Note: This blog is an overview of password history and best practices for individuals in honor of World Password Day. If you’d like to get started with implementing better security practices at your organization, get our Exposed Credentials Solutions Guide here.
Hooray! It’s World Password Day, meaning we have another chance to get passwords right and stop being terrible with them. For most people, passwords probably come to mind only during cybersecurity awareness month or when your employer forces you to make a new one; otherwise, chances are people aren’t thinking about them every day. In honor of today’s fresh start, we’ll walk you through some things to consider when creating security-aware passwords.
81% of breaches result from bad passwords (2020 Verizon DBIR)
What Is the State of Password Security?
The reality is that password security wouldn’t be such a hot topic for security teams everywhere if passwords weren’t such a weak point in corporate infrastructure and in everyone’s daily lives. Imagine a single layer of security protecting everything important; that is a big part of today’s reality. As we saw in our previous research on initial access brokers, passwords are very much a hot commodity on cybercriminal forums and dark web marketplaces, and there’s a market for every kind. Whether it’s for social media, email, or site administrator access, someone has the goods and there are plenty of paying customers.
There are lots of figures floating around on the internet, and they’re all pretty bad. A landmark 2019 Google study indicated that 66% of Americans reuse passwords across multiple sites. Less than 50% change their passwords after a breach, even if personal information was compromised, and nearly 25% of Americans have commonly used weak passwords such as “password123”, “qwerty”, or “123456”. The other danger here is that Verizon’s landmark annual research in 2020 noted that 81% of breaches result from bad passwords, and this is probably due in part to people reusing passwords an average of 14 times, or to similar bad practices.
This year, CyberNews published a study on leaked passwords that shows interesting trends in how people create passwords. Using a set of 15 BILLION (emphasis ours) leaked passwords, they identified roughly 2 billion unique passwords (meaning 13 BILLION passwords weren’t unique, emphasis again ours). The top passwords confirmed other findings, such as the common qwerty/password ones mentioned already; however, they also found common themes in the use of people’s names, sports teams, and cities. To do this article justice, and especially if you love big data, I recommend giving all the findings a look.
One last interesting point is that Google’s study also found pet names frequently made the list. Once you factor in criminals selling bits of personal information that can be correlated with anything publicly available on social media and the rest of the internet, knowing your cat’s name may give an attacker another way to guess your password. The key is to be careful and unpredictable when choosing your password and to avoid common pitfalls.
TL;DR: Short, simple passwords such as “password123”, “qwerty”, or “123456” can be broken in less than a second
How Has Password Cracking Evolved?
The days of seven- to ten-character passwords are long over, mostly because they can be broken in less than a second. Also, more sites today support complex passwords. Experts recommend making passwords complex through length and the types of characters used, as well as making them unique. Each additional character adds another step for a password-cracking tool, and special characters increase complexity, increasing the time and resources needed for an attack and making passwords a harder target.
With layered defenses in place, the longer an attacker spends brute-forcing, the greater the chance the attack is blocked. Also, some companies tell users when fraud is detected, usually when an account is accessed from somewhere new or after failed logins. Such a notice may be a sign that it’s time to change how you log in.
Multifactor authentication and password managers may save you.
What are 2021 Password Best Practices?
Let’s talk about the part that’s easily shared amongst your circle. We’ve assembled some best practices here for easy consumption:
1. Don’t reuse passwords. Your Gmail password shouldn’t be the same one you use for shopping, social media, or checking scores for your fantasy football team. If one of these sites is breached and your password leaks, all of these accounts are potentially compromised. Some companies may warn you that your password was exposed and ask you to change it, but not everyone does this. Password managers can help you here.
2. Use all the types of characters you can. This includes upper- and lowercase letters, symbols, spaces, and numbers, depending on what the site allows. The more characters the better (12 or more seems to be a good spot currently), though sites may restrict you on length.
3. Try not to use actual words, if possible. US-CERT recommends no dictionary words of any language; however, if you speak Aramaic or another rare or ancient language there’s a slight chance you are safe. Beware that some password-cracking programs out there try combinations with special characters and alphanumerics, so a program attempting “admin” may also guess “adm1n”, “adm!n”, and so on.
4. No default or easy-to-guess passwords. We wouldn’t be saying this if it weren’t still a problem. For example, someone sets up a WordPress site, puts it into production, and forgets to change the password from “password”. To be helpful to consumers, some hardware and software manufacturers publish default usernames and passwords online. Bad guys are still using these defaults and the top 20 bad passwords because they work, and it’s easy for them to maintain a collection of greatest hits while adding newly breached passwords every day.
5. Use a password manager. There are many options, including ones built into popular browsers such as Chrome or Firefox, as well as cloud and desktop applications. If you opt for a free version, check that it works on multiple devices, including mobile and desktop, or whether the free tier limits you by type or number of devices. Password managers can ensure unique logins for every site you visit.
6. Use multifactor authentication (MFA). The goal of MFA is to reduce the chance of an attacker using a breached password to gain access. Definitely consider it to protect important email accounts, social media, or anything containing your sensitive information. Best case, use it for everything you can. MFA can at least slow attackers down, or even stop them completely if they can’t access or guess your token. What’s cool? This option is literally in everyone’s hands because there are authentication apps for your phone. Some apps also offer telephonic, biometric, or SMS authentication. Security experts will argue about the danger of your phone or other computing device being SIM-jacked or otherwise physically compromised, but any of these is still a much better option than nothing at all.
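As an added illustration (example code, not from the original post or its author), this Python policy check applies two points made above from the defender’s side: the search-space argument in the cracking section (each extra character multiplies the attacker’s work by the alphabet size) and item 3’s warning that crackers try “adm1n”/“adm!n” variants of dictionary words. The denylist, the leet-substitution table and the 60-bit floor are constructed assumptions for the example.

```python
import math
import string

# Constructed denylist for the example: the post's own "greatest hits"
# plus two common defaults. A real check would load a breached-password
# corpus rather than a handful of literals.
COMMON_PASSWORDS = {"password", "password123", "qwerty", "123456", "admin", "letmein"}

# Substitutions that cracking tools apply to dictionary words
# ("admin" -> "adm1n", "adm!n"); we undo them so the policy check sees
# the underlying word. The mapping itself is an assumption for the example.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "!": "i", "3": "e", "4": "a",
                          "@": "a", "5": "s", "$": "s", "7": "t", "8": "b"})


def normalize(password: str) -> str:
    """Lowercase and undo leet substitutions: 'Adm!n' -> 'admin'."""
    return password.lower().translate(LEET_MAP)


def looks_common(password: str) -> bool:
    """True if the password, its leet-normalized form, or either with
    trailing digits stripped ('adm1n2021' -> 'admin') is on the denylist."""
    low = password.lower()
    stripped = low.rstrip(string.digits)
    candidates = {low, normalize(low), stripped, normalize(stripped)}
    return any(c in COMMON_PASSWORDS for c in candidates)


def keyspace_bits(password: str) -> float:
    """Upper bound on the brute-force search space in bits:
    length * log2(alphabet size), where the alphabet is the union of the
    character classes actually used. Each extra character multiplies the
    search space by the alphabet size, which is why length dominates."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password: str, min_length: int = 12, min_bits: int = 60) -> list:
    """Return policy findings; an empty list means the password passes.
    The 12-character floor follows the post; the 60-bit floor is an
    assumption chosen so that 12 lowercase letters alone (about 56 bits) fail."""
    findings = []
    if looks_common(password):
        findings.append("common password or a leet-speak/digit-padded variant")
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    if keyspace_bits(password) < min_bits:
        findings.append(f"search space below {min_bits} bits")
    return findings
```

Note that the bit estimate is an upper bound on attacker effort: a denylist hit (or any dictionary-derived password) is guessed long before the keyspace is exhausted, which is why the common-password check runs regardless of length.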
The Bottom Line for Password Protection
So, why bother? For starters, a good password is the easiest and cheapest way to keep control of your data. Some of the most preventable issues security teams face stem from all of us being our own worst enemies when it comes to password security, whether it’s a question of using good practices or even caring about them. Several newsworthy breaches stemmed from a bad password or a link in a chain of bad password practices. It’s hard to believe that one single factor secures so much, coupled with the fact that we’re not always great with it, but here we are.
Also, everyone has been there, even security experts. We have all used passwords we cringe about now. Personally, I’ve received notifications about a couple of dumb passwords I chose years ago in the early days of the internet. I never even considered that I’d get breached, because I didn’t think I was important enough, but this was before cybersecurity allowed me to peek behind the curtain. I’ve changed them since, of course, but we’ve all felt the pain.
The best piece of advice I’ve heard regarding passwords and personal data is to assume you’re already breached and to focus on what you can do now to mitigate the damage. The question should be how much gets breached, versus all of it being compromised. The easiest ways to do that are to not reuse passwords and to make them unique and difficult to guess. Password managers and MFA are great steps toward managing that. Looking to keep an eye on your attack surface, such as exposed credentials across the open, deep, and dark web? Get a clear view of your exposure with a 7-day free trial of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection).
Hopefully, someday we will move away from passwords to something better that puts information brokers out of business; but until then, we have to be better when it comes to passwords.