Skip to main content

The one and only password tip you need. Almost everything we told you about passwords was wrong!

Posted: by
https://www.malwarebytes.com/blog   

OK, it’s time for me to keep a promise.

Back in October 2022, I wrote an article called Why (almost) everything we told you about passwords was wrong. The article summarizes how a lot of what you’ve been told about passwords over the years was either wrong (change your passwords as often as your underwear), misguided (choose long, complicated passwords), or counterproductive (don’t reuse passwords).

Most damningly of all, the vast effort involved in dispensing this advice over decades has generated little discernible improvement in people’s password choices. If it hasn’t quite been a wasted effort, it has certainly represented a galactically inefficient use of resources.

We know that this advice isn’t what it’s cracked up to be thanks to intrepid researchers, such as the folks Microsoft Research, who made it their business to discover what actually makes a difference to password security in the real world, and what doesn’t.

If you want the full, three-course meal version of why all the password advice you've been told stacks up to much less than the sum of its parts you can read the original article. Here's the snack version:

How strong, long, and complicated your password is almost never matters in the real world. The most common type of password attack is credential stuffing, which uses passwords stolen in data breaches. It works because it's so common for people to reuse the same password in two places and it is completely unaffected by password strength. The next most common attack is password spraying, where criminals use short lists of very simple passwords on as many computers as possible. In both situations a laughably simple but unique password is good enough to defeat the attack.

There are rare types of attack—offline password guessing—where a strong password might help, but the trade-off is that strong passwords are far harder for people to remember, which leads them to use the same password for everything, which makes them much more vulnerable to credential stuffing. Notebooks are a really good, simple solution to the password reuse problem, but for years people were ridiculed for using them. Password managers are also a good solution but they are much harder to use than notebooks and a majority of people don't use them, and don't trust them, despite years of positive press and advocacy.

OK, back to the promise I mentioned.

As somebody who has done his fair share of dispensing this kind of advice, I ended my Why (almost) everything we told you about passwords was wrong article with a mea culpa in the form of a promise. Never again would I dish out laundry lists of things you should do to your password. I would instead focus my energy on getting you to do one thing that really can transform your password security, which is using Two-Factor Authentication (2FA):

So, from now on, my password advice is this: If you have time and energy to spare, find somewhere you’re not using 2FA and set it up. If you do I promise never to nag you about how weak your passwords are or how often you reuse them ever again.

Well, today is World Password Day, and it’s time to make good on that promise. I was asked to write a list of password tips, so here they are:

  • Set up 2FA somewhere.

To explain why I’m all-in for 2FA I can’t do any better than quote Microsoft’s Alex Weinert from his 2019 article, Your Pa$$word doesn’t matter. (He calls it MFA but he means the same thing, I’ll explain why lower down).

Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.

Yes, he wrote 99.9%, and he wasn’t exaggerating. 2FA defeats credential stuffing, password spraying, AND password reuse, AND a bunch of other attacks.

Even if you don't know what 2FA is, you've probably used it. If you’ve ever typed in a code from an email, text message or an app alongside your password you’ve used 2FA.

In the real world, 2FA just means “do two different things to prove it’s you when you log in”. One of those things is almost always typing a password. The other thing is often typing a six-digit code you get from your phone, but it might also be responding to a notification on your phone or plugging in a hardware key (a small plastic dongle that plugs into a USB port and does some fancy cryptographic proving-its-you behind the scenes).

2FA is very widely supported and any popular website or app you use is likely to offer it. In an ideal world those sites and apps would take responsibility for your security and just make 2FA a mandatory part of their account setup process. Unfortunately, we don’t live in an ideal world, and the tech giants that know better than anyone else how much 2FA can protect you have left it for you to decide if you need it.

To make your life a little harder still, they also give it different names. You’ve already met MFA, which means multi-factor authentication, while Google, WhatsApp, Dropbox, Microsoft, and others brand their version of 2FA with a slightly altered name: two-step verification (2SV).

If you have a choice, the best form of 2FA is a password and hardware key, but you’ll need to buy a hardware key. They are worth the small investment and not nearly as intimidating as they can seem.

If you aren’t ready for that, the next best form of 2FA uses an app that prompts you with a notification on your phone. The next best after that is 2FA which uses a code from an app on your phone, and the least good version of 2FA uses a code sent over SMS.

However, don't let anyone tell you any form of 2FA is "bad." It's all relative. Adopt any one of them and you can safely ignore the rest of the password advice you were probably ignoring already.

To help you get started, here are links to the 2FA setup instructions for the five most visited websites:

Comments

Post a Comment

Please no profanity or political comments.

