Oh Password, Where Art Thou?


I have longed for a ‘passwordless society’ for some time now, and Microsoft has taken steps this year toward that possibility. The company announced in mid-September that it will introduce a “passwordless account” option for all users of several popular services, such as Microsoft Outlook and Microsoft OneDrive, in the coming weeks. Microsoft made this option available to corporate accounts earlier in the year.

You may be asking yourself – why is this relevant? You’ve been listening to the age-old teaching of eight-character passwords, and you are about to update all your accounts to "Fall2021!" so you’ll be golden. You’ll also be very diligent about updating everything that prompts you to. For anything that doesn’t allow that pattern, you’ll work your child, pet, or hobby into the password somehow to get the job done.

Below are some password statistics from August 2020 that may alarm you:

• 59% use their name or birthdate in their password
• 43% have shared their password with someone
• Only 45% would change a password after a breach
• A 12-character password takes 62 trillion times longer to crack than a six-character password
• 42% of organizations rely on sticky notes for password management
• IT professionals reuse passwords more than average users
• Almost two-thirds of people use the same password across multiple accounts
• Employees use the same password an average of 13 times
• MFA (Multi-Factor Authentication) blocks 99.9% of all attacks
• 24% of people use a password manager
• 80% of hacking-related breaches are linked to passwords

Clearly, passwords present a problem - and a vulnerability. Microsoft understands it and is taking steps toward addressing it. What should we, as users, do? Below are things we recommend implementing without delay:

• Implement a password manager to keep up with your passwords
• Implement 2FA (2-Factor Authentication) on every single account that allows it
• Use a password manager to create your passwords – never do it on your own
• Set the default length for all passwords to at least 12 characters, but preferably more
• Never share your password with anyone else
• Never reuse the same password across multiple accounts

You may be asking yourself – what happens if the password manager gets breached? That’s a great question, and a valid one, because anything is possible. In fact, that very thing happened in 2015 to LastPass – one of the leaders in the industry. In that breach, hackers gained access to several pieces of information, including encrypted versions of the passwords. If anyone was using a weak master password (such as Password123), then their data would be compromised in no time. That master password is critical to securing yourself when utilizing a password manager.

The CIA Triad is a common industry model in security and consists of the following: Confidentiality, Integrity and Availability. The intent with security is to strike a balance – we need ease of use while still knowing that our data is private and secure. The more layers of security in place, the more secure something tends to be. Much like your home – if you leave the door unlocked, you have no security at all. If you twist the lock on the knob, it’s an added layer. Add a deadbolt and you have one more. Lock the chain and you’re even more protected. Add security cameras, motion sensors, an alarm and automation and you turn it into a fortress. It makes it more of a process to get into your home, but it also enhances your security ten-fold.

Why should your data security be any less important?