May 6 is World Password Day, an annual reminder to promote better password habits and digital security. With more of our lives online than ever before, what should people know about passwords to better protect their identity and private information?
Michael Fudge
Michael Fudge is a professor of practice in the School of Information Studies (iSchool). His areas of study center around digital transformation and the impact of information technology on society.
In this Q&A, Professor Fudge provides tips for password creation and advice on how to keep them safe and discusses extra safety steps you can set up on your devices today to better protect your digital identity.
Q: What are some of the most common mistakes people make when setting passwords?
Fudge: There are two common mistakes users make when deciding on which password to use.
First: using the same password for more than one account. When you re-use the same password on multiple websites, if one of those websites gets compromised and an attacker gets a hold of that password, they can use that password to gain access to the other sites. This is usually automated through an approach called credential stuffing. You should always use a different password for each account.
Second: using too simple of a password. When a website has password complexity requirements (must be at least 10 characters, one uppercase character, one digit, etc..) we sometimes resort to approaches that do not necessarily ensure good password complexity. For example, you might think using your middle name as a password (mine is Alexander) and then to meet the complexity requirements add the current year with a question mark (Alexander2020?). Automated attacks can take this into account nowadays so while at one time this was a good choice it no longer is. The more characters in the password the harder it is to guess, but to meet the length requirement we tend to do some really foolish things like:
These password choices offer little additional complexity. They are predictable and provide insight into my algorithm, or process for creating a password.
The best choice for a password is a truly random sequence of characters that satisfy the complexity requirements. So how do you remember hundreds of randomly generated passwords? You don’t—use a password manager to do it for you.
The password manager is a personal database of your passwords. It will generate random passwords for you and store them securely. Some password managers will recall the password for you when to return to the site.
Q: So that leads well into this question…My iPhone offers me the option to create a complicated password and save it so I don’t have to remember it. Sounds like that is a good idea?
A: This is Apple’s keychain password manager. The Google phones have one as well. These options are better than you coming up with your own passwords. The risk is you are trusting Google or Apple to securely store your passwords, but it’s better than Post-It notes under your keyboard! There are third-party password manger services: Lastpass, 1Password, Dashlane, and RoboForm. They do the same thing but are not tied to just your phone or Apple/Google devices. The important thing to remember is that when you use these services, we are trusting these organizations to store the key that decrypts our passwords. If you wrote all your passwords in a notebook and locked that notebook in a safe, it would be like giving Google, Apple, Lastpass, etc. the keys to that safe. This is necessary for a password manager to function.
Q: How often should you be changing passwords? Are some accounts more important than others to update regularly?
A: With my passwords randomly generated, I do not change my passwords unless the service requires it.
What is really important is to enable two-factor authentication. This adds an extra layer of security, requiring you to not only know your password but also have a device that can verify your identity, most of the time this device is your smartphone. Two-factor might send SMS TXT to your phone each time you log in or use a special Authenticator app. For example, each time I log into my bank, I must reach for my phone and allow it to read my fingerprint. That way if my bank password does get stolen an attacker would also need my phone (and fingerprint) to log in to my account.
Two-factor authentication also gives you peace of mind as I get a notification each time someone tries to use my password to log in. If that person isn’t me, I need to change my password.
If the service supports two-factor, I turn it on. If you use a password manager to store your passwords, enable two-factor to protect your passwords!
Q: What are your thoughts on other types of security measures connected to biometric technology, such as facial recognition and fingerprint security?
A: These technologies work well as part of a two-factor strategy. For example, facial recognition paired with a pin on your phone is a good idea.
Q: With many of us living in the digital world now more than ever, what do we neglect or not know about when it comes to passwords and our digital security?
A: The ways attackers can attempt to obtain our passwords are numerous and varied. Some things we can control, like only installing software from trusted sources, and never clicking on links in an email. For the times the company gets hacked and the password exposure is not your fault, I suggest checking the email used when you signed up for the service on haveibeenpwned.com. When you enter your email, it will check to see if that email account was used with a service where your data was leaked. For the companies appearing on that list, change your password on that company’s website and set up two-factor if allowed.
