We've discussed the importance of password security before. While passwords have some inherent issues, they are the most common form of authentication.
Unfortunately, insecure passwords are still very common. A new study reveals 2016's worst passwords, as well as some interesting information on how people think about security that we can learn from. Let's take a look.
People's Views on Security
Digital security company Gemalto recently surveyed 9,000 people about their thoughts on security. These folks expressed concern about mobile banking and security breaches, yet believe that 70% of the security burden falls on a company or website. This leaves just 30% of it as the consumer's responsibility, in the survey respondents' eyes.
The Worst Passwords of 2016
In 2016, around 10 million passwords were exposed through security breaches (Dropbox suffered one). Security experts analyze these passwords to find trends, and what they discovered this year isn't pretty.
The top five passwords of 2016 were these:
All of these passwords are, shall we say, not good. They provide next to no protection for an online account, yet almost 17% of online accounts use the password 123456, and the top 25 most common (and therefore worst) passwords made up over half of the breached passwords last year. If your email password is 123456, somebody who found out your email address could try that popular password and get right in.
What Can My Business Do to Protect Itself?
Many website providers should do more to protect their users by enforcing a certain level of complexity. However, you can take matters into your own hands and make sure you don't use lousy passwords.
A password manager can keep track of passwords so you don't have to. Tools like LastPass help you generate ultra-complex passwords, securely save your passwords, and automatically fill them into websites when you visit them. All you have to do is remember a single "master password" that grants access to your LastPass account, and it takes care of the rest.
Clients in our Houk Managed IT Services program benefit from our password standards that protect business assets.
Even if you don't want to use a password manager, you should audit your own passwords with this advice:
- Use a unique password for every site so that attackers can't get into multiple accounts if one is compromised. This matters most for your email account, which is used to reset passwords for other accounts.
- Don't use something obvious like a pet's name, your anniversary or birthday, or common dictionary words.
- Using numbers and symbols in addition to uppercase and lowercase letters will greatly increase the complexity of your password.
- Longer passwords are better because they're harder to guess. Ten characters should be the minimum.
For an easy way to create strong passwords, consider using a password phrase. Instead of a complex jumble of letters and symbols, password phrases simply use several random words stuck together to create a long password that's hard to crack but not hard to remember. The web comic xkcd has illustrated this well:
As this method has become more popular, you should use at least three words to create your phrase. Avoid using popular phrases or quotations that are easy to guess, and consider throwing a few numbers or symbols at the end for maximum security. A nonsense password like "great yarn truck grass hammer water interesting insane park holding sadness driving" contains a whopping 72 characters!
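Here is the password-phrase method as a short Python example, added here and not part of the original article: it picks words with the operating system's secure random generator and shows how much guessing resistance each extra word adds. The sample word list, the function names and the 64-bit target are assumptions made for illustration.

```python
import math
import secrets

# Constructed sample list, far too small for real use. A real word list
# should hold thousands of words (a diceware-style list has 7,776).
SAMPLE_WORDS = [
    "great", "yarn", "truck", "grass", "hammer", "water", "interesting",
    "insane", "park", "holding", "sadness", "driving", "copper", "window",
    "planet", "ribbon",
]

MIN_WORDS = 3  # the article's floor: "at least three words"


def generate_passphrase(words, count=4, sep=" "):
    """Pick `count` words uniformly at random using the OS CSPRNG."""
    if count < MIN_WORDS:
        raise ValueError(f"use at least {MIN_WORDS} words")
    pool = sorted(set(words))  # duplicates would skew the distribution
    if len(pool) < 2:
        raise ValueError("word list needs at least two distinct words")
    return sep.join(secrets.choice(pool) for _ in range(count))


def entropy_bits(list_size, count):
    """Bits of entropy when each word is drawn uniformly and independently."""
    return count * math.log2(list_size)


def words_needed(list_size, target_bits):
    """Smallest word count whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(generate_passphrase(SAMPLE_WORDS, count=4))
    print(f"16-word sample list, 4 words: {entropy_bits(16, 4):.1f} bits")
    print(f"7,776-word list, 4 words: {entropy_bits(7776, 4):.1f} bits")
    print(f"words for 64 bits from 7,776: {words_needed(7776, 64)}")
```

The entropy figures hold only when the words are chosen by the random generator; words a person picks by hand are far easier to guess than the arithmetic suggests.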
If it helps you remember, create a little story in your pass phrase. Something like "Amazing people always try to impress the Czar of their own happy country" is just as strong as the random words above.
If you're not sure how secure your password is, check out How Secure is My Password? to see how long it would take a computer to crack anything you type in. Note that this doesn't account for human guesses, so a password like "thisisareallystrongpassword" is relatively poor even though it would take a computer a long time to brute-force it.
Two-Factor Authentication
Even the most secure password doesn't particularly matter if the company that is storing that password for you is successfully hacked. Or maybe your password isn't as secure as it could be and someone was able to guess it.
Either way, we highly recommend enabling two-factor authentication for every site that offers it. This combines something you know (your password) with something you have (usually your phone or a key fob). Both are needed to gain access to the account.
You Can Keep Yourself Safe!
Passwords are a necessary part of using technology, and so are strong passwords to protect you and your company. You don't have to spend an hour creating every new password, but we have to do better than "123456" in 2017. Maybe this year will be the beginning of better password security for everyone!
If you need help beefing up your password security with our best practices and standards, contact us or leave a comment below!