The technology industry marks the first Thursday of May with an event to raise awareness of the need to improve password practices. Despite repeated alerts, World Password Day 2023 is still very much needed, because analysis of the millions of passwords exposed in data breaches at companies large and small paints a disastrous picture.
Certainly, passwords are painful to use and insecure unless precise rules are followed. But until the technology industry massively deploys more user-friendly and secure alternatives such as passkeys, passwords remain the dominant form of authentication for accessing Internet services and for authenticating to operating systems, applications, games, networks and all kinds of devices.
While additional features such as 2FA have strengthened password security by enforcing two-step verification, the truth is that passwords alone are not a reliable method today amid an ever-increasing number of attacks. Even less so when users and companies keep ignoring the basic rules for creating, using and maintaining them.
World Password Day 2023
Security specialists estimate that more than 50 million password attacks take place every day, about 580 per second. And they are highly effective: 60% of data breaches are attributed to compromised credentials.
And we make it very easy for cybercriminals. The list of the worst passwords should give us pause for thought, because the same old acquaintances such as “123456”, “111111” or “password” dominate the rankings year after year. They are the ones to avoid at all costs, because an attacker can recover them in less than a second simply by running a tool that tries the most common ones, or through brute-force attacks that cycle through dictionary words, numeric combinations and other patterns.
The fact is that we users are “lazy” by nature, or careless, despite how much we put at stake by exposing a digital life that covers both professional and personal matters. And financial ones, which are the most sought after for obvious reasons. To raise awareness of the seriousness of the issue, the industry is relaunching this international day as a reminder of the dos and don’ts of password handling.
How to create strong passwords
The recommendation is the usual one. We should make an effort in their creation and maintenance, following basic rules found in any cybersecurity manual that spell out the dos and don’ts of creating and using passwords. We remind you of them again:
- Do not use typical words or common numbers.
- Do not use personal names, pet names, or birth dates.
- Combine uppercase and lowercase letters.
- Combine numbers with letters.
- Add special characters.
- Make the password as long as possible: every extra character counts.
- Do not use the same password on all sites.
- In particular, use specific and as-strong-as-possible passwords for banking and online shopping sites, where we expose our financial information.
- Keep the password safe from any third party.
- Never reveal your password to anyone, not even in supposedly official requests arriving by e-mail or instant message, since these are usually phishing attacks designed to steal your identity.
- Vary your user name and e-mail address from site to site.
- Reinforce passwords with two-factor authentication (2FA) or biometric systems (fingerprint sensors, facial recognition) whenever they are available.
- Clean up online accounts you no longer use as a regular maintenance task.
- Check whether your passwords have appeared in a breach. Have I Been Pwned is a good place to look.
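The rules above map directly onto a checker. What follows is an added example, not code from the original article: it implements the list's rules in Python (the 12-character floor and the denylist entries beyond the three passwords the article names are assumptions) and shows the k-anonymity idea behind a Have I Been Pwned lookup, using a constructed stand-in for the service's range response instead of a live request.

```python
import hashlib
import re
import string

# Constructed denylist: the article names the first three; a real checker would
# load a list of millions of leaked passwords instead.
COMMON_PASSWORDS = {"123456", "111111", "password", "qwerty", "12345678", "abc123"}

# Assumption: the article only says "as long as possible"; 12 is the floor chosen here.
MIN_LENGTH = 12

_DIGIT_RUN = "0123456789"


def check_password(pw, personal_terms=()):
    """Apply the creation rules and return the list of violations.

    An empty list means the password passes every rule. personal_terms holds the
    user's own names, pet names and birth dates (supplied by the caller) so that
    the "no personal data" rule can be enforced as well.
    """
    problems = []
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    # Padding tricks that satisfy the length rule without adding any strength.
    if re.search(r"(.)\1{3,}", pw):
        problems.append("contains a run of four or more identical characters")
    if any(_DIGIT_RUN[i:i + 4] in pw for i in range(len(_DIGIT_RUN) - 3)):
        problems.append("contains an ascending digit sequence")
    return problems


def hibp_prefix_and_suffix(pw):
    """Split SHA-1(password) the way the Pwned Passwords range API expects.

    Only the five-character prefix is sent to the service; it answers with every
    suffix in that range, so the comparison happens locally and the full hash
    (let alone the password) never leaves the machine.
    """
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Find our suffix in a 'SUFFIX:COUNT' range response; 0 means not seen in breaches."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


# Constructed stand-in for the body the range API would return for prefix 5BAA6
# (a real response holds hundreds of lines). The first suffix is the genuine
# SHA-1 tail of "password"; the counts and the other suffixes are made up.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
0F1A2B3C4D5E6F708192A3B4C5D6E7F8091:3
ABCDEF0123456789ABCDEF0123456789ABC:12
"""


def breached_count(pw, response_text=SAMPLE_RANGE_RESPONSE):
    """Run both steps of the k-anonymity check for one password."""
    _prefix, suffix = hibp_prefix_and_suffix(pw)
    return count_in_range_response(suffix, response_text)


if __name__ == "__main__":
    for candidate in ("password", "123456", "Tr0ub4dor&3xample!"):
        print(candidate, check_password(candidate) or "passes all rules",
              "| breach count:", breached_count(candidate))
```

Against a live service the only change is fetching the range body for the prefix over HTTPS; the matching logic stays exactly as shown, which is the point of the range design.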
It is almost impossible for a human Internet user to securely manage the credentials for the hundreds of accounts we are likely to hold. A class of applications, password managers, is of great help here: this type of software reduces human error in handling passwords by automating both the generation of passwords and the login to websites and services.
Of course, the passwords created by these managers are highly secure because they meet the standard rules on length and complexity. They also help against phishing attacks by immediately flagging characters from other alphabets, and they add a huge advantage: we only need to remember a master password and the manager does the rest.
You are surely familiar with applications such as the renowned LastPass and other commercial and/or paid products, but in our practical section we once proposed these five open source and completely free solutions, which our readers liked a lot. The great advantage of open source managers is that you can audit the software and keep the credentials under your control by installing and self-hosting them on your own machine. We remind you of the most interesting ones:
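To show what "meeting the standard rules on length and complexity" looks like under the hood, here is an added example, not the code of any manager named on this page: a generator built on Python's secrets module, plus an entropy comparison that shows why the length rule buys more than any single extra character class. The special-character set and the sample lengths are assumptions.

```python
import math
import secrets
import string

# Character classes a generator draws from. The special-character set is an
# assumption (a printable subset most sign-up forms accept); the rest are standard.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}
POOL = "".join(CLASSES.values())


def generate_password(length=20):
    """Return a random password that is guaranteed to contain every class.

    secrets (the OS CSPRNG) is used instead of random, whose Mersenne Twister
    output becomes predictable once a few values are known.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)} to cover every class")
    # One character per class first, so the mixing rules hold by construction...
    chars = [secrets.choice(alphabet) for alphabet in CLASSES.values()]
    # ...then fill the rest from the whole pool...
    chars += [secrets.choice(POOL) for _ in range(length - len(chars))]
    # ...and shuffle with the same CSPRNG so the class positions are not predictable.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def covers_all_classes(pw):
    """True when at least one character of every class is present."""
    return all(any(c in alphabet for c in pw) for alphabet in CLASSES.values())


def entropy_bits(length, pool_size):
    """Entropy of a uniformly random string: length * log2(pool size)."""
    return length * math.log2(pool_size)


def length_vs_pool_table():
    """Rows of (length, pool, bits): adding characters outweighs widening the pool."""
    rows = []
    for length in (8, 12, 16, 20):
        for pool in (26, 62, len(POOL)):
            rows.append((length, pool, round(entropy_bits(length, pool), 1)))
    return rows


if __name__ == "__main__":
    for _ in range(3):
        pw = generate_password(20)
        print(pw, covers_all_classes(pw))
    for length, pool, bits in length_vs_pool_table():
        print(f"{length:2d} chars from a pool of {pool:3d}: {bits:6.1f} bits")
```

The table makes the trade-off concrete: sixteen lowercase letters carry more entropy than eight characters drawn from the full pool, which is why the length rule above comes before the mixing rules in practice.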
KeePass. It is the ‘granddaddy’ among open source password managers and has been around since the days of Windows XP. KeePass stores passwords in an encrypted database that you can access using a password or digital key. You can import and export passwords in a wide variety of formats.
Bitwarden. Especially intended for LastPass users looking for a more transparent alternative, it works as a web service that you can access from any desktop browser, while Android and iOS have their respective mobile apps. Bitwarden can share passwords and has secure access with multi-factor authentication and audit logs.
Passbolt. A self-hosted password manager designed specifically for work teams. It integrates with online collaboration tools such as browsers, e-mail and chat clients. You can self-host it on your own servers to keep complete control of the data, although teams without the expertise or infrastructure can use a cloud version hosted on the provider's servers.
Psono. Psono is another option for teams looking for open source enterprise password management software. This is a self-hosted solution that offers an attractive web-based client written in Python, with source code available under the Apache 2.0 license.
Teampass. A team-oriented manager with an offline mode that we like: you export your items to an encrypted file that can be used in locations without connectivity. Teampass is not the prettiest application in the world, but the design is tremendous and you can quickly define roles, user privileges and folder access.
And if you want this kind of software on mobile, there are also specialized developments such as these six password managers for Android that we covered recently.
Managers in browsers
If you don’t want to use third-party managers, another option is the password managers built into the browsers themselves. Chrome, the leader in the segment, has improved their performance and capabilities considerably in the latest versions by including features offered by the specialized managers above, such as detection of compromised passwords, a warning when you create a weak one, or very simple editing of the password in the manager itself.
The manager stores them securely, lets you manage them at chrome://settings/passwords, and uses them to fill in the username and password fields the next time you visit a website. This is very similar to what Mozilla has been doing for Firefox with its ‘Password Manager’, which is one of the best in web browsers. Microsoft’s Chromium-based Edge also has its own manager, which offers the basics of a dedicated one.
A further reminder this World Password Day 2023 to raise awareness of the need to invest a few minutes of our time in a crucial element of Internet and digital home security. And there are no excuses: we have the information and the means. Let’s not make it so easy for the criminals.