Yesterday was World Password Day. While it may be news to everyone that there’s a World Password Day, the importance of using complex passwords isn’t news to anyone. And the stakes are high – just last week, the so-called Blockchain Bandit was in the news for stealing over $50 million in Ethereum from 732 online accounts. The theft was carried out by guessing weak passwords, due to poor user choice or a potential error in autogenerated keys.
The National Cyber Security Centre (NCSC) recently released a list of the most popular passwords found in data breaches. Working with Have I Been Pwned? – a website which allows people to check if accounts associated with their email address have been compromised – the most popular password was found to be 123456, which was used 23.2 million times. Other popular passwords included old familiars such as password (3.6 million), qwerty (3.8 million), popular names such as ashley (432,200) and bands including blink182 (285,000).
Is it all too much?
Ideally, you should never reuse passwords, but it’s unrealistic to believe that people don’t. A recent survey showed that just 55% of respondents used a separate password for their main email account – and that is a risk. With hackers becoming increasingly sophisticated in their approach, and regular bad news stories about password breaches, password requirements are ever more complex. And we all have to remember hundreds of them. No reusing. No dictionary words. Eight characters plus. No 123456s. In an effort to protect consumers, organisations are demanding these complex requirements, along with forced changes at regular intervals – prompting users to rely on patterns or easily guessable passwords.
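As an added example (not code from the article, the NCSC or Have I Been Pwned?), this is the kind of screening a service can do with a breach-derived deny list instead of piling on complexity rules. The five-entry deny list is a constructed sample seeded with the passwords and counts quoted above, the eight-character floor comes from the requirements just listed, and the variant normalisation (case, trailing digits, simple letter substitutions) is my own assumption about which trivial variants are worth catching.

```python
"""Screen a candidate password against a deny list of commonly breached passwords.

Constructed example. The deny list is a hand-built sample using the passwords
and breach counts quoted in the article; a real deployment would load the full
published list (tens of millions of entries) rather than five.
"""
import hashlib
import re

# Constructed sample: plaintext password -> number of breach appearances (from the article).
BREACHED_COUNTS = {
    "123456": 23_200_000,
    "qwerty": 3_800_000,
    "password": 3_600_000,
    "ashley": 432_200,
    "blink182": 285_000,
}

MIN_LENGTH = 8  # the "eight characters plus" rule


def _sha1_hex(text):
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


# Keep only digests server-side so the plaintext list need not sit beside the service.
DENY_LIST = {_sha1_hex(p): n for p, n in BREACHED_COUNTS.items()}


def variants(candidate):
    """Yield the candidate plus the trivial variants people bolt onto a weak base word."""
    yield candidate
    lowered = candidate.lower()
    yield lowered
    stripped = re.sub(r"[\d\W_]+$", "", lowered)  # drop trailing digits/punctuation
    yield stripped
    yield stripped.translate(str.maketrans("013@$", "oieas"))  # undo P@ssw0rd-style swaps


def check_password(candidate):
    """Return (accepted, reasons). Reasons are user-facing explanations for a rejection."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    for form in dict.fromkeys(variants(candidate)):  # de-duplicate, keep order
        if not form:
            continue
        count = DENY_LIST.get(_sha1_hex(form))
        if count is not None:
            how = "appears" if form == candidate else f"is a trivial variant of '{form}', which appears"
            reasons.append(f"{how} in breach data {count:,} times")
            break
    return not reasons, reasons
```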
But maybe the password burden has become too much? Password managers can be a good alternative, generating new, random logins for every site and storing them behind a single master password. They promote good password management, but they also have the potential to be a single point of failure, so you should take steps to mitigate that risk by using two-factor authentication and creating a suitably complex master password.
What are the alternatives?
Currently the norm is to use a password, backed up by two-factor authentication, which can use a range of different inputs. These vary from personal questions, to sending a code to your mobile, to voice recognition. But organisations are gradually moving away from passwords altogether, partly driven by the accessibility of new technology.
Biometric options such as fingerprint scans, facial or vocal recognition are the most popular alternative, but they can be affected by physical injuries, colds or similar factors. Physical keys are a viable – if expensive – alternative, which can be plugged into the computer as part of a login process. While this brings up the usual issues of lost keys, etc., it is pretty secure as a sign-in method, and Google have had significant success using the keys to reduce successful phishing attempts within the organisation.
What’s at stake?
The NCSC UK Cyber Survey found that 70% of respondents expect to fall victim to cyber-crime in the next two years – the majority felt this would have a big personal impact on them. The theft of money which was not reimbursed carried the biggest potential threat, with 91% of those surveyed believing it would have a big impact. To minimise these risks, you should use every tool available to protect your online identity – starting with complex passwords, and embracing new alternatives as they become available.