H@PpY P@$$w0rD D@Y!

May 5, 2016

Happy World Password Day!


...now go change your passwords.


Some of you may argue that the password isn't something that should be celebrated. But with passwords still so prevalent in today's world, it's hard to deny that changing your passwords and evaluating your password habits are two of the best things you can do to help secure your online identity. World Password Day, an annual event which occurs on the first Thursday in May, was established as a celebration to promote better password habits. We may not like passwords, but we're certainly happy to participate.


As part of this year's celebration, the official World Password Day site asks visitors to "pledge to take passwords to the next level" by sharing a number of tips--some of which might seem overly familiar. But they're certainly worth sharing with that uncle or cousin whose email or social media accounts are embarrassingly compromised (routinely, it seems). Here are some tips for next-level passwords:


  • Make long and strong passwords. This one is pretty self-explanatory, and most sites already enforce strong password restrictions (even if they're not consistent). In general, passwords should be, at a minimum, longer than eight characters and contain a mixture of uppercase and lowercase letters, numbers and symbols.

  • Use unique passwords for every account. Many account breaches in the past few years have occurred because of the theft of improperly stored passwords that were reused across accounts. If you use the same password for your email as you do for any other site, I would strongly encourage you to change it, now.

  • Don't casually share your passwords. Again, this is self-explanatory. Strengthening this statement to just "don't share your passwords ever" is closer to my own advice, but there are some cases where it's unavoidable.

  • Change your passwords regularly. Another no-brainer. If you don't remember when you last changed your passwords, do it now.

  • Let a manager memorize your passwords. If you're the type of person who writes down passwords or stores them in a spreadsheet, this is really good advice. There are a number of solutions available for storing those long, complex passwords that you should be using for your accounts. However, if you haven't changed your master password recently, today is the perfect time to do so.

  • Lock your mobile with a PIN or password. Trust me, this is worth the inconvenience, especially since almost everyone uses their mobile devices for email--which is the most common mechanism for password recovery. More on this later.

  • Stop using one-word passwords. If you're still using single word passwords, have a laugh with this concise explanation as to why you should stop.

  • Enable multi-factor authentication (MFA). Today, this is perhaps the best thing you can do to help secure your online identity. You should consider using MFA for every site and account that supports it as an additional mechanism to secure your account.
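To make the first, second and "one-word" tips above concrete, here is an added example (not from the original post) that checks a password against the exact rules listed, flags single-word passwords that still satisfy the character-class rules, and spots reuse across a constructed set of accounts. The rule thresholds and the sample vault are assumptions for illustration.

```python
import re
from collections import defaultdict

# The post says "longer than eight characters", so nine is the floor (assumed threshold).
MIN_LENGTH = 9


def password_findings(password: str) -> list[str]:
    """Return the tips above that the password fails (empty list means it passes them all)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("too short: needs more than eight characters")
    if not re.search(r"[a-z]", password):
        findings.append("no lowercase letters")
    if not re.search(r"[A-Z]", password):
        findings.append("no uppercase letters")
    if not re.search(r"[0-9]", password):
        findings.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", password):
        findings.append("no symbols")
    # "One-word password": a single run of letters, optionally padded with digits or symbols.
    # Something like "Password1!" satisfies every character-class rule and is still one word.
    if re.fullmatch(r"[A-Za-z]+[0-9!@#$%^&*]*", password):
        findings.append("single-word password")
    return findings


def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password shared by more than one account to the accounts that share it."""
    by_password = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return {pw: accounts for pw, accounts in by_password.items() if len(accounts) > 1}


# Constructed sample vault: the email password is reused for the bank account.
SAMPLE_VAULT = {
    "email": "Summer2016!",
    "bank": "Summer2016!",
    "forum": "correct horse battery staple",
}

if __name__ == "__main__":
    for candidate in ("H@PpY P@$$w0rD D@Y!", "Password1!", "Tr0ub4d&"):
        print(candidate, "->", password_findings(candidate) or "ok")
    print("reused:", reused_passwords(SAMPLE_VAULT))
```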

If these tips seem trite and predictable, that's a good thing--it means education is working (and hopefully not that you've been a victim). But even if these tips are old hat to you personally, there's a good chance that someone you know (or even share a password with) would benefit from this advice regarding password security.


So this is where the "but" comes in.


All of this talk about strengthening passwords and password habits makes us recall a study we conducted last year. The number of respondents who reused passwords and were willing to share passwords with family members (even though they believed it was risky) was astounding. So yes, there are ways to make passwords better, BUT there's more you can do to help ensure the safety of your accounts. Here are some things to keep in mind:


  1. Enable MFA for your email account. We touched on this in the final bullet point above, but we mean now. Like, before cake. Email is the most common mechanism for password recovery, and MFA can prevent attackers from using your email to change all of your passwords and lock you out of your own accounts.

  2. Use an "out-of-band" mechanism for MFA, such as a mobile authenticator app, an SMS message or even a hardware token, rather than one-time passwords (OTPs) delivered via email.

  3. Be very wary of savvy criminals and their MFA phishing attempts. Phishing an OTP is almost as easy as phishing a password, so make sure you're entering your OTPs only into machines and applications that are familiar and trusted. If the site looks fishy, don't enter your code.

  4. Consider evaluating and changing your password recovery mechanisms, especially for sensitive or critical accounts (like email). For example, if you use your dog's name as your security answer to reset your password and you have an Instagram account dedicated to your canine buddy, a dedicated attacker can easily connect the dots.

  5. Biometrics like fingerprints and facial recognition provide convenience for authentication, but be careful. If you consider how many fingerprints you leave over the course of a day, some might say this is no different from "hiding" your password on a sticky note. You might think, "No hacker would target me." But if your fingerprint is ever stolen, it's not something you can change.

We hope this knowledge helps you make some positive changes to improve your security. We also encourage you to participate in the World #PasswordDay #ChatSTC Twitter chat at noon PDT, 3:00 p.m. EDT today and share your #PasswordConfession.


Oh, and change your passwords.