As we approach the end of the calendar year, NordPass has released their list of the 200 most common passwords of 2020.
While there are a number of the usual suspects listed, senha (Portuguese for password) and picture1 were new entries on the list, and 2019’s worst password, 12345, came in 8th this year. You can also sort by password categories including names, numbers, swear words and entertainment. The entertainment list was especially interesting, showing that superman, pokemon, naruto and blink182 were quite popular in 2020.
In addition, our cybersecurity team has shared best practices for creating secure passwords and password management below.
Avoid Bad Passwords
The first step is simple: stop using passwords that can be commonly guessed, including sports teams, regional terms, company names, seasons or variations of the word password (i.e. P@ssw0rd). While these are not as egregious as the ones listed in the top ten list, they are just as susceptible and easy to guess for many threat actors. And if you saw your password in this article or on the full list, change it immediately.
Create Passphrases
Look beyond password criteria such as length, numbers and special characters. Think about something unique to you that only you would know. We like to say think about passwords as passphrases. Put together random words from a personal story or memory. If you string along several small words, this helps to increase password complexity and should meet most length requirements. Remember, a secure password isn’t secure just because it meets a site’s requirements. It’s secure if it’s something only you would know.
Password Manager Solutions
We know how hard it can be to remember all of your passwords, especially with the vast amount of unique requirements from different sites. One option is to use password management software, which essentially acts as a master lock for all of your passwords. Password managers not only add a layer of convenience to password security, but many help you create strong passwords with stringent requirements. Many password management software providers, such as LastPass and 1Password, offer options for personal and enterprise security needs.
P.S. – writing passwords on paper is not a password management solution…
Use Different Passwords
If you are not using a password manager, having unique passwords for accounts is an absolute must. One of the first things threat actors do when stealing passwords is see where else it works. Known as credential stuffing, attackers will see how many accounts they can compromise with stolen credentials to increase their earning potential. Take a moment to think about how many accounts you have the same password and username/email address protecting and chances are you can see the potential damage of having one password.
Update Security Questions
Security questions are a common part of account protection at this point, but with the growing world of digital footprint left through social media and search engines, can be easy targets for threat actors. Think about some of the most common questions asked and where the answers can be found:
- Birthday – Social media, public records
- Where did you and your spouse meet – Social media, wedding registry sites
- What high school did you go to – Social media, public record, alumni associations
- What was your first job – Social media, professional biographies
Pretty concerning, right? Remember to treat the answers to these questions as you would a password and update them frequently.
Multi-Factor Authentication
With the reality that passwords will get compromised, implementing supporting authentication controls is an important step in all security programs. Since moving to remote accommodations, many of us are used to multi-factor authentication through mobile apps, texts or receivers, which require you to enter your password to receive a temporary code to login.
Monitor Breaches
Just because somebody has your credentials doesn’t mean they use them immediately. In many cases, data breaches occur and account owners are notified through email months later. Major companies including Capital One, Yahoo, Equifax and Intel are just a few of the major companies who experienced breaches over the last year resulting in personal data theft.
So what happens if you find out you are part of a data breach? Hopefully you are implementing password best practices outlined in this article, but if not, change your password immediately on other sites that are using the same one or a variation of the compromised credentials. We also recommend using a rapid breach alert service such as www.haveibeenpwned.com, which sends you an email alert if they find your email address tied to any breaches as they become known.
Remember, the New Year marks an opportunity to remind your end users of the importance of password security to keep both their personal information and your organization secure against the growing threat landscape of today and tomorrow.
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts offering a comprehensive set of information technology security services, including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity or contact the team at [email protected].
If you suspect or are experiencing a network incident, our Incident Response Team is available 24x7x365 at 1-800-993-8937.
Want more cybersecurity content? Subscribe to our bi-weekly newsletter, Focus on Cybersecurity, for the latest insight and news in the cybersecurity world.