Since 2013, the first Thursday in May has been recognized as World Password Day, a day meant to promote good password habits and help keep our online lives secure. In a world where the average online user has more than 90 online accounts, keeping those accounts secure is more important than ever. In fact, there are 921 password attacks every second.
As technology and best practices have evolved in the years since the first World Password Day, the focus has changed. Online users are encouraged to level up their account security by enabling multi-factor authentication, passkeys, and more, and organizations are implementing password policies as part of their cybersecurity practices.
Password Best Practices
A survey conducted last year by Bitwarden, a password management solution provider, revealed some of the password habits of Americans and underscored the need for password best practices. The survey found that 85% of Americans reuse passwords on multiple websites and 49% rely on their memory for managing passwords, which suggests that those passwords are unlikely to be particularly strong.
Here are a few recommended best practices for strong passwords:
- Ensure a strong, unique password is set for all accounts
- Use a combination of upper- and lower-case letters, numbers and symbols
- Prefer an easy-to-remember passphrase over a short password. NIST SP 800-63B sets a minimum of eight characters for user-chosen passwords and says that systems should accept passphrases of at least 64 characters. A passphrase lets a user reach that length with something that is still memorable.
- Don't use information in passwords that can be found in your social media profiles, such as your date of birth or a spouse's or pet's name
- Ensure that two-factor authentication is set up, especially for accounts containing sensitive data
- Change a password immediately when there is any sign it has been exposed, such as a breach notification or a phishing attempt. Some policies still require rotation every three months for critical accounts and every six months for the rest, but NIST SP 800-63B now advises against forcing arbitrary periodic changes, because users respond with predictable variations, and recommends changing passwords when there is evidence of compromise instead.
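To make the length and passphrase advice above concrete, here is an added example (not part of the original article) that generates random passphrases with a cryptographically secure RNG and compares the entropy of different schemes. The 16-word list is a constructed stand-in so the code runs offline; a real generator would load a large public list such as the EFF long wordlist, whose size (7,776 words) is assumed below.

```python
import math
import secrets
import string

# Constructed toy wordlist so the example runs offline. A real generator should load a
# large, public list such as the EFF long wordlist (7,776 words); the size of the list,
# not the cleverness of the words, is what sets the entropy per word.
WORDLIST = [
    "acorn", "basil", "cobalt", "dune", "ember", "fjord", "gable", "harbor",
    "ivory", "juniper", "kettle", "lumen", "marble", "nectar", "orbit", "plume",
]

EFF_LONG_WORDLIST_SIZE = 7776   # 6^5 words, one per roll of five dice
PRINTABLE_ASCII = 95            # letters, digits and punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy in a secret of `length` items drawn uniformly from `pool_size` choices."""
    return length * math.log2(pool_size)


def words_for_target(target_bits: float, pool_size: int) -> int:
    """Smallest number of words from a `pool_size` list that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def passphrase(words: list, count: int = 6, sep: str = "-") -> str:
    """Uniformly random passphrase. `secrets` is a CSPRNG; never use `random` for this."""
    return sep.join(secrets.choice(words) for _ in range(count))


def random_password(length: int = 16) -> str:
    """Random password over the full printable ASCII set, for comparison with passphrases."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def meets_nist_minimum(secret: str) -> bool:
    """NIST SP 800-63B: a user-chosen memorized secret must be at least 8 characters.
    Verifiers should accept at least 64 characters, so long passphrases must not be rejected."""
    return len(secret) >= 8


if __name__ == "__main__":
    print("8 random printable chars :", round(entropy_bits(PRINTABLE_ASCII, 8), 1), "bits")
    print("6 words, toy list        :", round(entropy_bits(len(WORDLIST), 6), 1), "bits")
    print("6 words, EFF long list   :", round(entropy_bits(EFF_LONG_WORDLIST_SIZE, 6), 1), "bits")
    print("EFF words for 80 bits    :", words_for_target(80, EFF_LONG_WORDLIST_SIZE))
    p = passphrase(WORDLIST)
    print("sample passphrase        :", p, "| meets 8-char minimum:", meets_nist_minimum(p))
    print("sample random password   :", random_password())
```

The comparison is the point: six words from the small demo list give only 24 bits, six words from a 7,776-word list give about 77.5 bits, while eight fully random printable characters give about 52.6 bits and are far harder to remember.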
Don’t Write Your Passwords on Sticky Notes
This is especially true in an office environment, where a note on a monitor or under a keyboard can be read or photographed by anyone passing by.
Don’t Save Your Passwords to Your Browser
Browser credential stores are a routine target: infostealer malware and malicious browser extensions can read saved logins straight out of them. A dedicated password manager protected by a strong master password and multi-factor authentication is a safer place to keep credentials.
Don’t Iterate Your Password
Once one password leaks, attackers feed it to cracking and credential-stuffing tools whose mangling rules try exactly these variants, so an iterated password falls almost immediately. An example would be using PowerUser1 for one account and PowerUser2 for another.
Don’t Use the Same Password Across Multiple Accounts
If one site is breached, attackers replay the leaked username and password against other services (credential stuffing), so a single compromise becomes access to all of your accounts.
Don’t Capitalize the First Letter of Your Password
Many sites require at least one capital letter, and most people satisfy that by capitalizing the first character. Cracking tools try that position first, so it adds almost nothing to the password's strength.
Don’t Use “!”
Most sites require a symbol, and a “!” appended to the end is the most common way users satisfy that requirement, so cracking rules try it first. If you must use “!”, do not put it at the end of the password; placing it anywhere else in the sequence makes the password harder to guess.
Don’t Use Commonly-Used Passwords
Passwords like 12345 or password are off-limits when it comes to creating a unique password. Lists of the most frequently used passwords are published on GitHub, and the Pwned Passwords service at HaveIBeenPwned.com lets you check whether a password has already appeared in a known data breach.
Don’t Use Password Hints
NIST recommends scrapping this practice, since hints and knowledge-based questions (mother's maiden name, first pet, and so on) can often be answered from social media profiles. If a site insists on them, use fictitious answers that only you know, and store those answers alongside the password in your password manager.
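The “Don’t” rules above are mechanical enough to check automatically. The following added example (not part of the original article) audits a candidate password against them: it detects common passwords, iterations of a previous password such as PowerUser1 to PowerUser2, first-letter-only capitalization, a lone trailing “!”, and exposure in a breach corpus using the k-anonymity range lookup that HaveIBeenPwned's Pwned Passwords API uses. The common-password set and the range response are constructed stand-ins (the breach counts are made up) so the code runs offline; the only real value is the SHA-1 of “password”.

```python
import hashlib
import re
import string

# Constructed top-N list standing in for the lists published on GitHub and the HIBP corpus.
# Compare case-insensitively: "Password" is no stronger than "password".
COMMON_PASSWORDS = {"123456", "12345", "password", "qwerty", "letmein", "iloveyou", "admin"}

# Splits a password into stem, trailing digits and trailing punctuation,
# e.g. "Password1!" -> ("Password", "1", "!").
_PARTS = re.compile(r"^(.*?)(\d*)(\W*)$")


def is_common(pw: str) -> bool:
    return pw.lower() in COMMON_PASSWORDS


def is_iteration_of(pw: str, previous: str) -> bool:
    """True when pw differs from a previous password only in its trailing digits or
    punctuation (PowerUser1 -> PowerUser2). Cracking rule sets try exactly these mutations."""
    stem_new, *tail_new = _PARTS.match(pw).groups()
    stem_old, *tail_old = _PARTS.match(previous).groups()
    return bool(stem_new) and stem_new.lower() == stem_old.lower() and tail_new != tail_old


def only_first_letter_capitalized(pw: str) -> bool:
    """The capitalization pattern crackers try first: first character upper, every other letter lower."""
    letters = [c for c in pw if c.isalpha()]
    return bool(letters) and pw[0].isupper() and all(c.islower() for c in letters[1:])


def symbol_is_only_trailing_bang(pw: str) -> bool:
    """Flags the 'Summer2024!' pattern: the only symbol in the password is a '!' at the end."""
    symbols = [c for c in pw if c in string.punctuation]
    return symbols == ["!"] and pw.endswith("!")


def hibp_range_query(pw: str) -> tuple:
    """k-anonymity split used by Pwned Passwords: only the first 5 hex chars of the SHA-1
    leave the machine (GET https://api.pwnedpasswords.com/range/<prefix>); the suffix is
    matched locally against the returned list."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Parse the 'SUFFIX:COUNT' lines of a range response; 0 means the password was not found."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        found, count = line.split(":")
        if found == suffix:
            return int(count)
    return 0


# Constructed stand-in for a range response for prefix 5BAA6 (SHA-1 of "password").
# Real responses contain hundreds of suffixes; the counts here are made up for the example.
FAKE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9000000
1F1E6A9D6A3B4C9E2F8A7B6C5D4E3F2A1B0:1
"""


def audit(pw: str, previous=(), range_response: str = "") -> list:
    """Return a list of findings; an empty list means the password passed every check."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than NIST's 8-character minimum")
    if is_common(pw):
        findings.append("appears in common-password list")
    for old in previous:
        if pw == old:
            findings.append("reused from another account")
        elif is_iteration_of(pw, old):
            findings.append(f"iteration of an existing password ({old})")
    if only_first_letter_capitalized(pw):
        findings.append("only the first letter is capitalized")
    if symbol_is_only_trailing_bang(pw):
        findings.append("only symbol is a trailing '!'")
    if range_response:
        _, suffix = hibp_range_query(pw)
        seen = breach_count(suffix, range_response)
        if seen:
            findings.append(f"seen {seen} times in breach corpus")
    return findings


if __name__ == "__main__":
    for candidate in ("password", "Password1!", "correct-horse-battery-staple"):
        print(candidate, "->", audit(candidate, previous=["Password2!"],
                                      range_response=FAKE_RANGE_RESPONSE) or ["ok"])
```

In a real deployment the range response would come from one HTTPS request using the 5-character prefix returned by `hibp_range_query`, so the full hash, let alone the password, never leaves the client.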
Although passwordless authentication is becoming more common through biometrics, passkeys and single sign-on, passwords are likely to remain the most widely used way of authenticating users and preventing unauthorized account access for some time. Organizations should implement password policies and security training for their teams, especially since weak or stolen passwords are the root cause of 80% of data breaches today.