Blog

Informative, up-to-date and exciting – the Oneconsult Cybersecurity Blog.

Passwords: Common Mistakes, Best Practices & Tips
Sandro Affentranger
|
04.05.2023
(updated on: 09.09.2024)

May 4, 2023 is World Password Day. This day takes place every year on the first Thursday in May and aims to raise awareness about the importance of secure passwords. The aim is to educate about best practices in password management and encourage people to take steps to improve the security of their online accounts.

Passwords: Common Mistakes, Best Practices & Tips

In today’s digital world, passwords have become an integral part of our everyday lives. From social media to online banking, we rely on passwords to protect our personal data and online accounts. Despite of this importance, many people still make mistakes when it comes to their passwords that compromise their security. The World Password Day is an opportunity to reflect on our password practices and take steps to increase their security. In this blog post, we look at the importance of passwords, common mistakes, and strategies for creating strong passwords to best protect our online accounts.

Common Password Mistakes

Nowadays, you usually need an account with a password to access services in both private and business environments. Since most people have several of such accounts, they quickly accumulate a large number of accounts for which a correspondingly large number of passwords are required. According to a report by the company LastPass, which develops the password manager of the same name, its business customers store an average of 191 passwords – and the number is growing.

Although passwords are so ubiquitous and important, the same mistakes are made over and over again when dealing with them:

Using weak passwords

Many people use passwords that are easy to guess or crack. They are often short, simple, and use common words or phrases that can be easily guessed by hackers using special software. For example, “password”, “123456” or “qwertz” are all weak passwords that are commonly used. Personal data such as name, date of birth or address are also frequently used. Such information can easily be found out by hackers.

Using the same passwords for several accounts

Using the same password is tempting, but poses a serious security risk. Hackers can exploit data leaks to use automated tools to try out the stolen usernames and passwords on another service or platform. Consequently, they could access multiple accounts at once with one password.

Password sharing

People who share their passwords with others are putting their security at risk. When multiple people use the same account, this causes a lack of traceability. It can be difficult to determine who is responsible for the actions performed with that account and holding that person accountable.

No two-factor authentication

Using two-factor authentication as another security measure further protects your accounts. If only a username and password are required to access an account, it is more vulnerable to hacking attacks. If an attacker gets hold of the credentials, they can easily access the account and steal personal data or perform malicious activities.

Tips & Tricks

Here are some important tips and tricks for creating and managing strong passwords to best protect your online accounts and prevent unauthorized access.

Use Strong Passwords

There are several strategies for creating strong passwords to protect your accounts from unauthorized access. Here are a few tips:

  • Avoid common words and phrases like “password” or “123456” as they can be easily guessed by hackers.
  • Do not use personal information in your password, such as your name, date of birth, or address, as they can be easily found out or guessed by hackers.
  • Use long passwords. As a rule, the longer a password is, the harder it is to crack. Aim for a password with at least 12 characters.
  • Use a passphrase: a combination of several words instead of a single word. For example, “Blue elephants in the clouds 12” is a strong passphrase, and still easy to remember.
  • Choose a mnemonic sentence and take the first letter of each word as well as numbers and special characters for your password. As an example, the sentence “I always drink my coffee at 5 past 9. ” would thus result in the password “Iadmca5p9”.

Use Unique Passwords

You should use a separate password for each account. However, since it is difficult to remember so many passwords, a password manager, where you can create and save unique passwords for each account, can help. This way, you will not have to remember several complex passwords. Of course, it is important that access to the password manager is very well protected.

If someone does not want to use a password manager, there are still strategies to create strong passwords that are unique for each service. For example, use a formula or pattern that combines a base password with a unique identifier for each service. For example, you could use “My-secure-password!1” as your base password and append the name of the service to the end of the password. So for Gmail, your password would be “My-safe-password!1Gmail” and for Facebook it would be “My-safe-password!1Facebook”. However, if one of these passwords is stolen, it is important to change the pattern and all passwords.

Active Two-Factor Authentication

Enabling two-factor authentication (2FA) is another highly recommended security measure that can significantly improve the security of your accounts and is still helpful even if you use strong and unique passwords.

When two-factor authentication is enabled, you must provide a second authentication factor in addition to your password, such as a fingerprint scan, security token, or verification code sent to your phone. This means that even if a hacker manages to steal your password, they will still need access to your second authentication factor to access your account.

Many services and platforms offer two-factor authentication as an option, and it is important that you enable it whenever possible. You can check your account security settings to see if two-factor authentication is available and set it up.

Check if Your Passwords Have Been Leaked

There are several services that can be used to check whether you have been affected by a data leak. For example, the Australian security expert Troy Hunt operates the services “Have I Been Pwned” and “Pwned Passwords”.

“Have I Been Pwned”

With the platform “Have I Been Pwned” it is possible to perform a check if you have been affected by known data leaks. If you enter your email address, you will receive a list of data leaks in which this address was affected. It is also possible to register to be notified of new data leaks with the affected email address.

Have I Been Pwned Website

“Pwned Passwords”

As the name suggests, “Pwned Passwords” is a collection of known compromised passwords. You can enter your password and find out not only whether it occurs in data leaks, but also how often. Of course, one should be very careful when entering their password on a website. “Pwned Passwords” implements a k-anonymity model to prevent compromising the password during the check itself. Therefore, when verifying a password, the password is first hashed, with only the first 5 characters of the hash sent to the server. The server then responds with all hashes starting with the transmitted substring. Subsequently, a check is made locally in the browser to determine whether or not the password is in a leak. The password leaves the browser and the server does not know which password was checked. 

Pwned Passwords Website

Conclusion

World Password Day is a reminder that passwords play a crucial role in our online security. It is important to use them carefully, avoid common mistakes like weak passwords and re-use. Instead, the key is to rely on strong and unique passwords for each service. By following these guidelines and enabling additional security measures like two-factor authentication, we can take important steps to protect our online accounts and personal data.

Although there are efforts to move away from passwords and use more secure authentication methods, for the time being, we will have to rely on passwords as the main method of securing our online accounts. Therefore, it is important to remain vigilant and take the necessary precautions to ensure that our passwords are strong, unique and secure.

A Password Quality Audits by a Penetration Testing Team can help bring clarity to you and your company. The security can also be increased by an Awareness Training about password use at the Cyber Security Academy.  In these as well as in all other cybersecurity topics, we are happy to be of service. We look forward to hearing from you:

Author

Sandro Affentranger is part of the Oneconsult Red Teaming & Penetration Testing team since October 2017, performing security tests of any networked components and systems.

LinkedIn

Don’t miss anything! Subscribe to our free newsletter.

Your security is our top priority – our specialists provide you with professional support.

Availability Monday to Friday 8:00 a.m. – 6:00 p.m (exception: customers with SLA – please call the 24/7 IRR emergency number).

Private individuals please contact your trusted IT service provider or the local police station.

For more information about our DFIR services here:

QR_CSIRT_2022_EN@2x
Add CSIRT to contacts