World Password Day: Hype, hoax, or helpful?

Happy WPD (seriously)

The thing about World Somethingorother Days is that there are so many to choose from.

And the first Thursday in May, in a tradition going all the way back to the previous decade, is World Password Day, sometimes referred to as WPD for short.

For all that experts keep telling us that passwords are on the way out, and that they’ll soon be replaced by more secure, harder-to-hack alternatives such as passkeys and biometrics, it looks as though we’ll be using old-style passwords on at least some of our accounts for many years yet.

And there are plenty of problems with passwords, as we know from years of seeing the same sort of advice every time World Password Day rolls round.

Obvious issues we should all keep in mind include:

• Passwords that are easy to remember are generally easy for criminals to guess or figure out. Names of pets, children’s birthdays, favorite songs, common words you like the sound of – all of these are popular but insecure choices. Simply put, unlikely (ideally totally random) combinations are better.
• Passwords that are short and easy to type in are also easy to guess. Put together four letters and there are fewer than half-a-million combinations to choose from even if you pick randomly and are as likely to pick EBJM as WORD. With 12 letters-or-digits, you expand the range to well over a million million million combinations. Simply put, longer passwords are better.
• Passwords that you use over and over are easier to get right, but greatly increase your risk. Crooks aren’t going to guess a super-long and random password like SPKL$­63QI@J­GO5NJ, but if you use it on all your accounts because it’s “strong,” then a compromise of any one account will automatically cost you all your other accounts too. Simply, put, every account needs a unique password.
• Passwords chosen in a hurry that you aim to “improve later” often don’t get fixed. Websites and online services that force you to create an account at the last minute, for example when you reach the digital checkout or when you get to the end of a series of signup screens, don’t help. Simply put, if you’re likely to choose CHANGEME (which you probably never will), you should consider a password management app.
• Passwords are surprisingly easy to leak or have stolen. You could get a phishing email, click through to a look-alike login page, and give away your password via a scammer’s website. You could paste your password into the wrong field in an input form. You could send it out it in an email for convenience. Simply put, if in doubt, don’t give it out.

Don’t panic

Don’t get too worried by the numerous “World’s Worst Password Lists” that marketing departments love to publish on WPD.

You’ll recognize those lists because they almost always include three or more of the following unlikely passwords somewhere in their Top Ten or Top Twenty, and have been doing so for years:

123456
1234567890
password
changeme
12345678

Firstly, we’re not going to insult your cybersecurity skills by implying that you would ever think of choosing one of these.

Secondly, and this is the detail that has always made us scratch our heads, how on earth could the creators of those lists possibly know which passwords really are chosen most frequently, given that only a subset of all passwords in use actually get exposed?

Sure, they may have data about what users who were surveyed SAID their passwords were, and may even have handed out gifts to encourage participation in the survey. But who would tell the truth in such a situation? Part of the fun is to say 123456 and claim the free prize! Or they may have data from users whose passwords were successfully guessed by attackers, but that would tell us which passwords are most commonly guessed, not necessarily the most common ones chosen.

Nevertheless, for as long as we need to come up with and use passwords as part of our online security, remember these simple tips:

1. Longer is better. If you struggle to remember long passwords, consider a password manager that can remember a 20-character text string as easily as you can remember your cat’s name.
2. Weirder and more random is better. Those rules that say you must include a capital, a digit, and a wacky character are annoying (and don’t really help with randomness, because you don’t get randomness by following patterns and rules). But many sites use these rules so you may need to comply. A password manager can help, because it will remember Nv0+Q7­zVdLwN­3cdFJ as easily as you can remember ANTI­DISESTAB­LISHMENT.
3. One account, one password is a must. Never, ever re-use passwords. Don’t let one breached account compromise all your other accounts at the same time. Again, a password manager can help, because it will pick a fresh, random, different password every time.
4. Change a password if you think someone may have got hold of it. Changing passwords every month (or every so many days) as part of a ritual is unnecessary. Just make sure you know how to change passwords quickly when you actually need to. A password manager can help, because it makes picking a new and strong password easy.

And some bonus tips:

5. Turn on multi-factor authentication (MFA) whenever you can. Those one-time codes that supplement passwords aren’t perfect, because they can be phished via fake websites as easily as the password they go with. But MFA does make things harder for attackers, simply because it means your password alone isn’t enough to get them in.
6. Logout from online accounts whenever you have finished using them. That “remember me” option in your browser that many sites offer, from webmail to social media accounts, is terribly convenient. But it means that an attacker who can steal your browser cookies can extract the magic authentication token and masquerade as you without ever needing your password or MFA code, so resist the temptation to “remember me” as much as you can.

Don’t forget

All of these tips add a little bit of extra hassle to your online life.

But here’s One Cybersecurity Tip To Rule Them All:

A little bit of inconvenience goes an awfully long way.

Logging in fresh every morning, for example, is a small price to pay for making your browser’s cookie database a less valuable target for attackers.

Stay safe out there, and Happy Password Day!

Learn more about our mobile security solution that goes beyond traditional MDM (mobile device management) software, and offers active on-device protection that’s more like the EDR (endpoint detection and response) tools you are used to on laptops, desktops and servers:

More About Duck

Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!