Cybersecurity expert offers tips for securing your online life

Scott Orr

May 5, 2020 — 4 min read

World Password Day reminds us to get rid of “123456.”

With all the time we’ve spent at home and online recently, here’s a date you shouldn’t miss: May 7. That’s because the first Thursday in May is officially World Password Day.

Although it’s been around for years now, many people have yet to “celebrate” this day. But it’s important. World Password Day is intended to remind us it’s a good time to change an old password, or even to add two-factor authentication to important accounts.

The idea of designating a day to change passwords was proposed by security consultant, author and researcher Mark Burnett in his 2005 book, “Perfect Passwords.” Intel Security liked the idea and declared a World Password Day in 2013.

You may have accounts “you log into all the time, and you never think about changing passwords — like your Gmail account or your Facebook account,” Burnett told Allconnect. “And then, the next thing you know, years have gone by” and you’re still using the same password.

In fact, a study by security company Telesign found that 47% of people are using passwords that are at least five years old. A whopping 73% of passwords are reused across multiple sites, which can make “domino effect” hacking possible.  

“So the concept is, take a day and just look at all your accounts and change your passwords all at once,” he said.

Change your password…but how often?

Burnett believes the concept of an annual change day is very reasonable. However, he cautioned it is possible that changing passwords too often — sometimes a demand of corporate IT departments — could cause users to give up and choose an insecure one.

“If you’re having people change their passwords every quarter, then you end up with passwords like ‘fall2020,’ you know, and that is a very common password pattern,” Burnett said.

Those kinds of simple phrases are easily guessed by hackers. They’re not really much different from using the much-maligned (and, thankfully, Burnett said, less common these days) “123456” or “password1.”

Burnett’s number-one tip is to use a password manager. These are like a vault that stores your credentials in an encrypted form. That allows you to use a different password for each online account, but without having to remember them all (or write them on sticky notes). The password manager fills them in for you.

You unlock a password manager with a master password, a PIN or even a fingerprint. Most have a free version, so you can try them before paying the roughly $50-a-year subscription fee.

Don’t choose easy passwords

Once you don’t have to remember passwords yourself, you can choose ones that are difficult to guess.

“The single rule for having strong passwords is: Make them longer,” Burnett said. “And I tell people, you’re better off having a long, kind of semi-random password. Take a phrase from a song and swap out one word, throw in some punctuation somewhere, [or intentionally] misspell a word. And then you’ve got a very strong password.” You might use, for example, “maryhadalittlelambwhosefleecewasblackascole?,” which, while long, is simple to remember.
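A sketch of how a site or IT department could screen new passwords along the lines described above: reject the known-weak strings and season-plus-year rotation patterns, require length, and impose no character-class rules. This is an added example, not code from the article or from Burnett; the 14-character minimum, the deny-list contents and the `screen_password` name are assumptions.

```python
import re

# Assumed policy value for this sketch; the article gives no number.
MIN_LENGTH = 14
# Constructed deny-list seeded with the weak passwords the article names.
COMMON = {"123456", "password1"}

PERIODS = ("spring summer fall autumn winter january february march april may "
           "june july august september october november december").split()
# A season or month followed by a 2- or 4-digit year, e.g. "fall2020".
ROTATION = re.compile(rf"^(?:{'|'.join(PERIODS)})(?:19|20)?\d{{2}}$")
# Undo two common symbol-for-letter swaps before matching.
SWAPS = str.maketrans({"@": "a", "$": "s"})


def screen_password(candidate: str) -> list[str]:
    """Return the reasons to reject `candidate`; an empty list means accept."""
    reasons = []
    lowered = candidate.lower()
    # Trailing punctuation ("Fall2020!") does not hide the pattern.
    core = lowered.rstrip("!?.#*").translate(SWAPS)
    if lowered in COMMON or core in COMMON:
        reasons.append("common")
    if ROTATION.match(core):
        reasons.append("rotation-pattern")
    if len(candidate) < MIN_LENGTH:
        reasons.append("too-short")
    # Deliberately no "must contain a digit/symbol" rule: length is the control.
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs, taken from the examples in the article.
    for pw in ("fall2020", "F@ll2020!", "123456",
               "maryhadalittlelambwhosefleecewasblackascole?"):
        print(f"{pw!r}: {screen_password(pw) or 'accepted'}")
```

A production check would compare candidates against a large breached-password list rather than this two-entry set.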

If you’re using a browser to store your credentials, Burnett said that’s notoriously insecure.

“The problem is that people do use a browser for storing passwords. And anyone who sits at their computer has access to all their passwords. There are some things to make them more secure. But it’s not that hard to extract [passwords] — there’s tools out there to extract them from browsers.”

Still, he said, “many people are better off having strong passwords and using the browser, than having bad passwords and trying to remember them or using the same password everywhere.”

Some companies, especially banks, limit how long passwords can be or won’t allow the use of characters other than numbers or letters, which makes it tough to develop a good password. Others won’t let users paste their password into the site, so they can’t use a password manager.

“And so, it’s important that we hold those companies responsible to allow us to start using more secure passwords,” he said.

Go beyond password protection

The gold standard in login credentials, at least currently, is two-factor authentication, sometimes known as “2FA.” The first factor is a password, and the second factor can be a hardware token, a smartphone (such as the system Gmail uses) or biometrics, like a fingerprint or facial recognition. “Microsoft recently released a study that said, of all the accounts that were hacked in the last nine years, less than 1% of them used two-factor authentication,” Burnett said.

Two-factor authentication is indeed another step for password-weary users to have to deal with to access their accounts, but the relative inconvenience of using it is a whole lot less than dealing with the aftermath of getting hacked.

“It’s much better, much much better,” Burnett said. “It’s a little bit of a pain, but if a site offers that, you should use it.”
