
Did you know that the first Thursday in May is World Password Day? We all know how to celebrate Independence Day, Valentine’s Day, April Fools, and Halloween, but how do we celebrate World Password Day? Do we go around wishing people ‘happy password day’ or wear a password-themed costume?
It turns out that we have been creating some terrible, predictable passwords, and the tech community wants to do something about it. As a result, they created World Password Day to try to raise awareness about how we should create passwords. Creating passwords from your name or date of birth just because they are easier to remember is a bad idea. Anybody with access to that information can guess your password in minutes and gain access to your personal information.
The idea behind World Password Day is to encourage people to come up with strong passwords that are impossible to guess and difficult to break.
The evolution of passwords
Despite several claims that passwords would be dead in a few years, passwords don’t seem to be going anywhere. In fact, they’re becoming an integral part of our digital lifestyle. Whether you’re at work or home, we’re entering more passwords than we used to a few years ago. According to a study, the average internet user has 100 passwords.
However, companies offering online services want to cut your reliance on mere passwords. They are building additional layers of security on top of their typical username password authentication system to mitigate the risks associated with weaker passwords. For example, Gmail asks you to enter a one-time password (OTP) whenever you access your inbox from a new device or browser, and Dropbox wants you to provide your phone number as an extra layer of security. Passwords should be part of the authentication process, not the process itself.
Moreover, many online services such as Yahoo Mail and Microsoft Outlook are ditching passwords altogether in favor of an OTP. This trend is common with mobile apps such as Viber, WhatsApp, Zomato, Uber, Postmates, etc.
Dos and don’ts to keep your data safe
It goes without saying that you should use a strong password for every online service you rely on. Moreover, using the same password for your bank account and Instagram is a bad idea. If your Instagram account gets hacked, your bank account shouldn’t follow. Organizations that keep shared credentials in spreadsheets should think again. Let’s take a look at the dos and don’ts that you should follow in order to keep your data safe:
Use strong passwords
A strong password is a long, randomly generated string that is infeasible to recover with the conventional methods of password cracking, brute force and dictionary attacks. Security analysts suggest a strong password shouldn’t be shorter than 16 characters. Mixing lowercase, uppercase, numbers, and special characters (_, -, @, $, etc.) enlarges the search space, but only if the characters are actually chosen at random rather than bolted onto a word you already know.
In addition, a password must not contain common phrases, slang, names, or words, nor instinctive patterns such as 12345, abcde, qwerty, etc. When it comes to number-only passwords, avoid anniversaries or the dates of birth of your loved ones: a date is one of only a few tens of thousands of possibilities and is enumerated in seconds.
Whilst password1234 is a terrible password, P@$$w0rD3412 is not much better. It is still the word “password” with the usual letter-for-symbol substitutions and a numeric suffix, and those are exactly the transformations (“mangling rules”) that cracking tools apply to every dictionary word automatically. Length and randomness are what count; a password that merely looks complicated is not.
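To show why P@$$w0rD3412 falls to the same attack as password1234, here is a small checker (an added illustration, not code from the original post) that mimics what a cracker’s rule set does: lowercase the candidate, undo the common leetspeak substitutions, strip a short suffix, and look the result up in a wordlist. The wordlist, the substitution table and the keyboard sequences are constructed for the demo and are tiny compared with real cracking lists.

```python
# Constructed mini wordlist for the demo; real cracking wordlists hold millions of entries.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "football", "iloveyou"}

# Leetspeak substitutions that rule-based crackers try automatically (a small subset).
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i", "+": "t"})

# Keyboard rows and sequences; any 4-character run (forwards or backwards) is predictable.
KEYBOARD_RUNS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
                 "abcdefghijklmnopqrstuvwxyz"]

MAX_SUFFIX = 5   # rule sets routinely strip or append a handful of trailing characters


def dictionary_stem(candidate: str):
    """Return the dictionary word hidden inside the candidate, or None.

    Mirrors a cracker's mangling rules: lowercase, undo leet substitutions,
    and try stripping up to MAX_SUFFIX trailing characters (years, '123', '!').
    """
    for form in (candidate.lower(), candidate.lower().translate(LEET_MAP)):
        for cut in range(MAX_SUFFIX + 1):
            stem = form[: len(form) - cut] if cut else form
            if stem in COMMON_WORDS:
                return stem
    return None


def has_keyboard_run(candidate: str, min_len: int = 4) -> bool:
    """True if the candidate contains a slice of a keyboard row or the alphabet."""
    s = candidate.lower()
    for run in KEYBOARD_RUNS:
        for i in range(len(run) - min_len + 1):
            piece = run[i : i + min_len]
            if piece in s or piece[::-1] in s:
                return True
    return False


def weaknesses(candidate: str) -> list:
    """List the reasons a candidate password would fall to routine attacks."""
    found = []
    if len(candidate) < 16:
        found.append("shorter than 16 characters")
    stem = dictionary_stem(candidate)
    if stem:
        found.append("dictionary word %r plus leet substitutions or a suffix" % stem)
    if has_keyboard_run(candidate):
        found.append("keyboard or numeric sequence")
    if candidate.isdigit():
        found.append("digits only (dates and PINs are trivial to enumerate)")
    return found


if __name__ == "__main__":
    for pw in ["password1234", "P@$$w0rD3412", "19900415", "kT7#mV9qL2xR4pW8zB3n"]:
        print(pw, "->", weaknesses(pw) or "no obvious weakness")
```

Both password1234 and P@$$w0rD3412 reduce to the stem “password”; only the randomly generated 20-character string passes, and it passes because nothing in it can be derived from a word, a sequence or a date.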
Don’t use the same password for every service
Data breaches happen regardless of how strong or weak your passwords are. It’s the harsh reality of our time and has become a common thing.
If your Yahoo account gets hacked because your password appeared in a data breach, you won’t have a hard time retrieving your account provided you can verify your identity to Yahoo Support. However, if that was your password for every service you use online including your work email, Twitter, and banking account, the hacker could do irreversible damage to your finances, career, and reputation. The idea is to use strong but different passwords for each of the services you use online.
Don’t ignore security notifications
The service you’re relying on with your data may not be so vigilant to external and internal threats and may end up giving up your data to a cunning hacker who may sell it on the dark web or dump it in public forums.
If you store your passwords in a modern browser or a password manager, you will get a notification if one of them appears in a known data breach. In addition, the built-in password managers on Apple, Windows, and Google devices prompt you to change a compromised password as soon as possible.
Rare Crew recommends using a third-party password manager such as Bitwarden or Dashlane to stay notified of data breaches and whether your password was compromised.
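How can a browser or password manager tell you your password was in a breach without sending that password anywhere? The usual answer is a k-anonymity range query, the scheme behind the Pwned Passwords service that several managers query: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every suffix the service knows under that prefix, so the match happens on your device. The example below is an added illustration, not the post’s or any vendor’s code; the breach corpus is a constructed stand-in of four entries.

```python
import hashlib

# Constructed stand-in for a breach corpus: SHA-1 of leaked passwords and how often each was seen.
# The real Pwned Passwords data set holds hundreds of millions of entries.
_LEAKED = {"password": 9_000_000, "123456": 37_000_000, "qwerty123": 900_000, "P@$$w0rD3412": 12}
CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n for p, n in _LEAKED.items()}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the format the range API uses (SHA-1 is fine here: it is a lookup key,
    not a password hash for storage)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def server_range_query(prefix: str) -> dict:
    """What the breach service answers: every stored hash suffix sharing the 5-hex-char prefix.

    The server never learns which of the returned suffixes the client actually cares about,
    and a 5-character prefix covers about 2^(160-20) possible passwords.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return {h[5:]: count for h, count in CORPUS.items() if h.startswith(prefix)}


def times_seen_in_breaches(password: str) -> int:
    """Client side: only the first 5 hex characters of the hash leave the device."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    answers = server_range_query(prefix)      # in practice an HTTPS GET with just the prefix
    return answers.get(suffix, 0)             # matched locally, so the server learns nothing


if __name__ == "__main__":
    for pw in ["password", "P@$$w0rD3412", "kT7#mV9qL2xR4pW8zB3n"]:
        print(pw, "seen", times_seen_in_breaches(pw), "times")
```

A non-zero count means the password is in attackers’ wordlists already, regardless of how strong it looks, and should be changed everywhere it was used.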
Ignore suspicious links
If you receive an email warning that you must change your bank password immediately, don’t click the link before confirming with your bank. It may look like it came from your bank, but it could be a targeted phishing attack. Open the bank’s website by typing the address yourself or use its official app instead of following the link, and if you’re ever in doubt, don’t click.
The future of passwords
Passwords raise a fundamental question about ownership. If somebody gains access to your password, who owns the account and the underlying data: you, or the other person? Instinct says that you are the owner. However, in the eyes of the service provider, anybody who presents the password is the owner. If the other person changes the password, how would you prove that you’re the owner?
Tech companies understand that a password is only a gatekeeper to your private information and doesn’t by itself establish ownership of an account. Thus, the industry is moving towards a digital world where passwords are losing relevance to more secure ways of safeguarding your personal data:
Two factor authentication
Relying entirely on a password to secure your data online is a bad idea. Most web applications and mobile apps allow you to add another layer of security, in addition to the password, when signing in. With 2FA, you are prompted for an OTP as soon as you authenticate with your valid username and password. Depending on how you set up 2FA with the application, you may receive the OTP by SMS on your phone number or generate it from an authenticator app such as Authy. An app is the better choice: SMS codes can be intercepted through SIM-swapping, whereas an app generates the code from a secret that never leaves your device.
The idea behind 2FA is to combine ‘something you know’ with ‘something you have’. The password is the thing you know; the phone or authenticator app that produces the OTP is the thing you have. An attacker who only learns your password from a breach still lacks the second factor.
Passphrases
Several digital and crypto wallets accept passphrases rather than passwords when logging in. Passphrases are longer than passwords yet easier to remember. A passphrase is a list of common words that you must enter in the right sequence to gain access to the service. A passphrase can run to well over 100 characters and may look something like this: derive eagle property trend physical unable only strike fold pretty soft.
A randomly generated passphrase resists dictionary and brute-force attacks better than a typical human-chosen password, not because cracking tools “break down” at some length, but because its strength comes from the number of words multiplied by the size of the list they were drawn from. Six words picked at random from a 7,776-word list give 7,776 to the sixth power possibilities, far beyond what an offline attack can enumerate. The caveat is that the words must be chosen by a generator: a passphrase built from a quote, a lyric or a sentence you would naturally write is in every cracker’s wordlist. And even a strong passphrase can still be phished or captured by malware, which is why people are also moving to hardware-based security keys and wallets.
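To make the strength comparison concrete, here is an added example (not code from the post) that generates a passphrase with the OS’s cryptographic random source and computes the entropy of a passphrase versus a random character password. The word list is a small constructed sample; the entropy functions take the list size as a parameter, so you can plug in 7,776 for a Diceware list or 2,048 for the list many crypto wallets use. The guessing rate of 10 billion per second is an assumption standing in for a well-equipped GPU cracking rig.

```python
import math
import secrets

# Constructed sample list for the demo; real lists have thousands of entries.
SAMPLE_WORDS = """
derive eagle property trend physical unable only strike fold pretty soft
anchor basket cactus dolphin ember falcon garden harbor island jungle kettle
lantern meadow nectar orbit pepper quartz ribbon saddle tunnel umbrella velvet
walnut yellow zephyr amber bishop canyon desert engine forest glacier hammer
ivory jigsaw kernel lobster marble needle oyster pillow rocket silver timber
ultra violin window yogurt zinc cobalt almond butter
""".split()


def generate_passphrase(words, count: int = 6) -> str:
    """Pick words with a CSPRNG. Words chosen by a person carry far less entropy
    than the maths below assumes, so always let the generator choose."""
    return " ".join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size: int, count: int) -> float:
    """Bits of entropy in `count` words drawn uniformly from a list of `list_size` words."""
    return count * math.log2(list_size)


def charset_entropy_bits(length: int, charset_size: int) -> float:
    """Bits of entropy in `length` characters drawn uniformly from `charset_size` symbols
    (95 printable ASCII characters for a 'mixed case, digits and symbols' password)."""
    return length * math.log2(charset_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every possibility at an assumed offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    print("sample passphrase:", phrase)
    for label, bits in [
        ("6 Diceware words (7,776-word list)", passphrase_entropy_bits(7776, 6)),
        ("11 wallet words (2,048-word list)", passphrase_entropy_bits(2048, 11)),
        ("16 random printable ASCII chars", charset_entropy_bits(16, 95)),
        ("8-digit date-like PIN", charset_entropy_bits(8, 10)),
    ]:
        print("%-38s %6.1f bits, %.3g years to exhaust" % (label, bits, years_to_exhaust(bits)))
```

The comparison shows why the length argument in the post holds: an 8-digit date is exhausted in a fraction of a second, while a six-word random passphrase and a 16-character random password are both comfortably out of reach, and the passphrase is the one a human can actually remember.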
Hardware keys
Hardware keys based on the FIDO U2F and FIDO2 standards are gaining popularity as the strongest practical method to secure access to your online accounts. Where a service supports them, FIDO keys work either as a second factor on top of a password or, with FIDO2, as a replacement for the password altogether. Rather than typing an OTP, you insert the key into the device you’re using (or tap it over NFC or Bluetooth) and touch it to approve the login. Under the hood the key signs a challenge that is tied to the website’s real address, so a look-alike phishing page cannot obtain a valid response and a captured login cannot be replayed. Hardware keys are preferred by high-profile users and high-net-worth customers who are frequent targets.
Single sign-on
At enterprise level, single sign-on (SSO) is the go-to authentication method for logging into apps and websites. It lets employees authenticate to multiple applications and websites with one set of credentials issued by the employer. SSO is the preferred method when you don’t want your employees managing too many passwords.
The big downside of SSO is that it concentrates risk: if an outsider obtains the SSO credential, they can reach every application connected to it. An SSO account should therefore always be protected with a second factor, ideally a hardware key.
Passwordless
Many firms are removing passwords from their authentication systems altogether and moving to a passwordless world. Current passwordless systems expect users to install the service provider’s authentication app and register it once with the authentication server.
Whenever the user tries to access the service, they receive a notification in the app to approve or deny the session.
Companies such as Microsoft, Google, Adobe, and Verizon already offer a passwordless option for logging into their services.
Password manager
A normal person cannot remember 50 or so passwords unless they are reusing them or the passwords are too easy to remember. This is where password managers come in. They store your passwords and autofill them whenever you log in. Leading password managers encrypt your vault with 256-bit AES, so what is stored on disk and on the vendor’s sync servers is ciphertext, not your passwords. The encryption key is derived from your master passphrase with a slow key-derivation function and is never sent to the vendor, so neither the vendor nor an intruder who steals the vault can decrypt it without your passphrase.
The downside is that the support team cannot unlock your vault if you forget the passphrase, because they never had the key.
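The following is an added example, not code from the post or from any password-manager vendor, of the structure described above: the master passphrase is stretched with PBKDF2-HMAC-SHA256 (the round count is an assumption taken from the current OWASP recommendation), the derived key encrypts the vault, a MAC detects wrong passphrases and tampering, and the only thing the server-side blob contains is salt, nonce, ciphertext and tag. Because the standard library ships no AES, the stream cipher here is HMAC-SHA256 in counter mode, which is a standard PRF-based construction but is used only to keep the example dependency-free; a real vault uses AES-GCM or XChaCha20-Poly1305 from a vetted library.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 rounds; OWASP's current recommendation (assumed)
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(passphrase: str, salt: bytes):
    """Stretch the master passphrase into an encryption key and a MAC key.

    Only the passphrase can reproduce these; the vendor stores the salt, never the keys.
    """
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (demo only; use AES-GCM or
    XChaCha20-Poly1305 from a real crypto library in production)."""
    blocks = [hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(passphrase: str, plaintext: bytes) -> bytes:
    """Return salt || nonce || ciphertext || tag: the only thing a sync server ever holds."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC over everything the decryptor will trust.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(passphrase: str, blob: bytes) -> bytes:
    """Reverse of encrypt_vault. Raises ValueError on a wrong passphrase or a modified blob."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # verify before touching the ciphertext
        raise ValueError("wrong passphrase or tampered vault")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    vault = b"github.com: kT7#mV9qL2xR4pW8zB3n"     # constructed vault entry
    blob = encrypt_vault("correct horse battery staple", vault)
    print("stored blob:", blob.hex()[:48], "...")
    print("decrypted:", decrypt_vault("correct horse battery staple", blob))
    try:
        decrypt_vault("wrong passphrase", blob)
    except ValueError as exc:
        print("wrong passphrase:", exc)
```

The last branch is the post’s “downside” made concrete: with the wrong passphrase the MAC check fails and there is no recovery path, because nothing but the passphrase can regenerate the keys.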
World Password Day raises awareness about how we should generate passwords. It encourages us to ditch our old weak passwords and replace them with strong passwords. It also promotes the use of different passwords for different online services and relying on 2FA.
