Compromised passwords are responsible for 81% of all data breaches. Compromised passwords impact both individuals and organizations, resulting in data loss or reputation and financial loss.
Crowe MacKay's Technology Consulting experts share how the future of passwords is changing and what actions you need to take to keep your personal and business accounts secure. If you require assistance, connect with us in Alberta, British Columbia, Northwest Territories, or the Yukon.
The Current Password Landscape
Strong password policies are standard in the enterprise world. Most organizations enforce strong password policies and educate employees on password best practices. As an extra measure, password management solutions are deployed to help employees cope with the hassle of creating multiple passwords. They come with their own set of vulnerabilities and issues, which are discussed in more detail below.
Most strong passwords, even with the added complexity of uppercase and lowercase letters, numbers, and symbols, are not difficult to crack. A lucky guess with some light doxing could make you vulnerable. It's really not your fault; passwords are meant to be remembered, and that's what makes them predictable.
There is too much individual responsibility and blame on you. You are not supposed to use easy-to-guess passwords like "P@$$w0rd!" or reuse your passwords on multiple sites. It is impossible for an individual to create and remember hundreds of complex passwords. Requiring that you create a unique, complicated password on tens or hundreds of digital accounts is error-prone and hugely annoying. Most advice you hear about passwords from security experts is unrealistic, scolding and, in many cases, outdated.
In the long term, passwords will be replaced by one-time passcodes, fingerprints, and face recognition as proof that you are who you claim to be. More and more websites are adopting these techniques to replace passwords.
However, for now we recommend you use one of the techniques below to add an extra layer of security to your accounts.
Make Your Accounts More Secure
Create Longer Password Phrases
Passwords with 16 characters or more are the most difficult to crack. Use phrases like "HumptyDumptyS@tOnaWall" with a number and a symbol replacing a couple of letters. Or, put together four unrelated words into nonsense like "Sp00nKey$MonitorPhone." Not all websites let you set passphrases as your passwords because of restrictions of obsolete systems and/or security guidelines. However, if you're making your accounts more secure, start by creating strong passwords or passphrases for your most important accounts such as email, financial accounts, and password managers.
Use Two-Step Authentication on Your Important Accounts
Two-factor authentication requires a password plus a second step, such as a texted code, to log into your account. This increases the security of your account than logging in with just a password.
If you can manage it, add two-step authentication to all your important accounts like email, bank, and social media accounts. This is a common online security feature that many don't implement because it takes work and requires having a second device with you at all times. Two-factor authentication isn't always an option for all online accounts. You can see if your online provider offers two-factor authentication here.
Using a dedicated app for one-time codes like Authy, Google Authenticator, or Microsoft Authenticator adds additional security compared to receiving codes by text.
Use a Password Manager
A password manager generates strong passwords on each of your accounts, stores them in a digital lockbox, and fills them in automatically when you are logging into a website or an app. You need to create a single password to your password vault and the service saves the rest.
Password managers are not easy to set up. Before you buy one, you have to make sure that they are compatible with all your devices and the browsers you use. It will also require setup on each device.
Remember: Password managers are not foolproof! A data breach at "LastPass," a password manager, allowed hackers to back up vaults containing encrypted user data such as passwords, email addresses, billing information, and IP addresses.
Some apps allow you to log in just with your fingerprint or face scan; however, this mostly works on mobile devices (phones, tablets, MacBooks, and some Windows laptops).
Microsoft now allows you to log in to your account without a password using their authenticator app on your phone. This requires you to unlock the Authenticator app with your fingerprint or face scan.
This password-less system known as "passkeys" uses proven cryptography practices and is more secure than the password systems in use today. Hackers also cannot steal passwords or trick you into giving them away if there are no passwords at all.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.