The Wonderful World of Passwords
How is your Strong Password Game? In a world where cyber threats and data breaches are as common as a bad cold, password security is your digital...
Psst: CISOs and experts, this is one of our beginner-oriented articles! If you're looking for more advanced material, we recommend a dive into the blog archives!
For as long as anyone can remember, we’ve been told to have more secure passwords. Creating a strong password might seem like a tedious task that sucks up valuable time in our busy lives, but having a complex and secure password is one of the most important ways to protect yourself against potential malicious cyber activities.
Still, most users have fairly weak passwords.
Michael McIntyre: “You should probably change your password."
The 2023 Verizon Data Breach Investigations Report reconfirms the importance: 44.7% of breaches rely on stolen user credentials, the top access method again this year, confirming a long-time trend. CISOs lament users’ poor password hygiene, yet they largely understand that users lengthen their passwords and increase their complexity only when stricter requirements force them to.
However, the frequency with which users reuse passwords (hint: Facebook and your Bank should NOT have the same password) makes those credentials a perennially interesting target for hackers. Moreover, advances in AI and machine learning enable them to expedite brute force attacks, which are made possible by users having rudimentary password constructs.
Creating a good password is hard. Remembering it is even more difficult. Having different passwords for every application and website—in a world where the average person has more than 100—is a nearly impossible task. This results in frustrating and frequent password resets. While that process is mostly secure, the help desk costs for fielding those tasks as well as the increased attack surface area created by having so many password resets mean that better solutions are required.
Here are several ways that cybersecurity leaders are trying to help the people and organizations they protect, and what individuals can do to help.
The best password is one you don’t even know! This can be accomplished in at least a couple of ways:
As with all scams, practicing proper cyber security awareness is key. Your company should ensure employees are educated on how to spot malicious activity (feel free to send this blog to your whole company). Companies can implement training and simulations or drills to get employees used to looking out for common scam techniques, prompting them to double-check whom they are dealing with and use multi-factor authentication when transferring sensitive information. Additionally, ensuring employees have strong passwords and backup authentication methods like 2FA or MFA in place will help protect against unwanted visitors trying to exploit people.
Using two or more methods (e.g. Two-Factor Authentication or 2FA) is a great way to increase security. Again, for those who may be targeted for advanced attacks, this method is still susceptible to bypass by hackers. Attackers use a range of methods, including well-crafted phishing emails, so MFA is not “unhackable.”
Still more options exist for rethinking UserID and Password (taken together as “credential”) combinations. Startups like Nametag are looking at interesting ways to authorize users by using combinations of biometrics and trusted devices. Expect to see more new technologies arriving shortly.
Here, it is changing the mindset of users throughout the organization that will make lasting changes. The Cybermaniacs team has spent a great deal of time and creative energy to understand the psychology of the average user, and what can be done to make a lasting change in organizational culture to improve how users think about cybersecurity in every situation they face.
As with all scams, practicing proper cyber security awareness is key. Your company should ensure employees are educated on how to spot malicious activity (feel free to send this blog to your whole company). Training, simulations, and drills should get users used to looking out for the common scam techniques, prompting them to double-check whom they are dealing with and think about higher levels of security when transferring sensitive information in particular.
Knowledge is power; now you're equipped to approach your passwords better than your average bear. Whatever method or concept you employ, keep in mind that getting into users’ heads is what makes the big difference. (Call us for more on why we’re particularly good at that part!)
If you're curious about talking to someone about cybersecurity training that works: We can help.