Every year, on the first Thursday of May, World Password Day is celebrated. Check Point Software Technologies Ltd., a leading cyber security provider, takes the occasion to send a reminder about the importance of paying close attention to passwords, as they are one of the main barriers a user can put up against cybercriminals.
Passwords are used by billions of users around the world, but despite their immense importance, there are still a large number of bad practices when it comes to managing and creating them. In 2019, the National Cyber Security Center in the UK revealed that 23 million people worldwide continue to use unsafe passwords such as the number sequence “123456”, proving that many users are still unaware of the potential risks.
But that's not the only problem. Continuous technological advancements not only benefit users, they also provide new tools to cybercriminals who use them to launch their attacks. What were once considered secure passwords are now becoming obsolete, creating new vulnerabilities.
The advent of new graphics cards with dedicated video memory (VRAM) has opened the door for hardware devices to process data at high speed, in the same way they are used in cryptocurrency mining. However, they can also be used in brute-force cyberattacks to obtain passwords: the newest models can perform more than a million checks in a single second, far faster than central processing units (CPUs) previously achieved. This means that a password of fewer than 12 characters that uses only letters and numbers can be cracked in just a few days.
According to Hive Systems' latest report, the approximate time it would take cybercriminals to "crack" our passwords ranges from near-instantaneous, with minimal effort, for the most insecure passwords, to 438 trillion years for the strongest keys. In just one year, these same estimated times have dropped by as much as 90%, driven by new factors such as cloud services and artificial intelligence, and the drop could be even larger in the coming years.
The goal and reasons are clear, but what does a password need to be secure and strong? Check Point Software presents the defining key points for achieving it:
The longer and more varied the better: a password should consist of at least 14-16 characters, mixing upper and lower case letters, symbols and numbers. It has also been noted that simply extending the password to 18 characters produces a key that is, for practical purposes, unbreakable. This is based on the number of attempts a brute-force attack requires, which is determined by the number of possible characters and the length of the password.
Easy to remember, hard to guess: it should be a combination that only the user knows, so it is recommended not to use personal information such as anniversary or birthday dates or family members' names, as these are likely to be easier to guess. A simple way to create passwords that anyone can remember is to use full sentences, whether common or nonsensical phrases, such as 'meryhadalittlelamb', or its even more secure equivalent with substituted characters, '#M3ryHad@L1ttleL4m8'.
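To make the two points above concrete, the following added example (not Check Point's code) estimates the brute-force search space for the article's two sample passwords and compares them. It assumes the standard model in which the search space is the character-set size raised to the password length, the four character classes listed in the article, and the article's figure of one million checks per second as the guess rate; real GPU rates against fast hash functions are far higher, so the rate is left as a parameter.

```python
import math
import string

# Assumed guess rate: the article's "more than a million checks in one second".
# Real cracking rigs against unsalted fast hashes are orders of magnitude faster.
GUESSES_PER_SECOND = 1_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the union of character classes that the password draws from.
    An attacker who knows which classes are in use must try all of them."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def keyspace(password: str) -> int:
    """Candidates an exhaustive search must cover: charset ** length.
    Each extra character multiplies the work by the charset size."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Equivalent key strength in bits: length * log2(charset)."""
    return len(password) * math.log2(charset_size(password))


def expected_crack_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password; on average half the keyspace is searched."""
    return keyspace(password) / 2 / rate / SECONDS_PER_YEAR


def hardening_ratio(weak: str, strong: str) -> float:
    """How many times more work the stronger password costs than the weaker one."""
    return keyspace(strong) / keyspace(weak)


if __name__ == "__main__":
    # The article's own sample passwords (constructed inputs for this demo).
    for pw in ("meryhadalittlelamb", "#M3ryHad@L1ttleL4m8"):
        print(f"{pw!r}: charset={charset_size(pw)}, bits={entropy_bits(pw):.1f}, "
              f"years at 1e6/s={expected_crack_years(pw):.3g}")
    print("ratio:", f"{hardening_ratio('meryhadalittlelamb', '#M3ryHad@L1ttleL4m8'):.3g}")
```

The lowercase sentence and its character-substituted form differ by roughly twelve orders of magnitude in search space, which is the practical effect of mixing character classes that the article recommends.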
Unique and unrepeatable: create a new password each time access to a service is required and avoid using the same password for different platforms and applications. This ensures that if a password is breached, the damage will be minimal and it will be easier and faster to fix. According to Google research, at least 65% of respondents reuse their passwords across multiple accounts and web services, which increases the chances of multiple platforms or applications being compromised.
Always private: a condition that may seem basic but is important to remember. A password should not be shared with anyone and it is highly recommended not to write it down anywhere near the computer or even in a file on it. For this task, you can use tools like password managers, which do the same job, but in a more secure way.
Real security is just "two steps" away: in addition to a strong and secure password, the use of two-factor authentication (2FA) is a significant security improvement. This way, whenever an intruder or an unauthorized person wants to access someone else's account, the account holder will receive a notification on their mobile phone to grant access or not.
Change it periodically: sometimes, even after following all these practices, incidents occur beyond our control, such as company database leaks. Therefore, it is recommended that you periodically check whether an email address has been exposed in a third-party breach, and try to identify the accounts that may have been compromised. To do this, there are publicly accessible tools such as the website Have I Been Pwned, which gathers basic information about these leaks in order to offer support and help to users. Likewise, even if they haven't been compromised, it's always a good idea to update passwords every few months.