
Make password security a habit
Today is the first Thursday in May, which means it’s World Password Day. I can’t even pretend to be excited about this.
Passwords annoy me. They interrupt what I’m doing. They all have to be different and complex, hard to guess and even harder to remember. Passwords are a nuisance, and I am not the only one who feels that way. Over 42% of ‘active’ internet users are ‘opting out’ of password security because they don’t want to deal with it. They use the same password for multiple sites, and many times it’s a weak password that’s easy to crack. I share their pain, but the world is too dangerous for this kind of behavior.
Malicious bots and automated attacks
Password security becomes more important with each automated attack. The most recent Barracuda research on internet traffic shows that at least 40% of it is from “bad bots.” These are automated scripts used by threat actors to search for vulnerable web applications, firewalls, and other internet-accessible devices. Most of these bots focus on e-commerce applications and login portals, and many of them launch password attacks like brute force and credential stuffing. A brute force attack takes a systematic ‘trial-and-error’ approach to test all possible passwords and passphrases. If you use one of the most common passwords, like ‘123456’ or ‘abc123,’ the brute force attack will get through that in less than one second. The credential stuffing attack is a bit different because the bot is rotating through sets of credentials stolen in other attacks. If you aren’t using a unique password for the site being attacked, the bot might have your valid login information from a previous data breach. If that’s the case, all it needs is a little time before it can log in as you.
Phishing for opportunities
Phishing is another attack that underscores the importance of password security. Phishing emails, websites, and messages are among the top threats to businesses and individuals because they work so well. Phishing attacks try to trick you into giving up your credentials and other information, and they sometimes include malware designed to steal data from your system. These attacks are often the starting point for attacks on infrastructure, sensitive research, and state intelligence. Inbox security and user awareness are the best defenses against these attacks, and Barracuda can help you with this if you do not have these in place. Even so, phishing attacks are still effective and they’re getting better. If you can’t stop the blast, you at least want to contain it.
Best practices
Sloppy password habits can lead to business email compromise, account takeover, ransomware, and other damaging cyberattacks. Most of the time, protecting your login information is directly within your control. For example:
- Use a unique password for each separate account. (42% !!!)
- Use a password manager to help you keep track of your passwords. A password manager with a strong master password is a secure way to manage unique passwords for all your accounts. These applications make it easier to create complex passwords on the fly, which means you can change passwords quickly if you’ve been compromised. If you are concerned about something like the LastPass incident, you can look into an offline password manager like KeePass.
- Monitor breaches for your information. Some password managers will monitor this for you and alert you when a breach is found, though this may be a paid feature. You can also use the ‘have I been pwned’ website to check the breach database for your email or password.
- Do not use common passwords, like ‘qwerty’ or ‘password.’ These are among the most common passwords, and like those mentioned above, they take less than a second for a brute force attack to crack.
- Avoid using personal information like your name, address, or birthday. Any information that can be associated with you is going to be easier for someone to guess. It’s better to use a complex password or a passphrase.
- Do not share your password with other people. Sharing documents, calendars, email, etc., can be done securely, without sharing passwords and account access. Configure the proper collaboration workflow rather than allow someone to log in with your credentials. Most SaaS productivity applications feature collaboration tools.
I did not list multi-factor authentication because that option isn’t always available, but you should use that when possible.
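As an added example (not code from Barracuda or from any password manager), the sketch below audits a password manager CSV export for three of the habits listed above: reused passwords, common passwords, and passwords built from personal information. The column names (site, username, password), the sample rows, and the personal terms are constructed assumptions.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Common passwords named in the article; a real audit would load a longer list.
COMMON = {"123456", "abc123", "qwerty", "password"}

# Constructed sample export; the column names are an assumption, adjust to your manager.
SAMPLE_EXPORT = """site,username,password
shop.example,alice@example.com,Tr0ub4dor&3-horse
mail.example,alice@example.com,Tr0ub4dor&3-horse
forum.example,alice,qwerty
bank.example,alice.smith,AliceSmith1984
wiki.example,alice,correct-battery-staple-orbit
"""

def fingerprint(password):
    # Group entries by hash so the grouping keys never hold the plaintext.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def audit(export_text, personal_terms):
    """Return {site: [findings]} for reused, common, or personal-info passwords."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    sites_by_fp = defaultdict(list)
    for row in rows:
        sites_by_fp[fingerprint(row["password"])].append(row["site"])
    findings = defaultdict(list)
    for row in rows:
        pw, site = row["password"], row["site"]
        # Reuse is what makes credential stuffing work across sites.
        shared = [s for s in sites_by_fp[fingerprint(pw)] if s != site]
        if shared:
            findings[site].append("reused on " + ", ".join(sorted(shared)))
        if pw.lower() in COMMON:
            findings[site].append("common password")
        if any(term.lower() in pw.lower() for term in personal_terms):
            findings[site].append("contains personal info")
    return dict(findings)

if __name__ == "__main__":
    for site, issues in audit(SAMPLE_EXPORT, ["alice", "smith", "1984"]).items():
        print(site, "->", "; ".join(issues))
```

Run it against a real export only on a trusted machine, and delete the export afterwards, since the file holds every password in plaintext.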
Make password security a habit
We don’t have to celebrate World Password Day, but we should observe it with a renewed commitment to password security. Review your accounts and credentials for duplicates, breaches, and weak passwords. Remind your friends, family, and co-workers to do the same. Let’s see if we can do better than 42% by the next first Thursday in May.