
Are You Using Secure Passwords?

May 5th, 2022 is World Password Day and this year, more than in years past, it is a genuinely important one. It has been roughly sixty years since the first computer password was created, on MIT's Compatible Time-Sharing System in 1961, so that a handful of users could log in and share one machine safely. Times have changed. Just look at the heightened sense of anxiety and defensiveness among online users lately: hackers, scammers, phishers, breaches, warnings in the news, grandma's concerns, and it just goes on and on.

Are we really being safe with the passwords we use, the ones we create and recreate, try to memorize, or write down and lock in a safe somewhere? Some of us are and some of us are not. Here are some password best practices for 2022 that will improve your odds.

#1 – The Definition of a “Strong” Password

Did you know that the two most popular reasons people create weak passwords are that they are easy to remember and that they think they have nothing online worth protecting? This thinking exposes hundreds of millions of online users every day to unnecessary risk. It would be nice to believe that everyone has enough common sense to follow good password practices, but considering that the 5th most popular password in 2019 was "password", there is still a lot of work to be done.

You have probably seen or heard it before, but it is always worth a refresher. The old advice was eight to twelve characters mixing upper and lowercase letters, numbers, and symbols. Current guidance (NIST SP 800-63B) puts the emphasis on length instead: eight characters is a floor, not a target, and a longer password beats a shorter one stuffed with symbols, because every added character multiplies the work an attacker has to do. Avoid personal information such as your name or your pet's name, and avoid anything an attacker's wordlist already contains: single dictionary words, keyboard patterns like "qwerty", and common substitutions like "P@ssw0rd". If you must memorize a password, make it a long passphrase of several unrelated words rather than one clever word.

#2 – Complicate Without Personalizing

It is easier to guess a password from someone's personal information than to "crack a code". We leave trail upon trail of personal information all over the internet, and attacker tooling, increasingly with machine learning behind it, has become very efficient at crawling for those little tidbits about you. A cracking wordlist built from your name, birthday, pet, team and hometown is among the first things tried, and those tidbits are just enough to fill in the blanks if you build passwords from personal information.

You can certainly complicate a password manually, but if you have not used one before, you can enlist the help of a password generator and a password manager. A password generator is a tool that produces random, complicated passwords for you, drawing each character from a cryptographically secure random number generator (CSPRNG), which is a fancy way of saying the machine picks every character unpredictably, with no pattern for an attacker to exploit. Use what the generator produces as-is; editing it to make it memorable only makes it more predictable. Prefer the generator built into your password manager or browser over an arbitrary website: a password generated on someone else's server may already have been seen by that server.

Password managers are programs that store, create, and control your passwords. They are a second brain for organizing, storing and retrieving all of those randomly generated, complicated passwords so you do not have to. When you create an account on a new website, the manager will usually offer to generate the password for you, along with autofill for other stored details such as name and email address.

There are plenty of password managers available, so do your due diligence and pick the one that fits your needs. Most web browsers have a password manager built in, but there is a risk with that choice: the browser's password store is only as protected as the browser profile and operating-system account it lives in, so malware running as your user can often read it, and the browser is also the most internet-exposed program you run. That is why many people use a dedicated third-party password manager such as 1Password, LastPass, or Keeper, which keeps the vault encrypted under a key derived from a master password that only you know. Whichever you choose, make that master password the longest passphrase you can reliably remember, and protect the manager account itself with two-factor authentication.
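As an added example (not code from the original post or from any of the products named above), here is how a generator built on a CSPRNG works, how to estimate the strength of its output in bits, and why a generator built on an ordinary seeded random number generator is not good enough. The character set and the tiny word list are constructed for this example; a real passphrase generator would use a list of several thousand words.

```python
import math
import random
import secrets
import string

# Character set for random passwords (letters, digits, a symbol set).
# The exact symbol set is an assumption for this example; use whatever the site allows.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"

# Constructed stand-in for a diceware-style word list (real lists hold thousands of words).
SAMPLE_WORDS = [
    "anchor", "basket", "cobalt", "dagger", "ember", "falcon", "gravel",
    "harbor", "island", "jungle", "kettle", "lantern", "marble", "nectar",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Bits of entropy for `positions` independent uniform picks from `choices_per_position` options.
    Every extra character (or word) adds log2(choices) bits, i.e. multiplies attacker work."""
    return positions * math.log2(choices_per_position)


def random_password(length: int = 16) -> str:
    """Random password drawn from the OS CSPRNG via `secrets` (never the `random` module)."""
    if length < 8:
        raise ValueError("use at least 8 characters; 16 or more is better")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def random_passphrase(words: int = 6, word_list=SAMPLE_WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: each word is an independent uniform pick from the list."""
    return sep.join(secrets.choice(word_list) for _ in range(words))


def predictable_password(seed: int, length: int = 16) -> str:
    """Counter-example: a generator seeded from something guessable (a timestamp, a PID).
    Mersenne Twister is deterministic, so the same seed always yields the same password."""
    rng = random.Random(seed)
    return "".join(rng.choice(PASSWORD_ALPHABET) for _ in range(length))


def recover_from_seed_window(target: str, start_seed: int, end_seed: int, length: int = 16):
    """Attacker side of the counter-example: try every seed in a plausible window
    (e.g. timestamps around account creation) until the generated password matches.
    Returns the seed that reproduces `target`, or None."""
    for seed in range(start_seed, end_seed):
        if predictable_password(seed, length) == target:
            return seed
    return None


if __name__ == "__main__":
    print("password   :", random_password(16), f"(~{entropy_bits(len(PASSWORD_ALPHABET), 16):.0f} bits)")
    print("passphrase :", random_passphrase(6), f"(~{entropy_bits(len(SAMPLE_WORDS), 6):.0f} bits with this toy list)")
    created_at = 1_650_000_000  # constructed "account creation" timestamp used as a bad seed
    leaked = predictable_password(created_at)
    print("bad seed recovered:", recover_from_seed_window(leaked, created_at - 3600, created_at + 3600))
```

The entropy figures are the point: sixteen characters from an 85-symbol alphabet is about 102 bits, while six words from a 25-word toy list is under 28 bits, which is why a real passphrase list needs thousands of entries. The last two functions show the failure mode the paragraph warns about: when the generator's randomness comes from a guessable seed rather than a CSPRNG, an attacker who can bound the seed simply regenerates the password.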

#3 – Get by with a Little Help from Your Two-Factor Authentication

For that extra layer of safety and assurance, use two factors of authentication: your password plus a second proof that it is really you. That could be a 2FA app such as Duo Mobile or Microsoft Authenticator, something hardware-based like a U2F or FIDO2 security key, or your own biometric data. In this scenario your password gets you the address of the party; the second factor gets you in.

The public still needs some encouragement to adopt two-factor authentication; just over half of us use 2FA when shopping online, for instance. So do not feel bad if you do not use it yet, but be aware that someone can steal your password from a breach or from a program holding your information, and that password is only the first layer. The second layer protects your accounts by double-checking who is logging in and asking for a one-time code generated in real time, which an attacker holding only your password cannot produce. One caveat: a code sent by SMS is the weakest form of second factor, since phone numbers can be hijacked through SIM swapping; an authenticator app is stronger, and a security key is stronger still, because it checks the real origin of the site before answering and so also resists phishing.

#4 – Bet You Can’t Use Just One

So now you have one random password generated and stored with the help of your friendly neighborhood password manager. That covers one login. What about the other 100 or so passwords the average person uses online? No, you should not use the same password for every login. Reuse defeats the purpose: when one site is breached, attackers take the leaked email-and-password pairs and replay them against every other popular service (credential stuffing), so a single breach becomes a takeover of every account that shares the password.

Again, go back to your password manager and create a new, unique password for as many logins as possible. Do not worry about the manual work; the manager will do it for you. Be the ironclad online user who is so proactive that no single hack or breach can sway your spirit.

Keeping these points in mind will help us all celebrate World Password Day with confidence and optimism about a more secure future, one where lack of awareness is no longer the excuse for cyber risks and vulnerabilities.

More reading from NTT Application Security on how to stay cyber vigilant is available on our blog.

Stay safe, stay vigilant, and happy World Password Day!