All signs point to the average password being hopelessly insecure. Let’s drop the poor passwords and protect our data and organisations in other ways, writes Anna Collard, senior vice-president: content strategy and evangelist at KnowBe4 Africa.

Today (2 May) is World Password Day, a day that was created by IT security researcher Mark Burnett back in 2005 as a reminder to encourage people to change their passwords at least once a year. Today it has become a bit commercialised, but the original idea of focusing on your password hygiene is still very good.

There are, despite annual password days, still serious problems with the average password. We know that most cyberattacks are the result of several contributing factors, and that weak passwords combined with social engineering rank among the most common of them.

Yet we still see people using the same poor passwords both at home and at work, and sharing their passwords with others or storing them in places that are easily accessible. This means that if their social media account is compromised, there is a high probability that some of their work accounts are also open to compromise.

Because many people reuse the same passwords across multiple sites, a popular attack called “credential stuffing” has emerged, in which passwords leaked from one breached site are tried against accounts on other sites.

The average password doesn’t hold up any more, especially in 2024. As humans, we struggle to create strong passwords. Although we’ve developed techniques to remember more complex passwords, relying solely on these methods is no longer sufficient, especially if the initial passwords are weak to begin with.

What can we do about it? Fortunately, there are stronger authentication methods available to protect our accounts. These include multi-factor authentication (MFA) and biometrics, which combine something we have, something we are, and something we know, such as a password.

By using multiple factors, it becomes much harder for attackers to phish, guess or predict our credentials, making our accounts more secure. There are different versions of MFA, and not all are the same in terms of quality. Look for phishing-resistant ones if you have a choice.

Practical advice

One of the most repeated pieces of advice is to create longer passwords. We agree: you should drop the password and replace it with a passphrase. This is hardly new thinking. Many people take the “word” in “password” too literally and think of a single word or combination that is either too simple, and thus easy to break, or so complicated that it is difficult to remember. How many of us haven’t had a password built from our date of birth?

Top tip: Opt for a sentence or a song that you can easily remember as your password. Keep in mind that the longer it is, the stronger it will be.
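To put a number on “the longer it is, the stronger it will be”, the following added example (not from the original article) compares the guess space of a typical short “complex” password with that of a six-word passphrase. The sample credentials, the 7,776-word list size and the guess rate of ten billion per second are constructed assumptions for the illustration.

```python
import math

# Constructed sample credentials for the comparison (not real passwords).
SHORT_COMPLEX = "Summer24!"                      # 9 chars: upper, lower, digits, symbol
PASSPHRASE = "my old blue bicycle rides fast"    # 6 common words

# Assumed attacker model: knows the construction rule and tries every
# possibility at 1e10 guesses per second (an offline cracking rig).
GUESSES_PER_SECOND = 1e10
WORDLIST_SIZE = 7776   # assumed size of a Diceware-style word list


def charset_size(pw: str) -> int:
    """Size of the character pool an attacker must cover, character by character."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() and not c.isspace() for c in pw):
        size += 33   # printable ASCII punctuation
    return size


def password_bits(pw: str) -> float:
    """Entropy in bits when each character is drawn independently from the pool."""
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(word_count: int, wordlist: int = WORDLIST_SIZE) -> float:
    """Entropy in bits when each word is drawn independently from the word list.
    This is the honest model: the attacker knows the phrase is built from words."""
    return word_count * math.log2(wordlist)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try the whole guess space at the given rate."""
    return 2 ** bits / rate / (3600 * 24 * 365)


def compare() -> dict:
    """Return bits and exhaustive-search time for both sample credentials."""
    pw_bits = password_bits(SHORT_COMPLEX)
    pp_bits = passphrase_bits(len(PASSPHRASE.split()))
    return {"password_bits": pw_bits, "password_years": years_to_exhaust(pw_bits),
            "passphrase_bits": pp_bits, "passphrase_years": years_to_exhaust(pp_bits)}


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>17}: {value:,.1f}")
```

Even when the attacker knows the passphrase is six dictionary words, its guess space is thousands of times larger than that of the nine-character mixed password.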

One of the most important pieces of advice is to avoid using the same password across different platforms, especially at home and work. As an employee, you become a prime target for cybercriminals who want to breach your organisation’s cybersecurity defences.

Using the same password for Office 365 and your personal accounts undermines the efforts of your IT department to safeguard the organisation. It is about cultivating good habits and a healthy security culture in the workplace and at home to protect both your colleagues and your family.

Use a password manager

Because it is humanly impossible to remember hundreds of long, complex passwords, a password manager is the best solution for most people. With a password manager, you can generate unique, lengthy, and intricate passwords for each login you have. The only thing you need to remember is a strong master password or passphrase, along with MFA, to access your password manager.

If you have concerns about the security of password managers, you can add an extra layer of protection to your critical passwords by “salting” them: typing a short extra secret that only you know after the password manager has populated the field.

Added benefits: Password managers often provide a secure vault feature, enabling you to securely share confidential information with trusted individuals. However, remember the golden rule: never share your passwords with anyone who requests them, whether it’s through email, text messages, or phone calls.

This World Password Day I encourage you to drop the bad passwords and protect yourself and your organisation with passphrases, MFA and password managers instead.