzzard, lead fraud and security analyst at Javelin Strategy & Research, referring to a cybercriminal cracking one password and then using it to access other accounts. “Consumers lose control over their entire digital lives.”
World Password Day, which takes place on Thursday, is a good time to review your digital security. Sure, it’s a totally made-up celebration that Intel created in 2013. But it’s still a good reminder to take a close look at your logins and make sure they check the required security boxes.
Passwords have been widely used for as long as computers have been on desktops, and they’ve been a source of aggravation for just as long. Efforts to replace them with other kinds of authentication technology have been in the works for years. While they’ve come a long way, they’ve so far been unable to completely eliminate the need for passwords.
But companies keep trying. On Thursday, Apple, Google and Microsoft announced plans to boost their support for the passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. That standard allows users to sign in with a biometric indicator, like a facial scan or fingerprint, or a device PIN.
Read More:
- Best Password Manager to Use for 2022
- What Makes a Good Password? 9 Rules to Protect You From Cyberattacks
- Strong Passwords Aren’t as Easy as Adding 123. Here’s What Experts Say Really Helps
Those methods of authentication promise to be significantly more secure than passwords, which are often laughably easy to guess.
The top 10 passwords used in attacks against small and medium businesses last year included some as simple as “123,” “password123” and “a123456,” according to Specops Software’s 2022 Weak Password Report. Pop culture references also showed up frequently. For example, the Cincinnati Reds were the most-mentioned baseball team within the pool of hundreds of thousands of compromised passwords the researchers analyzed.
Setting long, complicated and unique passwords for all of your accounts may seem daunting, acknowledges Lotem Finkelsteen, head of threat intelligence and research at Check Point Software Technologies. But he says it’s a must.
“The best password is the one you forget,” Finkelsteen says, noting there’s always a recovery process you can go through to reset your logins.
Password managers can help by remembering long strings of characters for you, while keeping them safe. Here are some tips from Check Point and others for creating good ones.
Tips for good passwords
Longer is better. At least 16 characters is best. At that point, you don’t have to worry so much about password-cracking software. Random sequences of characters are best, but passphrases, such as a combination of three unrelated words, will be OK in most circumstances. Throwing in a special character, such as symbols or punctuation marks, in the middle won’t hurt.
Remember: If you use a passphrase, make sure the words only have meaning to you and don’t signify anything important. “Red Sox Rule” might be a great way to show your loyalty to the team, but it isn’t a terribly secure passphrase. Don’t use your birthday or another significant personal date because cybercriminals can find them easily. Song titles and famous quotations are also bad ideas. Avoid cliche substitutions, such as using @ for “at” or “a,” and $ for the “s.”
Resist the temptation to recycle. Even the best passwords can be stolen and compromised. So limit the fallout by making sure you set unique passwords for all of your accounts. Sure, that could be a lot to handle since we’re recommending 16-character or longer pass phrases.
If you need help, sign up for a password manager. Both free and paid options are available. Many internet browsers can also help you out with this task, though they don’t always work across your various devices.
Change can be good. Experts are split on whether you need to change your passwords on a regular basis. They all agree, however, that you should change them right away at any hint of compromise.
Keep your details off social media. The more personal details you post, the more cybercriminals know about you. Those little, seemingly unimportant, bits of data could be used to crack your passwords.
While you’re at it, stay away from quizzes you see posted on Facebook that ask a series of seemingly harmless questions in order to tell you what city you should live in or what your ideal vacation spot would be. Sure, they’re fun, but they might be collecting personal information that could be used to crack your passwords down the road.
Always, always use 2FA. If your password does get compromised, a second layer of protection will go a long way toward protecting you. Two-factor authentication, also called multifactor authentication, is being used by a growing number of sites and requires someone trying to access your account to also enter a second form of ID.
It could be a code generated by an app, a biometric like a fingerprint or facial scan, or a physical security key that you insert into your device. Yes, that will slow you down as you access the account. But it’s worth it to keep your account safe. If 2FA is available, use it.
One word of warning: If you can, avoid 2FA systems that text a code to your smartphone. SIM swapping, a scam in which a cybercriminal takes over your phone number, is on the rise. If a criminal takes over your phone number, they’ll get your 2FA text message, too.