Password Security Guide: Keeping Sensitive Information Safe

Importance of Password Security

Understand why users should be concerned about password security.

From email to banking to social media to shopping and donating, the average person spends almost half of their day online. The reality is: many of these sites hold information that is protected by nothing more than a user-generated password.

A string of 5 to 16 characters is all that keeps hackers from accessing your information. That’s why it’s so crucial that online users implement password security best practices and create strong passwords for every account they use.

We’ve compiled a list of key statistics to help you understand the current state of password security.

Password Security Statistics

73% of online accounts are protected by duplicate passwords

54% of people use 5 or fewer passwords across their online accounts

90% of user-generated passwords are vulnerable to hacking

98% of accounts can be accessed from 10,000 of the most common passwords

Password Security Best Practices

Use At Least 8 Characters

Longer passwords take more time to crack. Experts suggest users create passwords that contain at least 8 characters. However, the ideal password should be closer to 16 characters long, including a mix of lowercase and uppercase letters, numbers, and symbols.

Avoid Names and Dictionary Words

While stringing together a few words might seem like a strong password, it’s in fact very easy to crack. With password cracking software, hackers can run through common dictionary words within a matter of hours. Users should create passwords with random characters that have no meaning.

Don't make your password personal

Often users create passwords from their name, birthday, and other personal details because they’re easy to remember. The problem with these passwords is that information like names and birthdays can be found with a quick Google search.

Stay away from patterns and predictable formulas

Generally, when users create a password, they follow a common formula: pick a word, capitalize the first letter, add a number, and add a common symbol at the end. These types of patterns are obvious to guess and should be avoided when creating passwords.

Store accounts in a password manager

Password managers like LastPass, KeePass, and Keeper allow users to store and organize their passwords. These applications often come with tools to help you generate more secure passwords, auto-fill forms, and much more. Using them only requires an individual to remember one password: the master password for the manager itself.

Create unique passwords for all accounts

One of the biggest mistakes users make is reusing the same or very similar passwords on multiple accounts. As a result, cracking one password leads to a domino effect that gives hackers entry into multiple accounts with little effort. All of your accounts should use different passwords that follow the best practices above.

Common Challenges Associated With Password Security

The challenge with password security is that long, complex credentials are hard to remember.

Passwords are difficult to remember

Let’s face it: even if you followed all the rules and created a strong password, you still have to be able to remember it for it to be useful. The average user has around 27 accounts, and it can be difficult to create a unique password for each, much less keep track of which password goes with which account.

Of course, you can always use a password manager, but even these tools carry risk. If someone cracks your master password, they’ll have access to every account stored in your manager.

Password security checkers are often judging strength using outdated guidelines.

Password security checkers don’t work

It’s often recommended that people use a password checker to test the strength of their passwords. These tools can also be found on many websites during the account-making process. While password checkers have good intentions, the results are usually inconsistent and misleading.

For example, the password “Jessica1234567” passes many of the most common password checkers; however, it breaks several of the rules above. Using personal information like a name followed by a string of guessable numbers makes this password easy to crack.
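To make the point concrete, here is an added example (not code from the original guide) of a checker that applies the rules listed under Best Practices above and, beside it, the naive length-times-charset estimate that many simple checkers rely on. The word and name lists, the rule thresholds (8 and 16 characters) and the sample passwords are constructed for illustration; a real checker would load a large dictionary and a breached-password list.

```python
import math
import re

# Constructed, deliberately small word and name lists for illustration only.
# A production checker would load a large dictionary and a breached-password list.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "letmein", "football"}
COMMON_NAMES = {"jessica", "michael", "ashley", "daniel", "john", "sarah"}
MIN_LENGTH = 8     # the guide's minimum
IDEAL_LENGTH = 16  # the guide's recommended length

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def naive_strength_bits(password):
    """The length-times-charset estimate many simple checkers use: log2 of the
    number of strings of this length over the character classes present.
    It rewards "Jessica1234567" with more than 80 bits, which is why such
    checkers rate it as strong."""
    charset = 0
    for pattern, size in zip(CLASS_PATTERNS, (26, 26, 10, 33)):
        if re.search(pattern, password):
            charset += size
    return len(password) * math.log2(charset) if charset else 0.0


def check_password(password, personal=()):
    """Apply the guide's rules and return the list of violations (empty = passes).
    `personal` is an optional tuple of strings such as the user's name or birth year."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    elif len(password) < IDEAL_LENGTH:
        problems.append(f"shorter than the ideal {IDEAL_LENGTH} characters")

    classes = sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)
    if classes < 4:
        problems.append("does not mix lowercase, uppercase, digits and symbols")

    lowered = password.lower()
    # Strip leading/trailing digits and symbols to find the "word" the password is built on.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in COMMON_WORDS:
        problems.append("built on a dictionary word")
    if core in COMMON_NAMES:
        problems.append("built on a common first name")

    for item in personal:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information: {item}")

    # The predictable formula: capitalised word, then digits, then an optional symbol.
    if re.fullmatch(r"[A-Z][a-z]+[0-9]+[^a-zA-Z0-9]?", password):
        problems.append("follows the capitalised-word + number + symbol formula")

    # Sequential digit runs such as 1234 or 6789.
    if re.search(r"0123|1234|2345|3456|4567|5678|6789", password):
        problems.append("contains a sequential run of digits")
    return problems


if __name__ == "__main__":
    for candidate in ("Jessica1234567", "q7%Lm2#vR9!pX4&z"):
        print(candidate, round(naive_strength_bits(candidate), 1), "bits (naive)")
        for problem in check_password(candidate, personal=("Jessica",)):
            print("  -", problem)
```

The two functions disagree on purpose: the naive estimate scores “Jessica1234567” at roughly 83 bits, while the rule checker flags its length, its missing symbol, the first name it is built on, the word-plus-digits formula and the sequential digits. A random 16-character mix passes every rule.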

Password security is mostly the responsibility of the user creating the account.

All the hard work is placed on the user

When users create an account, they’re tasked with coming up with a secure password. Creating a complex password takes time and even then your information isn’t completely protected. If the company’s data is compromised, hackers can easily gain access to your account information.

Instead of using passwords as the sole means of protecting information, organizations need to implement tighter security measures to ensure the safety of their users, so that all the hard work doesn’t rest on users’ shoulders.

Password security is becoming obsolete because technology is getting faster at cracking credentials.

Technology makes cracking passwords easier

The unfortunate truth is that there are so many ways cybercriminals can obtain your password. Passwords can be cracked just by guessing, posing as companies, or scamming customer support teams to reset credentials.

Moreover, new developments in technology have made cracking passwords even easier. These tools are able to run word and character combinations until they get a match, and the process can be completed in as little as a few days depending on the password’s strength.

How Hackers Crack High-Security Passwords

Brute-Force Attack

A brute-force attack is a technique cybercriminals use to crack encrypted files containing account information. The hacker uses a computer program to check every possible password automatically: it systematically tries all one-character passwords, then moves on to all two-character combinations, and so forth.

Brute-force attacks don’t work against web services like email accounts because the service restricts access and bans IP addresses that attempt too many logins.

Dictionary Attack

A dictionary attack is a technique used to crack a password-protected computer or server by entering words from a dictionary as passwords. What makes this method different from a brute-force attack is that the cracking program only tries the word combinations most likely to succeed.

This method is often successful because many users create passwords with common words. However, this method is less effective on passwords that have multi-word phrases or random character combinations.

Database Hacking

Database hacking is the method most of us are familiar with. This is when a hacker gains access to a company’s user database containing all of your login information. In recent years, we’ve seen larger companies like eBay, Yahoo, and State Farm fall victim to database hacking.

Cybercriminals can gain access to databases by obtaining the login information of an employee and implementing other techniques to gain access from there. As a result, it won’t matter how secure your password is.

Understanding Passwordless Authentication

Start using password security alternatives.

As you can see, even following the best password security guidelines can still leave your information vulnerable. So, what can you do to help protect your personal data?

Start using password alternatives! Passwordless systems allow users to log into accounts using a secure authentication method like email or biometrics. 

In fact, many users are already familiar with these systems. For instance, when websites allow you to log in with your Gmail or Facebook account, you’re using a form of passwordless authentication.

These methods remove the need to create a password (that may or may not be secure), speed up the login process, and add an extra layer of security.

Types of Password Security Alternatives

Password security alternatives like email authentication only take 3 steps.

Password Security Alternative #1: Email Authentication

Email authentication is one of the most popular password alternatives because anyone with an email account can use it.

This method uses two-factor authentication as an extra layer of security. Instead of accessing an account with a password, users click a “sign in” button that directs them to a pre-written email. Once they hit send, they’ll have access to their accounts.

A DKIM signature attached to each email lets the service confirm that the message really came from the sender’s mail provider and was not altered in transit, which is what ties the login to the person who owns the email account.
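The server side of that flow, as an added example that is not Swoop’s code or the guide’s: the “sign in” button opens a pre-written email carrying a random one-time code, and the service logs the user in only when an inbound email arrives whose DKIM check passed, whose From address is the one the code was issued for, and whose code is still valid and has not been used before. The login mailbox address, the 10-minute code lifetime and the inbound message are constructed; the DKIM verdict is taken as an input because in practice it is produced by the receiving mail server (for example in an Authentication-Results header), and a deployment would additionally check that the DKIM signing domain matches the From domain.

```python
import secrets
import time

TOKEN_TTL_SECONDS = 600                # assumed lifetime of a sign-in code
LOGIN_MAILBOX = "login@example.com"    # assumed address the pre-written email is sent to


class EmailSignIn:
    """Server side of a send-an-email login. start() issues a one-time code embedded
    in a mailto: link; complete() accepts an inbound email only if the receiving mail
    server's DKIM check passed, the From address matches the address the code was
    issued for, and the code is unexpired and unused."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # code -> (email address the code was issued for, expiry time)

    def start(self, email):
        code = secrets.token_urlsafe(16)  # 128 bits of randomness: not guessable
        self.pending[code] = (email.lower(), self.clock() + TOKEN_TTL_SECONDS)
        # This is what the "sign in" button opens: an email the user only has to send.
        return f"mailto:{LOGIN_MAILBOX}?subject=Sign%20in&body={code}"

    def complete(self, inbound):
        """`inbound` is a parsed inbound message: {'from_addr', 'body', 'dkim_result'}.
        dkim_result is the verdict the receiving MTA recorded; this code trusts that
        verdict rather than re-verifying the signature itself.
        Returns the authenticated email address, or None if the login is rejected."""
        if inbound.get("dkim_result") != "pass":
            return None  # unsigned or tampered mail: the From header could be forged
        body = inbound.get("body", "").strip()
        code = body.split()[0] if body else ""  # mail clients often append a signature below the code
        record = self.pending.get(code)
        if record is None:
            return None  # unknown, or already used, code
        email, expires_at = record
        if self.clock() > expires_at:
            del self.pending[code]
            return None  # stale code: the user must press "sign in" again
        if inbound.get("from_addr", "").lower() != email:
            return None  # DKIM only vouches for the sending domain, so the address is checked too
        del self.pending[code]  # single use: a replayed copy of the email will not log in again
        return email


if __name__ == "__main__":
    service = EmailSignIn()
    link = service.start("donor@example.org")
    print("button opens:", link)
    code = link.split("body=")[1]
    # Constructed inbound message as the login mailbox would see it after DKIM checking.
    message = {"from_addr": "donor@example.org", "body": code, "dkim_result": "pass"}
    print("logged in as:", service.complete(message))
    print("replay:", service.complete(message))
```

The three rejections in `complete()` are the ones that matter in practice: a failed DKIM check means the From address cannot be trusted, a mismatched From address means someone else sent a valid code, and a consumed or expired code stops replays of an email that was forwarded or captured later.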

Our Top Pick For Email Authentication

Swoop’s e-commerce and donation platform offers top-notch email authentication features. Plus, their tool can be used across many platforms and is easy to set up. Learn more about Swoop’s secure email authentication options!

Biometrics is a password security alternative that uses the user's biology to grant access.

Password Security Alternative #2: Biometrics

From face and fingerprint recognition to DNA matching, biometrics is a type of authentication method that uses biological factors to identify users. Since everyone’s biology is unique, this password alternative is one of the most secure options available. 

However, the challenge is that these systems are difficult and expensive to implement. Users need a specific device in order to access this authentication method.

Additionally, fingerprints can be duplicated, and if someone does gain access to your account through a copied biometric, you can’t change it the way you would a traditional password.

The password security alternative known as token authorization requires users to enter a unique code every time they log in.

Password Security Alternative #3: Social Media Sign-In

Offering users the ability to log in to your site using the existing credentials for their social media accounts can be a smart move in many situations.

Essentially, this option builds on the security features of the social media platform’s login system. Like email accounts, social media login credentials tend to be secure and reliable. Even if your site can’t offer the same level of tight credential security, take advantage of the security of the social media giants.

While some users might feel uncomfortable or distrustful of social media sign-in options, a large percentage of the population is willing to use it. After all, it reduces the need to create more and more passwords and it makes it much easier for new visitors to use your site.

Social media sign-in is particularly useful when offered as an additional choice alongside email authentication methods. Both email and social media are practically universal accounts; all your users and customers will have one, the other, or both.

Benefits of Passwordless Authentication

Passwordless login systems are more secure

First, passwordless login systems take the burden of securing information off the user. Users don’t have to worry about creating a secure password, as these systems verify users through other methods. Passwordless authentication uses unique keys to verify that you are who you say you are, making it much more difficult for hackers to access your accounts.

Passwordless Authentication improves user experience

Password alternatives don’t require any memorization like traditional passwords. As a result, this can not only speed up the login process but also make creating an account less time-consuming. Faster account creation means you’ll be able to acquire more users as there will be fewer obstacles stopping them from signing up.

Alternatives eliminate the need for a password manager

While using a password manager has many benefits, it can be risky having all your accounts stored under one master password. Using passwordless login allows donors to access accounts through email, tokens, or biometrics, so there’s no need to store information in a password manager.

Password alternatives are simple to implement

Of course, the level of simplicity will depend on the type of authentication you decide to use. For example, using a biometrics authentication system will take more time to implement than an email authentication system. Best of all, many users are already familiar with some variation of these methods, so there’s less of a learning curve.

Organizations That Can Use Passwordless Login

Businesses and Corporations

Businesses can use passwordless login systems as a way for customers to access their online billing or retail accounts. Virtually any password-protected account can be switched to a secure password alternative, so customers don’t have to spend time creating a password that may or may not be effective.

Additionally, businesses can use these methods for internal accounts. Since a common way cybercriminals gain access to company databases is through employee accounts, passwordless login systems will make sensitive data more difficult to access for unintended users.

Nonprofits and Religious Organizations

Whether you’re a local animal shelter, an environmental organization, or a church, you can make use of passwordless login systems to keep your donor database secure. Every time a donor gives to your organization, that individual is trusting that their payment information won’t get into the wrong hands.

By requiring team members to use passwordless authentication and offering the feature to donors when they give, you can strengthen your security measures and provide donors with a much more convenient giving option. 

Additional Password Security Resources

Questions About Passwordless Login

Interested in learning more about passwordless login systems? This article answers some of the most common questions to help you determine if these tools are right for your company or nonprofit. Get the answers to some of your most pressing questions.

Top PayPal Alternatives

If you’re looking to create an e-commerce site or accept donations online, you might be considering PayPal. Before you finalize your decision, check out our list of recommended alternatives. These tools offer features that can provide customers and donors with a better user experience.

Mobile Giving Guide

Organizations that want more ways to implement passwordless login into their giving methods should check out this awesome guide on mobile giving. With an in-depth look at several mobile giving methods, you can see how easy it is to give with password alternatives.

Join Swoop's beta program.