There has been lots of discussion about the potential of a passwordless future, however, the reality is that the traditional username and password will remain the primary authentication method for businesses and individuals for the foreseeable future.
Research shows that poor password practices remain prevalent. A report by Keeper Security in June 2023 found that just 25% of users used solid and unique passwords, while 34% admitted to using repeat variations of passwords and 30% still relied on simple and easily guessable passwords.
It is crucial that online users understand best password practices, which is why the annual World Password Day campaign is more relevant than ever.
Poor practices translate into damaging cybersecurity incidents. In October 2023, cybercriminals accessed nearly 7 million customers’ data from DNA testing firm 23andMe after a credential stuffing campaign that used compromised credentials stolen in other data breaches.
23andMe subsequently blamed users for the incident, which exposed sensitive genomics data, for “negligently” recycling and failing to update their passwords.
Here are five key steps users should follow to significantly reduce the chances of their passwords being compromised by malicious actors.
Five Ways to Reduce the Risk of Password Compromise
Use Autogenerated Passwords
Many operating systems offer an easy way to generate, store and use secure and unique passwords across different online accounts – critical to preventing credential stuffing attacks seen in the 23andMe incident.
One example is Apple’s Keychain Access feature. This can generate complex passwords and securely store and enter them for you when accessing online accounts on Apple devices.
This approach enables users to utilize a multitude of complex passwords without the difficulty of remembering them.
There are also other online services available that allow users to generate strong random passwords automatically, which are virtually hackerproof in nature.
Ensure MFA is in Place Across All Online Accounts
The 23andMe case highlighted that many online services still do not mandate, or sometimes not even offer multi-factor authentication (MFA) options.
In the ransomware attack on the British Library, it was revealed that there was no MFA in place to prevent the attackers gaining access to a key server.
While MFA is not infallible, research shows it will prevent the vast majority of attacks after the initial username and password are compromised.
As users, there is a responsibility to recognize the importance of an additional layer of authentication on top of passwords, and demand that websites mandate this is set up for online accounts.
If MFA is not provided, users should strongly consider not using that service.
However, not all MFA methods are created equal and cybercriminals have developed sophisticated techniques to bypass some of them.
Therefore, for particularly sensitive accounts, it is advised to utilize phishing-resistant MFA techniques, such as biometrics.
Use a Password Manager
Password managers provide a means of storing and managing passwords across the ever-increasing number of online accounts users have.
Password manager services enable all passwords to be saved and stored securely, as well as autofilling credentials across online accounts used on a browser. This enables users to create unique and strong passwords for all accounts without the burden of remembering them or storing them in unsecure places.
The only password that needs to be remembered is the master password, which provides access to the user’s account.
The security of password managers have come under scrutiny following the high-profile breach of LastPass in 2022. However, experts Infosecurity spoke to in relation to the incident emphasized that the security benefits of these services significantly outweigh the risks.
It is important to emphasize that password managers store passwords in an encrypted form, meaning they are not revealed even if the platform suffers a major breach. As long as the master password is not compromised, users’ credentials will remain safe.
Regularly Check for Password Compromise
Modern password security guidance is moving away from the idea that users should regularly change all of their passwords, recognizing that this approach is impractical, and often unnecessary.
Instead, users should utilize a range of available services to check if any of their accounts have been involved in any known data breaches. If any have been, the passwords for these accounts should be updated immediately.
Users can subscribe to the Have I Been Pwned online service, allowing them to search across multiple data breaches to see if their email address or phone number has been compromised.
In addition, devices such as iPhones can also securely monitor users’ passwords that are stored on these devices, and alert them if they appear in known data leaks.
These devices also notify the user if any of their passwords are easily guessed or have been used multiple times, allowing users to proactively secure update their credentials.
Limit the Number of Online Accounts You Have
A very easy way of reducing the risk of password compromise to limit the number of online accounts to services that are regularly used.
For e-commerce providers used on an ad hoc basis, a guest checkout should be used wherever possible so a new password and username is not created, as well as preventing potentially sensitive information being stored in that account.
Additionally, users should think twice before to creating online accounts on websites that do not offer additional protections like MFA. This could help to create a commercial need for enhanced cybersecurity measures.
Conclusion
Passwords continue to be a major source of cybersecurity issues, with poor practices and behaviors remaining prevalent. It is important to send the message to users that there are a range of relatively simple steps that can be taken to dramatically reduce the risk of credential compromise occurring.
This is why cybersecurity awareness events such as World Password Day, which takes place on the first Thursday of May, is so vital for helping spread such messages to the public.