We’ve heard it all before. Don’t reuse passwords. Don’t use easy-to-guess passwords. Don’t give away your passwords. Sound familiar? These tips are crucial to protecting user data and information, but it still seems like app and website users are not “getting it.”
In honor of World Password Day, we thought it was time to revisit the idea of making passwords a priority. Consumers are way more connected than ever before, which means our information is out there in email, applications, television streaming services, websites, and more. This also means there are tons of passwords to keep track of, which can be difficult for the average consumer. How do we even get started?
McAfee, an antivirus and Internet security company, conducted a survey among 3,000 people globally to find out just what consumers are doing to organize their passwords. A total of 37% of respondents say they keep track the old-fashioned way, with pen and paper, and then they place it somewhere they deem safe.
Thirty-four percent of respondents in the U.S. admitted to reusing passwords across multiple accounts; using a password manager came in as the third most common storage method, with 20% claiming they do in fact use management software for their passwords.
In the end, easy access is still more important than protection, according to the company’s findings. Users want to access their information quickly, whether that’s logging into Gmail or hopping onto Twitter, and as a result, their last concern is security. McAfee confirmed this when less than half of their respondents (46%) claimed their main concern is their security strength. The rest said that they just want to remember their passwords, and some even said they were fine with sharing their passwords to certain services (nod your head in agreement if you’ve shared your Netflix or Hulu password in the last year).
It’s clear that password security needs to become a top priority for consumers (myself included). That’s where our security experts can help. They’ve shared some World Password Day tips with us so you can be sure your private information doesn’t get into the wrong hands:
- Use a password manager as your ally: Avast advises keeping cyber criminals at bay by using a password manager. Password managers can store and remember passwords for multiple accounts, and some of them are free to use. Avast also studied how people feel about their online security and found that nearly 62% of individuals surveyed took action after a public data breach by changing their password on the affected site. A password manager can simplify this process, Avast said, by updating passwords across multiple sites.
- Avoid dictionary terms: Avoid common passwords like 123456, password, qwerty, 123321, and other easy-to-guess passwords. Darren Guccione, CEO and cofounder of Keeper Security, said dictionary cracks guess passwords using lists of common passwords, and then it moves on to the whole dictionary. This is typically much faster than a brute force attack because there are far fewer options, he said.
- Utilize multi-factor authentication (MFA): According to Gary Davis, chief consumer security evangelist at McAfee, having multiple factors to authenticate your accounts has many benefits. This includes using your fingerprint, face, or a trusted device as an additional factor. The more factors you combine, the safer your accounts will be, said Davis.
Saying ‘no’ to passwords on Password Day
One organization has an interesting take on passwords. The thought is, how about no passwords? PreVeil, a new application for end-to-end encrypted email, file sharing and storage, does not use passwords and instead opts for private keys. According to president and CEO of PreVeil Randy Battat, there are a number of reasons why passwords are making systems less secure, not more so.
Users who create their own passwords tend to pick ones that make sense to them, said Battat, but hackers can still crack them easily. Another issue is that more and more apps or websites require passwords, and many of them require frequent updates. There's irony in this, said Battat, because the more we are forced to create these passwords, the easier it becomes to crack them.
“Systems store user passwords on a central server. The result is that a successful attack on this server can compromise information for all of the users whose passwords are stored there,” said Battat. “And because most users’ passwords (and other personal questions) are based on variations of a common theme, an attacker who cracks one site will have a good chance of figuring out how to crack other sites.”
All of this information — birthdays, phone numbers, security questions, email addresses — can be used by attackers to crack user accounts on other websites.
“Password proliferation is not only making life frustrating for users, it’s actually weakening security,” said Battat.
Because of all these password problems, PreVeil's objective is to make security easy to use, which is why there are no passwords in PreVeil's system. Instead, it uses cryptographic keys that are automatically created on a user's computer or phone. Note: This private key isn't something like "password123;" it's a very long number (about 77 digits) that's impossible to guess, said Battat.
“Passwords are authenticated by comparing what the user provides with a copy stored on the server,” said Battat. “Private keys authenticate on the device – the phone or computer uses the private key to decrypt the user’s information. The server never sees the private key, so an adversary cannot attack a server to steal private keys.”
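To make the contrast Battat draws concrete, here is an added example (written for this article, not PreVeil's own code; the page does not describe PreVeil's actual protocol) of device-side key authentication: the server stores only a public key and a single-use random challenge, the device signs the challenge with a locally generated 256-bit Ed25519 private key, and a copy of the server's database gives an attacker nothing that can log in. The user and type names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"math/big"
)

// Device holds the private key, generated locally; it never leaves the device.
type Device struct{ priv ed25519.PrivateKey }

// Server stores only public keys, so a breach of its database yields nothing that can log in.
type Server struct {
	pubs    map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding single-use login challenges, per user
}
func NewServer() *Server {
	return &Server{pubs: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// NewDevice generates a 256-bit key pair on the device; only the public half is handed out.
func NewDevice() (*Device, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{priv: priv}, pub, err // on error the Device is unusable; callers must check err
}

// Enroll records the user's public key; the private key is never transmitted.
func (s *Server) Enroll(user string, pub ed25519.PublicKey) { s.pubs[user] = pub }

// Challenge issues a fresh random nonce that the device must sign for this login.
func (s *Server) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[user] = nonce
	return nonce, nil
}

// Respond signs the challenge with the device-resident private key.
func (d *Device) Respond(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// Verify checks the signature against the stored public key and consumes the challenge,
// so a captured response cannot be replayed for a later login.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, pendingOK := s.pending[user]
	pub, userOK := s.pubs[user]
	delete(s.pending, user)
	return pendingOK && userOK && ed25519.Verify(pub, nonce, sig)
}

// SeedDigits returns how many decimal digits the device's 256-bit secret has (about 77).
func (d *Device) SeedDigits() int { return len(new(big.Int).SetBytes(d.priv.Seed()).String()) }
```

Compare this with the password path the quote describes: there the server holds a verifier for every user, so whoever takes the server database takes material that can be guessed against offline; here the stored public key verifies responses but cannot produce one.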
But, since it is World Password Day, Battat did leave a few tips with SD Times for users who must use passwords. He suggests making passwords that are complicated, long, hard to guess, and frequently changed. How can a user even begin to remember such long passwords?
“Think of a sentence that is memorable and then use the first letter of each word, and a number if possible, to create the password,” said Battat. “For example, the sentence ‘I hate eating brussels sprouts on cold rainy Saturday afternoons’ could be turned into the following password: Ih8ebsocrSa. That would be a hard one to guess!”