Skip to main content

The one and only password tip you need. Almost everything we told you about passwords was wrong!

Posted: by
https://www.malwarebytes.com/blog   

OK, it’s time for me to keep a promise.

Back in October 2022, I wrote an article called Why (almost) everything we told you about passwords was wrong. The article summarizes how a lot of what you’ve been told about passwords over the years was either wrong (change your passwords as often as your underwear), misguided (choose long, complicated passwords), or counterproductive (don’t reuse passwords).

Most damningly of all, the vast effort involved in dispensing this advice over decades has generated little discernible improvement in people’s password choices. If it hasn’t quite been a wasted effort, it has certainly represented a galactically inefficient use of resources.

We know that this advice isn’t what it’s cracked up to be thanks to intrepid researchers, such as the folks Microsoft Research, who made it their business to discover what actually makes a difference to password security in the real world, and what doesn’t.

If you want the full, three-course meal version of why all the password advice you've been told stacks up to much less than the sum of its parts you can read the original article. Here's the snack version:

How strong, long, and complicated your password is almost never matters in the real world. The most common type of password attack is credential stuffing, which uses passwords stolen in data breaches. It works because it's so common for people to reuse the same password in two places and it is completely unaffected by password strength. The next most common attack is password spraying, where criminals use short lists of very simple passwords on as many computers as possible. In both situations a laughably simple but unique password is good enough to defeat the attack.

There are rare types of attack—offline password guessing—where a strong password might help, but the trade-off is that strong passwords are far harder for people to remember, which leads them to use the same password for everything, which makes them much more vulnerable to credential stuffing. Notebooks are a really good, simple solution to the password reuse problem, but for years people were ridiculed for using them. Password managers are also a good solution but they are much harder to use than notebooks and a majority of people don't use them, and don't trust them, despite years of positive press and advocacy.

OK, back to the promise I mentioned.

As somebody who has done his fair share of dispensing this kind of advice, I ended my Why (almost) everything we told you about passwords was wrong article with a mea culpa in the form of a promise. Never again would I dish out laundry lists of things you should do to your password. I would instead focus my energy on getting you to do one thing that really can transform your password security, which is using Two-Factor Authentication (2FA):

So, from now on, my password advice is this: If you have time and energy to spare, find somewhere you’re not using 2FA and set it up. If you do I promise never to nag you about how weak your passwords are or how often you reuse them ever again.

Well, today is World Password Day, and it’s time to make good on that promise. I was asked to write a list of password tips, so here they are:

  • Set up 2FA somewhere.

To explain why I’m all-in for 2FA I can’t do any better than quote Microsoft’s Alex Weinert from his 2019 article, Your Pa$$word doesn’t matter. (He calls it MFA but he means the same thing, I’ll explain why lower down).

Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.

Yes, he wrote 99.9%, and he wasn’t exaggerating. 2FA defeats credential stuffing, password spraying, AND password reuse, AND a bunch of other attacks.

Even if you don't know what 2FA is, you've probably used it. If you’ve ever typed in a code from an email, text message or an app alongside your password you’ve used 2FA.

In the real world, 2FA just means “do two different things to prove it’s you when you log in”. One of those things is almost always typing a password. The other thing is often typing a six-digit code you get from your phone, but it might also be responding to a notification on your phone or plugging in a hardware key (a small plastic dongle that plugs into a USB port and does some fancy cryptographic proving-its-you behind the scenes).

2FA is very widely supported and any popular website or app you use is likely to offer it. In an ideal world those sites and apps would take responsibility for your security and just make 2FA a mandatory part of their account setup process. Unfortunately, we don’t live in an ideal world, and the tech giants that know better than anyone else how much 2FA can protect you have left it for you to decide if you need it.

To make your life a little harder still, they also give it different names. You’ve already met MFA, which means multi-factor authentication, while Google, WhatsApp, Dropbox, Microsoft, and others brand their version of 2FA with a slightly altered name: two-step verification (2SV).

If you have a choice, the best form of 2FA is a password and hardware key, but you’ll need to buy a hardware key. They are worth the small investment and not nearly as intimidating as they can seem.

If you aren’t ready for that, the next best form of 2FA uses an app that prompts you with a notification on your phone. The next best after that is 2FA which uses a code from an app on your phone, and the least good version of 2FA uses a code sent over SMS.

However, don't let anyone tell you any form of 2FA is "bad." It's all relative. Adopt any one of them and you can safely ignore the rest of the password advice you were probably ignoring already.

