In an era where frequent online hacks compromise sensitive personal data, security experts recommend password management systems to stay safe in cyberspace on World Password Day and beyond.
Whether out of convenience, laziness or plain-old forgetfulness, most internet users aren’t great about picking unique and secure passwords. That “abc123” password from 1999 is a hacker’s dream when trying to crack into everything from bank accounts to online healthcare records.
“The biggest mistake people make online is reusing passwords,” said Bruce Snell, Technical Director at Intel Security. “The second big mistake is using a password that’s easy to guess or crack, like password123 or a pet’s name.”
Security researchers rate the worst passwords of the internet every year, and passwords that have been compromised or leaked online show a disturbing trend: While massive pop culture events have caused a few tremors in the worst passwords of 2015 (“starwars,” “solo” and “princess” debuted in the top 25 for the first time), in a sample set of more than 2 million passwords, the top three slots still feature the usual suspects: “123456,” “password” and “qwerty.”
It should come as no surprise, then, that researchers estimate 90 percent of user-generated passwords are vulnerable to hacking. Even “secure” passwords provide minimal protection in a world where massive password leaks are commonplace.
Snell said the problem is that many companies do not encrypt the passwords they store online, leaving them vulnerable to hacks. Target, Sony and Anthem are a few recent examples that garnered a lot of attention, but many other companies have experienced similar breaches.
Encryption can make a big difference. Snell said that even a relatively simple encryption algorithm would take years for hackers to unencrypt using a basic computer.
While users can’t force companies to encrypt their data, they can do a better job of securing their accounts. In honor of the fourth annual World Password Day on May 5, Intel Security encourages users to use multi-factor authentication (MFA) to add another protective layer to their passwords.
In a Wall Street Journal op-ed, even President Obama recently encouraged Americans to “empower” and “protect themselves online” by moving beyond passwords and turning on MFA. Snell agrees.
“It’s really important because it adds another component to the authorization process,” he said. “Even if you use an easily guessed or compromised password, there’s a randomized element that a hacker won’t be able to guess.”
MFA supplements the user’s login with additional identification factors, such as a fingerprint, face recognition or a one-time code delivered via text message. If a cybercriminal gets hold of a user’s login information but has to go the extra step of entering a PIN, Snell explained, the hacker won’t be able to guess the PIN and gain access to the account.
Anyone can use MFA, as this powerful security feature is available for free on most major websites. Snell suggests using a password management system—True Key by Intel Security or another open-source option—with MFA features that will generate and store secure passwords.
“A lot of security experts and I recommend password management systems because it takes the stress out of trying to manage a unique password for every online account,” he said, noting that the best one is the easiest to use. “More people use an app or mobile device because those things are attached to everyone’s hip at all times. If the password management system is connected to a phone, people are more likely to use it.”
To get users thinking about better protecting their personal information on Password Day, Intel Security is spearheading an educational campaign to show consumers why a password is not enough.
Want to get involved? Here’s how you can participate in World Password Day 2016:
- Visit @IntelSec_Home and share your #PasswordConfession for a chance to win a $250 Amazon gift card. Contest ends on May 4th.
- Join the #PasswordDay Twitter Chat about multi-factor authentication on May 5th at 3pm EDT/12pm PDT. Use #ChatSTC to join the conversation.
- Visit PasswordDay.org to watch our Password Pep Talks and learn how to secure your digital life.