World Password Day 2023 – Password Tips and Best Practices

Thursday, May 4, 2023, is World Password Day. Established in 2013, the event is observed on the first Thursday of May with the goal of improving awareness of the importance of creating complex and unique passwords and adopting password best practices to keep sensitive information private and confidential.

Passwords were first used to protect accounts against unauthorized access in computing environments in the 1960s. In 1961, researchers at the Massachusetts Institute of Technology (MIT) started using the Compatible Time-Sharing System (CTSS). The system ran on an IBM 709 and users could access the system through a dumb terminal, with passwords used to prevent unauthorized access to users’ personal files.

The system is widely believed to be the first to use passwords and was also one of the first to experience a password breach. In the mid-1960s, MIT Ph.D. researcher Allan Scherr needed more than his allotted 4-hour CTSS time to run performance simulations he had designed for the computer system. He discovered a way to print out all passwords stored in the system and used the passwords to gain extra time.

Passwords are now the most common way to secure accounts, and while passwordless authentication, such as biometric identifiers and single sign-on, is becoming more popular, in the short to medium term passwords are likely to remain the most widely used way of authenticating users and preventing unauthorized account access.

The Importance of Creating Strong Passwords

The use of passwords carries security risks, which World Password Day aims to address. One of the most common ways for hackers to gain access to accounts is to use stolen passwords. Phishing is used to target employees and trick them into disclosing their passwords, either via email, phone (vishing), or text message (SMiShing). Adopting 2-factor authentication will help to stop these attacks from succeeding. According to Microsoft, 2-factor authentication blocks more than 99% of automated attacks on accounts.

Hackers also use brute force tactics to guess weak passwords and take advantage of default credentials that have not been changed. If rate limiting is not implemented to lock accounts after a set number of failed login attempts, weak passwords can be guessed in a fraction of a second. Even strong passwords can be guessed in seconds or minutes if they are not sufficiently long.

In 2020, Hive Systems started publishing charts showing the time it takes for a hacker to brute force a password using a powerful, commercially available computer, and each year the table is updated to account for advances in computing technology. The chart clearly demonstrates the importance of creating strong passwords that include a combination of numbers, symbols, and upper- and lower-case letters, and ensuring passwords contain enough characters. We recommend a minimum password length of 14 characters.

How Long Does it Take a Hacker to Brute Force a Password in 2023. Source: Hive Systems.
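The reason the Hive Systems chart makes length matter more than any single character class is simple arithmetic: the number of candidate passwords grows as alphabet size raised to the power of the length, so adding characters multiplies the search space while adding a character class only widens the base. The following added example (not code from HIPAA Journal or Hive Systems) computes keyspace, entropy in bits, and the worst-case time to exhaust the keyspace for a few password shapes. The guess rate of 10^10 guesses per second is an illustrative assumption chosen for this example, not a figure from the chart.

```python
import math

# Sizes of the character classes a password can be drawn from.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32

# Attacker guess rate used for the time estimate. This is an illustrative
# assumption chosen for the example, not a figure taken from Hive Systems.
ASSUMED_GUESSES_PER_SECOND = 10**10


def alphabet_size(lower=True, upper=False, digits=False, symbols=False):
    """Number of distinct characters available given the classes in use."""
    return ((LOWER if lower else 0) + (UPPER if upper else 0)
            + (DIGITS if digits else 0) + (SYMBOLS if symbols else 0))


def keyspace(length, alphabet):
    """Total number of passwords of exactly `length` chars over `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(length, alphabet):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet)


def worst_case_seconds(length, alphabet, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to exhaust the whole keyspace at `rate` guesses per second."""
    return keyspace(length, alphabet) / rate


def human_duration(seconds):
    """Render a duration in the largest convenient unit, one decimal place."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare(rate=ASSUMED_GUESSES_PER_SECOND):
    """Entropy and worst-case exhaustive-search time for a few password shapes."""
    full = alphabet_size(True, True, True, True)  # 94 characters
    shapes = [
        ("8 chars, lowercase only", 8, alphabet_size()),
        ("8 chars, all four classes", 8, full),
        ("14 chars, lowercase only", 14, alphabet_size()),
        ("14 chars, all four classes", 14, full),
    ]
    return [(label, round(entropy_bits(n, a), 1),
             human_duration(worst_case_seconds(n, a, rate)))
            for label, n, a in shapes]


if __name__ == "__main__":
    for label, bits, duration in compare():
        print(f"{label:28} {bits:6.1f} bits  {duration}")
```

Note that a 14-character lowercase-only password carries more entropy (about 65.8 bits) than an 8-character password using all four classes (about 52.4 bits), which is why the article's 14-character minimum does more for security than any composition rule on its own. The estimate assumes a uniformly random password; a password built from a dictionary word has a far smaller effective keyspace than these figures suggest.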

Password Management Shortcuts Weaken Security

Creating and remembering long, complex passwords is difficult for most people, and it is made even harder by the need to create passwords for multiple accounts; a study by NordPass suggests the average person has around 100 passwords. Many people struggle to create and remember even one strong, unique password, so with so many accounts to secure it is unsurprising that they take shortcuts, but those password management shortcuts significantly weaken password security.

It is common for users to avoid creating unique passwords and they end up reusing the same password for multiple accounts. The problem with this is that if the password is compromised on one platform, either through brute force tactics, a phishing scam, or another method, all other accounts that use that password are at risk. Hackers take advantage of this common bad practice using a technique called credential stuffing. If they obtain a list of usernames and passwords from a data breach, they will attempt to access accounts on other unrelated platforms using those username and password combinations. This method only succeeds if there has been password reuse.

Changing passwords slightly by adding a number or substituting characters when creating new accounts isn’t much more secure, and will leave accounts susceptible to brute force attacks. If a hacker obtains a username and password combination, various permutations of that password will be attempted with that username. Writing down passwords is also a very bad idea.

Many businesses have implemented minimum complexity requirements for passwords, stipulating a minimum password length and composition requirements, yet it is common for employees to take shortcuts to make passwords easier to remember. It is possible to create a password that meets minimum complexity requirements yet is still incredibly weak. ‘Password’ is still one of the most commonly used passwords and it is usually the first one that is attempted when trying to hack an account. ‘P4ssw0rd!’ would meet the password complexity requirements imposed on many platforms, but it is still incredibly weak and offers next to no protection.

Global Password Management Survey Reveals Poor Password Management Practices

The 2023 Global Password Management Survey conducted by password management solution provider Bitwarden ahead of World Password Day confirms that extremely risky password practices are still incredibly common. The survey was conducted on more than 2,000 Internet users in the United States, United Kingdom, Australia, Germany, France, and Japan and asked questions about personal passwords, password habits at work, and the strategies that are adopted for managing passwords.

Despite the risks, 90% of respondents admitted to reusing passwords for multiple accounts, up from 85% in 2022. In 2023, 19% of respondents said they reuse passwords on 1-5 sites, 36% reuse passwords on 5-10 sites, 24% reuse passwords on 10-15 sites, and 11% use the same password to secure more than 15 sites. 22% of respondents said they have been reusing the same password for more than a decade!

While password manager use is increasing – 84% of respondents said they use a password manager at work – 54% of respondents said they store passwords in a document on their computer, and 29% write their passwords down. 54% of respondents said they rely on memory for managing passwords, up from 49% last year, which explains why 58% of respondents admitted to resetting their passwords regularly because they forget them. 12% of respondents said they reset passwords on a daily basis for this reason. Last year, 54% of respondents said their organization had experienced a cyberattack, with the percentage increasing to 60% this year, and 26% of respondents said they had been affected by a data breach in the past 18 months.

Account security can be greatly improved with 2-factor authentication, and while there are strong feelings that the additional authentication makes accessing accounts cumbersome, 2-factor authentication is now being widely adopted. 92% of respondents said they use 2-factor authentication in the workplace, up from 88% last year. When asked why 2-factor authentication is not used for business or personal use, 48% said it was not used due to unawareness of the benefits, 47% said because passwords were believed to be strong enough, and 41% said because they did not think that accounts would be hacked. The same percentage said 2-factor authentication was not used because it slows down workflow.

2-factor or multi-factor authentication is vital for protecting accounts. In the event of a phishing attack where an employee discloses their password, 2-FA/MFA can prevent that password from granting access to the account, thus preventing a costly data breach. However, while any form of 2-FA/MFA is better than single-factor authentication, phishing-resistant MFA provides the best protection. Threat actors are now using phishing kits that are capable of stealing session cookies and MFA codes, thus bypassing MFA. Phishing-resistant MFA removes the phishable human element and provides far greater protection. Further information on implementing phishing-resistant MFA has been published by CISA.

Password Security and Management Tips

World Password Day 2023 is the perfect time to assess password security and take steps to ensure that all accounts are properly secured with strong and unique passwords, and start following password best practices:

  • Ensure a strong, unique password is set for all accounts
  • Use a combination of upper- and lower-case letters, numbers, and symbols in passwords
  • Use easy-to-remember passphrases of at least 14 characters rather than passwords
  • Never reuse passwords on multiple accounts
  • Don’t use information in passwords that can be found in social media profiles (DOB, spouse or pet name, etc.) or is known to others
  • Ensure 2-factor authentication is set up, especially for accounts containing sensitive data
  • Use a secure password generator to generate random strings of characters
  • Avoid using dictionary words and commonly used passwords
  • Use a password manager for creating strong passwords and secure storage, and set a long and complex passphrase for your password vault.
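Two points above are easy to demonstrate in code: a composition rule that 'P4ssw0rd!' satisfies while remaining trivially weak, and a password generator built on a cryptographically secure random source. The following added example (not code from HIPAA Journal) implements a naive "three of four classes" rule beside a check that normalizes common character substitutions before comparing against a blocklist, plus generators for random passwords and passphrases. The blocklist and word list are constructed stand-ins labelled as such; a real deployment would use a large breach corpus and a vetted word list such as the EFF long wordlist.

```python
import re
import secrets
import string

MIN_LENGTH = 14  # the article's recommended minimum

# Constructed stand-in for a breached/common-password blocklist. A real
# deployment would load a large corpus; these entries are illustrative only.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein",
                    "welcome", "admin", "iloveyou"}

# Constructed word list for the passphrase generator. Real systems use a
# large vetted list such as the EFF long wordlist (7776 words).
WORDLIST = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier",
            "harbor", "ivory", "juniper", "kelp", "lantern", "marble", "nectar",
            "orchid", "pebble", "quartz", "raven", "saffron", "tundra"]

# Common character substitutions undone before checking the blocklist.
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_naive_complexity(pw):
    """The usual '8+ characters, three of four character classes' rule.
    'P4ssw0rd!' passes it, which is exactly the problem the article describes."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) >= 8 and classes >= 3


def normalize(pw):
    """Collapse a password to the word it is built from: lower-case it,
    drop trailing digits/symbols, then undo leet-style substitutions."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET_MAP)


def check_password(pw):
    """Return a list of policy failures; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("is a common password, possibly with character substitutions")
    return problems


def generate_password(length=20):
    """Random password over all four classes drawn from the OS CSPRNG via
    `secrets`, resampled until it also passes the class rule and the policy check."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_naive_complexity(pw) and not check_password(pw):
            return pw


def generate_passphrase(words=5, sep="-"):
    """Random passphrase: `words` entries drawn with replacement from WORDLIST."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(words))


if __name__ == "__main__":
    # 'juniper-lantern-quartz-raven' is a constructed sample passphrase.
    for candidate in ("P4ssw0rd!", "Password1", "juniper-lantern-quartz-raven"):
        print(f"{candidate!r}: naive rule passes={meets_naive_complexity(candidate)}"
              f" problems={check_password(candidate)}")
    print("generated password:", generate_password())
    print("generated passphrase:", generate_passphrase())
```

Running it shows the inversion the article warns about: the naive rule accepts 'P4ssw0rd!' and 'Password1' yet rejects a long lowercase passphrase, while the normalized blocklist check does the opposite. `secrets` is used rather than `random` because the latter is not suitable for security-sensitive values.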

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.