These days virtually every device, app or website requires a password. It is estimated that by 2020, the number of passwords used by humans and machines worldwide will grow to 300 billion. With that many passwords flying around, it’s important to consider some common mistakes and password best practices.
9 common mistakes when creating passwords
The 2019 Verizon Data Breach Investigations Report found that 80% of hacking-related breaches involved weak password credentials. In the 2017 report this data point was 81%, so the lack of change shows how much of an issue weak passwords continue to be. Varonis has found that 65% of companies with 500+ users never prompt users to change their passwords. It is also estimated that 28% of adults in the US use the same password for all of their online accounts.
Troy Hunt identified some of the worst passwords in version 2 of his Pwned Passwords. Included in the list were 123456, 123456789, qwerty, password, 111111, 12345678, abc123, password1, 1234567, and 12345. The National Cyber Security Centre in the United Kingdom found in a breach analysis that 23.2 million victim accounts worldwide used 123456 as the password.
CNBC outlines 9 of the biggest password mistakes:
- Changing passwords too often
- Making them too complex
- Not screening them against lists of compromised passwords
- Recycling the same passwords
- Being too familiar (using pet names, birthdates, etc.)
- “Remembering” password on a device
- Using common, easily hacked characters (123456, qwerty, etc.)
- Not password protecting mobile devices
- Storing a password list on a computer
Password Best Practices
Now we know what not to do! Let’s review recommended best practices for setting and storing passwords.
- Create a strong password – There are lots of opinions about what makes a strong password. In general, a strong password combines upper- and lower-case letters, numbers, and special characters. Opinions on password length range from 8 to over 20 characters. Create a different strong password for each account, website, and device.
- Stay away from the obvious – Avoid common passwords like those noted above and easily identifiable personal information.
- Leverage two-factor authentication – With two-factor authentication, just having your password isn’t enough. This precaution requires a PIN or code that is sent to you via email, SMS or an app to be entered along with the password.
- Test your password – Make sure your password is up to security standards by running it through an online testing tool. Microsoft’s Safety & Security Center offers a password testing tool that helps individuals and organizations create passwords that are less likely to be hacked.
- Use a password manager – While people are good at remembering a great many things, relying on human memory to store important passwords is risky. A password manager stores the unique passwords you have created for every website and will even help come up with passwords. It generally installs as a browser plug-in to handle the capture and replay of passwords. Recently, PCMag reviewed popular password managers for 2019, including Dashlane, Keeper Password Manager & Digital Vault, and LastPass Premium.
- Change your passwords – It is tempting to keep using the same password, but changing your password periodically is a good idea. The Better Business Bureau suggests changing passwords every 30 days. However, many security professionals believe changing passwords frequently makes things worse, because people have too many passwords to remember and fall back on simpler ones. Definitely change your passwords after a security incident or cyber attack, after unauthorized access, or after you have logged into an account on a public computer.
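The strength, screening and generation advice above can be put together in one small policy checker. The following is an added example, not code from the original article or from any product it mentions: it applies length and character-class rules, screens candidates against a compromised-password list using the same SHA-1 prefix/suffix split that a Pwned Passwords range lookup uses (so only the first five hex characters of the hash would ever leave the client), and generates passwords with the `secrets` module. The minimum length of 12 and the five-entry breached list are constructed assumptions for the example.

```python
"""Password policy checker: length/character-class rules, breached-password
screening in the SHA-1 prefix/suffix form used by Pwned Passwords range
lookups, and strong-password generation. Added example; the breached list
below is a constructed stand-in for a real range-query response."""
import hashlib
import secrets
import string
from typing import Dict, List, Set

# Assumption for this example: the article gives a range of 8 to 20+ characters;
# 12 is chosen here as the enforced minimum.
MIN_LENGTH = 12

# Constructed sample of breached passwords (all appear in the worst-password list
# quoted above). A real deployment would consult a full breach corpus instead.
_SAMPLE_BREACHED = ["123456", "password", "qwerty", "password1", "abc123"]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form range lookups work with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index breached hashes as prefix (5 hex chars) -> set of 35-char suffixes.
BREACHED_RANGES: Dict[str, Set[str]] = {}
for _pw in _SAMPLE_BREACHED:
    _h = sha1_upper(_pw)
    BREACHED_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def is_compromised(password: str) -> bool:
    """Screen without revealing the password: only the 5-char prefix selects a
    range; the suffix comparison happens locally against that range."""
    h = sha1_upper(password)
    return h[5:] in BREACHED_RANGES.get(h[:5], set())


def policy_problems(password: str) -> List[str]:
    """Return a list of rule violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": any(c.islower() for c in password),
        "uppercase": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    if is_compromised(password):
        problems.append("appears in a breached-password list")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password with the OS CSPRNG and re-draw until it
    satisfies the policy (all four character classes present, not breached)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_problems(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ["password1", "qwerty", generate_password(20)]:
        print(repr(sample), policy_problems(sample) or "OK")
```

The screening step is the one most policies skip: a password can satisfy every complexity rule and still be the exact string an attacker tries first because it already appeared in a breach dump.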
Protect yourself and your information
Take the following steps to protect yourself and your data:
- Regularly back up all of your important data at both the organizational and individual level. For instance, implement an easy-to-use endpoint backup and protection solution like Data Deposit Box.
- Ensure versioning is in place for files, sync and backups. This means saving versions of documents to protect against accidental deletion and for audit purposes.
- Ensure you and your employees are regularly trained on cybersecurity, proper data handling and storage, and password protection practices.
Remember, it only takes one weak password to compromise your systems, network and data. Don’t be a victim: proactively protect your systems, network and invaluable data by acting on these 9 tips on what not to do and 6 tips on what to do.