Password security is the most basic and ubiquitous form of cybersecurity. Almost every account created online has a password attached to it. Passwords predate the internet by hundreds of years, and to this day they remain the most widely used form of user authentication. So why does everybody choose such terrible ones?
What Makes a Password Easy to Guess?
An easily guessed password means an attacker can get into your accounts with equal ease. Passwords that are long, mix numbers, letters and symbols, and are not tied to anything an attacker could learn about you have a strong chance of holding up. Sadly, most people do not choose them that way. In 2013, Google released a list that categorized the most common types of passwords people used. Among them were:
- Pet names
- Wedding anniversary
- A family member’s birthday
- The name of the user’s kid
- The name of a family member
- A popular holiday (Christmas, Halloween, etc.)
- Something relating to the user’s favorite sports team
- The name of a significant other
- The word Password
Of course, that was in 2013, and cybersecurity is much more present in the minds of the average person today. But that does not mean our habits have improved with time. SplashData published a list of the most commonly used passwords of 2017, compiled from the data of over 5 million leaked passwords. The top ten were:
Alone, this is a disaster. But people also have an unfortunate tendency to reuse the same password across all of their accounts. In 2017, Keeper Security conducted a survey which found that more than 80% of adults reuse the same password for two or more accounts. So when one site is breached, attackers simply replay the leaked username and password pairs against other sites (a technique known as credential stuffing), and several accounts fall at once. This does not bode well for security.
Factors That Affect Security
There are many different elements that affect how safe your accounts are. For example, many systems rate-limit or "time out" login attempts after a number of wrong guesses. This creates a safety net against online guessing, particularly if the password is not an easily guessable one. Note that it only slows an attacker who has to go through the login form: if a copy of the password database leaks, guesses against the stored hashes run offline at full speed, and the only thing slowing them down is how the passwords were hashed.
A stronger form of the same idea temporarily disables the account after too many incorrect attempts. Once disabled, the user may have to prove ownership through a second factor (such as a code sent to their phone) before the account is unlocked or the password reset. Unfortunately, lockout can be turned against the victim: an attacker who deliberately spams an account with wrong guesses can keep its real owner locked out, a simple denial-of-service attack.
Stored passwords yield mixed results. A password manager (an encrypted "key-chain", whether local or online) lets people use long, complicated and unique passwords without the risk of forgetting them. On the other hand, if an attacker gains access to the vault, every account in it is compromised at once. This risk is mitigated by encrypting the vault with a key derived from a master password, so that a stolen copy is incomprehensible without it. On the website's side, the safest systems never store your actual password at all: they keep a salted, deliberately slow hash of it (computed with a function such as PBKDF2, bcrypt, scrypt or Argon2) and compare hashes at login, so a leaked database does not directly hand over anyone's password.
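As an added example (this is not code from the original article), here are the two server-side mechanisms just discussed in working form: a credential store that keeps only a random salt and a slow PBKDF2-HMAC-SHA256 hash of each password, and a per-account lockout after too many wrong guesses. The class name, parameter names and the thresholds are assumptions for illustration. The high iteration count is what makes offline guessing of a leaked hash expensive; the lockout is what throttles online guessing, and it is also what an attacker can abuse to lock the real owner out, as the final lines show.

```python
import hashlib
import hmac
import os
import time

# Tunable parameters (assumed for this example, not values taken from the article).
PBKDF2_ITERATIONS = 600_000        # each guess costs this much work, online or offline
SALT_BYTES = 16
MAX_FAILED_ATTEMPTS = 5            # wrong guesses allowed before the account locks
LOCKOUT_SECONDS = 15 * 60          # how long the account stays locked
DUMMY_SALT = b"\x00" * SALT_BYTES  # makes unknown usernames cost the same time as real ones


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Slow, salted hash of the password. The server stores only this, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class CredentialStore:
    """In-memory stand-in for a server-side credential table (constructed for this example).

    Each record holds a random per-user salt, the derived hash, a failed-attempt counter
    and a lockout deadline. The clock is injectable so the lockout can be exercised
    without waiting fifteen minutes.
    """

    def __init__(self, iterations: int = PBKDF2_ITERATIONS, clock=time.monotonic):
        self._iterations = iterations
        self._clock = clock
        self._users: dict[str, dict] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)  # fresh salt: identical passwords get different hashes
        self._users[username] = {
            "salt": salt,
            "hash": derive_key(password, salt, self._iterations),
            "failures": 0,
            "locked_until": 0.0,
        }

    def stored_hash(self, username: str) -> bytes:
        return self._users[username]["hash"]

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'bad_password' or 'locked'.

        Unknown users also get 'bad_password', after a dummy derivation, so neither the
        reply nor its timing reveals which usernames exist."""
        record = self._users.get(username)
        if record is None:
            derive_key(password, DUMMY_SALT, self._iterations)
            return "bad_password"

        now = self._clock()
        if now < record["locked_until"]:
            return "locked"  # even the correct password is refused while locked

        candidate = derive_key(password, record["salt"], self._iterations)
        if hmac.compare_digest(candidate, record["hash"]):  # constant-time comparison
            record["failures"] = 0
            return "ok"

        record["failures"] += 1
        if record["failures"] >= MAX_FAILED_ATTEMPTS:
            record["failures"] = 0
            record["locked_until"] = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    store = CredentialStore()
    store.register("alice", "correct horse battery staple")
    print(store.login("alice", "correct horse battery staple"))  # ok
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(store.login("alice", "password123"))               # bad_password ... then locked
    # An attacker's guesses have now shut the legitimate owner out as well:
    print(store.login("alice", "correct horse battery staple"))  # locked
```

Two details worth copying into real code: the comparison uses `hmac.compare_digest` rather than `==` so the time taken does not leak how many leading bytes matched, and a login for a username that does not exist still runs a full key derivation so the response time cannot be used to enumerate valid accounts.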
Lastly, websites can enact policies that force users to come up with harder-to-guess passwords. For example, many sites will not accept a password unless it meets certain criteria (e.g. a minimum length, or a mix of letters, numbers and symbols). Composition rules have a downside, though: they push users toward predictable patterns such as "Password1!". Current guidance (NIST SP 800-63B) therefore favors a long minimum length plus a check against a list of common and previously breached passwords over mandatory character mixes.
How to Keep Your System Safe(r)
Unfortunately, it is impossible to keep your accounts 100% safe. Attackers are constantly coming up with new cracking methods, and tricks that once looked airtight are now routine. For example, letter-number substitutions like "E → 3" and "L → 1", or typing the password one row higher on your keyboard, are built into the rule sets of password-cracking tools, which apply them to every word in a dictionary automatically; they no longer add meaningful strength.
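As an added example that is not part of the original article, here is a password policy check of the kind described in the previous section, built around the point just made: rather than counting character classes, it normalizes the candidate password by undoing leet-speak substitutions, the one-row-up keyboard trick and digits or symbols tacked onto either end, then compares every resulting form against a blocklist. The blocklist, the substitution table and the QWERTY layout are constructed for illustration; a real deployment would use a list of millions of leaked passwords.

```python
import re

# Constructed blocklist standing in for a list of common and previously breached passwords.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "football",
    "iloveyou", "christmas", "princess", "welcome", "dragon",
}

# Common letter/number/symbol substitutions, mapped back to the letters they stand for.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# US QWERTY rows, top to bottom. Typing a word "one row higher" replaces each key with the
# key above it; UNSHIFT maps each key back down one row so that trick can be undone.
KEYBOARD_ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
UNSHIFT = {}
for upper_row, lower_row in zip(KEYBOARD_ROWS, KEYBOARD_ROWS[1:]):
    for col, key in enumerate(upper_row):
        if col < len(lower_row):
            UNSHIFT[key] = lower_row[col]


def undo_leet(text: str) -> str:
    return text.translate(LEET_MAP)


def undo_row_shift(text: str) -> str:
    return "".join(UNSHIFT.get(ch, ch) for ch in text)


def strip_edges(text: str) -> str:
    """Drop leading/trailing digits and symbols, e.g. 'password1!' -> 'password'."""
    return re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", text)


def variants(password: str) -> set[str]:
    """Every form the password takes after undoing up to three of the tricks, in any order.

    A cracker's rule engine works in the other direction (it applies the tricks to a
    wordlist), so both sides arrive at the same candidates."""
    found = {password, password.lower()}
    for _ in range(3):
        for v in list(found):
            for transform in (undo_leet, undo_row_shift, strip_edges):
                found.add(transform(v))
    return found


def check_policy(password: str, min_length: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    hits = sorted(v for v in variants(password) if v in COMMON_PASSWORDS)
    if hits:
        problems.append(f"is a variation of the common password '{hits[0]}'")
    if len(set(password)) <= 2:
        problems.append("uses too few distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123!", "0qww294e", "Christmas2017", "correct horse battery staple"]:
        print(repr(candidate), "->", check_policy(candidate) or "accepted")
```

"P@ssw0rd123!" satisfies every classic composition rule (twelve characters, upper and lower case, digits and symbols) and is still rejected, because stripping the trailing "123!" and undoing the substitutions lands on "password"; "0qww294e" is "password" typed one row up. A long passphrase of unrelated words passes without any symbols at all.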
To truly keep your account safe, consider these methods:
- Use two-factor authentication. A guessed or stolen password is then not enough on its own, which makes this one of the most effective single defenses against a breach.
- Use a combination of several unrelated words (a passphrase); length matters more than symbols.
- Have any numbers randomly dispersed throughout the text rather than tacked on at the end.
- Change a password promptly whenever a site you use is breached or you suspect it has been exposed, and never reuse one across sites. Routine changes every few months are no longer recommended by NIST, because forced rotation tends to produce small, predictable variations on the old password.
- If you must write passwords down, keep the paper with other important documents rather than in a file on your computer or phone. This avoids a digital trail, though it does not protect against anyone with physical access to your home.
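The passphrase advice in the list above, as an added example that is not from the original article: a generator that draws unrelated words from a list using a cryptographically secure random source and scatters single digits through the result, together with the entropy calculation that shows why the size of the word list matters as much as the number of words. The 32-word list is constructed for illustration; a real generator would use a published list such as the EFF long wordlist (7,776 words).

```python
import math
import secrets

# Constructed 32-word list for demonstration only; see the entropy figures below for why a
# real generator needs a much larger list.
WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "engine", "forest", "garlic", "hammer",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orbit", "pepper",
    "quartz", "rocket", "saddle", "tunnel", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "beacon", "cactus", "drizzle", "ember", "falcon", "glacier",
]


def entropy_bits(words: int, wordlist_size: int, digits: int = 0) -> float:
    """Bits of entropy contributed by the word choices and digit values.

    This is a lower bound: the random digit positions add a little more, which is ignored."""
    return words * math.log2(wordlist_size) + digits * math.log2(10)


def make_passphrase(words: int = 4, digits: int = 2, wordlist=WORDLIST,
                    rng=secrets.SystemRandom()) -> str:
    """Unrelated words separated by spaces, with digits inserted at random character
    positions anywhere in the phrase (never only at the end). The default rng is the OS
    CSPRNG; the plain `random` module is not suitable for generating secrets."""
    phrase = " ".join(rng.choice(wordlist) for _ in range(words))
    for _ in range(digits):
        pos = rng.randrange(len(phrase) + 1)
        phrase = phrase[:pos] + str(rng.randrange(10)) + phrase[pos:]
    return phrase


def split_passphrase(phrase: str):
    """Recover (words, digits) from a generated passphrase; used to check the output."""
    letters = "".join(ch for ch in phrase if not ch.isdigit())
    digits_found = [ch for ch in phrase if ch.isdigit()]
    return letters.split(), digits_found


if __name__ == "__main__":
    print(make_passphrase())
    print("4 words from this 32-word list:", entropy_bits(4, 32), "bits")      # 20.0
    print("4 words from a 7,776-word list:", round(entropy_bits(4, 7776), 1), "bits")  # 51.7
```

Four words drawn from this toy list give only 20 bits, within reach of any offline attack; the same four words from a 7,776-word list give about 52 bits, and adding a fifth word adds another 13. That is the trade the passphrase approach makes: length that is easy to remember in exchange for entropy that comes from the size of the vocabulary, not from symbols.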
The Death of the Password
Moving forward, many people in the cybersecurity field predict that passwords will become obsolete as we craft new, safer methods of identifying users. Already many phones have adopted fingerprint authentication. Facial recognition, while currently very flawed, has the potential to grow. Other biometric methods and single sign-on are gaining traction as well.
For now, however, passwords remain the dominant form of authentication available. No other technology matches their combination of efficiency, simplicity, low cost and flexibility. As long as passwords remain dominant, it is your responsibility to keep yours safe, secure and hard to crack.