secure passwords

Yes, there’s really a World Password Day. Celebrated on the first Thursday of May, the event was started by Intel in 2013 to raise awareness of the need for secure passwords.

As a security professional, I must admit that 7 years later, I question the need to continue to observe this event. Do we, in the year 2020, really still need to be told that passwords are important? Sadly, yes. We still need a reminder that secure passwords are incredibly important. While I imagine most people would say they know that, it’s one thing to know it and quite another to put it into practice. In 2020, issues associated with passwords still abound.

Password-Based Attacks Often Rely on Re-Used Passwords

Within the past few weeks, I’ve seen a resurgence in a common email scam based on old passwords. In this scam, a user receives an email that includes a password the person may have used in the past (or is still using). The attacker demands bitcoin, claiming to have embarrassing videos of the user that they will release if they’re not paid. This type of scam first originated in 2018 and was so widespread that we dedicated a blog post to it.

Another story that recently caught my attention was about password information for the National Institutes of Health, the World Health Organization and others involved in fighting the current COVID-19 pandemic. In this case, it is believed that the credentials and passwords that were exposed on the Internet were obtained from previous data breaches (in some cases going all the way back to 2016).

These two seemingly unrelated threats are both the result of the same problem – reused passwords. When you use the same password for multiple different systems, your exposure level goes sky high if any of these systems are compromised. Lists of email addresses and passwords are dumped from compromised platforms. These credentials are then sold on the dark web for attackers to use on other systems. No longer do attackers have to rely on “cracking” passwords, they just have to hope you are one of the two-thirds of people that reuse passwords.

Follow These Best Practices for Secure Passwords

This is not a losing battle. There are several simple things you can do to make yourself more secure:

  • Don’t. Reuse. Passwords. Definitely don’t reuse the same password for everything you log into. Please. Use different passwords or password variations.
  • Consider using a password manager application. These systems allow you to maintain and keep track of a wider variety of more complex passwords.
  • Use multi-factor authentication (MFA) wherever possible. The use of MFA greatly increases your security and diminishes your exposure if your password information is somehow exposed.

Sadly, there’s no World Multi-Factor Authentication day yet – I checked. Until there is (hopefully) such a day and we’re all fully aware of how much MFA can help, it’s going to be up to us to utilize password security best practices. In short, the more each of us works at this, the safer the Internet becomes. Have a safe and secure World Password Day!