Typing in a password to access one of the tens or hundreds of services that we use has become such an everyday part of our lives that we rarely give it a second thought. Quite often we try to keep our passwords simple and easy to remember so we can move quickly past logging in and get on with what matters. That is just one of the many mistakes we make when it comes to something that we rely on to secure a part of our digital identity.
Since today is World Password Day, there is no better occasion than now to look at the five most common mistakes that you may be making when it comes to passwords.
One of the most common and prevalent mistakes is password recycling. The problem often starts with the creation of the password itself. More often than not, people create passwords that are easy to remember, which usually means that they are short and simple, although now most services have requirements for a minimum length and the types of characters that must be included.
Once we have memorized the password and then sign up for another service, and another, and another, we don’t want to have to remember another one, and another one, and another one, so we reuse the password we have already committed to memory. According to a Google survey, 52% of respondents reuse the same password for multiple accounts, while a surprising 13% use the same password for all their accounts. Substituting letters for numbers or lower case for upper case and vice versa is also considered password recycling, although some might consider it to be a slight improvement.
The gravest problem with password recycling is that it opens you up to credential stuffing. That is an account takeover attack that leverages bots to hammer sites with login attempts using stolen access credentials from data breaches at other sites until they stumble upon the right combination of new site and “old” credentials. As you can see, diversifying your passwords is in your best interest.
Creating simple passwords
As we have already mentioned, a lot of the problems begin when the passwords are created. Simple ones tend to lead the pack. You may have seen the movie Wrongfully Accused, where Leslie Nielsen attempts to hack a computer by guessing the login credentials, which simply turn out to be Login and Password.
If you think that in real-life people are more careful about their choice of passwords, sadly you would be wrong. An annually compiled list goes to show that when it comes to passwords, people make questionable choices, with 12345 and password ranking in the top five most popular passwords.
Aside from simple patterns and obvious words, a frequent mistake you may be making when creating passwords is incorporating details into the password from our personal lives that can be easily guessed or found. Six of ten US adults have incorporated a name (theirs, their spouse’s, children’s or pet’s name) or a birthday into their passwords.
Ideally, switching to a strong passphrase is preferable to using a password. Two-factor authentication (2FA) should also be activated when possible, since it adds an extra layer of security against various types of attacks aimed at revealing your login credentials.
Storing passwords in plain text
Another oft-occurring mistake is writing down our passwords. This takes two forms: jotting them down on paper or sticky notes, or saving them in spreadsheets or text documents on our computers or smartphones. In the case of the former: unless the bad actor wants to add breaking and entering onto their record, there is no way to access it.
RELATED READING: How to spot if your password was stolen in a security breach
That’s not saying that you should write them down or have them just lying about; if you actually do (but don’t!), they should be more of hints that help you remember, and should be stored in a place safe from prying eyes. In the case of storing them on your devices, you have a series of challenges you are contending with. If hackers hack your device and rummage through it, they will have access, with little to no effort, to a whole trove of sensitive data, including your passwords that you stored in plain text.
Alternatively, if your device gets compromised by malware that copies your data and sends them to a remote server, a bad actor can access all of your accounts before you have a chance to notice. Or, in some cases, they can just go through your device with a fine-toothed comb to see if they can find any exploitable data on it, including the file with the passwords. It suffices to say that storing passwords in plain text on any connected device is a bad idea.
"Sharing is caring" does apply to a lot of areas in life, but passwords are an exception. Yet some would beg to differ, like the 43% of US respondents who admitted to sharing their passwords in the past with someone else. Those included passwords to streaming services, email accounts, social media accounts, and even online shopping accounts. Over half of them said they shared their password with their significant others. While sharing a password to a streaming service account is a widespread phenomenon, it is less dangerous than the rest of the mentioned choices.
Once you share your password with someone else, the security of your account plummets dangerously, since you’ve lost your tight grip on it. You cannot be sure how it will be handled and if the person you trusted with it won’t share it with someone else. A lot rides on how you shared the password: did you type it in for them into your account and save it? Or did you perhaps send it to them by email or through an instant messaging app in plain text form? In the case of the latter, you are at the mercy of their discretion and you have to hope that their devices are secure, since we have discussed the implications of saving a password in plain text form in the previous section.
Another important thing to remember is that if you shared your password to any communication platforms you use, the people you shared them with can wreak havoc on your relationships, be it business or personal, since they can now log in under your identity. If you shared your credentials to any of your online shopping platforms and your payment methods are saved, then the party you shared with can easily rack up a bill on your credit card, which you may live to regret. Even if the person you’re sharing your credentials with is your spouse, keeping all of your eggs in one basket is ill-advised.
Changing passwords periodically (without giving it much thought)
Some organizations force their users to change their passwords every two or three months “for security reasons”. But contrary to popular belief, changing your password regularly – without evidence of a password breach – doesn’t automatically make your account more secure or harder to hack.
Carnegie Mellon computer science Professor Lorrie Cranor says that research shows that when people are forced to change their passwords frequently, they do not put a lot of thought into it. In addition, researchers at the University of North Carolina (UNC) found that users would lean towards creating passwords that followed predictable patterns that they call “transformations”. Professor Cranor lists some examples: “such as incrementing a number, changing a letter to similar-looking symbol (for example changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example moving the numbers to the beginning instead of the end).” She went on to add that she heard of examples where users would include the month and on some occasions the year of the password change as an easy fix to remember these frequent changes.
This makes it quite easy for the hackers to do their job since, as the UNC researchers have shown, once hackers know one password, they can guess the next one with little effort. It is also worth noting that once cybercriminals gain access to your device, they can install a keylogger that will allow them to keep track of your passwords whenever you change them. Of course, if you have a top-tier security endpoint solution installed on your device, there’s a far greater chance that the keylogger will be detected and defanged.
Creating a password that works for you may seem like a daunting task, but there are multiple ways to go about making it easier for yourself. As we’ve mentioned before, creating a passphrase is preferable to a simple password, and adding an extra layer of security by activating 2FA where available should be second nature. If you find remembering all of the unique passwords you’ve come up with tedious, then a password manager could be the answer to your needs: that way you’ll have to remember just one password, but make sure it is one that follows the good advice we’ve given you above.