With 31% of global companies being attacked by cybercriminals at least once a day, and most of those attacks involving phishing, it is clear that weak passwords remain a major challenge eight years after the first World Password Day. According to the 2021 Acronis Cyber Protection Week Global Report, 75% of personal IT users and 50% of IT professionals lost data last year, exposing the personal information of themselves, their businesses, and their clients to cybercriminals.
Ahead of World Password Day 2021 tomorrow, here are some comments from Candid Wüest, Acronis’ VP Cyber Protection Research, with vital recommendations on how and why individuals should protect their password security.
Comments from Candid Wüest, VP Cyber Protection Research, Acronis
Data breaches seem to have become an everyday occurrence. What this means is that our sensitive data, including account credentials, are more likely than ever to find their way into public view. Even if only a username or a password was leaked, it can still be used with a dictionary list of common passwords, or data from another leak, to find the correct combination of a username and a password. From there, all an attacker needs to do is throw the password into as many accounts as possible, and they are likely to find one that lets them in. These so-called credential-stuffing attacks are unfortunately still very successful. This is why password reuse is so dangerous. If your password is leaked or easily guessed, you may have multiple accounts compromised before you even know it has happened.
As a bare minimum, it is time for anyone who isn’t already using a password manager to do so. With these tools, you can easily use long and complex passwords for each account. This not only makes it significantly harder for cybercriminals to crack them, but also means that if one password gets leaked, it won’t help an attacker get into any other accounts. I also recommend enabling multi-factor authentication (MFA) wherever it is available. Even though there have been successful attacks against text-message-based MFA in the past, it is still better than no MFA at all. Many password managers are also incorporating MFA into their service, so you don’t need different apps for your passwords and your MFA tokens. In addition to this, password managers can prevent you from copying the credentials to phishing websites, as they detect that the website URL has changed. It may be a change in mindset to implement these processes, but a slight shift in how we log in will make it significantly more difficult for an attacker attempting to access our accounts.
Additionally, I recommend performing regular password maintenance. This does not necessarily mean going through and changing all of your passwords, but rather reviewing the accounts you have passwords for, and removing any accounts you no longer need. Keeping your passwords to a minimum can also decrease the chances of your usernames and email addresses being stolen. Using a U2F key, which is a physical device that connects to the computer, and biometrics can also add a level of complexity to your credentials. However, it is important to keep in mind that physical keys can be lost or stolen, and biometrics are really more of a username than a password, as you cannot change them.
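The credential-stuffing pattern described in the comments above (one source trying a leaked password against many different accounts, with very few successes) is also the signal a defender looks for in authentication logs. The following is an added illustration, not code from Acronis or from the commentary: it parses a constructed set of login-log lines and flags any source IP that, inside a short window, attempts many distinct usernames with a low success ratio. The log format, thresholds and IP addresses are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the page).
# Format assumed for the example: <ISO timestamp> <source IP> <username> <OK|FAIL>
# 198.51.100.4 and 198.51.100.9 are ordinary users mistyping their own password;
# 203.0.113.7 sprays one password across six different accounts and hits one.
SAMPLE_LOG = """\
2021-05-05T10:00:00 198.51.100.4 carol FAIL
2021-05-05T10:00:09 198.51.100.4 carol OK
2021-05-05T10:00:10 203.0.113.7 alice FAIL
2021-05-05T10:00:11 203.0.113.7 bob FAIL
2021-05-05T10:00:12 203.0.113.7 carol FAIL
2021-05-05T10:00:13 203.0.113.7 dave OK
2021-05-05T10:00:14 203.0.113.7 erin FAIL
2021-05-05T10:00:15 203.0.113.7 frank FAIL
2021-05-05T10:01:00 198.51.100.9 erin FAIL
2021-05-05T10:01:05 198.51.100.9 erin FAIL
2021-05-05T10:01:12 198.51.100.9 erin OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, max_success_ratio=0.2):
    """Return {ip: stats} for every source IP that, within `window`, tried at
    least `min_users` distinct usernames with a success ratio at or below
    `max_success_ratio`. A single user failing a few times is never flagged,
    because the distinct-username count stays at one."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())

    # Group attempts by source IP, preserving time order.
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        # Sliding window over this IP's attempts.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            ratio = successes / len(chunk)
            if len(users) >= min_users and ratio <= max_success_ratio:
                best = flagged.get(ip)
                # Keep the window with the most distinct usernames for this IP.
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(chunk),
                        "successes": successes,
                    }
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"suspected credential stuffing from {ip}: {stats}")
```

The thresholds are deliberately conservative: a legitimate user who fails three times and then succeeds touches only one username and is left alone, while a source cycling through many accounts stands out even when one of the guesses happens to work. In production the same logic would also be run keyed by username across source IPs, since stuffing campaigns are often spread over many addresses.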
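The remark above that a password manager refuses to hand credentials to a phishing site because "the website URL has changed" comes down to an origin check before autofill. The snippet below is an added example, not the code of any particular password manager: it keeps a constructed vault keyed by site origin and only returns a credential when the page's scheme and host match the stored entry (or a subdomain of it). The vault contents, host names and the subdomain rule are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed vault for the example (not real accounts): stored origin -> credential.
VAULT = {
    "https://accounts.example.com": {"username": "alice", "password": "<placeholder>"},
    "https://bank.example.org": {"username": "alice.b", "password": "<placeholder>"},
}


def _host(url):
    """Lower-cased host name without a trailing dot, or None if the URL has none."""
    host = urlsplit(url).hostname
    return host.rstrip(".").lower() if host else None


def matches_origin(page_url, stored_origin, allow_subdomains=True):
    """True only if the page is served over HTTPS and its host is the stored
    host or (optionally) a subdomain of it. Lookalikes such as
    'accounts.example.com.attacker.test' or 'accounts-example.com' fail, and
    so does a plain-HTTP copy of the real site."""
    page, stored = urlsplit(page_url), urlsplit(stored_origin)
    if page.scheme != "https" or stored.scheme != "https":
        return False
    page_host, stored_host = _host(page_url), _host(stored_origin)
    if not page_host or not stored_host:
        return False
    if page_host == stored_host:
        return True
    return allow_subdomains and page_host.endswith("." + stored_host)


def credentials_for(page_url, vault=VAULT):
    """The credentials a manager would offer to autofill on `page_url`."""
    return [cred for origin, cred in vault.items() if matches_origin(page_url, origin)]


if __name__ == "__main__":
    for url in ("https://accounts.example.com/login",
                "https://accounts.example.com.attacker.test/login",
                "https://accounts.example.com@attacker.test/login",
                "http://accounts.example.com/login"):
        print(url, "->", [c["username"] for c in credentials_for(url)])
```

Because matching is done on the parsed host rather than on a substring of the URL, tricks that put the real domain into the path or the userinfo part of a phishing URL do not produce a match. Allowing subdomains is a convenience trade-off: it means any host under the stored domain is trusted, so a manager that wants to be stricter can pass `allow_subdomains=False`.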