With the recent Equifax data breach and the many other corporations that have faced similar situations in the last couple of years, companies and users are putting more emphasis on their password security and asking the important question, “How strong is my password?”
Password strength is an important topic and with best practices that are constantly changing, it can be difficult to know whether your efforts are increasing your protection or not effective at all.
We’ve asked security expert John Killoran, CEO of Swoop, to help explain why your passwords might not be as secure as you think.
Here’s what we’ll cover:
- Password security is more important than ever.
- Common best practices to strengthen your password.
- Password security checkers can’t answer the question.
- The problem with passwords.
- The solution is to use password alternatives.
Password Security Is More Important Than Ever
According to a recent study, the average person has 27 online accounts, and the trend is headed up. It’s estimated that the number of logins per person will double every five years.
As we migrate more of our information online, we need to take the necessary steps to ensure that information doesn’t get into the wrong hands.
“Users aren’t the only ones that need to be concerned with password security,” says John Killoran. “For-profit businesses and nonprofit organizations need to look internally for ways to keep their users’ information safe.”
In 2016 the Yahoo data breach compromised 1 billion accounts, and more recently, the Equifax data breach put 143 million users at risk. Before the Equifax breach, it was discovered that the Argentine branch used the password “admin” to protect their customers’ sensitive information.
If more people continue to choose convenience over security, there will only be more large data breaches in the future.
Even when we’re not creating an account, our sensitive information is stored behind a password.
Imagine that you’re donating to a nonprofit, for instance. When you enter your payment information, your name and credit card number are stored in that nonprofit’s database. The data is protected using encryption, but hackers can use technology to crack the key to encrypted data or gain access through an employee’s login.
Common Best Practices to Strengthen Your Password
So you might be wondering what methods you can take to strengthen your passwords. With so many different rules and conflicting opinions on what users should do, it can be difficult for users to know which strategies are proven to work and which ones fall short.
John suggests that donors create passwords that are at least 8 characters long with a random mix of numbers, symbols, and uppercase and lowercase letters. Additionally, he recommends users avoid any dictionary words and personal elements.
John says, “Using personal information like your name or birthday can instantly weaken a password. Hackers can find these facts by doing a quick Google search. Users should also avoid all dictionary words because computer programs can scan through a billion words per second to crack your password.”
What else can you do to create more complex, harder-to-crack passwords?
A few more tips that password experts recommend are:
- Don’t change your password frequently. Contrary to popular belief, creating a new password every few months can lead to weaker accounts. The time and effort it takes to create a unique password every few months might cause users to settle for easier credentials.
- Do use a different password for every account. A shocking 54% of users only have 5 or fewer unique passwords across their accounts. By using a handful of passwords, you’re making the job easier for cybercriminals. If one of your accounts becomes compromised, there is a higher risk of your other accounts getting hacked as well.
- Don’t follow patterns or simple formulas. Let’s face it: we often follow the same formula to create a password. We pick a word that’s easy to remember, capitalize the first letter, add a few numbers at the end, and end it with an exclamation point. These formulas make our passwords more predictable and easy to hack.
- Do make your passwords as random as possible. The hardest passwords to crack are the ones that use a generous mix of characters compiled through a random process. Even with computer programs, these passwords could take years to crack, at which point the cybercriminal will look for easier targets.
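To show what “compiled through a random process” and “could take years to crack” mean in concrete terms, here is an added example (not code from the article or from Swoop). It draws each character from the operating system’s cryptographic random number generator and compares the size of the resulting search space with the “capitalised word + digits + !” formula described above. The 10,000-word dictionary size, the four-digit suffix and the one-billion-guesses-per-second rate are assumptions chosen to match the article’s figures, not measured values.

```python
import math
import secrets
import string

# 94 printable ASCII characters: 52 letters, 10 digits, 32 symbols
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Character classes a site's rules typically demand
CLASSES = (
    str.islower,
    str.isupper,
    str.isdigit,
    lambda c: c in string.punctuation,
)


def generate_password(length: int = 12, alphabet: str = FULL_ALPHABET) -> str:
    """Build a password by drawing every character independently from the
    OS cryptographic RNG (secrets), i.e. a genuinely random process rather
    than a memorable formula. Redraws until every class present in the
    alphabet appears, so class-based site rules accept the result."""
    needed = [cls for cls in CLASSES if any(cls(c) for c in alphabet)]
    if length < max(4, len(needed)):
        raise ValueError("password too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(cls(c) for c in candidate) for cls in needed):
            return candidate


def search_space_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def formula_password_bits(word_list_size: int = 10_000, digit_count: int = 4) -> float:
    """Search space of the 'Word1234!' formula: the attacker only has to try
    every dictionary word times every digit suffix (assumed sizes)."""
    return math.log2(word_list_size * 10 ** digit_count)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e9) -> float:
    """Years needed to try the whole space at the given rate (the article's
    'a billion words per second'). The average hit comes in half that time."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    random_pw = generate_password(12)
    random_bits = search_space_bits(12, len(FULL_ALPHABET))
    print(f"random 12-char password: {random_pw}")
    print(f"  {random_bits:.1f} bits, {years_to_exhaust(random_bits):,.0f} years to exhaust")
    formula_bits = formula_password_bits()
    print(f"'Word1234!' formula: {formula_bits:.1f} bits, "
          f"{years_to_exhaust(formula_bits) * 365.25 * 24 * 3600:.3f} seconds to exhaust")
```

The gap is the point of the list above: twelve random characters from the full printable set give roughly 79 bits, which is millions of years at a billion guesses per second, while the dictionary-plus-digits formula collapses to under 27 bits and is exhausted in a fraction of a second at the same rate.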
Another tip that many experts suggest is to use a password manager. These tools help you organize and store your accounts in one location.
“Password managers can be useful when you’re juggling many accounts,” says John. “Tools like Lastpass can generate strong passwords for you and automatically enter fields on the login page so users don’t ever have to remember a password again. However, these tools do have their risks.”
The challenge with password managers is that users will have all their accounts under one master password. If your password management tool becomes compromised, a hacker will have access to every account you have stored.
Password Checkers Can’t Answer the Question, “How Strong Is My Password?”
How do users answer the question “How strong is my password?”
After following many of the best practices, users often run their password through a strength meter, which usually rates it on a scale from very weak to very strong. Even large companies have started embedding password checks in the account creation process.
We’ve all experienced not being able to move forward with our account because the password we created was too weak. But, how effective are these tools at evaluating the strength of our passwords?
Many experts say that password checkers can actually provide users with a false sense of security.
John explains how “many of these checkers aren’t created equal; each one uses a different set of criteria. Some follow standards that are outdated and only assess the strength of a password using very simplistic benchmarks.”
To illustrate this point we’ve tested a few examples on the most popular password checkers:
As you can see, none of the passwords is particularly secure going by the best practices we mentioned above.
Let’s take a closer look at the password “Qwerty1234!”, which scored high on two password checkers. While the password follows many of the best practices—more than 8 characters, no dictionary words, and a mix of letters, numbers, and symbols—it would still be easy for hackers to crack, because it follows a common formula and combines elements of two of the most used passwords (“123456” and “qwerty”), neither of which has any complexity.
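The following added example (not code from the article or from any of the checkers it tested) shows why two meters can disagree about “Qwerty1234!”. A naive meter counts length and character classes and rates it very strong; a pattern-aware meter also looks for fragments of the most used passwords, keyboard sequences and the “Word1234!” formula, and rates it very weak. The short common-password list and keyboard rows embedded here are a constructed sample; a real checker would consult a list of millions of leaked passwords.

```python
import re

# Constructed sample of the most-used passwords (the article names "123456" and "qwerty")
COMMON_PASSWORDS = ["123456", "12345678", "password", "qwerty", "111111", "abc123", "letmein"]

# Physical keyboard rows; any four adjacent keys count as a "keyboard walk"
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# The formula from the article: capitalised word, digits, a closing punctuation mark
FORMULA = re.compile(r"^[A-Z][a-z]+\d+[!?.]$")

LABELS = ["very weak", "weak", "fair", "strong", "very strong", "very strong"]


def naive_points(password: str) -> int:
    """A simplistic meter: one point for length, one per character class."""
    checks = [
        len(password) >= 8,
        re.search(r"[a-z]", password) is not None,
        re.search(r"[A-Z]", password) is not None,
        re.search(r"[0-9]", password) is not None,
        re.search(r"[^A-Za-z0-9]", password) is not None,
    ]
    return sum(checks)


def naive_score(password: str) -> str:
    return LABELS[naive_points(password)]


def pattern_penalties(password: str) -> list[str]:
    """Reasons a pattern-aware meter distrusts a password that passes the class rules."""
    low = password.lower()
    reasons = []
    for common in COMMON_PASSWORDS:
        if common in low:
            reasons.append(f"contains common password {common!r}")
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            if row[i:i + 4] in low:
                reasons.append(f"contains keyboard sequence {row[i:i + 4]!r}")
                break
    if FORMULA.match(password):
        reasons.append("follows the 'Word1234!' formula")
    if re.search(r"(.)\1{2,}", password):
        reasons.append("repeats one character three or more times")
    return reasons


def pattern_aware_score(password: str) -> str:
    """Start from the naive points and subtract two per detected pattern."""
    points = naive_points(password) - 2 * len(pattern_penalties(password))
    return LABELS[max(0, points)]


def compare(passwords: list[str]) -> dict[str, tuple[str, str]]:
    """Map each password to (naive rating, pattern-aware rating)."""
    return {pw: (naive_score(pw), pattern_aware_score(pw)) for pw in passwords}


if __name__ == "__main__":
    for pw, (naive, aware) in compare(["Qwerty1234!", "password", "x7#Kq9!mPz2L"]).items():
        print(f"{pw:15} naive={naive:12} pattern-aware={aware:12} {pattern_penalties(pw)}")
```

Only the pattern-aware meter separates the formula password from the random one; a meter that stops at character classes cannot tell them apart, which is exactly the false sense of security the quote above warns about.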
The Problem With Passwords
“No matter how many best practices users implement or how strong their passwords rank, the real problem isn’t with our passwords’ strength but the idea of password security itself,” says John.
The challenge with passwords is that security and convenience are constantly at war with each other. Think about it this way: the more complex and random our passwords become, the harder it is to remember our logins, making it difficult and time-consuming to access our accounts.
Of course, we can use password managers to help ease some of the hassles, but these tools come with their own set of risks as we mentioned earlier. Users have to put their trust in a master password, and with no definitive way to determine the strength of a password, users can only hope that their information is protected.
As a result, users settle for a password that’s less secure because it’s more convenient. In fact, the most commonly used passwords are very weak by most standards:
The real problem occurs when these poor practices are used internally at companies because that’s when the most people are at risk.
If hackers gain access to a corporation’s database, it doesn’t matter how secure your individual account is as they’ll have access to all your sensitive information.
The Solution Is To Use Password Alternatives
As more and more experts predict the end of passwords, users and companies need to be more aware of the other options available.
“Accessing accounts using password alternatives is a growing trend, and you’ve likely experienced a few passwordless login systems yourself,” says John. “iPhone users can now confirm an online payment with their fingerprint and people can sign up for a service using their Facebook or Gmail accounts.”
Instead of asking “How strong is my password?”, users need to start seeking out these alternatives.
While a password still might be involved in some of these situations, it’s a step in the right direction, as the additional authentication process makes it much more difficult for hackers to gain access.
Best of all, these authentication methods can be used for virtually every online scenario—from online payments to donations to e-commerce to account login.
Let’s look at two types of passwordless login systems:
A universal type of passwordless login is email authentication because anyone with an email account can use it. The process only takes three steps:
- The user clicks on the “Sign In” button, which will trigger a mailto link to a pre-written email using the user’s default domain.
- The email will be addressed to a unique email that identifies the type of action, which in this case would be logging in to an account. But the process can be used to make online payments or donations as well.
- Once the user hits send, it only takes a few seconds for the individual to gain entry into the account. To ensure that the email is coming from the user, the system uses verification methods to confirm the email domain and the sender.
The entire process only takes a minute to complete, and the user never needs to fill out a field to log in. The system will flag any login attempts from a different account or IP address and ask the user to confirm or decline the request using another method like a text message.
As a result, even if your email account becomes compromised, hackers can’t gain access to the other accounts connected to your email address.
Additionally, since there is no password reset for accounts with email authentication, hackers won’t be able to change your credentials and block your access to an account.
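The three-step email login above, written out as an added simulation so the checks it relies on are visible. This is constructed example code, not Swoop’s or any vendor’s implementation: the action domain `login.example.invalid`, the `signin+<token>` address format, the five-minute token lifetime and the `sender_authenticated` flag (standing in for the real email domain and sender verification, which in practice comes from SPF/DKIM/DMARC results on the inbound message) are all assumptions. The service only grants entry when a fresh, single-use token is addressed from the account’s own email address, and flags a login from a new IP address for confirmation by another method, as the text describes.

```python
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 300  # assumed lifetime of a login token


@dataclass
class LoginRequest:
    user_email: str   # account the browser asked to sign in to
    client_ip: str    # IP address of the browser that clicked "Sign In"
    issued_at: float
    used: bool = False


class EmailLoginService:
    """Constructed simulation of email-based passwordless login."""

    def __init__(self, action_domain="login.example.invalid", now=time.time):
        self.action_domain = action_domain
        self.now = now                       # injectable clock for testing
        self.pending: dict[str, LoginRequest] = {}
        self.last_ip: dict[str, str] = {}    # IP each user last logged in from

    def start_login(self, user_email: str, client_ip: str) -> str:
        """Step 1: the site answers the Sign In click with a mailto: link whose
        recipient encodes a one-time token tied to this browser."""
        token = secrets.token_urlsafe(16)
        self.pending[token] = LoginRequest(user_email, client_ip, self.now())
        return f"mailto:signin+{token}@{self.action_domain}"

    def receive_email(self, sender: str, recipient: str, sender_authenticated: bool) -> str:
        """Steps 2 and 3: the inbound mail handler sees the message the user's
        client sent. `sender_authenticated` is the outcome of the domain and
        sender verification; a spoofed or forwarded message fails it."""
        local, _, domain = recipient.partition("@")
        if domain != self.action_domain or not local.startswith("signin+"):
            return "rejected: unknown action address"
        token = local[len("signin+"):]
        req = self.pending.get(token)
        if req is None or req.used:
            return "rejected: unknown or already-used token"
        if self.now() - req.issued_at > TOKEN_TTL_SECONDS:
            return "rejected: token expired"
        if not sender_authenticated or sender.lower() != req.user_email.lower():
            return "rejected: sender does not match the account"
        req.used = True  # a token can only ever admit one session
        previous_ip = self.last_ip.get(req.user_email)
        if previous_ip is not None and previous_ip != req.client_ip:
            return "needs_confirmation: new IP address, confirm by another method"
        self.last_ip[req.user_email] = req.client_ip
        return "granted"

    def confirm_location(self, user_email: str, client_ip: str) -> None:
        """Called after the user confirms a flagged login by text message."""
        self.last_ip[user_email] = client_ip


if __name__ == "__main__":
    svc = EmailLoginService()
    link = svc.start_login("donor@example.org", "203.0.113.5")  # constructed user and IP
    print("browser opens:", link)
    addr = link[len("mailto:"):]
    print("mail from donor:", svc.receive_email("donor@example.org", addr, True))
    print("same mail again:", svc.receive_email("donor@example.org", addr, True))
```

Because the site never stores a password, there is nothing for an attacker to reset; what it stores instead is a short-lived token bound to the requesting browser, and a message to that address is only honoured when the sender verification ties it to the account owner.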
Biometrics is the process of scanning a fingerprint, face, iris, or another biological component to gain access. Since biology is unique to every user, biometrics has been classified by many experts as the most secure password alternative.
Fingerprint scanning is the most common type of biometric, and the process is simple: users press their thumb on their device’s fingerprint scanner to enter their accounts or authorize payments.
However, biometrics may not be as secure as they appear. Studies have shown that fingerprints can be replicated using a master fingerprint digitally composed from common features, and that photographs can be used to trick face scanners.
John explains how this alternative has flaws because “When hackers are able to trick the system, it will be difficult for users to secure their accounts as their biological ‘password’ can’t be changed like a traditional password.”
Another drawback of biometrics is that the system can be difficult to implement. Not only is the technology more expensive, but the process will also be limited to those who have a device with scanning capabilities.
Experts suggest that users and companies should be cautious about relying on passwords—and with good reason! Nowadays, passwords require more complexity, and their potential to secure your information is uncertain.
As a result, companies need to implement other levels of security and use other verification methods to ensure our information is safe.
If you’d like to learn more about password security and passwordless authentication, check out these additional resources:
- Questions About Passwordless Login Systems: Have a few concerns about passwordless login? This article answers some of the most common questions to help you determine if password alternatives are right for you.
- Benefits of Passwordless Authentication: We could only touch on a few of the benefits of password alternatives. Check out our complete guide to learn why you should explore passwordless authentication.
- Ways to Create a Modern Password and Username Login: If your organization is looking for ways to improve your login process, check out this article. You’ll get several ways to encourage users to create better passwords and ways to use passwordless login.