Secure passwords and what you need to know about them

[Written: May 03, 2023 Revised: April 25, 2024]

‍

With a strong password, you and your employees can make an important contribution to your organization's security. You protect yourself from attacks that target weak passwords. It is important that you always use unique and complex passwords for each user account and update them regularly to increase your security. If you and your employees don't, you're taking a big risk.

World Password Day is celebrated every year on the first Thursday in May. It is an annual event to raise awareness about the importance of strong passwords and protecting our user accounts. On May 2, 2024, it's that time of year again. So let's use this day to tell you everything you need to know about passwords.

Introduction to the World of Strong Passwords

A strong password is essential for your security, privacy, and compliance. It protects you from various types of attacks that target weak passwords. It is important that you always use unique and complex passwords for each user account and update them regularly to increase your security.

Some interesting facts about passwords:

1. The passwords "123456" and "password" are still at the top of the most used and weakest passwords. The names of fictional characters like Superman or Batman, your own name, or even swear words are anything but strong passwords.
2. Most of these weak passwords take hackers a fraction of a second to figure out.
3. one-third of people worldwide use the same password for five to ten user accounts. On top of that, about half of them use the same passwords for both their personal and professional accounts.

These three facts tell us why it is important to use "strong" passwords. But what are strong passwords? And what tools are there to make them easy to remember? Read more in this blog post.

The dangers of weak passwords

The risks of weak passwords can be deadly.

• Data theft: If an attacker cracks your password, they can gain access to your account and steal personal information, manipulate data, or misuse the account.
• Identity theft: Attackers can use stolen or cracked passwords to access personal information and commit identity theft. The attackers impersonate you and access your accounts or data.
• Data leakage: If you use one password for multiple user accounts and one of those accounts is hacked, attackers can gain access to all the other accounts with the same password! This can lead to major data leaks, putting personal information or sensitive data in the wrong hands.
• Loss of confidentiality and privacy: Insecure passwords can compromise private information or communications in email accounts, social media, or other online services, resulting in loss of confidentiality and privacy.
• Financial loss: If a bank account or online payment service is hacked, attackers can steal money or make unauthorized transfers. The financial loss can be substantial.

Strong passwords and PINs are therefore central to authentication, the mechanism that protects information from unauthorized access. If passwords are not structured according to certain rules, they can easily be found out using special tools. If passwords are not stored securely or even passed on, they lose their protective effect.

What does a strong password look like?

There are a number of things you can look for in a strong password. Whenever you create a new password, be sure to follow these rules.

A strong password ...

• Is not personally related to you (e.g., date of birth, name, license plate number) or your login name.
• is at least 12 characters long and preferably contains numbers, uppercase and lowercase letters, and special characters. The longer the better.
• is non-trivial, i.e. contains no more than two identical characters or simple numeric sequences (e.g. AAA, 888, abcd, QWERT, 9876, etc.)
• is not found in a dictionary, unless it is a string of at least 4 different words. Also use made-up words to further increaseprotection.
• is not identical to another password, especially one used for personal or Internet purposes. In general, you should choose a different password for each application.
• is not generated by the system. Default passwords must be replaced with individual, secure passwords before using the system for the first time.

A secure PIN...

• is at least 6 digits, if technically possible. Caution with bank and credit card PINs. Depending on the country and device, you may only be able to enter 4 characters for the PIN. If you have a 6-digit PIN, you will not be able to withdraw or deposit money.

Be careful when using ...

• Unlock pattern: This so-called "wipe code" is only supposed to be secure. When exposed to light, the entered pattern becomes visible due to possible finger grease. Therefore, do not use unlock patterns.
• Biometric methods: Again, there are vulnerabilities, as attackers are constantly looking for ways to overcome biometric defenses. Biometric data, such as fingerprints or facial characteristics, can be stolen. Once compromised, biometric data is difficult to change or revoke. A strong password is a big advantage here because users can easily change their passwords if they are stolen. This is not so easy with stolen biometrics. In addition, biometric data is subject to privacy laws. There is a risk that biometric data could be unlawfully collected, stored or used, which could result in a violation of privacy.

Despite these risks, biometrics can help improve security when used in conjunction with other security measures, such as strong passwords and Multi-Factor-Authentication (MFA).

How to remember complex passwords

Always forgetting your passwords? No problem. These simple tricks can help you remember even the toughest passwords. You usually need at least two strong passwords. You need them for your password manager and for logging on to your Windows system. However, it is difficult for all of us to remember complicated passwords. So we have put together two tips to help you create passwords that are easy to remember:

Acronyms

Create a password from a phrase using the first letter of each word:

Example: "From my living room at home I can see 2 high mountains!"
Password: FmLr@hIc$2hm!

Multiple words

Combine at least four random words and replace individual letters of a word with similar-looking numbers or characters. Warning: One or two words are not secure enough because hackers know this trick. In addition to real words, also choose 1-2made-up words to further increase security.

Example: False shark battery blue
Password: FalseSharkBatteryBlue or Fa!s3$harkB2t_eryBlue

Password management made easy

The best way to manage your passwords is to use a digital password manager. In the best case scenario, you will always create a new password with the help of your password manager.

