Since 2013, the first Thursday in May – this year falling on 5 May – has been marked as World Password Day, which aims to promote better cybersecurity hygiene by upgrading easy-to-guess passwords or refreshing older passwords that may have been compromised.

By Doros Hadjizenonos, regional director: southern Africa at Fortinet

Insecure or inadequate passwords are an easy target for cyber criminals, and exploiting them is an easier route to critical information than trying to break in through edge security protocols. Attackers can uncover or bypass weak passwords using brute force attacks, inject compromised credentials to gain access to user accounts using credential stuffing attacks, or use a host of other strategies to hijack user accounts and steal personal or corporate data.

Password flaws

Being diligent about creating strong passwords and updating them regularly has been seen for years as the first line of defense in securing both your personal and corporate information. Unfortunately, most people are not diligent about creating strong passwords and keeping them safe.

Tom’s Guide cites various rankings to round up the world’s worst passwords of 2022. These include: 123456; 123456789; qwerty; qwerty123; and password. According to the UK’s National Cyber Security Centre, the password ‘123456’ has been found over 23 million times in the breaches tracked by web security consultant and researcher Troy Hunt of Have I Been Pwned.

Improving your passwords

Security experts recommend not using passwords related to your name, family member names or pet names; not using consecutive numbers or letters as a password; and creating passwords at least 10 – 15 characters long that randomly mix letters, numbers and symbols.

Common best practice advice includes: don’t reuse passwords across multiple sites and accounts, and change them regularly. Don’t choose passwords that could be easy to guess – such as your favorite food, sports team, activity or music. Don’t assume simple obfuscation techniques will work: “P@$$w0rd” is only slightly more difficult for hackers to guess than “Password”.
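The advice above on common passwords, consecutive characters, personal names and simple obfuscation can be enforced when a password is set. The following Python check is an added example, not part of the original article or any Fortinet product; the substitution map, the run length of 4 and all function names are assumptions, and the blocklist holds only the five passwords the article names.

```python
# Worst passwords named in the article (lowercase).
BLOCKLIST = {"123456", "123456789", "qwerty", "qwerty123", "password"}

# Assumed map of common look-alike substitutions; extend it for your users.
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "3": "e", "1": "l", "!": "i", "7": "t"})

MIN_LENGTH = 10  # lower bound of the article's 10-15 character advice


def normalize(text):
    """Lowercase and undo look-alike substitutions, so P@$$w0rd -> password."""
    return text.lower().translate(LEET)


# Normalize the blocklist too, so both sides collapse to the same form.
NORMALIZED_BLOCKLIST = {normalize(p) for p in BLOCKLIST}


def has_sequence(password, run=4):
    """True if `run` or more adjacent characters ascend or descend by one."""
    codes = [ord(c) for c in password.lower()]
    for step in (1, -1):
        count = 1
        for prev, cur in zip(codes, codes[1:]):
            count = count + 1 if cur - prev == step else 1
            if count >= run:
                return True
    return False


def audit(password, personal_terms=()):
    """Return the reasons a candidate password should be rejected."""
    reasons = []
    norm = normalize(password)
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if norm in NORMALIZED_BLOCKLIST:
        reasons.append("known common password")
    if has_sequence(password):
        reasons.append("consecutive sequence")
    # personal_terms: names of the user, family members or pets.
    if any(t and normalize(t) in norm for t in personal_terms):
        reasons.append("contains personal term")
    return reasons
```

An empty list means the candidate passed these checks only; a production deployment would pair them with a much larger breached-password list.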

But while generating a hard-to-guess password is a relatively easy matter, remembering multiple obscure letter, number and symbol configurations is more challenging. The Cyclonis Password Security Report found that half of the respondents forget their passwords four or more times a year. 27.95% of people forget their passwords 10 or more times a year, and 6.96% forget their passwords 16 times or more each year and have to reset them each time.

Saving all your passwords in a digital document or writing them down on a piece of paper is not the best way to remember them, since these documents are also at risk of being seen or stolen. That could give people access to your accounts and information, and could also allow them to impersonate you in email and social media-based phishing attacks targeting your contacts.

Moving to better security

As it becomes harder to generate and remember strong passwords, password managers have emerged as a good way to better secure your accounts. Choose a reputable one which is encrypted and in the cloud. While some password managers are free, I recommend using a paid service to be sure of support if necessary, and I suggest looking for one with thousands of good reviews. Good password managers will generate strong random passwords up to 24 characters long, and remember them for each site and application. Users then need to remember only one password – the one to their password manager vault.

Tokens and multi-factor authentication are also excellent systems for securing access to accounts and applications. Adopting a Zero Trust approach is a better way to overcome password weaknesses. In contrast with the old ‘castle and moat’ security model, where a password serves as a key to everything in the castle, Zero Trust prevents attackers from wreaking havoc once they are inside the castle. In Zero Trust, no one is trusted, and both users and devices are carefully authenticated before being allowed access to only the systems and applications they are permitted to use.