Don’t Treat Passwords Lightly

May 2022

Image: Getty Images

Most of us don’t treat our passwords like we do Social Security numbers or credit card numbers. But we should. Just because we can change passwords at will—or sometimes by policy—doesn’t mean these secret codes aren’t valuable on the dark web.

On the contrary, pairing a username and password is a powerful tool in a malicious hacker’s toolkit. Use a stolen credit card number or someone’s unique numeric identifier, and transactions are likely to shut down once the user is aware of fraudulent use. And there are means to be made whole again—from having illegal purchases reversed to restoring credit scores.

But if someone is clever enough to figure out your username and password without you knowing about it, they can do a lot of damage before getting caught—if ever. After all, they are impersonating you, a legitimate user, to gain unauthorized access to data and digital assets. Their successful phishing could spell trouble for everyone in an organization.

The demand for more complex combinations

Humans have never been good at remembering passwords, which is why companies have moved from merely demanding complex, eight- to 12-character combinations with numbers, letters and symbols to offering multi-factor authentication. This is when you must add a layer of security to logging in—either a verification code, biometric or token. It reduces the chance of impersonation.

This Thursday is World Password Day, which is a great time to reevaluate the long list of passwords you use to access apps, sites and devices. How long have you had a password in place? Are there accounts you don’t use yet never deleted? Have you checked Have I Been Pwned lately?

Best practices for password management

If that password list is not long, then you might have a bigger problem. Unless you don’t conduct transactions online (i.e., live off the grid), you should have a lot of passwords to manage. This is just a fact of modern life. It’s how you handle those passwords that is telling. Research from a security company called Bitwarden shows that despite almost everyone knowing password security best practices, 85% still reuse passwords. Bad actors know you don’t want (and, quite frankly, can’t) to memorize a bunch of secret codes and therefore recycle two to five passwords for all your login credentials. If they can figure out the password for one app, they likely can do it for others.

Password managers like Apple’s Keychain and LastPass help, especially if they work across devices. However, their randomly generated codes can leave you in a lurch if you need to access a site or app from another device that isn’t paired or properly protected. This may account for the 24% in the study that admitted to resetting passwords every day or multiple times a week. Password resets are getting more difficult too, requiring that multi-factor authentication already discussed and rejection of previously used passwords.

A little inconvenience to stay safer

This is all good news, even if it adds a little more inconvenience. What is more inconvenient is losing a client because they suffered a breach using your stolen password.

Other common-sense suggestions from cybersecurity experts:

  • Never use actual words. Instead, mix them up with numbers and symbols as a mnemonic device.
  • Never use sequential numbers that are easy to guess.
  • Never use the name of a pet, place or parent that someone could track down.
  • Never share your passwords.
  • Never write a password down in plain sight.
  • Encrypt files holding passwords on mobile devices and desktops (which, yes, requires you to remember yet another passcode).

So, this Thursday raise your cybersecurity game as you raise a margarita to celebrate Cinco de Mayo. Especially if you’re gonna pay for that drink with an app on your smartphone.

Thank you for reading this,