A password manager will help you

• Create strong passwords and
• avoid forgetting passwords by storing them securely.
  Use this important tool! It will make your life easier and increase your security significantly.

Important: Your password manager must be protected with a strong password that you can remember!

‍

Multi-factor authentication: An extra layer of security for your passwords.

Some sites support multi-factor authentication (MFA). Multi-factor authentication involves a multi-level verification of the user. Enable it whenever possible to increase your security. It requires you to provide your mobile phone number or an email address to your service provider. Specifically, you will receive a confirmation code after the password request. This is usually a numeric code that you receive by email, SMS, or application.
The service provider then sends you a numeric code each time you want to log in, which you must enter in addition to your password. This prevents others from logging in, even if they know your password.

But be careful; MFA does not protect you 100% these days! There are a few potential dangers or challenges:

• Prompt bombing: For example, one potential risk is "prompt bombing". This is a method of phishing. First, the attacker obtains the victim's credentials. The attacker then uses these credentials to repeatedly log into a site that supports MFA. If the victim uses MFA, he or she will receive login prompts in this manner over and over again. Eventually, the victim becomes so stressed that he or she inadvertently confirms the additional factor, giving the attacker access to all the information.
• Reliance on the additional factor: As described above, MFA uses an additional factor, such as a smartphone. If it is lost, stolen, or damaged, you will no longer be able to access your account. It may also be unavailable due to software bugs, battery problems, or network outages.
• Social engineering attacks: Attackers may use phishing or social engineering to trick users into revealing their second factor. Users should be cautious and never give their second factor to unknown people or websites.
• Complexity and ease of use: Using MFA can be cumbersome and require additional effort, especially when using multiple accounts with different MFA methods. This can impact the user experience and cause users to minimize their efforts and fall into unsafe habits such as using weak passwords or reusing MFA codes.

Despite these potential dangers, using MFA is usually a good security practice to improve your security and minimize the risk of unauthorized access.

Passkey as a new authentication method

Passkey is a new authentication method that aims to replace passwords with a more secure and user-friendly solution. It is a type of digital key that is stored on the user's device and allows the use of biometrics or a security code to confirm identity.

Passkeys use what is known as public key cryptography. When logging into a website or app, the user's device generates a key pair consisting of a private key and a public key. The private key remains securely stored on the device, while the public key is transmitted to the server. To authenticate, the user must unlock his or her device (e.g., by fingerprint, facial recognition, or PIN code), whereupon the device generates a digital signature with the private key that is verified by the server.

By eliminating the need for traditional passwords, passkeys are designed to reduce the risk of phishing attacks and data leakage while making logon easier and faster.

The safe use of passwords

Now you know how to create strong passwords. But that's not all! What good is a strong password if it is not used securely? Here are three important rules to follow:

1. Don't write down a password - unless you keep it safe: in your password manager or in writing in a sealed envelope in a locked place (such as a safe or locked office furniture).
2. Never share your password or username with anyone. This information is also never required byinternal departments (e.g., IT Service Desk), your bank, or telecommunicationsproviders. Be careful who you give access to your accounts, and use features such as "account shortcuts" or "delegated access" with caution.
3. Choose a separate password for each application, otherwise all information will be immediately exposed if your password is found.

Passwords and Phishing - What do they have in common?

Passwords and phishing have a lot in common. Phishing attacks are often designed to trick unsuspecting users into revealing their passwords. In this fraudulent method, attackers try to obtain sensitive information such as usernames, passwords, and personal data by posing as a trusted organization or individual.

Here are some important things to keep in mind to help prevent phishing attacks and keep your passwords safe:

1. Beware of suspicious emails: Phishing emails usually contain fake links, fake logos, or deception. The attackers want you to click on a link and enter your passwords. Be wary of emails that ask you to enter passwords or personal information, especially if they seem unexpected or suspicious. Always carefully check the sender's address, the content of the email, and the links it contains before clicking on them or revealing any personal information.
2. Use secure Web sites: Only enter your passwords on secure Web sites that begin with "https://" and have a closed padlock in the address bar. Always check the URL of the web page carefully. That way, you can be sure it is correct and legitimate. Never enter passwords on suspicious websites and do not click on links in suspicious emails that redirect you to unknown websites.
3. Train and educate your employees: Educate yourself and your employees about phishing attacks. Teach your employees how to recognize suspicious emails, links, or Web sites. Awareness and vigilance are key to preventing phishing attacks. It's important to know that a one-time training session is not enough. Your employees need to be educated on a regular basis.
4. Report suspicious activity: If you suspect you have been the victim of a phishing attack, report it immediately to the company or organization involved. The quicker you respond, the quicker action can be taken to minimize the potential damage.

Conclusion: Strong passwords are essential these days. There are some tools and tricks that can help you create and remember strong passwords. However, there are some rules to follow when it comes to passwords. Also use modern tools like password managers, MFA or Passkey. Even if they are not 100% secure, you will be safer with them than without them.

‍

‍

Sources:

• NordPass: Top 200 most common passwords

• Pass Securium: Latest facts and statistics about password management

‍