Change Your Password Day

Your banking, email and online accounts contain important information that makes up your digital identity. Passwords have been used as a means to protect that information since the earliest days of personal computing.

Because a password is something you ‘know’, there’s always a chance you could forget it. Similarly, it’s possible someone could guess it, particularly if you’ve chosen something obvious like ‘123456’, or it contains easily discoverable information like your date of birth. And of course, as last year’s data breaches at Medibank and MyDeal proved, even the strongest password can be stolen.

For these reasons and others, having strong, unique passwords that are changed regularly is essential to maintain your online security and privacy. In this article, we look at the history of Change Your Password Day, what makes a strong password, the pros and cons of password managers, and what a password-less future might look like.

Change Your Password Day

Held on February 1 every year, Change Your Password Day was created by tech journalist Matt Buchanan in 2012. As someone who had suffered two hacks himself, Buchanan was especially concerned by how many people used passwords that the average 12-year-old could guess.

Here are the top five most commonly-used passwords from 2012:

• password
• 123456
• 12345678
• abc123
• qwerty

Now, you’re probably thinking people aren’t quite so naïve these days, right? Wrong. The uncomfortable truth is, the list has barely changed a whole decade later.

Here are the top five most commonly-used passwords from 2022:

• password
• 123456
• 123456789
• guest
• qwerty

Furthermore, a report in March from cybersecurity firm SpyCloud found that 64% of users reuse passwords for multiple accounts, and that 70% of credentials compromised in previous breaches are still in use.

So, in addition to needing ‘strong’ (i.e., difficult, if not impossible, to guess) passwords, it’s clear that they need to be changed on a regular basis too.

What makes a strong password?

A strong password:

• Consists of a mix of letters, numbers and symbols (e.g., a question mark or underscore).
• Has the symbols in the middle, not just at the start or the end.
• Uses as many characters as is realistically possible. Using a passphrase like a passage from your favourite book is a great way of generating a strong, memorable password.
• Doesn’t contain easily discoverable personal information like your date of birth, children’s names or your address.
• Avoids using common words that can be found in a dictionary.

As mentioned above, a passphrase (i.e., a series of words that is easy for you to remember but difficult for others to guess) is preferable to a single word.

Additionally, you should avoid using the same password for different accounts and never share them with anyone, ever!

Multifactor Authentication

As strong as a password may be, having a second factor of authentication is considered best practice for keeping your information private.  Multifactor authentication is an approach that requires more than one method to positively identify you. Many applications today, including social media and email services, offer multifactor authentication (MFA) functionality capable of blocking the majority of automated attacks.

Password Managers

Given the need to create and remember unique passwords for all your services, the obvious question is, “How do I keep track of them all?” That’s where password managers come in. A password manager allows you to store all your passwords in one place, protected by a ‘master password’. The addition of multifactor authentication (see above) further safeguards your privacy and security.

Many of the top password managers can generate strong, complex passwords so you don’t have to come up with them on your own and, as an added bonus, they will work across all your devices!

Biometrics

Given the inherent flaws in passwords, people have been thinking about alternatives for a long time. In fact, some are in use already. Newer smartphones employ what’s known as biometrics, meaning you can unlock them using a finger or thumbprint, or even just your face.

Not only is this much more convenient than using a password, it’s also many times more secure. As Stephen Cox, chief security architect of SecureAuth, puts it, "A password is something you know. A device is something you have. Biometrics is something you are.”

A future without passwords

Many of the big technology companies will soon support a means to use online applications without the need for passwords altogether. Security experts believe this will help protect customers from many of the common social-engineering attacks.

Sampath Srinivas, Director of Security Authentication at Google and President of the FIDO Alliance, has said that under the new system your phone will store a “passkey” which will be used to unlock your online account.

“The passkey makes signing in far more secure, as it’s based on public key cryptography and is only shown to your online account when you unlock your phone,” Srinivas wrote. “To sign into a website on your computer, you’ll just need your phone nearby and you’ll simply be prompted to unlock it for access. Once you’ve done this, you won’t need your phone again and you can sign in by just unlocking your computer.”

Johannes Ullrich, Dean of Research for the SANS Technology Institute, called the announcement, “by far the most promising effort to solve the authentication challenge.”

That’s all a little way off though. In the meantime, we’re mostly stuck with passwords. This being the case, be sure to mark Change Your Password Day tomorrow to keep your personal information as secure as possible.

• For more information about digital security, check out our article about how to avoid online scams.