World Password Day has come around again. Since its inception, it’s an awareness day designed to promote and reinforce the importance of better habits when it comes to password settings. As such, we expect to be inundated with research highlighting the percentage of consumers who still have ‘poor’ password habits, lists of the most common ones still in use, and accompanying advice from a multitude of companies reinforcing what ‘good’ looks like.
Now, as passwords are often the first port of call for our online / digital identities – it’s of course important that good habits are encouraged. However, the headlines and research we’ll see on this day won’t have changed, the stories and issues are the same – we’re stuck in Groundhog Day.
With this in mind, we’re taking this opportunity to look into the problem with passwords, and how we might want to change how we think about securing digital identities.
Too Many to Remember
Do you know how many passwords the average consumer has? A recent study from NordPass found that it’s around 100 – an increase of 25% in recent years. That’s unsurprising given the pandemic had us all signing up for new online services – be that for entertainment, personal or work purposes. There are countless other studies out there, and while the average figure may vary slightly, they all point towards the same thing – it’s an unmanageable amount.
At this juncture it’s worth asking yourself if you know how many passwords you have? If you have an iPhone there’s a quick way you can find out using the following steps (the final number might be sobering):
- Start the Settings app.
- Tap “Passwords”
- Tap “Website & App Passwords.” Authenticate with FaceID or TouchID
- Your iPhone will now display the complete list.
There’s also a way to find this out via Google Chrome:
- On your computer, open Chrome
- At the top, click More Settings
- Select Passwords, Check Passwords
Having an unmanageable number of passwords correlates with the coinciding factor that consumers are faced with information overload. Put simply, there’s a lot of rules and guidance to follow. Official best practice on what makes a good password varies depending on who you ask, general advice includes.
- Using three random, unconnected words. Official advice from the National Centre for Cyber Security (NCSC)
- At least twelve characters, including a mixture of upper- and lower-case letters, numbers and special characters I.e. “R3plac!ng l3tt€rs with numb3r$”
Not only should they meet certain specifications, but it’s also recommended that they are updated regularly – as an example some employers and IT departments will force employees to update them at least every six weeks.
There’s a lot of rules to follow, especially as we’re meant to have a different password for every account. Password managers are often touted as the best way to manage this, but whichever way you cut it, it puts almost all the responsibility on the end- user.
The consequences for weak and easy to guess passwords are clear – and you can hardly make it through the month without a high-profile data breach hitting the headlines. However, all things considered we can hardly act surprised that the text-based password continues to plague individuals and organisations alike.
In part two, we’ll be discussing why we need to look at a password-less future of digital identification.
*** This is a Security Bloggers Network syndicated blog from Enterprise Security Archives - Thales blog authored by Tim Cawsey. Read the original post at: https://dis-blog.thalesgroup.com/security/2023/05/04/world-password-day-2022/