Yes, we know what you’re thinking: you’re already juggling more online logins than you ever thought imaginable and you’d rather not spend any more time thinking about them. That’s fair. But the truth is, the passwords you choose and how you manage them have implications on a global scale: more than 80% of data breaches result from stolen and/or weak passwords.
At SpyCloud, we spend a lot of time thinking about passwords because their misuse has proven to be one of the most persistent contributing factors to the increase in cybercrime. We also know that passwords aren’t going away anytime soon. What better occasion than World Password Day to share our top 5 tips for stronger passwords and stronger account protection overall.
1. Choose a Complex, 16+ Character Password or Passphrase
By now, you would think all the advice about the importance of strong passwords would have sunk in. And yet, among the passwords SpyCloud recaptured from breaches last year alone, “123456” was found over 9.8 million times, “password” was found over 1.2 million times, and “qwerty” was found 719,178 times. Passwords that are easy for us to remember are easy for criminals to guess, and the most common ones don’t even need guessing: they sit at the top of every attacker’s wordlist. This makes us vulnerable to password spraying, a brute-force variant in which a cybercriminal tries a short list of common passwords against a long list of usernames at a particular site, staying under the lockout threshold for any single account. Once a combination works, the criminal tests that same username and password pair against as many other sites as possible (credential stuffing, covered in the next tip).
In addition, our testing showed that a password of 16+ random letters, numbers and symbols would take centuries to crack regardless of the hashing algorithm the site uses (provided it hashes passwords at all rather than storing them in plaintext). Note that this holds for random passwords: a 16-character string built from dictionary words, dates or keyboard patterns is far weaker than its length suggests. It’s a good reminder that while the way a company protects passwords is out of users’ control, we can take responsibility for our own account security by creating longer, genuinely random passwords.
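To make the crack-time reasoning concrete, here is an added Python example (not SpyCloud’s code, and not the figures behind its testing). It generates a password from a 94-symbol alphabet with a cryptographically secure random source, computes the entropy of a uniformly random string, and estimates how long an exhaustive search would take at two assumed guess rates: a fast unsalted hash at 1e11 guesses per second and a slow bcrypt-class hash at 1e4 per second. Those rates are illustrative assumptions, as is the 7776-word diceware list size used for the passphrase comparison.

```python
import math
import secrets
import string

# Character set a typical password manager draws from: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Illustrative guess rates (assumptions for this example, not measurements):
# a fast unsalted hash such as MD5 on a multi-GPU rig versus a slow, tunable
# hash such as bcrypt at a realistic work factor.
GUESS_RATES = {
    "fast hash (MD5-class)": 1e11,
    "slow hash (bcrypt-class)": 1e4,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 16) -> str:
    """Draw `length` symbols uniformly from ALPHABET using a CSPRNG (never random.choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size).
    Only valid when every symbol is chosen independently and uniformly."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate (keyspace / rate).
    An attacker expects to succeed after about half of these on average."""
    keyspace = alphabet_size ** length
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def crack_estimates(alphabet_size: int, length: int) -> dict:
    """Years to exhaust the keyspace under each assumed guess rate."""
    return {name: years_to_exhaust(alphabet_size, length, rate)
            for name, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    pw = generate_password(16)
    print(f"generated: {pw}  ({entropy_bits(len(ALPHABET), 16):.1f} bits)")
    for length in (8, 12, 16):
        for name, years in crack_estimates(len(ALPHABET), length).items():
            print(f"{length:2d} random chars, {name}: {years:.3g} years")
    # Six words drawn uniformly from a 7776-word diceware list: strong and memorable.
    print(f"6-word passphrase: {entropy_bits(7776, 6):.1f} bits")
```

The numbers make the point of the tip: 8 random characters fall in under an hour against a fast unsalted hash, while 16 random characters exceed 10^12 years even at the fast rate, so the site’s choice of hash stops mattering once the user’s entropy is high enough. A password built from words or patterns has far fewer possibilities than 94^length, so the formula does not apply to it.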
2. Make Passwords Unique Across Accounts
Given the explosion of digital services in recent years and the global shift to remote work in 2020, most people are juggling more online logins than ever. Criminals rely on stolen credentials to perpetrate fraud and they act on the assumption that if you use a password for one account, you probably use the same password for another. But despite widespread education on this topic, SpyCloud has observed a 60% password reuse rate in our recaptured breach data for each of the last two years, so it appears the problem isn’t getting better. Automated credential stuffing tools make it easy for criminals to test stolen credential pairs against a large number of websites to see which additional accounts they can take over, which is why password reuse is so dangerous.
Make it easy on yourself: use a password manager to generate and store unique passwords for your hundreds of online logins.
3. Don’t Mix Business Logins with Personal Accounts
Over 76% of Fortune 1000 employees reuse passwords across work and personal accounts. This may look like the same problem as above, but the nuance here is that carelessness at home puts employers at risk: if your streaming or gaming account is compromised and you reuse that password (or a variation of it) at work, cybercriminals can pivot from your personal accounts into your professional ones.
4. Use Multi-Factor Authentication
When first introduced, multi-factor authentication (MFA) was sold as a “magic bullet” designed to plug the gaps in password security. Requiring users to provide something they know (a password) plus something they are (biometrics) or something they have (a smartphone token or hardware key) is an important layer of protection and will deter many attacks. As with any deterrent, criminals have found ways around it (relaying one-time codes through phishing pages in real time, SIM swapping, or flooding a user with push prompts until one is approved), but that doesn’t mean you shouldn’t use it. Where a service offers a choice, prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or passkeys over SMS codes, and turn MFA on for every account that supports it: a reused password is only as protected as the one site that lacks it.
5. Lean Into NIST Guidelines
The National Institute of Standards and Technology (NIST) develops rules with which federal agencies must comply, but its guidelines are helpful for private sector organizations as well. One of the most critical aspects of NIST’s password guidance (SP 800-63B) is to block the use of passwords contained in previous breach corpora. This means that any password that has been exposed in a data breach, no matter how complex, should be rejected when a user tries to set it.
While enterprises can enforce many NIST guidelines through the built-in settings provided by most directory services (including Microsoft Active Directory), comparing passwords to an ever-evolving list of exposed passwords is not out-of-the-box functionality, and comparing passwords to a static list will not satisfy NIST’s guidance, because such a list is out of date the day it is compiled. New breaches happen all the time, continually adding to your organization’s risk exposure, so consider third-party services to enhance Active Directory’s capabilities in this regard.
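As an added example (not SpyCloud’s product or any Active Directory code), the following Python models the breach-corpus check NIST SP 800-63B calls for. Exposed passwords are indexed by the first five hex digits of their SHA-1; the client hashes locally, sends only that prefix (the k-anonymity range design that breach-lookup services use) and compares the returned suffixes locally, so neither the password nor its full hash leaves the client. The corpus is a constructed list of a few strings, not real breach data, and the ingest step at the end shows why a static list goes stale.

```python
import hashlib
from typing import Callable, Iterable, List, Set

# Constructed stand-in for a breach corpus (not real breach data). A real feed
# holds billions of entries and grows with every new breach.
INITIAL_CORPUS = ["123456", "password", "qwerty", "Summer2023!", "Tr0ub4dor&3x!2024"]

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form range-lookup services index."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachCorpus:
    """Exposed passwords indexed by the first five hex digits of their SHA-1.
    A lookup reveals only a prefix shared by many hashes, never a password."""

    def __init__(self, passwords: Iterable[str] = ()):
        self._suffixes_by_prefix: dict = {}
        for pw in passwords:
            self.add(pw)

    def add(self, password: str) -> None:
        """Ingest a newly exposed password; the corpus must keep growing to stay useful."""
        digest = sha1_hex(password)
        self._suffixes_by_prefix.setdefault(digest[:5], set()).add(digest[5:])

    def range_query(self, prefix: str) -> Set[str]:
        """Server side: return every stored hash suffix for a 5-hex-digit prefix."""
        if len(prefix) != 5 or any(c not in HEX_DIGITS for c in prefix):
            raise ValueError("prefix must be exactly five uppercase hex digits")
        return set(self._suffixes_by_prefix.get(prefix, ()))


def password_is_exposed(password: str, range_lookup: Callable[[str], Set[str]]) -> bool:
    """Client side: hash locally, send only the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_lookup(digest[:5])


def evaluate_policy(password: str, corpus: BreachCorpus, min_length: int = 8) -> List[str]:
    """SP 800-63B-style verifier checks: minimum length and absence from the
    breach corpus. Returns the failed rules; an empty list means acceptable."""
    failures = []
    if len(password) < min_length:
        failures.append("shorter than minimum length")
    if password_is_exposed(password, corpus.range_query):
        failures.append("found in breach corpus")
    return failures


if __name__ == "__main__":
    corpus = BreachCorpus(INITIAL_CORPUS)
    for candidate in ["password", "Tr0ub4dor&3x!2024", "Winter2024!"]:
        print(candidate, evaluate_policy(candidate, corpus) or "ok")
    # A static list goes stale: ingest a fresh breach and the verdict changes.
    corpus.add("Winter2024!")
    print("after ingest:", evaluate_policy("Winter2024!", corpus))
```

Two details carry the security argument. “Tr0ub4dor&3x!2024” passes every complexity rule yet is rejected because it is in the corpus, which is exactly the “no matter how complex” point above; and “Winter2024!” is accepted until the new breach is ingested, which is why a list frozen at deployment time does not meet the guidance.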
As a user, you can also sign up for proactive monitoring from SpyCloud for free. Once you click the “Get Access” button and sign up, you’ll get an alert whenever we find your email address + password in a data breach. It’s a warning to change your password for that service (and any other services where you use the same or a similar password) to something new, complex, and unique.
With online services getting breached on a regular basis, leaked or stolen passwords pose a severe threat as long as we keep reusing them. Password managers are important, and so is continuous monitoring for exposed credentials, but for organizations, educating users on the risks of poor password hygiene is also critical. If there is one variable cybersecurity measures can’t address, it’s human behavior. These practices and tips should be first steps toward building a strong password framework for yourself and your organization.