World Password Day 2021: '123456' is still a bad idea


Eight years ago, Intel launched World Password Day to encourage people to use stronger, more unique passwords. Since then, IT professionals have seen enormous advancements in the field of technology — but weak passwords remain a problem.

As of November 2020, the three most common passwords around the world were:

  1. 123456
  2. 123456789
  3. picture1

You don’t have to be an IT pro to know that passwords like this are about as useful as a soup fork.

Last year, cyberattacks rose by 400%. According to the 2021 Acronis Cyber Protection Week Global Report, 75% of personal IT users and 50% of IT professionals lost data last year, exposing their own personal information and that of their businesses and clients to cybercriminals. At the same time, the vast majority of individuals and IT professionals reported that their passwords were strong and reliable, and that they had protections in place to defend their data.

That said, these claims are difficult to believe given the ongoing rise in data loss and the continued prevalence of weak passwords and vulnerable cybersecurity defenses. In fact, the struggle with weak passwords is so universal that it has even been mocked by world-class comedians on Netflix.

To help stop the wave of Post-it notes that say “Password1!” this World Password Day, we asked Acronis Cybersecurity Analyst Topher Tebow and VP of Cyber Protection Research Candid Wüest to offer tips for building strong passwords and a prediction of how the use of passwords will change in the years ahead.

The state of password security

“Data breaches seem to have become an everyday occurrence,” reflected Topher Tebow. “This means that our sensitive data, including account credentials, are more likely than ever to find their way into public view.” For an individual IT user, this threatens the privacy of personal information including everything from bank accounts to social security numbers. For organizations and IT service providers, the risk is even greater: steep fines, costly downtime, and reputational damage that leads to client loss and can even torpedo the business.

In the 2020 Acronis Cyberthreats Report, we predicted that service providers would be a growing target in the years ahead, given their connections to multiple different businesses. By attacking managed service providers (MSPs), for example, cybercriminals can compromise dozens of client companies in one fell swoop and reap more money through ransomware infections or banking Trojans. In addition, the attackers can make use of well-established tools, such as remote access and software delivery solutions, to make their strikes more successful.

To minimize these threats, our experts recommend an increased focus on unique passwords, the use of password managers, and the use of multi-factor authentication (MFA) to strengthen your password security.

1. Always use unique passwords

“Of course, passwords should not be easily guessable or so short that they could be cracked with brute force,” said Candid Wüest. “Even more important, however, is that your passwords are unique for each service. If you use the same password on multiple services, then one leak at one of these services is enough to break all of them. Attackers will use the leaked credentials from one breach and try them with a huge list of other services. These so-called credential stuffing attacks are unfortunately still very successful.”

That said, keeping track of all the different unique passwords you’re using can be frustrating — leading to lapses back into bad habits. The solution? Password managers.
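The credential stuffing attack Wüest describes looks very different in a service's login logs from a brute-force attack: instead of many guesses against one account, it is one or two leaked guesses against many accounts from the same source. The detector below is an added example, not Acronis code. The log lines are constructed for the demo (TEST-NET addresses), and the thresholds (five distinct usernames and a 50% failure rate within a five-minute window) are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system). 203.0.113.5 replays
# leaked username/password pairs against many accounts and happens to hit
# two users who reused their password; 198.51.100.7 is a normal user who
# mistypes their own password once and then succeeds.
SAMPLE_LOG = """\
2021-05-06T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2021-05-06T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2021-05-06T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2021-05-06T10:00:03Z ip=203.0.113.5 user=dave result=OK
2021-05-06T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2021-05-06T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2021-05-06T10:00:05Z ip=203.0.113.5 user=grace result=FAIL
2021-05-06T10:00:05Z ip=203.0.113.5 user=heidi result=FAIL
2021-05-06T10:00:06Z ip=203.0.113.5 user=ivan result=FAIL
2021-05-06T10:00:07Z ip=203.0.113.5 user=judy result=OK
2021-05-06T10:01:10Z ip=198.51.100.7 user=mallory result=FAIL
2021-05-06T10:01:25Z ip=198.51.100.7 user=mallory result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "OK"))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.5):
    """Return {ip: summary} for sources that tried many *distinct* accounts
    within `window` with a high failure rate. The distinct-user count is the
    signal that separates stuffing from a brute force on a single account."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, rows in by_ip.items():
        rows.sort()
        best = None
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until it fits within `window`
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            ratio = fails / len(chunk)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "fail_ratio": round(ratio, 2),
                        # a success from a stuffing source means that account's
                        # reused password is now known to the attacker
                        "compromised": sorted(u for _, u, ok in chunk if ok),
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The "compromised" list is the actionable output: those are the accounts to force a password reset on, because the attacker's guess worked, which is exactly the password reuse the section warns about.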

2. Find a password manager

“I personally have over 450 different passwords,” admitted Tebow. “But I only have to remember the one to my password manager, and the ones for each computer I log into. If one of my passwords gets leaked, it won’t help an attacker get into any of my other accounts.”

Password managers are gaining wider adoption and integration every day. Popular password managers include LastPass, 1Password, and many others, including some built into browsers such as Google Chrome. Many of them also protect the vault itself with multi-factor authentication, so a leaked master password alone is not enough to open it.

3. MFA, biometrics, U2F, and password maintenance

Multi-factor authentication (MFA) is quickly becoming the standard for stronger password security. This approach adds a second step to the sign-in process, usually a one-time code from an authenticator app, a confirmation text sent to your phone, or a hardware key. (A security question is just another thing you know, so it does not count as a separate factor; and a code from an authenticator app or hardware key is stronger than one sent by SMS, which can be intercepted through SIM swapping.) Because the second factor is something you have rather than something you remember, MFA adds a layer of security that does not depend on memory, which helps both adoption and effectiveness.

With all that in mind, MFA isn’t a universal solution to password strengthening. Instead, it’s an important part of a larger shift in a user’s mindset.

“I always recommend performing regular password maintenance,” said Tebow. “Using complex unique passwords might not require going through and changing all of your passwords, but rather reviewing the accounts you have passwords for, and removing any accounts you no longer need. Keeping your passwords to a minimum can also decrease the chances of your usernames and email addresses being stolen. Using a U2F key, which is a physical device that connects to the computer, and biometrics can also add a level of complexity to your credentials.”

Ultimately, however, achieving stronger password security depends on users taking a new approach to their cyber protection. To learn how Acronis is helping to guide this new approach by integrating cybersecurity, data protection, and protection management into a single platform, download a copy of the Acronis Cyber Protection Week Global Report here.