Until the technology industry deploys friendlier and more secure alternatives at scale, passwords remain the predominant form of authentication for Internet services, operating systems, applications, games, networks and all kinds of devices.
Although additional measures such as 2FA have strengthened security by requiring a second verification step, the truth is that passwords alone are not a reliable method in the face of an ever-growing volume of attacks. Even less so when users and companies keep ignoring the basic rules for their creation, use and maintenance.
Security specialists estimate that attackers launch an average of 50 million password attacks every day, about 580 per second. And they are highly effective: compromised credentials have been reported to account for around 60% of data breaches.
World Password Day 2022
To raise awareness of the seriousness of the issue, the technology industry marks World Password Day on the first Thursday of May. The reminder is motivated by analysis of the millions of passwords exposed through data breaches at companies large and small, and the picture it paints is disastrous.
The list of the worst passwords should make us think, because the same entries are repeated year after year and old favourites such as “123456”, “111111” or “password” dominate the usage rankings. They are the ones to avoid at all costs: an attacker recovers them in under a second simply by running a tool that tries the most common ones first, or with brute-force and dictionary attacks over words, numeric sequences and other predictable combinations.
How to create strong passwords
We make it very easy for cybercriminals. Users are “lazy” by nature, or careless, despite how much we risk by exposing a digital life that spans professional and personal matters. And financial ones, the most sought after for obvious reasons.
The recommendation is the usual one. We must make the effort to create passwords following the basic rules found in any cybersecurity manual, which spell out what to do and what not to do when creating and using them. We recall them again:
- Do not use dictionary words or common number sequences.
- Do not use personal names, pet names or dates of birth.
- Combine uppercase and lowercase letters.
- Combine numbers with letters.
- Add special characters.
- Make the password as long as possible; every extra character multiplies the search space an attacker has to cover, so length is the single biggest factor against brute force.
- Do not reuse the same password on several sites; otherwise a single breach unlocks all of them, which is exactly what credential-stuffing attacks rely on.
- In particular, use unique passwords that are as strong as possible for banking and online shopping sites, where we expose our financial information.
- Keep the password out of reach of any third party.
- Never reveal the password to anyone, not even in supposedly official requests that arrive by email or instant messaging, since these are usually phishing attacks impersonating the service in question.
- Vary the username and email address as well, so that a leak from one site does not hand over the login for another.
- Reinforce passwords with two-factor authentication (2FA) or biometric systems such as fingerprint sensors or facial recognition wherever they are offered.
- Close online accounts you no longer use, as a regular maintenance task.
- Check whether your passwords have appeared in a breach. Have I Been Pwned is a good place to look; its Pwned Passwords check is designed so that only the first five characters of the password's SHA-1 hash ever leave your machine.
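The rules above can be turned into code. The following is an added example, not part of the original article and not the Have I Been Pwned project's own code: it generates a password from the OS random source with every character class present, checks a candidate against the rules (length, character classes, a small list of the worst passwords, and personal tokens such as a name or birth year), and shows the k-anonymity query the Pwned Passwords API uses, where only the first five hex characters of the SHA-1 hash would be sent. The 12-character minimum and the common-password list are assumptions for this example, and the API range response is a constructed table (only the suffix for "password" is a real SHA-1 remainder; the counts and the second line are made up) so the code runs offline.

```python
import hashlib
import secrets
import string

# Assumed policy thresholds for this example (the article gives rules, not numbers).
MIN_LENGTH = 12
# Constructed list: the worst passwords named in the article plus a few equally common ones.
COMMON = {"123456", "111111", "password", "12345678", "qwerty", "abc123"}

CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.<>?",
}


def check_rules(password, personal=()):
    """Return the list of rules a candidate password breaks (empty list = passes).
    `personal` holds tokens such as names, pet names or birth dates that must not appear."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON:
        problems.append("in the common-password list")
    for name, alphabet in CLASSES.items():
        if not any(c in alphabet for c in password):
            problems.append(f"no {name} character")
    for token in personal:
        if token and token.lower() in password.lower():
            problems.append(f"contains personal token {token!r}")
    return problems


def generate_password(length=20):
    """Random password from the OS CSPRNG with at least one character of every class."""
    if length < len(CLASSES):
        raise ValueError("length too small to cover every character class")
    chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()]
    pool = "".join(CLASSES.values())
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # so the class-guaranteed characters are not always first
    return "".join(chars)


def hibp_split(password):
    """k-anonymity split used by Pwned Passwords: only the 5-character prefix of the
    SHA-1 hash is sent to the API, the 35-character suffix is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the API's range response (one "SUFFIX:COUNT" line per hash
# sharing the prefix). The first suffix is the real SHA-1 remainder of "password";
# the count and the second line are invented for this example.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0123456789ABCDEF0123456789ABCDEF012:2\r\n",
}


def pwned_count(password, fetch_range=FAKE_RANGE_RESPONSES.get):
    """How many times a password appears in the breach corpus, 0 if never.
    In real use `fetch_range(prefix)` would be an HTTPS GET of
    https://api.pwnedpasswords.com/range/<prefix>; here it reads the constructed table."""
    prefix, suffix = hibp_split(password)
    body = fetch_range(prefix) or ""
    for line in body.splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    candidate = generate_password(20)
    print(candidate, check_rules(candidate), pwned_count(candidate))
    print("password", check_rules("password"), pwned_count("password"))
```

Note that the rule check is deliberately a blacklist plus minimums: a password that passes it is not automatically good, which is why the breach lookup is a separate step and why the generator, not the human, should pick the characters.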
It is almost impossible for a human Internet user to safely manage the credentials for the hundreds of accounts we are surely subscribed to. A group of applications is very helpful here. Basically, this type of software reduces human error in handling passwords, since it automates both generating them and logging in to websites and services.
Of course, the passwords created by these managers are highly secure, meeting the standard rules for length and complexity. They also help against phishing: a manager only fills credentials on the site they were saved for, so a look-alike address built with characters from another alphabet is not recognised and stays empty. And they add a huge advantage: we only need to remember one master password, and the manager does the rest.
Applications like the well-known LastPass and other commercial and/or paid ones surely sound familiar, but in our practical section we once proposed these five open source and completely free solutions that our readers liked a lot. The great advantage of open source managers is that the software can be audited and the credentials kept under your own control, by installing and self-hosting them on your own machine. We remind you of the most interesting ones:
KeePass. The ‘grandfather’ of open source password managers, it has been around since the days of Windows XP. KeePass stores passwords in an encrypted database that you unlock with a master password, a key file, or both. It can import and export passwords in a wide variety of formats.
Bitwarden. Aimed especially at LastPass users looking for a more transparent alternative, it works as a web service you can access from any desktop browser, and has its own apps for Android and iOS. Bitwarden can share passwords and offers secure access with multi-factor authentication and audit trails.
Passbolt. A self-hosted password manager designed specifically for work teams. It integrates with the tools teams already use, such as browsers, email and chat clients. You can self-host it on your own servers to keep complete control of the data, although teams without the experience or infrastructure can use a cloud version hosted on Passbolt's own servers.
Psono. Another option for teams looking for open source enterprise password management. It is a self-hosted solution with a polished web client and a Python-based server, with source code available under the Apache 2.0 license.
TeamPass. A team-oriented manager with a basic offline mode we like, where you export your items to an encrypted file that can be used in locations without an Internet connection. TeamPass isn't the prettiest app in the world, but it is very well designed, and you can quickly define roles, user privileges and folder access.
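What “an encrypted database that you unlock with a master password, a key file, or both” means in practice is shown by the following added example. It is illustrative code written for this article, not KeePass's or any other manager's own implementation: the master password and optional key file are hashed into one composite secret (in the spirit of KeePass's composite key), a memory-hard KDF (scrypt, parameters assumed) turns it into separate encryption and MAC keys, and the vault is encrypted-then-MACed. The cipher here is an HMAC-SHA256 keystream so the example needs only the standard library; a real manager uses AES or ChaCha20 from a vetted library for that part. The vault contents and key-file bytes in the test are constructed.

```python
import hashlib
import hmac
import json
import os

# Assumed KDF cost for this example; real managers tune this to the hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
HEADER = b"toyvault-v1"  # constructed format label, also bound into the MAC
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def composite_key(master_password, key_file=None):
    """Combine what the user knows (password) with what they hold (key file).
    Each component is hashed, then the concatenation is hashed again, so with both
    configured neither one alone reproduces the key."""
    parts = [hashlib.sha256(master_password.encode("utf-8")).digest()]
    if key_file is not None:
        parts.append(hashlib.sha256(key_file).digest())
    return hashlib.sha256(b"".join(parts)).digest()


def derive_keys(composite, salt):
    """Memory-hard stretching so offline guessing of the master password is slow.
    Returns independent 32-byte encryption and MAC keys."""
    km = hashlib.scrypt(composite, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    # HMAC in counter mode as a stand-in stream cipher (see lead-in); never reuse a nonce.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


def lock_vault(entries, master_password, key_file=None):
    """Serialise the entries and return HEADER || salt || nonce || tag || ciphertext."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(composite_key(master_password, key_file), salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, HEADER + salt + nonce + ciphertext, hashlib.sha256).digest()
    return HEADER + salt + nonce + tag + ciphertext


def unlock_vault(blob, master_password, key_file=None):
    """Verify the MAC before touching the ciphertext; wrong password, wrong key file
    and tampering all fail the same way so an attacker learns nothing extra."""
    if not blob.startswith(HEADER):
        raise ValueError("not a vault file")
    off = len(HEADER)
    salt = blob[off:off + SALT_LEN]
    nonce = blob[off + SALT_LEN:off + SALT_LEN + NONCE_LEN]
    tag = blob[off + SALT_LEN + NONCE_LEN:off + SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[off + SALT_LEN + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = derive_keys(composite_key(master_password, key_file), salt)
    expected = hmac.new(mac_key, HEADER + salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or key file, or vault tampered with")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def unlock_ok(blob, master_password, key_file=None):
    """True if the vault opens with these secrets, False otherwise."""
    try:
        unlock_vault(blob, master_password, key_file)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    vault = {"bank.example": {"user": "alice", "password": "Tq7#vL2m$Zr9!pWx"}}  # constructed
    blob = lock_vault(vault, "correct horse battery staple", key_file=b"constructed key file")
    print(unlock_vault(blob, "correct horse battery staple", key_file=b"constructed key file"))
    print(unlock_ok(blob, "wrong password", key_file=b"constructed key file"))
```

The point to take away is the split of responsibilities: the KDF is what makes a stolen vault file expensive to crack, the MAC is what stops silent modification, and the key file is what turns a guessable master password into something an attacker also has to steal.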
And if you want this kind of software on your phone, there are also specialised options such as these six password managers for Android that we recently covered.
Managers in browsers
If you don’t want a third-party manager, another option is the password manager built into the browser. Chrome, the leader in the segment, has considerably improved its operation and capacity in recent versions, adding functions offered by the dedicated managers above, such as detection of compromised passwords, a warning when you create a weak one, and very simple editing of entries within the manager itself.
The manager stores them securely, lets you manage them at chrome://settings/passwords and uses them to fill in the username and password fields the next time you visit a website. Mozilla does something very similar in Firefox, one of the best web browsers, with its ‘Password Manager’. Microsoft’s Chromium-based Edge also has its own manager that covers the basics of a dedicated one.
A new reminder this World Password Day 2022 to invest a few minutes of your time in a crucial element of your Internet security and that of your digital home. And there are no excuses: we have the information and the means. Let’s not make it so easy for the attackers.