Popular posts from this blog

Open Banking To Hit $94B By 2029—But U.S. Lags Amid Global Surge

Watch our Video on Understanding Open Banking NEW YORK—By 2029, open banking is projected to surge globally to a staggering $94.14 billion in value. Yet despite its rapid evolution and expanding global footprint, adoption remains uneven—hindered by inconsistent regulatory frameworks across countries. According to GlobalData, this disparity poses a key challenge for the sector’s success, with the U.S. notably trailing behind global peers in embracing open banking. The U.K. pioneered open banking and continues to be one of the leaders globally. The country has seen the number of users increasing, with there being 12.09 million active users of open banking in 2024 and 223.9 million payments made. This is an increase of 72% compared to the year before. “As open banking continues to flourish, it is positive to see that the Financial Conduct Authority (FCA) and Payment Systems Regulator (PSR) have outlined how open banking can expand further in the U.K., and also be used in variable...
Post a Comment
Read Complete Article HERE>»

Sunday Reading - What is the Declaration of Independence?

What is the Declaration of Independence ? The Declaration of Independence is the founding document that formally announced the American colonies' break from British rule. It laid the philosophical and moral foundation for American democracy, asserting that individuals possess inherent rights and that governments must be accountable to the people ( read summary here ). Although Thomas Jefferson is often remembered as the sole author ( read initial draft ), extensive collaboration shaped the Declaration. Benjamin Franklin and John Adams made small but impactful revisions— including Franklin’s reported suggestion  to change “We hold these truths to be sacred and undeniable” to “self-evident”—before submitting the draft to Congress. On July 4, 1776, the final text was adopted and sent to printer John Dunlap, who produced an estimated 200 broadsides that night—but that wasn’t the actual day of American independence . Congress had voted for independence two days earlier, ...
Post a Comment
Read Complete Article HERE>»

Why Avoiding "I" in Marketing Presentations Matters

  Grant Sheehan, CCUE | CCUP | CEO NCOFCU  You know how things just stick with you? Well, many years ago, my marketing professor started off his class with the following, and it has never left me.  The Power of Perspective: Why Avoiding "I" in Marketing Presentations Matters In the world of marketing, effective communication is paramount. One valuable piece of advice that often comes from experienced instructors and industry veterans is the importance of avoiding the use of the word “I” in presentations and reports. At first glance, this may seem counterintuitive; after all, many individuals feel that personal anecdotes and experiences can enhance a message. However, upon deeper reflection, the reasoning behind this approach reveals itself as essential for achieving impactful communication. Building Objectivity When marketing professionals present their findings or insights, it’s important to establish credibility. Utilizing data, surveys, and feedback from cu...
Post a Comment
Read Complete Article HERE>»

๐Ÿ‘จ‍๐Ÿ‘ฉ‍๐Ÿ‘ง‍๐Ÿ‘ฆ You Need to Prepare Now to Compete for New Fed Gov’t Funded Savings Accounts for Children

WASHINGTON–Credit unions, which often talk about the need for younger members, will now have the opportunity to compete in a new arena for the youngest members of all, as the recently passed reconciliation bill includes language creating and funding for a new savings account for children, with a one-time deposit of $1,000 from the federal government for those born in 2025 through 2028. The new accounts are expected to create a new battleground of competition for credit unions as every provider from banks to fintechs to others seeks to capture the accounts.  The final version of the bill makes the tax-free savings accounts for minors, called Trump accounts, a form of individual retirement account (IRA) under Sec. 408(a), according to the Journal of Accountancy. Under the legislation, the accounts will be IRAs (but not Roth IRAs) for the exclusive benefit of individuals under 18.  About the Contributions “Contributions can only be made in calendar years before the beneficia...
Post a Comment
Read Complete Article HERE>»

Agencies Issue Exemption Order To Customer Identification Program (CIP) Requirements

WASHINGTON--The Federal Deposit Insurance Corporation, the Office of Comptroller of the Currency, and NCUA, with the concurrence of the Financial Crimes Enforcement Network, issued an order Friday granting an exemption from a requirement of the Customer Identification Program (CIP) Rule implementing Section 326 of the USA PATRIOT Act. The CIP Rule requires a bank or credit union to obtain taxpayer identification number (TIN) information from its customer before opening an account, and the exemption permits a bank or credit union to use an alternative collection method to obtain TIN information from a third-party rather than from the customer, the agencies stated in a joint release. The order applies to accounts at all entities supervised by the agencies. "Since the CIP Rule was issued initially in 2003, there has been a significant evolution in the ways consumers access financial services, along with a rise in reported customer reluctance to provide their full TIN due, in part, to...
Post a Comment
Read Complete Article HERE>»