World Password Day 2024: '123456' is still a bad idea


It has been nearly eleven years since Intel launched its World Password Day initiative on May 2, 2013, to spread awareness of password protection best practices. The digital landscape has changed significantly since then, and although threats have become more complex, strong and unique passwords remain paramount in an era of AI-driven cyberattacks. The effectiveness of traditional passwords has raised concerns as AI-powered brute force attacks come into the picture. Ideally, multiple security measures should be implemented, such as two-factor authentication (2FA).

Although additional security measures are widely adopted by MSPs, businesses and home users, that does not give us a pass when it comes to password creation. We should not make it easy for cybercriminals to crack passwords with minimal effort. This World Password Day draws attention to the latest threats with the goal of encouraging organizations and communities to embrace new strategies to protect sensitive information.

Predictable passwords: Why rolling the dice elevates your cyber risk 

“123456,” “password” and “admin” were the most common passwords used in the U.S. in 2023. Even without a background in IT, it is a no-brainer that predictable passwords such as these are like rolling out the welcome mat to cybercriminals.

According to the Acronis Cyberthreats Report H2 2023, ransomware growth skyrocketed by 63% over the course of 2023. A staggering 44% of ransomware payouts amounted to $25,000-$99,999 — breaches that exposed personal information and other lucrative data.  

Threat actors are using indirect means to bypass perimeter defenses and get their hands on critical data. In a recent quishing attack (an attack that combines a phony QR code with phishing), adversaries targeted Microsoft 365 users via a bogus email alerting recipients to update their network password. Users would unknowingly scan the fraudulent QR code to enable a purported MFA method for their Microsoft account. Individuals who fell victim were directed to a look-alike Microsoft page disguised to appear legitimate. The fake page harvested the customer’s credentials through illegitimate login fields.

What we learn from these attacks can help shape cybersecurity best practices and stress the importance of building strong passwords and regularly updating them. Had the victims updated their password recently, the initial email would have sounded alarms.

Commemorating World Password Day  

The Acronis SOC leaders and authors of Secure MSP offer their tips, best practices and insights for building strong, future-proof passwords.

Passwords should be unique 

On the emphasis of unique passwords, Candid Wuest explained, "Passwords should not be easily guessable or too short to withstand brute force attacks. Equally, when creating passwords, we should ensure that each password is unique for every service, software and online account. If the same password is used across multiple services, a breach in one of them can compromise all the others. Attackers exploit these leaked credentials through credential stuffing attacks, which unfortunately remain highly successful.” 

In a 2022 article about security vulnerabilities for SMBs, Gaidar Magdanurov, President of Acronis, noted, “Weak cybersecurity policies are the usual for many SMBs. Just using weak passwords undermines all safety measures. A modern computer only takes around an hour to break an eight-character password with at least one uppercase letter and one number. Short passwords or passwords with only numbers and letters are even more insecure, with computers able to guess such combinations almost instantly.” 

Since the rise of AI-enabled cyberthreats, criminals have been abusing AI tools to refine password-cracking techniques and significantly shorten the time it takes to crack passwords. It is estimated that an 8-character password takes five minutes to crack.
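The two points made above, that predictable or short passwords fall quickly to brute force and that a password reused across services turns one breach into many, can both be checked mechanically. The following is an added example, not code from Acronis or from the post, of a small password audit a password manager or onboarding flow might run: it rejects entries from a denylist (the three passwords the post names plus a few assumed extras), estimates brute-force entropy from length and character classes, and flags any password that appears under more than one service in a vault. The thresholds, the denylist contents and the sample vault are assumptions for illustration.

```python
import math
from collections import defaultdict
from typing import Dict, List

# Constructed denylist: "123456", "password" and "admin" are the three most common
# U.S. passwords of 2023 named in the post; the remaining entries are assumed extras.
COMMON_PASSWORDS = {"123456", "password", "admin", "qwerty", "12345678", "letmein"}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, inferred from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on brute-force entropy: log2(charset ** length).

    This is the work factor for a naive exhaustive search; dictionary and
    pattern-based attacks do better, so treat it as optimistic.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def audit_password(password: str, min_length: int = 12, min_bits: float = 60.0) -> List[str]:
    """Return a list of findings; an empty list means the password passes the policy.

    min_length and min_bits are assumed policy values, not figures from the post.
    """
    findings = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("appears in the common-password denylist")
    if len(password) < min_length:
        findings.append(f"shorter than {min_length} characters")
    bits = entropy_bits(password)
    if bits < min_bits:
        findings.append(f"brute-force entropy {bits:.1f} bits is below {min_bits:.0f}")
    return findings


def find_reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Group services that share a password.

    The input is service -> password as a password manager sees its own decrypted
    vault; a breach of any service in a group exposes every other service listed
    with it to credential stuffing.
    """
    by_password: Dict[str, List[str]] = defaultdict(list)
    for service, password in vault.items():
        by_password[password].append(service)
    return {pw: services for pw, services in by_password.items() if len(services) > 1}


if __name__ == "__main__":
    for candidate in ["123456", "Passw0rd!", "Tr0ub4dor&3Xy!Qz"]:
        print(f"{candidate!r}: {audit_password(candidate) or 'OK'}")
    # Constructed sample vault: two services share one password.
    sample_vault = {"mail": "Summer2024!", "bank": "Summer2024!", "forum": "Tr0ub4dor&3Xy!Qz"}
    print("reused:", find_reused_passwords(sample_vault))
```

The entropy figure is deliberately an upper bound: it assumes the attacker must try every string of that length over the inferred alphabet, which a real cracker never needs to do. Policies should therefore combine it with the denylist check rather than rely on it alone.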

Your new ally: The password manager 

However, managing numerous unique passwords can be challenging and may lead to reverting to bad habits. This is where password managers come in. Password managers are increasingly popular and integrated into various platforms. Well-known options include LastPass, 1Password, and even built-in solutions like Google Chrome's password manager. Many of these tools enhance security by incorporating additional layers of authentication, such as MFA. 

2FA is good, MFA is better and U2F is ideal 

Implement multifactor authentication (MFA), biometrics and universal second factor (U2F), and continue to maintain your passwords. MFA is rapidly becoming the standard for bolstering password security. This method introduces an extra step during the sign-in process, such as receiving a confirmation text on your phone, answering a security question, or using tokens from authenticator apps. MFA provides an additional security layer that does not rely solely on memorized passwords, making it easier to adopt while enhancing effectiveness.

However, MFA alone is not a universal solution for strengthening passwords. It forms part of a broader shift in user mindset. Achieving robust password security requires users to be vigilant and embrace a fresh approach to securing their own or their organization’s digital assets. Acronis is actively educating, training and informing service providers, businesses and home office users on the latest cyberthreats, cutting-edge technology and security governance best practices.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 20,000 service providers to protect over 750,000 businesses.