How can you and your business make the best password for each and every account? We gathered best-practice advice from cybersecurity experts.
World Password Day has come and gone, and yet enterprises continue to struggle with creating strong passwords that hackers can’t immediately crack or guess. While other authentication options and factors are starting to see more prominence, passwords remain the number one method by which accounts are accessed.
So you, and all of your employees, need to know how to make the best password. Here’s some advice (and even some arguments about why you should get rid of passwords entirely) from top cybersecurity experts on what to do.
How to Make the Best Password (According to Cybersecurity Experts)
Jenn Markey is Director of Identity at Entrust.
“Our collective hope as an industry is that one day World Password Day will be obsolete as encryption and advanced authentication replace the age-old practice of entering password credentials to access desired information. But until that day comes, organizations must continue ramping up their security tech and training to fill existing knowledge gaps and avoid detrimental breaches.
Requiring a password plus one or more added credentials, also known as multi-factor authentication (MFA), is a good way to prevent unauthorized account access, but going passwordless is so much better. Virtually every data breach can be traced back to compromised passwords, with phishing being one of the most common attacks. Working from home multiplies this risk with insecure workspaces and an increased propensity for bad habits like writing passwords down.
Instead of passwords, business leaders should work with their security and IT managers to implement and deploy high-assurance credential-based passwordless authentication that merges the power of digital certificates with smartphone biometrics to create an employee’s trusted workplace identity, wherever that workplace may be. By eliminating the password, you effectively protect your organization from phishing attacks, which minimizes the risk of a data breach.”
Dave Wagner is CEO of Zix.
“World Password Day is an excellent time for individuals and businesses to reflect on their current password practices and ensure they are building the safest habits to protect themselves and their company from cyber-criminals. Many are under the assumption that if they are taking the steps to create unique passwords for each platform and application, they are secure. But it’s not enough.
The number of headline-grabbing breaches that have taken place over the last year highlights the critical need for safeguards across the entire company network. While there are a few different ways to protect login credentials beyond a simple username and password, one of the most popular and effective options is two-factor authentication (2FA). Implementing 2FA provides an extra layer of security by making users confirm their identity, most often via a unique code sent to the user’s phone or email address or through an authenticator app, after entering their username and password. It’s getting easier for cyber-criminals to breach even the most complex password, which is why implementing 2FA is critical.
Email is a common point of attack because it often contains sensitive and valuable communications. Organizations should also consider implementing an email security solution that conducts a security audit to analyze its admins, users, mailboxes, and rules for vulnerabilities such as outdated passwords so they can be resolved before a breach happens. Organizations should use World Password Day to evaluate their internal Password Policies and send reminders to employees and customers alike about the importance of good password hygiene.”
Russell P. Reeder is CEO of Infrascale.
1. Be Unpredictable
There are two common password attacks – Brute Force and Dictionary attacks. Both generally involve a bot, but can also be done manually, and involve trying a sequence of numbers and/or common words like 123456 – hence trying to crack a password using “brute force” or common “dictionary” words. To minimize this type of exposure, don’t make your passwords predictable.
2. Be Creative
Related to being unpredictable, consider creating a phrase and using the first or second letter of each word, or substituting a special character for letters and/or numbers. If you just don’t seem to have a creative bone in your body, you can always use a password generator. These are guaranteed to spit out some creative, and secure, password options.
3. Be Long
These days, when you are asked to create a password, most require a minimum length of 10-12 characters. The longer the password, the more possible combinations and permutations there are, and so the safer it generally is. However, don’t forget tips 1 and 2, because long common words and sequences of numbers are still easier to crack!
4. Be Smart
Believe it or not, one of the more common reasons passwords are compromised is because people share their credentials. Quite simply – never, ever share your password(s)! Also, be mindful of phishing – this is where you receive an email or text message asking you to confirm your details or take some other action where you need to enter your personal credentials. These types of acts are becoming increasingly sophisticated and can look very legitimate, like an email from your bank. As a good rule of thumb, unless you made a request, don’t ever enter your credentials. Or, if you have any doubts, contact the organization requesting the information directly.
5. Be Fresh
Refresh your passwords regularly. While it may seem onerous, and even if you think you have finally come up with the most secure password ever, one of the best ways to protect your password is to change it up regularly. In addition, you should use different passwords for different logins – yes, a different password for every login. Having a unique password for all your accounts assures that if or when one is compromised the others remain protected. Pro tip: If you can’t remember all your passwords, consider using a secure password manager.
Elena Elkina (she/her) is a Partner at Aleada.
“As the LinkedIn breach continues to showcase, many still use PASSWORD as a password. Single-word credentials are no longer safe. Instead, if you must remember your credentials, use passphrases. The danger with this method is that there is still a potential for re-use. The true recommendation is to use an auto-generated password from a password manager. And of course, any set of credentials should be placed behind MFA. We are still some time away from true passwordless authentication, however many players in the authentication space are taking this challenge on full force.”
Saryu Nayyar (she/her) is CEO of Gurucul.
“Passwords are the bane of the security team’s existence. Users use weak passwords, reuse the same passwords, refuse to change passwords, or simply forget them and need help resetting passwords. I thought self-service password reset options would have alleviated the help desk from resetting user passwords. However, it turns out that 20% to 50% of all IT help desk tickets are still for password resets (according to The Gartner Group).
We actually have the technology to eliminate passwords altogether, but that would require companies to indulge in passwordless authentication. MFA helps, but users really need to use better passwords. To be effective, passwords must be complex and over 16 characters in length. That’s why passwords fail: people can’t remember 17-character passwords that are unique for every system. Instead, users should use passphrases they can remember and then append or prepend numbers and characters to make these passphrases complex. “Every good boy does fine +123” works. Pick your favorite song lyric and year. Associate your passphrase with the target system to make it easier to remember. Whatever you do, don’t share your passwords and don’t reuse them. Once a cyber-criminal gains access to one of your target systems by cracking your password, all your other systems are at risk.”
Mathew Newfield is Chief Infrastructure and Security Officer at Unisys.
“Tip #1: Create your private passphrase rather than using a single word. This is a short statement that has meaning to you but is no longer than three or four words. An example of this would be: Puppies are cute. This will be your private passphrase and should not be shared with anyone.
Tip #2: Create a password key. This is your decoder! This key can be printed out and stored in your wallet or purse or even kept on your desk in plain sight. Without your private passphrase, it is useless.
Here’s an example password key:
- Use the first and last letter of each word in your passphrase (mix upper/lowercase).
- The letter “A” is substituted with “@” symbol.
- The letter “E” is substituted with the number 3.
- Add a two-letter (uppercase) designation for what you are authenticating to.
- Add a two-letter (lowercase) designation for the current season of the year.
- Add last two digits for the current year.
With your password key you will be able to transform your passphrase – e.g., Puppies are cute – into a complex password as demonstrated below.
Step 1: Use the first and last letters of each word in your passphrase: PSAECE
Step 2: Substitute A = @: PS@ECE
Step 3: Substitute E = 3: PS@3C3
Step 4: Add two uppercase letters for the authentication type (e.g., NW = network, etc.): PS@3C3NW
Step 5: Add two lowercase letters for the season (e.g., wr = Winter, sg = Spring, etc.): PS@3C3NWsg
Step 6: Add the last two digits of the current year: PS@3C3NWsg21
Bonus Tip: Periodic password changes are recommended; using this method one can simply change the season and year to maintain password complexity.”
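The six-step password key above is a deterministic transformation, so it can be written down and checked against the worked example. The following is an added example, not Unisys' or the author's own code: the passphrase, the NW, sg and wr codes and the year come from the page's example, while the function names and argument layout are assumptions made here.

```python
"""Worked implementation of the six-step 'password key' described above.

Added example; not Unisys' or the author's own code. The passphrase, the NW,
sg and wr codes and the year come from the page's worked example, while the
function names and the argument layout are assumptions made here.
"""
import string

# Steps 2 and 3 of the key: letter-for-symbol substitutions, applied in order.
SUBSTITUTIONS = (("A", "@"), ("E", "3"))


def first_and_last_letters(passphrase: str) -> str:
    """Step 1: first and last letter of every word, uppercased as in the example."""
    words = [w.strip(string.punctuation) for w in passphrase.split()]
    words = [w for w in words if w]
    if not words:
        raise ValueError("passphrase must contain at least one word")
    return "".join((w[0] + w[-1]).upper() for w in words)


def apply_key(passphrase: str, auth_type: str, season: str, year: int) -> str:
    """Steps 1 to 6: turn the private passphrase into the final password.

    auth_type is the two-letter system code (e.g. NW), season the two-letter
    season code (e.g. sg), year the calendar year; case is normalised here.
    """
    if len(auth_type) != 2 or len(season) != 2:
        raise ValueError("auth_type and season codes must each be two letters")
    core = first_and_last_letters(passphrase)
    for letter, symbol in SUBSTITUTIONS:
        core = core.replace(letter, symbol)
    return f"{core}{auth_type.upper()}{season.lower()}{year % 100:02d}"


def rotate(passphrase: str, auth_type: str, schedule) -> list:
    """Bonus tip: the same key re-applied for a sequence of (season, year) pairs."""
    return [apply_key(passphrase, auth_type, s, y) for s, y in schedule]


if __name__ == "__main__":
    print(apply_key("Puppies are cute", "NW", "sg", 2021))  # PS@3C3NWsg21
    schedule = [("sg", 2021), ("wr", 2021), ("sg", 2022)]
    for pw in rotate("Puppies are cute", "NW", schedule):
        print(pw)
```

Rotating only the season and year, as the bonus tip describes, changes just the final four characters; the six characters derived from the passphrase are identical in every rotation.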
Tom “TJ” Jermoluk is CEO of Beyond Identity.
“When World Password Day was established in 2013, the world recognized that passwords were a necessary evil, despite being a flawed and insecure method of authentication. But the root of the problem goes back to the foundation of the ‘commercial internet’ in the mid-1990s, when Netscape and others enabled widespread access and consumer accounts, prompting a massive need and meteoric rise in password use, and beginning an era of consumer insecurity and exposure.
Fast forward to today and the problem has ballooned. Verizon’s 2020 Data Breach Investigations Report (DBIR) revealed that 80 percent of breaches use stolen credentials, collected either through database leaks or phishing attacks. And even if you follow recommendations for password hygiene, criminals can still get their hands on your password through a range of means – from fraudulent ‘phishing’ sites to insecure password databases and even commandeering your phone to intercept password reset messages.
The industry has responded by putting an even greater burden – not to mention blame – on consumers, to compensate for what can only be described as a complete systemic failure and an unwillingness to upset the market apple cart by refusing to fix the foundational issue. Complexity and user frustration are ever-increasing with forced password resets, cumbersome password creation requirements, and extra steps for multi-factor authentication (MFA). In summary, consumers must expect and demand better of their internet security and end the ‘stupid user’ blame game. The industry itself is headed in this direction with corporations and groups advocating for the eradication of passwords – but the industry is not moving fast enough, and the technology exists to make change now.”
Tim Bandos is CISO at Digital Guardian.
“While a lot of the coverage about passwords focuses on business users, it’s really important not to overlook children and teens in this discussion. They will typically make some of the same types of common mistakes as adults when creating and using online passwords, but there are several that stand out the most for this age group.
One of the worst is sharing credentials with friends, boyfriends/girlfriends, etc. At that age, relationships tend to be shorter in duration and some kids end up using the shared access against each other such as posting inappropriate messages on social media accounts or conducting surveillance over account activity. This type of password-sharing behavior may even stem from early childhood when parents would share their credentials with their kids for accessing devices or online sites. This should be avoided at all costs.
Secondly, kids and teens are exposed to devices everywhere they go, from the library, to school, to a friend’s house, etc. It’s important to avoid entering your credentials on untrusted devices that you do not own, control, or completely trust. Devices in public places should only be used for anonymous web browsing and not for logging into any of your online accounts, since passwords can be easily stolen from these types of computers.
Finally, it’s important to avoid using personal information when creating any of your passwords. Young kids, and even adults for that matter, want to generate a password that is easy enough to remember. So they’ll use their name, birthdate, address, phone number, etc. These are all details that can be either easily guessed or end up further exposing you if a website is ever compromised.”
Dr. Mohamed Lazzouni is CTO of Aware.
“2020 saw a huge spike in cyber-crime following the COVID-19 pandemic, and as 2021 progresses the vulnerabilities continue to surge across all sectors. World Password Day was born to popularize some of the best practices in password protection, mainly the need to change passwords, use different ones for different applications, and choose complex compositions using letters, symbols, and numbers.
However, the benefits of varied, long, and complex passwords add to the burden and the anxiety of the user. Luckily, many technologies have progressed significantly to lower the friction without compromising on security. As an example, biometric authentication has gained considerable adoption amongst users, who simply use face or voice biometrics to unlock devices or sign into accounts.
If users must continue to use passwords, they should ensure they are following password hygiene practices, many of which are not difficult to implement, in order to remain resilient to attacks on their personal information.
- First, choose challenging passwords using a combination of letters, symbols, and numbers.
- Second, make them long enough and, where applicable, follow the guideline of the site providing password strength feedback.
- Do not use the same password across multiple accounts. This way, if a password associated with a lower-risk account is breached you prevent the attacker from carrying out additional breaches on higher-risk accounts that hold information such as financial records safeguarded by an often-used password.
- Be cautious of anyone reaching out to “verify” contact information. Knowing definitively who you are providing your information to is critical.
- Look for security options that include biometrics (face, voice, fingerprint) during verification processes.
- Avoid sharing sensitive information over e-mail or other non-encrypted methods.
- Beware of phishing attacks where password reset requests are disguised through websites and phone calls impersonating legitimate businesses or government agencies.
- And if you suspect you have been a victim of identity theft, immediately notify the concerned parties and authorities to report the incident.”
Tim Sadler is CEO and Co-Founder of Tessian.
“World Password Day is a great reminder to take inventory of our passwords, including where they are stored, whether you reuse them for multiple accounts, and their complexity. Tessian’s recent report found that 77 percent of people reuse passwords, and 21 percent use predictable cues like their favorite football team, their pet’s name, or birthdays when crafting passwords. The problem? These personal details are likely to be found on people’s social media channels, making it easy for hackers to scan publicly available information to try to crack passwords or even answer the security questions.
To prevent account takeover and business email compromise, CISOs and their teams should help educate employees about their social media footprint, cybersecurity best practices, and how to spot impersonation attacks. They should also reinforce the need for strong passwords that don’t include names or names of pets, birth dates, location, or other information that’s easy to find online. Even better, use a password manager like 1Password to randomly generate impossible-to-hack passwords. And while it can be tempting to reuse passwords that are easy to remember, never reuse or duplicate any passwords for personal or professional accounts. A bad actor could guess just one password and gain access to multiple accounts.”
Corey Nachreiner is CTO of WatchGuard Technologies.
“World Password Day has served as an annual reminder that we all need to practice better password security for nearly a decade. And yet, 80 percent of breaches began with brute force attacks or lost or stolen credentials last year. Attackers add millions of new usernames and passwords every day to the billions already available on the dark web. This has been the trend for years now, so at a certain point we have to ask if daily headlines on the latest security breaches and hacks aren’t enough of a cue to practice good password hygiene, is there much value in World Password Day?
Yes, it’s a helpful prompt to use best practices like changing passwords for your accounts regularly, choosing strong passwords or passphrases with at least 16 characters, using a unique password for every account, and leveraging password managers to keep track of them all. But these password security policies should be basic table stakes at every organization by now and should be required and reinforced all year long.
I believe that a ‘World MFA Day’ would be a more powerful and effective observance when it comes to strengthening corporate and individual security. Authentication is the cornerstone of good security, and multi-factor authentication means users must provide at least one additional token on top of their password to log into an account. These authentication tokens are typically something you are (biometric fingerprint or facial scans), something you have (like a hardware key or mobile phone) and something you know (like a password). MFA allows you to ensure that even if an attacker gains access to one of these tokens, like a user password, they’ll be unable to log in without the second (and sometimes third) authentication token. It’s an absolute no-brainer when it comes to addressing the widespread and persistent issues around poor password security and should be a primary focus for both businesses and individual users. So let’s make World MFA Day a reality in 2021!”
Ian Pitt is CIO of LogMeIn.
“This year’s World Password Day serves as another reminder that passwords play a pivotal role in protecting business information and enhancing overall security efforts. While organizations and individuals understand the importance of strong passwords, many continue to neglect password best practices leaving their organizations vulnerable to cyber-attacks. In fact, a large majority of people understand the risks associated with reusing the same password across multiple accounts, yet they still do it. As we approach a post-pandemic world and enterprises allow long-term remote work, cyber-criminals will continue to target those with poor security behaviors. Given this, companies need to encourage employees to improve password behaviors to increase the organization’s overall security. Below are some password best practices to ensure data is effectively protected.
- Give your passwords a safe home: Selecting the right password manager offers a safe, secure digital vault to store usernames and passwords.
- Generate unique passwords: Be sure to create strong and unique passwords for personal and business accounts, to decrease the chances of hackers compromising information.
- Implement multi-factor authentication: Turn on MFA when possible, to decrease hackers’ chances of accessing important information such as email and bank accounts.
- Update Software: Be sure to keep all home devices such as computers, mobile devices, or routers updated with the latest software, so others cannot tap into your network.”
Tyler Reese is Manager of PAM Strategy at One Identity.
“World Password Day this year is a reminder for organizations to acknowledge the gaps created by passwords and consider alternatives and the concept of a passwordless future. The most notorious breaches of the last year have all involved weak or compromised credentials, showcasing that passwords are still the easiest way for cyber-criminals to access a network. Stolen passwords are now more difficult than ever for IT teams to flag as a threat and can allow an unauthorized user to access a system undetected for a long period of time. Best practices such as enforcing the principle of least privilege, implementing multi-factor authentication, and educating employees on strong password hygiene will strengthen enterprises’ cybersecurity posture.
However, as long as the concept of requiring a person to remember multiple passwords is a major part of an organization’s security strategy, the risk still remains. Instead of solely relying on passwords, enterprises should implement multi-factor authentication to protect accounts from password compromises.
Organizations should also investigate behavioral biometrics technologies for identity access and authentication purposes. Using machine learning to identify a baseline of user behavior, systems can flag when users deviate from their typical behavior and take immediate action, shortening the time it takes to detect and remediate an incident. Combining consistent messaging to employees, access and authentication practices, auditing and behavioral biometrics creates a strong cybersecurity defense for enterprises, and will be fundamental to the industry’s step towards a passwordless future.”
Aaron Cockerill is Chief Strategy Officer at Lookout.
“Passwords need to go. We should not be celebrating World Password Day; we should celebrate the day no one ever needs to remember a password ever again. And that day is coming. But in the meantime, there is a lot of support to help us with systems that still require them. Password managers and even browsers now notify you when passwords are repeated or stolen, and they suggest longer and stronger passwords that they remember rather than you having to. And increasingly your password can be strengthened by things like second factors and biometrics. Increasingly, identity will be established using intelligent devices like your smartphone, leveraging both encryption and biometric sensors, and passwords will become a thing of the past. The challenge then is to know that your smartphone is safe.”
Chris Morales is Chief Information Security Officer at Netenrich.
“Good password security is not relying on a password for security. It is concerning that the cybersecurity industry still gives a false sense of hope as an excuse to continue to force a poor user experience on everyone. Passwords are stolen in large files and databases from poorly configured apps by the millions, or auth tokens are compromised for account takeover. For that reason, all passwords are useless regardless of strength.
It is insane that “what you know” is still the primary means of validating identity for online systems, which then provide complete access to a broad set of resources with no further validation. That would be like giving my house keys to a random man on the street who claims to be my mom and can prove it by telling me the name of my dog when I was a kid. Even worse if my mom is standing right next to me but doesn’t remember that dog’s name, so I trust the stranger but not her. Password complexity is the equivalent of expecting the stranger to give me a whole list of random facts as proof. Does not matter how much he knows. Still not my mom.
Sounds ridiculous right? The cybersecurity industry has built an authentication system that can only be considered inhumane and with a singular value of infuriating everyone. People are the victims, not the cause of breaches.
User access should be adaptive based on level of need and risk. A person should be allowed the appropriate level of access to the appropriate resources at the appropriate time. Most importantly, access should be fluid and not require an incomprehensible amount of user input or predetermined knowledge.
For authentication, the number of variables is more important than the level of complexity of those variables. No reason a password is anything more than a 4-to-6-digit PIN. Authentication can be based on who you are (biometrics), what you know (PIN), what you have (device/token) and where you are authenticating from (geolocation). Even then, authentication is not trust. Trust is situational awareness. What do you need, why do you need it, when do you need it, and what is your current operating environment? The operating environment is a measure of the risk of providing that access even when the need is justified and the identity asking is authenticated.
This is a combination of local authentication methods and remote risk analytics. Totally doable, and the outcome is less intrusive on the end-user, so we can stop blaming people for human error as to why a breach occurred. To err is human.”
Mike Puglia is Chief Strategy Officer at Kaseya.
“The average adult has more than 20 passwords they use, so it’s not surprising that 39 percent of people say most of their passwords across both their work and home applications are identical. There are billions of passwords available on the dark web, and password reuse makes it even easier for hackers to use stolen credentials to conduct phishing attacks and spread ransomware. In addition to reusing passwords, individuals often pick words or number combinations that are easy to remember. When we did a scan of nearly three million passwords found on the dark web in 2020, we saw that 92 of the top 250 most common passwords were first names or variations of first names.
Every year since the 1990s, there is some proclamation that passwords are going away – they aren’t. We’ve made great strides in areas like thumbprints, tokens, and facial recognition, but don’t expect passwords to disappear in the next few years.
According to the Verizon Breach Report, the number one malware variant isn’t ransomware—it’s password dumpers. Password dumpers are favored by cybercriminals because passwords get attackers so much more – they make it easier to propagate ransomware, steal data, and gain entry for long-term access. It’s also become so much easier for attackers to use those passwords. Adversaries no longer have to target millions of individual organizations one by one – they can simply attempt logins against the major cloud and SaaS sites, especially since almost every company has some employee accounts on Google, Microsoft or Amazon. Access to targets supporting 95% of the world’s organizations is a click away from any location.
The bar is now ridiculously low for attackers. It requires minimal technical ability, and the financial cost to carry attacks out is negligible. Simply buying credential lists and attack kits yields 0.2%-0.5% success rates, and the attacks can be run by anyone. Additionally, today’s targets are centralized into a small number of environments that everyone uses. As long as the success rates remain high and the cost and effort remains low, these attacks will continue to increase.
In 2001, I recall walking around with an RSA MFA token on my belt. Though 20 years later MFA is still not ubiquitous, the next few years will bring significant changes. The next five years will bring password plus MFA for all logins, with password only being the exception. It’s already happening with consumer accounts – banks, phones, even gaming systems – and now we are seeing it roll out across all business applications. Though MFA cannot stop 100% of attacks, it raises the effort and costs required for adversaries to be successful. It is the only way we start to lower the number of breaches.”
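Several of the experts above converge on the same concrete checks: reject predictable sequences and dictionary words (Reeder's tips 1 and 3), enforce a minimum of 16 characters (Nayyar, Nachreiner), and refuse passwords built from names, pet names, birthdays or a favorite team (Tessian's report, Puglia's finding that first names dominate leaked lists). The following is an added example, not code from Kaseya, Tessian, Infrascale, Aware or any vendor quoted here, of how a registration form or password audit could encode those checks; the word lists, the sample profile and every function name are constructed for the demo, and it goes a step beyond the page by also reversing common letter-for-symbol swaps before comparing.

```python
"""Password-policy checks built from the advice quoted on this page.

Added example; not code from Kaseya, Tessian, Infrascale, Aware or any other
vendor quoted here. The word lists, the sample profile and the function names
are constructed for the demo; the 16-character minimum follows Nayyar's and
Nachreiner's recommendation above.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

MIN_LENGTH = 16

# Constructed stand-ins: a real policy loads a breached-password list and a
# full first-name list (Puglia found first names in 92 of the top 250).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
FIRST_NAMES = {"michael", "jessica", "daniel", "ashley", "jennifer", "david"}

# Undo the usual letter-for-symbol swaps so "J3ss1ca" is compared as "jessica".
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
EDGE_CHARS = "0123456789 !@#$%^&*()_+-=."


@dataclass
class Profile:
    """Details an attacker can read off social media (Tessian's point above)."""
    first_name: str = ""
    last_name: str = ""
    pet_name: str = ""
    birth_date: str = ""  # YYYY-MM-DD
    team: str = ""


def normalize(password: str) -> str:
    """Lower-case, drop digits/symbols at either end, then reverse leet swaps."""
    return password.lower().strip(EDGE_CHARS).translate(LEET)


def is_sequence(s: str) -> bool:
    """True for runs such as 123456, abcdef, 654321 or aaaaaa (Reeder's tip 1)."""
    if len(s) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps in ({0}, {1}, {-1})


def personal_tokens(profile: Optional[Profile]) -> Set[str]:
    """Name, pet, team and the common ways a birth date gets written."""
    if profile is None:
        return set()
    tokens = {profile.first_name, profile.last_name, profile.pet_name, profile.team}
    if profile.birth_date:
        y, m, d = profile.birth_date.split("-")
        tokens |= {y, y[2:], d + m, m + d, d + m + y, m + d + y, d + m + y[2:], m + d + y[2:]}
    return {t.lower() for t in tokens if len(t) >= 2}


def check_password(password: str, profile: Optional[Profile] = None) -> List[str]:
    """Return every policy violation; an empty list means the password passes."""
    problems = []
    core = normalize(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if core in COMMON_PASSWORDS:
        problems.append("is a common password")
    if is_sequence(core) or is_sequence(password):
        problems.append("is a numeric or alphabetic sequence")
    if core in FIRST_NAMES:
        problems.append("is a first name or a simple variation of one")
    for token in sorted(personal_tokens(profile)):
        if token in core or token in password.lower():
            problems.append(f"contains personal detail '{token}'")
    return problems


if __name__ == "__main__":
    # Constructed profile for the demo run.
    me = Profile(first_name="Jessica", pet_name="Biscuit", birth_date="1990-04-12")
    for candidate in ("123456", "P@ssw0rd12345678", "J3ss1ca!2021",
                      "Every good boy does fine +123"):
        print(f"{candidate!r}: {check_password(candidate, me) or 'OK'}")
```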
Thanks to these cybersecurity professionals for their advice on how to make the best password. For more information on stronger, more secure passwords and other identity management best practices, check out the Identity Management Buyer’s Guide or the Solutions Suggestion Engine.