We all know passwords are a thing of the past – only, they’re not there yet. Yes, we’re moving on to MFA (and beyond): biometrics, passwordless, and Modern Authentication. It’s coming. However, in the meantime – don’t share passwords. Don’t store them where others can see. Act as if someone is always out to steal your identity, and you’ll probably be right. The bottom line is that while technology looks ahead, most people are still far behind – stuck somewhere in password land, using “123456” and sticking their credentials on a sticky note. Yikes. Hopefully we can convince you why that’s such a bad idea – and give you some tips to stay safer (if you must use passwords only).
The current password situation
Let’s face it, we’re all guilty. Don’t try to hide it – statistics agree. Here’s a list of some password bad habits:1
● There are nearly 10 million variations of “2010” being used in passwords
● “1991” is the third most popular year used in passwords (with over 8 million variations)
● Around 50% of internet users use the same password across all accounts
● Less than half of respondents use a password manager
● 35% of respondents admit to choosing convenience over security in password creation
With so many negligent password habits, we have ourselves to thank for a great deal of password-based attacks. Until we move away from BasicAuth and fully adopt Modern Authentication tactics like MFA (fully adopt), passwords are still widely in use and they’re the lowest hanging fruit around. Don’t believe us? We’ll share some even more frightening stats, below.
Dangers of password sharing
Password sharing doesn’t have to be intentional. In fact, most of the time it probably isn’t. Think about it – you probably write your username/password combo for that new gym app on some sticky note next to your laptop, or share a Netflix login via text with a friend. Bad, bad, bad. If it’s anywhere out in the open – meaning unencrypted – it’s not safe.
Also, password sharing can be inbred. That means you didn’t share it with someone else – you shared it amongst your own apps. That way, it’s like a login jackpot should some bad actor pick up your credentials floating around online (or should you get phished): with one password, they’ll be able to access a ton of your sites, really ruining your life. Be careful, and use different passwords.
Also, it’s good to check to see if your password is already floating around on the dark web somewhere via a link such as https://haveibeenpwned.com/. There have been a list of major data breaches within the past five years alone (like we’ve seen with Marriot, Facebook and LinkedIn so you never know.)2
Here are some of the consequences of poor password management:3
● 33% of malware breaches were caused by password dumper malware
● As many as 555 million stolen passwords have been published on the dark web since 2017
● 17% of hackers correctly guess a password
● Every 39 seconds there’s a hacking attempt running scripts to guess usernames and passwords
● 81% of company breaches are caused by poor passwords
That last one is hard to take. Over 80 percent of data breaches are essentially preventable – and caused by poor password management. When the average breach costs upwards of $4 million, it would be far cheaper to invest in some password security education.4
How to keep your passwords safe
To use a password is to get targeted, so here are some good password hygiene techniques to stay safe.
● Never leave your password in a public place, or use it in more than one place.
● Don’t text, email, or save passwords unencrypted (yes, there are encrypted text and email options).
● Use MFA, biometrics or some other form of Modern Authentication wherever possible: in other words, avoid the simple password if you can.
● If you’re a business, consider an Identity and Access Management (IAm) solution to account for the (potentially sloppy) password habits of your employees.
● If you must use passwords – use a password manager.
Let’s focus on that last one. A good password manager can spell the difference between confusion and securely accessing anything, anywhere – anytime. A lot of us use something simple like “Password 1” or our birthday (is that just my mom?) because it’s easy to remember. Unfortunately, that also makes it easy to guess.
And, when we try to make a secure, 16-digit unguessable monstrosity filled with letters, numbers, symbols and zero words in English – we typically forget. This leads to us writing our “super secure” password down in a notebook, on a Sticky or texting it to a friend. Back to bad, bad, bad.
Password managers have alleviated that burden by saving all your passwords automatically, and even generating (with a super randomizer) ultra secure passwords that no one would ever guess (without a million years of spare time and a supercomputer). It’s safe. We’d recommend options like OneLogin or LastPass, but it’s up to you.
Also, it’s never too late to generate buzz around security awareness, and companies like Know Be 4 provide good training around how to watch out for phishing campaigns. There’s even a tool to find out how weak your passwords really are.5
Or, use an identity and access management (IAM) provider like the one under the Cisco Umbrella; Cisco Cloud Security IAM service.6 A good IAM provider can move you from passwords altogether to Single Sign On (SSO), Privileged Access Management (PAM), and other ways of multi-point authentication. But, that’s a blog for another day.
1. Chang, Jenny. “55 Important Password Statistics You Should Know: 2022 Breaches & Reuse Data,” Finances Online, https://financesonline.com/password-statistics/, accessed April 2022.
2. Henriquez, Maria. “The top data breaches of 2021,” Security, 9 December 2021, https://www.securitymagazine.com/articles/96667-the-top-data-breaches-of-2021 accessed April 2021.
3. Chang, Jenny. “55 Important Password Statistics You Should Know: 2022 Breaches & Reuse Data,” Finances Online, https://financesonline.com/password-statistics/, accessed April 2022.
4. “How much does a data breach cost?” IMB, 2021, https://www.ibm.com/security/data-breach, accessed April 2022.
5. “How weak are your user’s passwords?” Know Be 4, https://www.knowbe4.com/weak-password-test, accessed April 2022.
6. “Cisco Cloud Security IAM Services,” IAM Networks, https://iamnetworks.net/security/cloud-identity-and-access-management/cisco-cloud-security-iam-services/, accessed April 2022.