3 easy steps to save yourself from stupid passwords

We all have them, and now's the time to make them both hacker-proof and easier to manage.

Passwords are stupid.

Yet what's stupid about passwords is not that they are inherently insecure, but they allow users--and in fact, encourage users--to do insecure things. When faced with the creation, and subsequent memorizing, of a new password, most users decide to use the same, stupid, easy-to-remember password they've used elsewhere. That's just the kind of vulnerability hackers are looking for.

Don't be that victim. You can turn all your stupid passwords into safer ones that are easier to manage, in three easy steps.

1. Acknowledge you have a password problem 

Everyone has stupid passwords. Take the findings of managed security firm Trustwave, which regularly tests the security of its clients to find vulnerabilities. During its security tests in 2014, the company collected 625,000 password hashes (the scrambled form in which passwords are stored), and its researchers tried to break them. Within two minutes, more than half--54 percent--fell to common password guessing techniques. In a month, the company had recovered 92 percent of the passwords.

The most common passwords? "Password1," followed by "Hello123" and, yes, "password."

"The inherent problem with passwords is that they give the users far too much ability to do something stupid, but good security controls should not allow users to do stupid things," says Charles Henderson, vice president of Trustwave.

No wonder tech companies and online services are looking for alternatives. The recent announcement by Yahoo! that the company will allow devices to store and send passwords--thus, eliminating the need for the user to remember them--is one example. Adding a second factor, such as the fingerprint sensor on Apple's TouchID or the facial recognition of Windows 10, is another.

Yet, these solutions have their own problems. Consumer-level biometrics are often easy to defeat, because companies trade security for convenience. Apple's TouchID fell to hackers within months, and other fingerprint sensors have had similar problems.

"Everyone in the security community agrees that passwords stink, but we are not going to get rid of passwords anytime soon," says Henderson.

2. Use a password manager to create new codes

Creating secure passwords means using long strings of characters, numbers and special characters. While passwords are stored as one-way "hashes," attackers have learned a variety of tricks to crunch through millions of possibilities very quickly, making complex passwords a necessity.

But let's be honest: You can't create them all by yourself. A variety of password managers--from LastPass to Dashlane to 1Password to KeePass--allow users to generate complex passwords, manage them across devices, and autofill login forms. There are even mobile-app password managers readily available.

3. Different account, different password

The average user holds between 30 and 60 online accounts. With so many breaches of online services, there's every reason to have a different password for each service. Otherwise, a breach at one site allows an attacker to try the same username and password on other sites.

Assigning a single password to each account, however, means the number of tricky passwords or passphrases that people have to remember has skyrocketed, according to password-management service Dashlane. "Now, we not only need several tens of passwords, but we also need to use them on various devices at different times," says Emmanuel Schalit, CEO of Dashlane. "The complexity has blown up and become too much for human beings to manage."

This is the other reason to use a password manager. Just remember to use them for good, not stupid. Avoid storing the same bad passwords in your password manager. Create the longest, most complex passwords possible, and a different one for every account.
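The two points above, generating long random passwords (step 2) and never reusing one across accounts (step 3), are easy to show in code. The block below is an added example, not code from the article or from any of the password managers it names. It assumes nothing beyond the Python standard library: `generate_password` draws from the OS random source via the `secrets` module (the `random` module is not suitable for credentials), `entropy_bits` gives the strength of a uniformly random password as length times log2 of the alphabet size, and `find_reused` audits a constructed, in-memory vault for the same password appearing on more than one account. The guess rate used in `seconds_to_exhaust` is an illustrative assumption, not a measured figure.

```python
import math
import secrets
import string
from collections import defaultdict

# Pool of letters, digits and special characters, per the article's advice
# to mix all three classes. 52 + 10 + 32 = 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a password drawn uniformly at random from ALPHABET.

    secrets.choice uses the operating system's CSPRNG; random.choice is
    predictable and must never be used to create credentials.
    """
    if length < 12:
        # Refuse short passwords outright rather than silently weaken them.
        raise ValueError("password length must be at least 12")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size).

    Only valid for generated passwords; a human-chosen string like
    "Password1" has far less entropy than its length suggests.
    """
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to try every candidate at a given rate (assumed rate, for scale only)."""
    return 2 ** bits / guesses_per_second


def find_reused(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map every password shared by two or more accounts to those accounts.

    `vault` maps account name -> password. Each entry in the result is a
    credential-stuffing exposure: one breach unlocks all listed accounts.
    """
    by_password: dict[str, list[str]] = defaultdict(list)
    for account, password in vault.items():
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw))
    print(f"generated: {pw}")
    print(f"entropy: {bits:.1f} bits, exhaustive search at 1e10/s: "
          f"{seconds_to_exhaust(bits) / (3600 * 24 * 365):.2e} years")

    # Constructed sample vault reusing one of the article's top passwords.
    sample_vault = {
        "email": "Password1",
        "bank": "Password1",
        "forum": "Hello123",
    }
    for reused_pw, accounts in find_reused(sample_vault).items():
        print(f"reused password on accounts: {', '.join(accounts)}")
```

The audit is the part worth running against a real export from a password manager: a 20-character password from this alphabet carries about 131 bits of entropy, but that strength is irrelevant if the same string also protects the e-mail account that can reset it.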

Stories by Robert Lemos