According to an article in the HIPAA Journal, May 2nd was “National Password Day.” You didn’t know there was such a day? National Password Day was declared in 2013 to raise awareness of the importance of passwords in keeping personal and company data safe, and also of password risks and the best practices that mitigate them. Read on to learn about the current state of thinking about passwords, and how to better manage login credentials.
A Brief History of Passwords
Even with biometric identification and single sign-on technology, passwords remain the most common way to secure personal and business accounts. Passwords were first developed in the 1960s at the Massachusetts Institute of Technology (MIT) to guard accounts against unauthorized access. Incidentally, the first password breach occurred there, too. More recently, a survey of 2,400 respondents in the U.S. and other countries revealed some sobering statistics about password practices.
Common Password Practices
Password reuse was common: 84% of respondents admitted to using the same password for multiple accounts. If a hacker can steal the password to just one account, they can easily gain access to the others.
54% of respondents relied on memory alone to keep track of passwords, which pushes them toward passwords that are short and weak.
36% incorporated personal information (family names or birthdays, for example) in passwords to make remembering easier.
33% used only a password, rather than two- or multi-factor authentication, to access their accounts.
Moreover, even when changing passwords, users didn’t change them sufficiently: they altered only a few characters so that the new password stayed easy to remember. All of these practices make passwords easier to steal through social engineering (email “phishing” or text-message “SMiShing”) attacks, or even to crack by brute force. How can thinking about passwords be changed?
Best Practices for Password Management
First, the article suggests thinking in terms of passphrases rather than passwords: longer combinations of upper- and lower-case letters, numbers and symbols that are harder to guess. It also suggests using a password management system, with the list of passphrases itself protected by a master passphrase of at least fourteen characters. Companies can develop clear, enforceable password-management policies, which may in turn influence how workers handle passwords outside of work, too.
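The practices above translate directly into checks a company policy can enforce: a minimum length, a mix of character classes, no family names or birthdays, no "change" that only swaps a few characters of the old password, and no password shared between accounts. The following is an added example written for this article; it is not code from the HIPAA Journal, the survey, or any password manager. The fourteen-character minimum comes from the article; the similarity threshold (three edits), the three-class requirement, the user profile and the vault contents are constructed assumptions for illustration.

```python
"""Password-policy checks for the practices discussed in the article.

Added example, not from the HIPAA Journal article or any vendor product.
MIN_LENGTH follows the article's fourteen-character suggestion; the other
thresholds (MAX_SIMILAR_EDITS, MIN_CLASSES) are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH = 14          # the article's suggested minimum for a master passphrase
MAX_SIMILAR_EDITS = 3    # assumption: 3 or fewer edits from an old password is "only a few characters changed"
MIN_CLASSES = 3          # assumption: require 3 of upper / lower / digit / symbol


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions or substitutions turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


@dataclass
class UserProfile:
    family_names: list[str]
    birthday: date
    previous_passwords: list[str] = field(default_factory=list)


def personal_tokens(profile: UserProfile) -> set[str]:
    """Strings a user is likely to embed: family names and common birthday spellings."""
    bd = profile.birthday
    tokens = {n.lower() for n in profile.family_names}
    tokens |= {bd.strftime(f) for f in ("%Y", "%m%d", "%d%m", "%Y%m%d", "%m%d%Y", "%d%m%Y")}
    return {t for t in tokens if len(t) >= 4}   # skip tiny fragments that would match anything


def character_classes(s: str) -> int:
    """Count how many of the upper, lower, digit and symbol classes appear in s."""
    return sum((any(c.isupper() for c in s),
                any(c.islower() for c in s),
                any(c.isdigit() for c in s),
                any(not c.isalnum() for c in s)))


def check_password(candidate: str, profile: UserProfile) -> list[str]:
    """Return the policy findings for candidate; an empty list means it passes."""
    findings = []
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(candidate) < MIN_CLASSES:
        findings.append("does not mix upper-case, lower-case, digits and symbols")
    matched = sorted(t for t in personal_tokens(profile) if t in candidate.lower())
    if matched:
        findings.append("contains personal information: " + ", ".join(matched))
    # Catches the "change two characters and keep it memorable" habit from the survey.
    if any(levenshtein(candidate, old) <= MAX_SIMILAR_EDITS for old in profile.previous_passwords):
        findings.append("only a few characters changed from a previous password")
    return findings


def find_reused(vault: dict[str, str]) -> list[list[str]]:
    """Group the accounts in a password-manager vault that share one password.

    A real manager compares the secrets it already holds; plaintext is used
    here only so the example is self-contained.
    """
    by_password: dict[str, list[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return sorted(sorted(accts) for accts in by_password.values() if len(accts) > 1)


# Constructed sample data; every name, date and password below is made up.
PROFILE = UserProfile(family_names=["Martinez", "Lucy"], birthday=date(1985, 7, 14),
                      previous_passwords=["Summer2022!"])
VAULT = {
    "email": "Summer2022!",
    "bank": "Summer2022!",
    "shopping": "Forty-two Purple Llamas!",
    "work-vpn": "Summer2022!",
}

if __name__ == "__main__":
    for candidate in ("Summer2023!", "Lucy-Martinez-1985", "Forty-two Purple Llamas!"):
        print(f"{candidate!r}: {check_password(candidate, PROFILE) or 'OK'}")
    print("reused across accounts:", find_reused(VAULT))
```

Run as a script, the first candidate is rejected for being short and for being a one-character edit of the old password, the second for embedding family names and a birth year, and the third passes; the vault audit reports that three of the four accounts share a single password, the 84% problem from the survey.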
Passwords are still necessary to secure business and personal accounts, and thus need to be unique and strong. For help developing your company’s password policy, contact your trusted technology advisor today.