The annual World Password Day painfully reminds us that the concept of people choosing their own passwords seems flawed. Thankfully, things are getting better, and password security is evolving with new tools, but the need for a World Password Day remains.
People often say that they don’t have anything that criminals want. Yet, deep down they know that’s not true. Users have passwords for everything: email services, video streaming platforms, school accounts, and so on. Passwords usually guard personal information or metadata about people. That wouldn’t happen unless some of the information were of value to someone.
Despite all that, people also treat passwords as something that takes up time and effort. They are a burden on our daily lives, so we take shortcuts, like using the same password on multiple services or choosing simple passwords that are easy to remember.
Three ugly truths
A recent survey showed that 66% of people don’t consider changing passwords after finding out about major data breaches, and more than half haven’t changed their passwords in 12 months. This behavior ensures that data breaches will always provide threat actors with a large number of valid credentials.
Despite technological advances and online services requiring more complex passwords, the most widely used password in the world remains ‘123456’. A recent investigation showed that, out of a billion inspected credentials, around seven million were ‘123456.’
The same old passwords now protect more data. As time passes, online services gather more and more information pertaining or belonging to their users, and we’re not even counting the metadata. This means that all those insecure passwords actually protect an ever-increasing pool of personal data.
There’s hope yet
Whether forced by online services or due to increased awareness, password security has evolved. More people now choose complex and unique passwords than ever, a good behavior helped in part by the advent of password managers. This type of software acts as a handy vault for all of a user’s credentials so people don’t have to remember them all.
Furthermore, the rate of adoption for multi-factor authentication (MFA) is now more than 50%. Multiple layers of security are always better, and MFA quickly became essential.
Finally, all major browsers now offer robust and unique passwords when creating new accounts, or they check if the currently used passwords were exposed in data breaches. Cybersecurity companies have also released tools that verify if people’s credentials are part of any data breach, and users seem more aware of the importance of their choice of credentials.
If anything, pestering users about password security for years on end seems to be paying off. It’s a long process that will likely continue, and this is not the last Password Day we will observe. But it’s part of the same ‘pestering’ process that helps security companies make people aware of the importance of their data and their responsibilities when it comes to safeguarding that information.