IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Email Security, Working from Home and World Password Day

What is the future of passwords? More urgently, how are you doing with using (or reusing) passwords now? Here are some helpful tips ahead of World Password Day on May 6.

Filled-in password field on a blue computer screen
Shutterstock/kpatyhka
One day last week I received an unexpected email from Google’s security team. The subject said, “Take action to secure your compromised passwords.”

Yes, I am sure it was legit (I checked). The body of the message said this:

“Google found some of your passwords online. Anyone who finds them can access your accounts.

Your Google Account is still secure. This leak came from somewhere else on the web, and you can secure your saved passwords now using Password Manager.”

As it turns out, there were several websites where, I must admit, I reused some passwords.

I know, I know, I preach this stuff — so why do I not practice what I preach?

Well, in my (weak) defense, these were rarely visited websites that had no sensitive data on me. No banks, airlines, investments or other “important” logons. I consider these “old” websites that were not very important. (Honestly, I had forgotten about some of them long ago.)

Nevertheless, I was vulnerable with those reused passwords and owe a big thank-you to Google security. I am glad that those weak (and even compromised) passwords are now all corrected.

By the Numbers: Tough Stats on Passwords

Here are some eye-opening stats, courtesy of 1Kosmos:
  • About 80 percent of data breaches in 2019 were caused by password compromise.
  • Top five most popular passwords across the globe: 123456, Password, 12345678, qwerty, 123456789.
  • At least 65 percent of people reuse passwords across multiple sites.
  • 13 percent of people use the same password for all passworded accounts and devices.
  • Although 91 percent of participants in a recent survey understand the risk of password reuse, 59 percent admitted to doing it anyway.
  • In 2019, 42 percent of companies were breached by a bad password.
  • 48 percent of workers use the same passwords in both their personal and work accounts.
  • Compromised passwords are responsible for 81 percent of hacking-related breaches.
  • The average person reuses each password 14 times.
  • 49 percent of employees only add a digit or change a character in their password when required to update it.
  • Passwords were leaked in about 65 percent of the breaches that happened in 2019.
  • 43 percent of employees have shared their password with someone.
  • 42 percent of organizations rely on sticky notes for password management.

What About Your Passwords?

The importance of this topic cannot be underestimated. With the move to working from home during the pandemic, many people are sharing PCs and mixing home and work life more than ever before. This recent article from Bill Detwiler over at ZDNet drives the point home that more people are using their work laptop for personal use — and the problems that can result. Here’s an excerpt:

“In the age of remote work, it's easier than ever to blur the lines between our personal and professional tech. Maybe it's sending personal texts or emails from your work phone, editing personal documents or photos on your work laptop, or joining a virtual happy hour with friends from your work tablet.

None of these actions may sound like a particularly risky activity, but as a former 'IT guy' I'm asking, nay pleading, with you to stop doing them. At least the potentially more hazardous activities, such as storing personal data on your work machine or storing sensitive company data on your personal devices. Do it for the security of your employer. But more importantly, do it for the safety, privacy and wellbeing of yourself, your family and friends.”

Bill then goes on to share a few stories to motivate action.

But getting back to passwords, I wrote about the importance of two-factor authentication back in 2014, and the topic is still as important as ever. Sadly, the percentage of people that use (free) two-factor for email, LinkedIn, Twitter and other websites is still rather small. And it is so easy to do! (See the article for tips.)


World Password Day Advice

World Password Day is coming up on May 6. It is a day designated to remind us of the importance of this first line of defense against ransomware, spyware and other bad actors.

Yet contrary to prevailing advice on picking strong passwords, Security.org’s second annual report on America’s password habits and strategies revealed that 14 percent of us used "COVID" in our passwords; 21 percent used “Trump” or “Biden”; and 20 percent used a curse word.

Here is a good quote on the importance of proper care of passwords from JG Heithcock, GM of Retrospect:

“A global survey conducted by Gartner found that 88 percent of business organizations mandated or encouraged employees to work from home (WFH) as a result of the COVID-19 pandemic. With millions of workers around the world now having to access their organization’s data remotely, data protection was put under increased pressure. For many, the answer was to employ a strong password — oftentimes requesting that employees do so employing a random mix of no fewer than 15 characters. Undeniably, this was a step that could not be ignored. Unfortunately, many learned the hard way that this was not enough to stop today’s increasingly determined and aggressive cyber criminals. And given that research, such as that from the Harvard Business School, shows that the WFH paradigm will likely endure, it is clear that stronger measures must also be taken.

The next step in the data protection and business continuity process for virtually any organization (or personally, for that matter) is an effective backup strategy. And the good news is that there is no need to reinvent the wheel here. A simple 3-2-1 backup strategy will do the trick. This means that data should be saved in at least three locations — one on the computer, one on easy-to-access local storage and another on offsite storage. The options range from local disk, to removable media, to the cloud and even tape. And, if at least one copy is 'air-gapped,' meaning completely unplugged from the network, all the better.

In 2021 and beyond, multi-layered data protection strategies — such as those employing strong passwords combined with thorough backup practices — will help to ensure you, your data and your organization remain protected in the event of a simple accident, cyber attack or any other disaster.”

Final Thoughts

There are plenty of experts who say the answer is to eliminate passwords now. The sentiment is that we need to go to something new ASAP. I tend to agree with that , as outlined well in this article from Microsoft on how they will get rid of passwords in 2021.

Still, we all use passwords today, and struggle with passwords on “legacy websites” that we use for home and work from years ago.

My advice: Take time today to act in these areas:
  1. Tactically find and eliminate or change your reused or weak passwords on the Internet (both home and work).    
  2. Implement two-factor authentication when possible.
  3. Make a strategic project a reality to begin your plan to eliminate passwords, as described by Microsoft and 1Kosmos or others, using the links provided in this blog.  
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.