PhishNet

Use Complex Unique Passwords

Discover effective password management techniques, avoid common pitfalls, and protect yourself from cyber threats.

So, how do you manage your passwords?

That’s a question LastPass asked in its 2022 Psychology of Passwords Report. And the data it got back was… less than reassuring:

  • Just 73% of people thought that they had good password management methods.
  • However, 62% of people reused passwords or used variations of a password on different sites.

In case you missed it, that means that most of the respondents didn’t actually have good password management methods at all.

Here are some common password strategies that people use:

  • Names of loved ones: spouses, children, or pets.
  • Favourite sports teams.
  • Characters that are close together on a standard keyboard, like 1q2w3e.
  • Dates as numeric sequences, like 30052023.
  • Letters replaced with numbers.
  • Adding numbers or punctuation to the end of a password.
  • Using the same password over and over again.

Do you do any of these? Cyber criminals know these strategies for remembering passwords, and they will exploit them.

Why is it bad to reuse passwords?

Reusing your passwords makes it easier for you to log in to multiple sites. But conversely, it can make life easier for attackers. Imagine: an attacker hacks a site that you have an account on. Now they have your login details for that site. Except you’ve also used the same password on other sites. The attacker can now access your account on those other sites, too.

Creating variations of a password to use on different sites is almost as bad. It might seem like a great compromise, but in fact, the variations are usually pretty easy to guess. Our thought processes aren’t as unique as we like to think, and hackers can create bots to cycle through common variant options.

While widening the damage a single breach can do is bad enough, there are more consequences to reusing passwords. If you’re reusing a password, it’s usually because you find it easy to remember. Sadly, passwords that are easy to remember often use one or more of the common password strategies mentioned above. If your password is something that you find simple to remember, chances are that other people can figure it out too.

How can I create new complex passwords?

Manually creating complex passwords generally isn’t a great option. Our brains tend to create patterns and use them – like always creating specific sequences of numbers. We might not notice we’re doing it – but it still makes them easier for people to guess.

Many password manager and antivirus software vendors offer a free password creation tool on their websites. You can set the complexity and length you need, and the tools spit out randomised passwords. These aren’t bad, but a lot of people run into problems with saving the new passwords securely.

Your best option is a password manager that will create a random password for you, then save your login details against the site address or app information.

What is password spraying?

Password spraying is a type of cyber attack. Like a brute force attack, the aim is to gain access to people’s logins. But brute force attacks focus a lot of computing power on a few logins. In contrast, password spraying attacks take a few passwords and try them with a long list of email addresses as logins on major sites like Facebook and Gmail.

Password spraying tends to provide positive results for attackers. That’s because we aren’t usually as original with our passwords as we like to think. All attackers need to do is try common passwords and combinations – and generally someone on the list will be using one of them. Another tactic is to generate candidate passwords that only just satisfy a platform’s minimum password requirements – knowing that most users create passwords that meet the bare minimum and nothing more.
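To show what the pattern described above looks like from the defender’s side, here is an added example (not PhishNet’s code) that runs over a constructed authentication log and separates spraying (one source, many accounts, few attempts each) from brute force (one account, many attempts). The log format, the IP addresses and the thresholds are assumptions.

```python
# Added example (not PhishNet's code): spot password spraying in auth logs.
# Spraying = one source, many accounts, few tries each; brute force = many tries, one account.
from collections import defaultdict

# Constructed sample log, one event per line: "timestamp source_ip username result"
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.5 alice FAIL
2024-01-10T09:00:02 203.0.113.5 bob FAIL
2024-01-10T09:00:03 203.0.113.5 carol FAIL
2024-01-10T09:00:04 203.0.113.5 dave FAIL
2024-01-10T09:00:05 203.0.113.5 erin FAIL
2024-01-10T09:00:06 203.0.113.5 frank SUCCESS
2024-01-10T09:01:00 198.51.100.7 alice FAIL
2024-01-10T09:01:05 198.51.100.7 alice FAIL
2024-01-10T09:01:09 198.51.100.7 alice FAIL
2024-01-10T09:01:12 198.51.100.7 alice FAIL
2024-01-10T09:02:00 192.0.2.9 gina SUCCESS
"""

def parse_log(text):
    """Turn the text log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"})
    return events

def failures_by_source(events):
    """ip -> {username: failed_attempts}"""
    table = defaultdict(lambda: defaultdict(int))
    for e in events:
        if not e["ok"]:
            table[e["ip"]][e["user"]] += 1
    return table

def find_spraying(events, min_accounts=5, max_per_account=2):
    """Sources that failed against at least min_accounts, never more than max_per_account times each."""
    return {ip: sorted(users) for ip, users in failures_by_source(events).items()
            if len(users) >= min_accounts and max(users.values()) <= max_per_account}

def find_brute_force(events, min_attempts=4):
    """(ip, username) pairs hammered with repeated failures."""
    return {(ip, u) for ip, users in failures_by_source(events).items()
            for u, n in users.items() if n >= min_attempts}

def accounts_hit_by_spray(events):
    """Accounts that accepted a login from a spraying source: the ones to reset first."""
    sprayers = find_spraying(events)
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in sprayers})
```

Per-account lockout counters never trip on the first source because each account sees only one failure; the per-source view is what exposes it.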

How can I protect against password spraying?

There are two very simple rules you can follow to protect yourself and your employer against password spraying attacks:

  • Don’t reuse passwords. Don’t use variations on a password either.
  • Create a unique, complex password for every site. Use a random password generator to avoid creating unconscious patterns.
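The random generator recommended here and in the “How can I create new complex passwords?” section, as an added example rather than PhishNet’s or any vendor’s tool: it draws from the operating system’s random source and rejects any candidate that happens to contain the patterns listed at the top of the post (keyboard walks like 1q2w3e, repeated characters, date-length digit runs). The QWERTY grid approximation and the policy thresholds are my assumptions.

```python
# Added example (not PhishNet's code): generate passwords from the OS CSPRNG and
# reject any candidate containing the predictable patterns the post lists
# (keyboard walks like 1q2w3e, repeated characters, date-length digit runs).
import math
import re
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Approximate QWERTY grid: (row, column + row offset) so diagonal neighbours count too.
_POS = {}
for r, (row, off) in enumerate(zip(["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"],
                                   [0, 0.5, 1.0, 1.5])):
    for c, ch in enumerate(row):
        _POS[ch] = (r, c + off)

def _adjacent(a, b):
    pa, pb = _POS.get(a), _POS.get(b)
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1

def has_keyboard_walk(pw, run=4):
    """True if `run` consecutive characters each sit beside the previous key."""
    low, streak = pw.lower(), 1
    for a, b in zip(low, low[1:]):
        streak = streak + 1 if _adjacent(a, b) else 1
        if streak >= run:
            return True
    return False

def is_acceptable(pw):
    """Policy: all four character classes, no triple repeat, no long digit run, no keyboard walk."""
    classes = (str.islower, str.isupper, str.isdigit, lambda ch: ch in string.punctuation)
    if not all(any(f(ch) for ch in pw) for f in classes):
        return False
    if re.search(r"(.)\1\1", pw) or re.search(r"\d{6,}", pw):
        return False
    return not has_keyboard_walk(pw)

def generate_password(length=20):
    """Draw uniformly from ALPHABET and retry until the candidate passes the policy."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_acceptable(pw):
            return pw

def entropy_bits(length, alphabet=ALPHABET):
    """Guessing entropy of a uniform draw; the rejections above cost only a fraction of a bit."""
    return length * math.log2(len(alphabet))
```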

If I use unique, complex passwords, how can I remember all of them?

Remembering passwords is a common problem! After all, if it were easy to remember many complicated passwords, password spraying would hardly be an issue. But it’s not. Many of us have logins to dozens of websites and applications just for our everyday jobs. Add in home streaming services, retail sites, email, and social media, and the list of passwords to memorise just keeps growing.

There is an easier way, though. Password managers exist to help you with this exact problem. A solution like LastPass will store your passwords for you online, create and save new passwords, and even go through and change your passwords on external sites if it’s time for a refresh.

Train your team on good password practices

Your team won’t know good password practices unless you teach them: not just how to create good passwords, but why it’s important to your business.

Empower your team and create a resilient cyber culture to protect your business.

About PhishNet

PhishNet trains people to recognise everyday scams and cyber threats through our Cyber Security Awareness Training platform. With clear, measurable results, organisations can meet compliance requirements and proactively reduce the risk of cyber incidents. Talk to us about how awareness training can help protect your people and business.