World Password Day – A Reminder to Improve Password Hygiene

The first Thursday of May is World Password Day, a day dedicated to raising awareness of the importance of password security and the promotion of password best practices. The idea of a Password Day came from the security researcher Mark Burnett, who suggested in 2005 in his Perfect Passwords book that everyone should have a password day where they took the time to update their passwords. In 2013, World Password Day became official and has taken place on the first Thursday of May ever since.

A Brief History of Passwords

The concept of passwords to restrict access dates back centuries. One of the most commonly known examples of passwords comes from Antoine Galland’s 18th-century French language collection of stories – One Thousand and One Nights, which includes the tale of Ali Baba and the Forty Thieves. Ali Baba learned that in order to access a cave with hidden treasure, the phrase ‘Open Sesame’ was required. Only allowing access to individuals who knew a secret code word goes back much further. The Romans required a codeword to be provided to pass through city gates after dark. If the word was not known, access was not possible.

Passwords have been used to restrict access to computer systems since the 1960s. The first computer password system was proposed by MIT computer scientist, Fernando Corbató, in 1961 as a way of creating private access to the Compatible Time-Sharing System (CTSS), the first general-purpose time-sharing operating system. Passwords were used to allow private access to the system, allowing researchers to keep their own files private when other people used the same system.

Initially, passwords for computer systems were used only in academic circles, but as computer use grew, so did the need for security, and the use of passwords became much more widespread. For decades a password and an accompanying username have been used to secure accounts, and while passwords have served humanity well, they no longer provide the same degree of security.

Password Best Practices

In theory, a password can stop anyone from accessing an account, provided the password remains private and cannot be easily guessed. Given sufficient time, any password can be guessed. The trick is to make it so complex that even with the most powerful computers it would take many years to hit the right combination.

Password Complexity

While they can be effective, there is a fundamental flaw with passwords. A password needs to be simple enough to remember, while also being sufficiently complex to ensure it cannot easily be guessed. Given sufficient time, any password can be guessed, so the security best practice for passwords is to make them complex.

In 2023, a manager at the National Institute of Standards and Technology (NIST) proposed a new approach to adding complexity to passwords: create them from a combination of upper- and lower-case letters, numbers, and special characters to increase the number of possible combinations.

A password consisting only of digits has 10 possible choices for each character. A password of 6 characters therefore has 1,000,000 possible combinations (10 x 10 x 10 x 10 x 10 x 10), or 10^6. If only lowercase letters are allowed, that is 308,915,776 possible passwords, or 26^6. Combine upper- and lowercase letters and digits and the possible combinations increase to 62^6, or 56,800,235,584. Add in the 32 special characters and the number of possible combinations increases to 94^6, or 689,869,781,056.

Password length is also important. Passwords of 6 characters, regardless of their constituent parts, are no longer sufficiently complex, even with such a high number of combinations. The current best practice is to ensure that passwords contain at least 14 characters.
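As an added worked example (not from the article), the keyspace arithmetic above carried through in Python for the article's four character sets at lengths of 6, 8 and 14, with the entropy in bits and a worst-case brute-force time. The guess rate of 10^11 per second is this example's assumption, not a figure from the article.

```python
import math

# The four character sets the article walks through: digits, lowercase,
# upper + lower + digits, and the same plus the 32 special characters.
CHARSET_SIZES = {
    "digits only": 10,
    "lowercase only": 26,
    "upper + lower + digits": 62,
    "upper + lower + digits + 32 specials": 94,
}

# Assumed attacker guess rate (this example's assumption, not a figure from the article):
# 1e11 guesses/second is a round number for a multi-GPU rig against a fast unsalted hash.
# A slow, salted password hash (bcrypt, Argon2) cuts this by several orders of magnitude.
ASSUMED_GUESSES_PER_SECOND = 10 ** 11

def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols drawn from `charset_size`."""
    if charset_size < 1 or length < 1:
        raise ValueError("charset size and length must be positive")
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(charset_size)

def worst_case_seconds(charset_size: int, length: int, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Seconds to exhaust the whole keyspace at `rate` guesses/second (expected time is half this)."""
    return keyspace(charset_size, length) / rate

def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, for readable output."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.3f} seconds"

def complexity_table(lengths=(6, 8, 14)) -> list:
    """Rows of (charset name, length, keyspace, entropy bits, worst-case time) per combination."""
    return [(name, n, keyspace(size, n), round(entropy_bits(size, n), 1),
             human_duration(worst_case_seconds(size, n)))
            for name, size in CHARSET_SIZES.items() for n in lengths]

if __name__ == "__main__":
    for name, n, space, bits, t in complexity_table():
        print(f"{name:38} len={n:2}  {space:>40,}  {bits:6.1f} bits  {t}")
```

The 6-character rows reproduce the article's four totals; the 14-character rows show why length, not just character variety, is what moves the worst-case time from seconds into years.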

Don’t Enforce Password Changes

For many years, a best practice for passwords was to change them regularly, which is why Burnett suggested a password audit on an annual password day. Today, the advice has changed: while updating passwords is a good idea in theory, in practice it weakens security. If everyone had just one password to remember, changing it every 3 months would make sense. However, the explosion of online services and the extent to which computer systems are now used mean an average person has dozens of accounts, each of which needs to be secured with a password. NordPass suggests that an average person now has around one hundred accounts that require a password.

Let’s assume that NordPass is correct and a typical person has 100 accounts to secure, each requiring a password. Changing 100 passwords frequently will naturally result in shortcuts being taken, as it’s not possible to think of 100 new passwords every 3 months. Passwords will be recycled: old passwords reused, passwords reused across multiple platforms, or passwords changed by the minimum amount, with password becoming password1, for instance.

Frequent changes weaken security. It is far better to force users to create long passwords and enforce complexity requirements rather than force users to regularly update their passwords.

Ensure All Passwords are Unique

If you reuse a password for multiple accounts and that password is compromised – obtained or guessed – then all accounts that share it will be at risk. It is therefore important to set a unique password for each account, so that if one password is compromised, all other accounts remain protected. Remembering all of those passwords is unlikely to be possible, especially if they are complex. Writing the passwords down is a poor choice, as anyone who obtains your password list can access all of your accounts. The easiest and most secure option is to use a password manager.

Use a Password Manager

A password manager is a secure vault where users store their entire collection of passwords. The password manager has a secure password generator that will suggest a unique string of characters for each password, allowing a long, complex, and unique password to be created for each account. Password managers, such as Bitwarden, mean you will never have to commit your passwords to memory, as password managers will autofill the password when it is required.

All that is required is a password to access the password vault, and that should be a long, unique passphrase. Given the processing power of modern graphics processing units, guessing passwords through brute force is a rapid process: a password of 8 characters – regardless of its makeup – can be guessed in less than 5 minutes, or instantly if cloud computers are used, according to a 2023 analysis by Hive Systems. All you need to do is set a strong master password for your password manager, which should be a passphrase of at least 14 characters that is known only to you.

Password managers also need not cost you anything. Bitwarden offers a free version of its password manager that includes most of the features of the paid version, so there really is no excuse. The full version has all the bells and whistles to make life much easier and only requires a small investment – one that is well worth every penny.

Set up Multifactor Authentication

In an ideal world, a password should be sufficient for securing an account, but this is not an ideal world. Malicious actors will try to obtain your passwords, and phishing is the most common method for doing this. Social engineering techniques are used to trick people into disclosing their passwords. An email or text message is sent that impersonates a trusted entity and asks the user to visit a website where they need to log in. The password is captured and used to access the user’s account.

Companies are often hacked and user passwords are stolen. If a password has been reused on multiple accounts, all of those accounts will be at risk. Hackers use password lists compiled from data breaches and attempt to use them to access accounts on unrelated platforms – a process called credential stuffing.

The solution to the problem is to add an extra level of authentication – 2-factor or multi-factor authentication. That means that a password alone is not sufficient to grant access to an account. A second authentication factor must be provided in addition to a password before account access is allowed. Multi-factor authentication provides protection from phishing and ensures that if a password is compromised, an account cannot be accessed without further authentication. Any form of multifactor authentication is better than none, but phishing-resistant multifactor authentication is best. This uses biometric identifiers or hardware for the second factor, rather than an authentication code that can be intercepted.

Conduct an Annual Password Audit

This is easier if you use a password manager, as most can audit passwords and will let you know if passwords are weak or have been used in multiple places; some will even tell you if a password has been compromised and listed on the Internet or dark net. World Password Day is an ideal time to conduct an audit and make sure your passwords are fit for purpose. If you do not use a password manager, this process will be time-consuming, but it should still be conducted.

Things to Do on World Password Day 2023

World Password Day 2023 is the ideal day to take action to ensure that your passwords are fit for purpose and will actually protect your accounts from unauthorized access. Everyone should use World Password Day 2023 to take time to ensure their accounts are protected. Consider the following this World Password Day:

  1. Check the latest password advice and ensure your passwords are sufficiently complex – Currently at least 14 characters.
  2. Sign up to use a password manager – There are free versions if you don’t want to pay.
  3. Perform a password analysis using your password manager and update any weak or reused passwords. Use the secure password generator to create unique, complex passwords for all accounts.
  4. Ensure multifactor authentication is set up for all accounts, prioritizing the most sensitive accounts (financial accounts, government accounts, and any account that has your Social Security number or financial information).
  5. Check the HaveIBeenPwned service to see if your passwords have been compromised in a data breach and update the passwords for any accounts that have.
  6. Check with friends and family members that they are following password best practices. Use your password security knowledge to help others better protect their privacy.
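As an added example (not from the article, and not any password manager's own code), the mechanism behind the breached-password check in item 5 and in password-manager audits: the HaveIBeenPwned Pwned Passwords range API is queried with only the first five hex characters of the password's SHA-1, so neither the password nor its full hash leaves the device. The code runs offline against a constructed sample response; the breach count and the filler suffix are invented for this example.

```python
import hashlib

# Shape of the real Pwned Passwords range endpoint, for reference only: this example never
# goes on the network. Only the first 5 hex chars of the SHA-1 are sent; the service replies
# with every suffix it holds for that prefix as "SUFFIX:COUNT" lines (k-anonymity).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form the Pwned Passwords data uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str):
    """Return (prefix, suffix): the 5-char prefix is all that leaves the device."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def count_from_range_response(password: str, response_text: str) -> int:
    """Parse a range response; return the breach count for `password`, or 0 if its suffix is absent."""
    _, suffix = split_hash(password)
    for line in response_text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # skip blank or malformed lines instead of aborting the audit
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            return int(count)
    return 0

def build_constructed_response(breached: dict) -> str:
    """Constructed stand-in for a range reply: {password: count} -> 'SUFFIX:COUNT' lines plus filler."""
    lines = [f"{split_hash(pw)[1]}:{count}" for pw, count in breached.items()]
    lines.append("00A1B2C3D4E5F60718293A4B5C6D7E8F901:3")  # constructed filler, not a real hash
    return "\r\n".join(lines)

# Constructed sample data: 'password1' (the minimal change the article warns about) is marked
# as breached 2,400,000 times; the count is invented for this example.
SAMPLE_RESPONSE = build_constructed_response({"password1": 2_400_000})

def audit(passwords, fetch_range) -> dict:
    """Audit passwords with `fetch_range(prefix) -> response text`; returns {password: breach count}."""
    results = {}
    for pw in passwords:
        prefix, _ = split_hash(pw)
        results[pw] = count_from_range_response(pw, fetch_range(prefix))
    return results

if __name__ == "__main__":
    # Offline run: every prefix gets the constructed sample reply instead of a network call.
    for pw, n in audit(["password1", "correct horse battery staple 42!"], lambda prefix: SAMPLE_RESPONSE).items():
        print(f"{pw!r}: {'seen %d times in breach data' % n if n else 'not found'}")
```

Against the live service, `fetch_range` would be an HTTPS GET of `HIBP_RANGE_URL` with the prefix filled in; any password whose count comes back non-zero should be changed.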

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news