May 03, 2018
A recent survey showed that the #1 reason people change their passwords is that they have forgotten one. That’s not what information security experts want to hear.
Passwords are often the first line of defense for online accounts and devices – and there should be a careful password construction strategy, especially in the workplace.
What’s interesting is that most employees in a 2016 Psychology of Passwords survey conducted by LastPass said they know they should improve their password habits but still implement poor choices and tactics in creating and managing passwords online.
According to the Verizon 2018 Data Breach Investigations Report, 81% of hacking-related breaches involved either stolen or weak passwords.
Unfortunately, complex rules (changing passwords frequently, or requiring a certain number of digits or special characters) can backfire. People may end up selecting weak passwords (123456) because they are easy to remember, or ‘clever’ passwords (pa$$word) that information thieves find easy to figure out.
Recent research showed that 47% of respondents use initials or names of friends or family, 26% use pet names, 42% use significant dates and numbers, and 21% use birth dates.
Information thieves often figure out passwords by researching people on social media like Facebook. A survey of participants at a 2017 U.S. security conference showed bad password security practices when using social media – 50% of respondents had not changed their social network passwords in more than a year.
To recognize World Password Day, designated the first Thursday of May, here are password security guidelines:
Use a unique password for every account. If it gets compromised in an online attack, the compromised password can’t be used to access other accounts.
Use a reminder sentence to create a strong password. Choose a favorite song title or saying, and use the first letter of each word to create the password. Switch some letters with numbers or symbols.
Choose freely from all printable ASCII characters as well as spaces and emojis.
Increase password length to at least 8 characters.
Check your passwords against Worst Password lists. SplashData’s list of the top 100 worst passwords includes old (weak) standbys like ‘123456’, ‘password’, and ‘qwerty’ as well as names, pet names, expressions, expletives, number strings, and birth dates, and surprising choices like ‘Letmein’, ‘Iloveyou’, ‘Whatever’, ‘Cheese’, ‘Starwars’, and ‘Thunder’.
Don’t worry about changing passwords regularly. But always change them when there is a risk of compromise.
Password manager software can help you remember all your passwords (you just remember one), and many will generate passwords too.
Turn on multi-factor authentication so the login process requires a second factor, such as a code delivered by SMS or a mobile app, or a fingerprint scanned on your phone. A USB security token is a physical device that must be present to gain access to a restricted resource.
Do not share your passwords with anyone and never write them on a sticky note and stick it up in your office. Securely shred passwords on paper and hard drives when no longer needed. Partner with a document destruction company that provides these services.
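As an added example (not code from the original post), here is a screening function that applies three of the guidelines above to a candidate password: the 8-character minimum, the worst-password list check, and rejection of date or number strings. The WORST_PASSWORDS entries are a small constructed sample in the style of the lists the post cites, and the substitution map that undoes ‘clever’ spellings like pa$$word and the date pattern are assumptions of this example.

```python
import re
from typing import List

MIN_LENGTH = 8  # the "at least 8 characters" guideline

# Constructed sample in the style of a "worst password" list; in practice
# load a full published list such as the SplashData list cited above.
WORST_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "whatever", "cheese", "starwars", "thunder", "abc123",
}

# Assumed substitution map: undo the symbol/digit swaps that make a
# password look "clever" (pa$$word) without making it harder to guess.
LEET_MAP = str.maketrans({
    "$": "s", "@": "a", "0": "o", "1": "l", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i",
})

# Assumed pattern for date-like strings: yyyymmdd, ddmmyy, dd/mm/yyyy ...
DATE_RE = re.compile(r"^(?:\d{8}|\d{6}|\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4})$")


def normalize(password: str) -> str:
    """Lower-case and undo leet substitutions, so 'Pa$$word' -> 'password'."""
    return password.lower().translate(LEET_MAP)


def screen_password(password: str) -> List[str]:
    """Return the guideline violations found; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    # Check both the plain lower-cased form and the de-leeted form, so that
    # '123456' (digits) and 'pa$$word' (substitutions) are both caught.
    if {password.lower(), normalize(password)} & WORST_PASSWORDS:
        reasons.append("on the worst-password list (after undoing substitutions)")
    if password.isdigit() or DATE_RE.match(password):
        reasons.append("looks like a date or number string")
    return reasons


if __name__ == "__main__":
    # Constructed candidates: two from the post, a birth date, and one built
    # with the reminder-sentence technique ("Mary had a little lamb, ...").
    for candidate in ["pa$$word", "Whatever", "19850412", "Mhall,ifwas3!"]:
        verdict = screen_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```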