What We Learned After World Password Day

What We Learned After World Password Day



After the recent strike of the Heartbleed bug that hit openSSL and further shook the world’s trust in the security of the web, the importance of educating people on how to create and use passwords online became even more striking. Discussions about cyber space security have always been an integral part of the development of the web and this is still an ongoing issue.

Security breaches and identity thefts are on a constant rise ever since the Internet emerged as a global information source and communication tool. Unfortunately, security issues often arise from bad password practices, which is why we need to keep discussing the best ways to use them.

World Password Day and the idea behind it

Since majority of web users, especially non-technical ones, keep using (and re-using) weak passwords for their online accounts, a great deal of personal profiles is under a constant threat. To promote safe web browsing and increase the awareness of the importance of using strong passwords, leading tech organisations celebrated World Password Day on May 7th.

World Password Day | Crucial

World Password Day is a public service announcement initiated by Intel Security and supported by Microsoft and other major organisations such as Toshiba, Dell, Acer and Samsung. Their primary goal is to reach the web community and outline the common password creation problems.

90% of all online accounts vulnerable

An alarming fact highlighted by the organizers of the World Password Day is that 90% of all passwords are vulnerable to hacking. Using the information about passwords stolen from websites such as Facebook, Google and Yahoo!, the team behind the World Password Day drew our attention to common problems weak passwords can lead to. To support their cause, we’ll name just a few security breaches that affected millions of users in the past couple of years.

Facebook openly admitted that millions of accounts are hacked every day, many of which are done through self-XSS (self cross-site scripting) attacks. This type of scam recently hit India and is still around.

Linkedin also suffered a major attack in 2012 when nearly 6.5 million passwords were stolen, preventing users to access their accounts. The second largest email service Yahoo! had reported a password breach in January this year, and only few weeks ago, AOL also suffered a security incident. The list, unfortunately, goes on…

World Password Day | Crucial

All these breaches prove that most of the passwords currently circulating the web are weak and unsafe.  The first step towards enhancing general cyber space security is to outline the ways problems may appear in the first place. Having said that, let’s have a look at some reports related to common password (mis)behavior and consider problems associated with it.

Worst passwords of 2013

Back in January 2014, SplashData announced its annual list of the worst 25 passwords used on the Internet. The list is based on files that contain millions of leaked passwords posted on the web and the first place went to “123456” that pushed the 2012 winner “password” to the second place.

Other dummy passwords found in the top ten included “111111,” “abc123” and “iloveyou.” Suffice to say that if you use any of the passwords listed above, you should change them as soon as possible and forget about using them again.

By using some of these passwords or constantly coming up with similar ones (involves all combinations of ordered numbers 1-8, for example) you make your online account highly vulnerable to attacks. Now, since the hacking activities increase proportionally to the growth of the web, this is a problem that requires your immediate attention for obvious reasons.

Don’t wait until another major breach puts your personal information, financial data or important documents at risk.

More than half of the web reuses the same passwords

Besides choosing obvious passwords, internet users often access multiple accounts with a single one. As reported by Ofcom, 55% of the UK adults are found to take this security risk, which is the case with other countries as well.

When it comes to setting passwords, many people choose simplicity over security, i.e., they’d rather use a single password for everything online than having to memorize different ones. However, with a variety of password managers currently available for free, not even this should be such a big deal.

World Password Day | Crucial

If you intend to reset some passwords (and it’s advisable that you do) check out some solutions such as LastPass, SplashID Safe or KeePass.

Common letter-number substitutions are not a good idea either

Since one of the best pieces of advice concerning creating good passwords is to use mixed numeric and alphabetic characters, many people are reasonably tempted to make simple letter-number substitutions. If you are among the people who regularly substitute an ‘a’ with a ‘4’ or ‘e’ with a ‘3’ believing this is a good practice, you should stop.

The letter-number substitutions like these have long ago become a common practice on the web and hackers can easily read them. So, if you thought it might be a good idea to use ‘myn4m3’ instead of simply ‘myname,’ think again.

The best passwords do contain mixed characters but not in such a logical manner. In addition, the more you play with capital letters and special characters, the stronger your password is likely to be. Still, using something like “%&&&$^&” is not necessarily a good idea either, since such a password is quite difficult to memorize.

The general recommendation then is to use something relatively simple, yet not quite logical. Consider “My%Name%992!, ” for example, it should be both easily memorable and strong enough to fight hackers.

Other password security precautions

Clearly, there are other ways you can make your password easily obtainable by hackers. This involves sending it via email or other public service, ignoring two-factor authentication or storing it on a relatively easily accessible place. On the Intel’s page specifically designed for the world password day, you can find a handy guide on password creation that we advise you to take a look at.

Conclusion

As cyber security is a matter that affects us all, we at Crucial believe that the discussions like this can never be redundant. Regardless of the number of your online accounts and the time you spend on the Internet, you should bear in mind that just by typing anything into the password field, you don’t necessarily make yourself safer.

In fact, the less attention you pay to your passwords, the more exposed you are to internet threats. Just think about all the breaches even the major web services had gone through and you’ll realize that your safety in the cyber space mostly depends on you.

As pointed by the World Password Day organisations, resetting your passwords takes a couple of minutes of your time, while a single breach can affect you permanently.