Docs Information Security

5 Tips for World Password Day 2021

Dan Taube. Published on May 06, 2021

In celebration of World Password Day, the Information Security Office would like to share guidance on better password practices. We hope you join us and do your part to Secure the Bird!

National Nurses Day

I would like to also take the opportunity to personally recognize National Nurses Day. If you have the opportunity to thank a nurse today, do it!

About the Day

Originally inspired by a security researcher, Mark Burnett, encouraging people to have a "password day," Intel Security declared the day for the first time in May 2013.

If you would like to read more on the day, visit the Celebrating the 8th Annual World Password Day article from Intel.

Guidance

Take a moment and consider the following guidance to better secure your accounts, data, and devices.

Please be aware that the websites and services described below have no affiliation with the University. Always evaluate information and resources as they apply to you.

While data breaches have become far too common, there is a small benefit to them. They provide insight into the most common, and often weakest, passwords used by people.

The following list includes the top 5 most commonly used passwords from 2020. These are the top 5 of 200 reported by a third-party company that conducts data breach research.

  1. 123456
  2. 123456789
  3. picture1
  4. password
  5. 12345678

If you use any of these passwords for any accounts, you should consider changing them immediately.

There is a website that will let you know if a password you use has ever been breached and exposed. The website is called Have I Been Pwned? and is a great resource for technology experts and users alike.

At the time of writing this article, they have a repository of over 600 million passwords previously exposed in data breaches.

Complete these steps to check if one of your passwords has been exposed:

  1. Visit https://haveibeenpwned.com/Passwords.
  2. Enter a password of your choosing (you can test with a fake one).
  3. Click the "pwned?" button or hit enter.

If the password you enter has been previously exposed, you will be notified and given a count of just how many times it has been seen.
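The website form described above is backed by the same data that Have I Been Pwned exposes through its Pwned Passwords "range" API, which only ever receives the first five characters of your password's SHA-1 hash and returns every matching hash suffix, so the password itself never leaves your machine. The following is an added example (not code from the original article or from Have I Been Pwned) that performs that check; the live lookup needs network access, so a constructed range response is embedded for offline use.

```python
# Added example (not from the original article): checks a password against
# Have I Been Pwned's Pwned Passwords using its k-anonymity "range" API.
# Only the first 5 hex characters of the SHA-1 hash are sent; the service
# answers with every known suffix under that prefix and their breach counts.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach
    count for our suffix, or 0 if the password is not in the corpus."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Only the 5-char prefix is transmitted."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed offline sample of a range response for the prefix "5BAA6".
# The suffixes and counts are made up except that the middle suffix is the real
# SHA-1 remainder of the word "password", which tops the breach lists above.
SAMPLE_RANGE = "\n".join([
    "1E2DDBEF7D6A37B2E6C2ED3D4A2B7D1C8AF:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "1E52C2AC6E7C9A1F8C3E8B0D2A9F4E7B6D1:12",
])

if __name__ == "__main__":
    n = pwned_count("password", fetch=lambda prefix: SAMPLE_RANGE)
    print(f"'password' seen {n} times in the constructed sample")
```

Pass `fetch=fetch_range` (the default) to query the real service; the count returned is the number of times that password appeared in known breaches.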

Pro Tip

In addition to having a password checker, the Have I Been Pwned? website can also check if your accounts have been seen in data breaches.

If the email address or phone number you enter has been found in a breach, you will get a report of all the services (there may be several) where it was seen. It will also tell you what other types of data were exposed in each breach.

Just visit the homepage at https://haveibeenpwned.com/ and enter an email address or phone number to start. You can use this to check family member accounts as well.

Threat actors employ a variety of tactics to gain access to accounts, data, and systems. While users have become more aware of social engineering attacks like phishing, few have learned about credential stuffing attacks.

As shared in tips 1 and 2 above, data breaches have led to massive exposure of passwords. In credential stuffing attacks, threat actors use those exposed passwords directly against valuable websites and services. Instead of having to "pick the lock," in a sense, with brute-force password guessing, they simply have a ring of keys they can try.

If you found that you had been "pwned" by following the guidance in tip 2 above, you should make sure that same account or password is not used anywhere else. It is safe to assume that any such information will be used against bank, email, and social media websites.
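From the defender's side, a credential stuffing run has a recognizable shape in an authentication log: one source trying many different accounts, each once or twice, in a short window, which is unlike a real user mistyping their own password. The following is an added example (not code from the original article) that flags that pattern; the log format, account names and IP addresses (RFC 5737 documentation ranges) are all constructed.

```python
# Added example (not from the original article): flags the login pattern behind
# credential stuffing in an authentication log. The log format and addresses
# below are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.5 walks a breached credential list (one hit on
# "dave"), while a real user at 198.51.100.7 fumbles their own password.
SAMPLE_LOG = """\
2021-05-06T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2021-05-06T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2021-05-06T10:00:02Z src=203.0.113.5 user=carol result=FAIL
2021-05-06T10:00:03Z src=203.0.113.5 user=dave result=OK
2021-05-06T10:00:04Z src=203.0.113.5 user=erin result=FAIL
2021-05-06T10:00:05Z src=203.0.113.5 user=frank result=FAIL
2021-05-06T10:01:10Z src=198.51.100.7 user=grace result=FAIL
2021-05-06T10:01:20Z src=198.51.100.7 user=grace result=FAIL
2021-05-06T10:01:40Z src=198.51.100.7 user=grace result=OK
"""


def parse(line: str):
    """Split one constructed log line into (timestamp, src, user, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            fields["src"], fields["user"], fields["result"])


def stuffing_sources(log: str, window=timedelta(minutes=5), min_users=5):
    """Return {src: sorted distinct users} for every source that tried at least
    `min_users` distinct accounts inside any `window`-long span. Successful
    logins count too: the hits are exactly the accounts that need a reset."""
    events = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, user, _ = parse(line)
        events[src].append((ts, user))
    flagged = {}
    for src, attempts in events.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):        # sliding window
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    for src, users in stuffing_sources(SAMPLE_LOG).items():
        print(f"{src}: {len(users)} accounts tried: {', '.join(users)}")
```

Tune `window` and `min_users` to the service's normal traffic; the key signal is the number of distinct accounts per source, not the number of failures, which is why repeated failures on a single account are not flagged.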

Pro Tip

In addition to not reusing passwords across multiple services, consider enabling multi-factor authentication (sometimes called two-factor authentication or 2FA) wherever possible.

With this extra layer of security, a threat actor would not only need to obtain your password, but would also need to gain access to your additional factor (e.g. your phone). There are certainly ways for them to do that, but such effort is usually reserved for high-value targets such as political, corporate, and world leaders.

When it comes to technology-based attacks against passwords, the length and complexity of the password matters. However, users are often frustrated by trying to come up with such a password and having it be memorable. Our advice is to use a passphrase instead of a password.

For example, a complex and likely difficult-to-remember password such as R3d&i4d$ might seem secure, but can realistically be cracked in a matter of 3 days. Alternatively, a simpler and memorable passphrase such as GoYouRedbirds1857! would take about 4 years to crack.

Pro Tip

If you choose to set a passphrase, it is recommended that you do not actually use a phrase that makes sense. The one provided is purely for illustrative purposes and would be considered weak for any member of the Illinois State University community.

Consider visiting a site like https://www.useapassphrase.com/ for examples of randomly worded passphrases. You want to find a phrase that you can easily memorize that no human or machine can reasonably guess.

For our final tip, we would like to suggest the use of a password manager. Password managers are apps and websites that securely store all of your passwords in a vault. This is a valuable tool once you start practicing tips 3 and 4 above.

While the University does not make a password manager available for personal use, here is a list of popular choices to check out:

  • LastPass
  • Bitwarden
  • KeePass
  • 1Password
  • Dashlane

We recommend reading reviews to determine which may be best for you. A good starting point is the article The Best Password Managers from Wirecutter, which is owned by The New York Times Company.

Pro Tip

If you are an employee of the University with departmental or institutional passwords used for official operations or business (e.g. social media accounts, vendor portals, state and federal reporting, etc.), contact the Office of Technology Solutions to learn about a password manager that is available for that use.

Check out these related articles on passwords:

Make Strong Passwords to Boost Security

Become a Password Pro