The technology industry celebrates an event on the first Thursday of May to raise awareness of the need to improve password practices. Despite repeated warnings, World Password Day 2023 is still much needed: analysis of the millions of passwords exposed by data breaches at companies large and small paints a disastrous picture.
Certainly, passwords are painful in terms of usability and insecure if we do not follow precise rules. But until the technology industry massively deploys friendlier and more secure systems, such as passkeys, passwords remain the preferred form of authentication for Internet services, operating systems, applications, games, networks and every type of machine.
Although additional features such as 2FA have strengthened password security by requiring two-step verification, the truth is that passwords are not a reliable method today amid an ever-increasing number of attacks. Even less so if users and companies continue to break the basic rules for their creation, use and maintenance.
World Password Day 2023
Security specialists estimate that more than 50 million password attacks are launched every day, about 580 per second. And they are highly effective: 60% of data breaches are attributed to compromised credentials.
And we make it very easy for cybercriminals. The list of the worst passwords should make us reflect, because the same entries are repeated year after year and old favourites such as “123456”, “111111” or “password” dominate the usage lists. These are the ones that must be avoided at all costs, since an attacker can obtain them in less than a second simply with a command that tests the most used ones, or through brute-force attacks on dictionary words, numerical combinations and other patterns that yield the credentials.
The fact is that users are “lazy” by nature, or careless, despite how much we have at stake by exposing our digital life, which covers both professional and personal matters. And financial ones, the most sought after for obvious reasons. To raise awareness of the seriousness of the matter, the industry is relaunching this International Day as a reminder of what should and should not be done in password management.
How to create strong passwords
The recommendation is the usual one. We must make an effort to create and maintain passwords following basic rules that appear in any cybersecurity manual and state what to do and what not to do when creating and using them. We recall them again:
- Do not use typical words or common numbers.
- Do not use personal names, pet names or dates of birth.
- Combine upper and lower case.
- Combine numbers with letters.
- Add special characters.
- Make the password as long as possible.
- Do not use the same password on all sites.
- Especially, use specific passwords and the strongest possible for banking and online shopping sites where we expose our financial information.
- Keep the password safe from any third party.
- Never reveal the password to anyone. Not even in supposedly official requests arriving by email or through messaging services, since these are usually phishing attacks impersonating a legitimate sender.
- Vary the username and email.
- Strengthen the use of passwords whenever functions such as double authentication (2FA) or biometric systems, fingerprint sensors or facial recognition are available.
- Clean up online accounts that we no longer use, as a regular maintenance task.
- Check whether your passwords have been leaked. Have I Been Pwned is a good place to look.
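As an added example (not code from the original article), the checker below turns the rules in the list above into code: it flags short passwords, entries from the worst-passwords list, personal names or dates embedded in the password, and missing character classes. It also implements the range-query logic that Have I Been Pwned's Pwned Passwords service uses, where only the first five hex characters of the SHA-1 hash leave the client and the returned "SUFFIX:COUNT" lines are matched locally. The denylist, the personal data and the range response body are constructed sample data so the example runs offline; the breach counts in the sample are made up, and the endpoint URL in the comment is the real one but is not contacted here.

```python
import hashlib
import string

# Constructed denylist with a few entries from the "worst passwords" lists the
# article cites. A real deployment would load a much larger breach-derived list.
COMMON_PASSWORDS = {"123456", "111111", "password", "qwerty", "12345678", "abc123"}


def check_password(pw, personal_info=(), min_length=12):
    """Return a list of rule violations; an empty list means the password passes.

    personal_info is an iterable of strings (names, pet names, birth dates)
    that must not appear inside the password, compared case-insensitively.
    """
    problems = []
    lowered = pw.lower()
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    for info in personal_info:
        if info and info.lower() in lowered:
            problems.append(f"contains personal information ({info!r})")
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        problems.append("does not mix upper and lower case")
    if not any(c.isdigit() for c in pw):
        problems.append("contains no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("contains no special characters")
    return problems


def hibp_prefix_and_suffix(pw):
    """Split the upper-case hex SHA-1 of the password into the 5-character
    prefix sent to the service and the 35-character suffix kept locally."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(pw, range_body):
    """Number of times the password appears in the breach corpus, given the
    response body already fetched for its prefix. 0 means not found.

    Live use would fetch https://api.pwnedpasswords.com/range/<prefix>;
    the full password and its full hash never leave the client.
    """
    _, suffix = hibp_prefix_and_suffix(pw)
    return parse_range_response(range_body).get(suffix, 0)


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The first suffix is the real one for "password"; the counts are made up.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


if __name__ == "__main__":
    for candidate in ("password", "Rex2001!Summer", "Tr0ub4dor&3-Xk9"):
        issues = check_password(candidate, personal_info=["Rex", "2001"])
        seen = breach_count(candidate, SAMPLE_RANGE_BODY)
        print(f"{candidate!r}: {issues or 'OK'}; breach count {seen}")
```

The rule checker and the breach lookup answer different questions: a password can satisfy every composition rule and still appear millions of times in leaked data, which is why the list recommends both good construction and a check against Have I Been Pwned.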
It is almost impossible for a human Internet user to safely manage the credentials for the hundreds of accounts we are surely subscribed to. There is a group of applications, password managers, that help a great deal. Basically, this type of software reduces human error in password management, since it automates the process of generating credentials and signing in to websites and services.
Of course, the passwords created by these managers are highly secure, meeting the standard requirements for length and complexity. They also help against phishing attacks by immediately flagging characters from other alphabets, and they add a huge benefit: we only need to remember one master password and the manager does the rest.
Applications like the well-known LastPass and other commercial and/or paid ones surely sound familiar to you, but in our practical section we once proposed these five completely free open source solutions that our readers liked a lot. The great advantage of open source managers is the possibility of auditing the software and keeping the credentials under your control by installing and self-hosting them on your own machine. We recall the most interesting:
KeePass. The ‘granddaddy’ among open source password managers, it has been around since the days of Windows XP. KeePass stores passwords in an encrypted database that you unlock with a password or a key file, and it can import and export passwords in a wide variety of formats.
Bitwarden. Aimed especially at LastPass users looking for a more transparent alternative, it works as a web service you can reach from any desktop browser, with dedicated apps for Android and iOS. Bitwarden can share passwords and offers secure access with multi-factor authentication and audit logs.
Passbolt. A self-hosted password manager designed specifically for teams. It integrates with online collaboration tools such as browsers, email or chat clients. You can self-host it on your own servers to keep complete control of the data, although teams without the experience or infrastructure can use a cloud version hosted on the company's servers.
Psono. Another option for teams looking for open source enterprise password management. It is a self-hosted solution with an attractive web client, written in Python, with source code available under the Apache 2.0 license.
Teampass. A team-oriented manager with an offline mode we like: it exports your items to an encrypted file that can be used in locations without an Internet connection. Teampass is not the prettiest app in the world, but the design is practical and you can quickly define roles, user privileges and folder access.
And if you want this type of software on your phone, there are also specialised options such as these six password managers for Android that we recently covered.
Managers in browsers
If you don't want to use a third-party password manager, another option is the browser's own. Chrome, the leader in the segment, has improved its manager considerably in recent versions, adding functions offered by the dedicated tools above, such as detection of compromised passwords, a warning when you create a weak one, and simple editing of passwords within the manager itself.
The manager stores them securely, lets you manage them at chrome://settings/passwords, and uses them to fill in the username and password fields the next time you visit a website. This is very similar to what Mozilla has been doing for Firefox with its ‘Password Manager’, one of the best built into a web browser. Microsoft's Chromium-based Edge also ships its own manager, which offers the bare essentials of a dedicated one.
A new reminder this World Password Day 2023 of the need to invest a few minutes of our time in a crucial element of Internet security and of the digital home. And there are no excuses: we have the information and the means. Let's not make it so easy for those after what isn't theirs.
If you liked this special, we recommend our Man in the Middle podcast. In this episode we spoke with Javier Candau, head of the Cybersecurity Department of the National Cryptological Center and Artillery Colonel, about the future of passwords and whether the day they disappear is near or far.