Thursday is "Change Your Password Day," a national observance of password security and best practices. Passwords are often the first line of defense against criminals intent on breaking into systems and stealing data, which makes it important for people to use strong and distinct passwords. Unfortunately, many Americans continue to use weak, insecure and easy-to-crack passwords. After compiling more than 5 million leaked passwords from 2017, password management application provider SplashData released its 100 Worst Passwords of 2017. According to the report, “123456” and “password” held the top two spots as the most-used and most-cracked passwords for the fourth consecutive year. Americans’ seeming disregard of password security best practices is even more alarming when we consider that the number of U.S. data breaches in 2017 topped the all-time record set the year prior. Data Breach Cybersecurity reported in July that more than 6 billion records were exposed in the first half of 2017 alone, up from 1.5 billion in 2016. While the Data Breach Cybersecurity report found that the business sector accounted for more than half (56.5 percent) of the total breaches, University of Phoenix's annual cybersecurity survey found that 43 percent of U.S. adults have experienced a personal data breach in the past three years. When it comes to password security, however, the majority are doing very little to keep themselves secure.
The survey found that only 42 percent of Americans diversify their passwords across websites, 35 percent update their passwords on a regular basis, and less than a quarter (24 percent) change or update their passwords before traveling. The survey also found that workplace cybersecurity is at risk: only 29 percent consider password protection part of their company's cybersecurity policy.
Most Americans are aware that they should avoid using anniversaries, pets’ names, or their favorite sports team as their passwords, but more should be done to keep information safe. Read below for three tips to strengthen passwords.
1. Use long phrases or sentences
Hackers have become more sophisticated and inventive in their ability to crack passwords. Some will scour dictionaries and phonetic patterns, while others will attempt thousands of different passwords, often based on information known about the victims such as significant dates and interests. To protect yourself, aim to create long passwords made of sentences or phrases; these are harder to guess or crack. According to SplashData’s Worst Passwords of 2017 list, nearly all of the top 100 passwords from last year were seven characters or fewer. A good rule of thumb is to use passwords that are at least eight characters and even up to 12. “Football” was the ninth most popular password in 2017. Alone, “football” is a weak password, but adding it to a phrase, like “footballismyfavoritesport”, makes it stronger. Phrases can also be made more secure by adding numbers and symbols (for example: “f0otb@llisMYfaVOrit3spOrt”).
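As an added illustration (not code from the original article), the following Python checker applies the advice above to the page's own examples: it rejects exact matches against a small constructed excerpt of a "worst passwords" list (including the leet-speak variants attackers try first), enforces the eight-character minimum, and estimates how much a longer phrase and a wider character set raise the brute-force search space. The list contents, the length thresholds and the leet-speak table are assumptions for the example.

```python
import math
import string

# Constructed excerpt of a worst-passwords list; the article names "123456",
# "password" and "football" as top entries of SplashData's 2017 ranking.
COMMON_PASSWORDS = {"123456", "password", "football", "qwerty", "letmein"}

# Common leet-speak substitutions, undone before the list lookup so that
# "f0otb@ll" is recognised as the dictionary word "football".
LEET_TO_PLAIN = str.maketrans("0@31$", "oaeis")

MIN_LEN = 8          # the article's hard minimum
RECOMMENDED_LEN = 12 # the article's "even up to 12" recommendation


def charset_size(pw: str) -> int:
    """Size of the smallest standard character pool covering every character."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def brute_force_bits(pw: str) -> float:
    """Bits an attacker must enumerate if the password were uniformly random.

    This is an upper bound: a phrase of dictionary words is weaker than a
    random string of the same length, which is why the list check matters."""
    size = charset_size(pw)
    return round(len(pw) * math.log2(size), 1) if size else 0.0


def assess(pw: str) -> dict:
    """Return whether pw passes, its estimated bits, and the reasons it failed."""
    reasons = []
    if pw.lower() in COMMON_PASSWORDS or pw.lower().translate(LEET_TO_PLAIN) in COMMON_PASSWORDS:
        reasons.append("matches a known worst password")
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    elif len(pw) < RECOMMENDED_LEN:
        reasons.append(f"consider {RECOMMENDED_LEN}+ characters")
    hard_failures = [r for r in reasons if not r.startswith("consider")]
    return {"ok": not hard_failures, "bits": brute_force_bits(pw), "reasons": reasons}


if __name__ == "__main__":
    for candidate in ["football", "f0otb@ll", "footballismyfavoritesport", "f0otb@llisMYfaVOrit3spOrt"]:
        print(candidate, assess(candidate))
```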
2. Adopt a password manager
Another rule for creating smart passwords is to use a different one on every site. Once a criminal is able to crack one password, he/she is likely to try that same password on other accounts. If your passwords are the same, it is much easier for criminals to access your information. Understandably, it can be difficult to memorize a unique password for each of your devices and accounts. While some people may write them down or store all of their passwords in their smartphone, there is a more secure way to protect and store them. Password security tools like 1Password or LastPass will securely store and encrypt passwords for all accounts under a single master password. Since the master password is the only line of security between hackers and all of your passwords, make it nearly impossible to crack. You will only have to memorize one password, so make it long and random-looking. For this password, consider using a sequence of random numbers, letters, capitalization and symbols. The sequence can be made into a phonetic phrase to aid memorization, as long as it is not too simple.
3. Enable multi-factor authentication
Long passwords that include phrases and password security managers are great solutions for advanced password protection, but it is best if people take it one step further. Many accounts and programs will offer multi-factor authentication options. Through this method, users are only granted access to an account after providing two factors of authentication, that is, two separate pieces of evidence that they are the correct user. Authentication can include a security question, fingerprint ID, or additional confirmation from a mobile device. Some programs may provide users the option to reset a forgotten password through the email address linked to the account. Without multi-factor authentication enabled, sometimes all it takes is opening an emailed link. Email addresses are often easy for hackers to acquire, making strong passwords moot if additional security is not added. The majority of accounts and devices offer multi-factor authentication, but many do not enable it by default. To enable it, visit the security settings and turn on the option. While providing additional information to log in can be tedious, multi-factor authentication adds another layer of security to keep your data protected.
About the Author: Dennis Bonilla is the Executive Dean at the College of Information Systems and Technology and School of Business, University of Phoenix. You can connect with him on Twitter here: @DennisBonillaIT. Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.