To help you get started, here are links to the 2FA setup instructions for the five most visited websites:

Comments

Popular posts from this blog

Digital Payments Lead the Way Globally: Key Insights from Worldpay Study

According to a recent Worldpay study, digital payments are rapidly becoming the preferred choice worldwide. The research highlights significant shifts in consumer behavior and payment preferences, driven by technological advancements and the growing acceptance of cashless transactions. Key findings from the study reveal that digital payments now account for a substantial portion of global transactions. Mobile wallets, contactless payments, and online banking are gaining traction, reflecting consumers' desire for convenience and speed. This trend is especially prominent in regions like Asia Pacific, where mobile payment adoption is leading the charge. The study also emphasizes the importance of security in fostering consumer trust in digital payments. As fraud concerns continue to rise, businesses must prioritize robust security measures to protect customer information and enhance the payment experience. Moreover, the transition to digital payments is not just about c...

Embracing ARMs And Battling Members’ Misconceptions

With adjustable-rate mortgages back in fashion, credit unions are educating members about the ins and outs of these products, dispelling misunderstandings along the way. With housing stock low, home prices high, and interest rates showing no signs of coming down, many credit unions are turning to adjustable-rate mortgages to help would-be borrowers find a home. ARM loans gained a bad reputation after the 2008 housing crisis and the Great Recession, but credit union leaders insist that with the right education and a clear understanding of how the product works, adjustable-rate mortgages can be an ideal solution for would-be homeowners. The Big Picture53% of those who don’t own a home believe homeownership is out of reach, according to a study from Northwestern Mutual . 58% of millennials feel this way, but roughly half of baby boomers and Gen X share the sentiment. According to Federal Reserve data, the average price of a home topped $510,000 at the end of 2024. That’s 32% higher than f...

Jim Nussle To Retire From America’s Credit Unions

  WASHINGTON—America’s Credit Unions President and CEO Jim Nussle plans to retire from the trade association, ACU announced. ACU said Nussle did not specify an exact date for his retirement but rather expressed his desire to provide the ACU board the “full flexibility” to conduct a search for a CEO over the next several months on a timeline of their choosing, and to ensure his ongoing efforts to champion the organization’s advocacy agenda.   Jim Nussle “Serving credit unions is a deep personal privilege. After a long career in advocacy from both sides of the policy making table, leading CUNA and the honor of helping to create and lead America’s Credit Unions, it is soon time for me to pursue new interests in retirement. My announcement today is intended to provide the board the time to conduct a thorough national search to find the next leader for the Association,” Nussle said.  “My full and ongoing focus will be on our intensive credit union advocacy efforts to prot...

Havoc.’ ‘Debacle.’ Analysts See Rough Road Ahead for Autos With Tariffs

WASHINGTON–What’s known: should President Trump’s tariffs remain in place, new and used vehicle prices are going to get even higher. The unknown: Will members stop buying cars, move from new to used, or given how many buy cars according to payment, move to less-expensive models? The tariffs also may create challenges for credit unions that serve some autoworkers. All of those questions and more remain much in flux with analysts predicting  auto prices could rise by $5,000 to $10,000 per vehicle and wreak havoc on the market as the result of 25% import tariffs on vehicles and auto parts.   As the CU Daily reports separately, however, Black Book believes automakers will spread out the incremental cost of tariffed vehicles across their entire showroom to retain relative vehicle transaction prices. Still, the company expects tariffs to push the average transaction price on vehicles to more than $50,000. ‘A Debacle’ “The tariffs are a debacle of epic proportions for the a...

Zelle Discontinues Standalone App, Shifts Users to Bank and Credit Union Platforms

SCOTTSDALE, Ariz.—The standalone Zelle app is no longer available for sending or receiving money. Users are now encouraged to enroll through a participating bank or credit union’s app to continue using the peer-to-peer payment service, PYMNTS reported. Zelle had announced in an Oct. 31  blog post  that it would make this change, and it completed the move as of Tuesday (April 1), according to a frequently asked questions  page  on its website PYMNTS said/ “More than 2,200 banks and credit unions across the U.S. now offer Zelle through their mobile app or online banking site,” the company said on the FAQ page. “As a result of this growth, in October of 2024, we announced that we are removing the ability for users to send or receive money using the Zelle app starting April 1, 2025.” PYMNTS noted that the page advised users of the Zelle app to visit a “find your bank” page on its website to see if their bank or credit union offers Zelle; to...