To prepare for and in honor of National Change Your Password Day (NCYPD) on February 1, we are providing a refresher course in good password hygiene. (Look back at prior Privacy Perils.) NCYPD is only one of at least three days across the world promoting password security. Others include March 1 (designated by the Better Business Bureau) and World Password Day on May 7. Celebration of these “holidays,” publication of numerous password articles, the re-telling of password horror stories, and other password education over the past few years have dramatically increased awareness of the need for password security and radically changed user behavior, as plainly seen from this comparison of the annual lists of worst passwords:
| Password | 2015 Rank | 2019 Rank |
| --- | --- | --- |
| 123456 | 1 | 1 |
| 123456789 | 6 | 2 |
| Qwerty | 4 | 3 |
| Password | 2 | 4 |
| 1234567 | 9 | 5 |
| 12345678 | 3 | 6 |
| 12345 | 5 | 7 |
| Iloveyou | — | 8 |
| 111111 | 14 | 9 |
| 123123 | — | 10 |
Despite this progress, we are offering a five-part mini-series that will serve as an update on password creation and management. Part I below will touch on the role, goals and hurdles of password creation and management.
Part I. Password Security Role, Goals and Hurdles
Before getting to practical password security suggestions, a few preliminary notes are in order:
First, these Tips do not tackle the use of multifactor authentication (MFA) previously addressed. MFA (a combination of what you know, what you have, who you are, and where you are) remains the gold standard of password security and should be used whenever available. Unfortunately, not all sites offer MFA. A list of those sites that do allow for use of MFA can be found here. Alternatively, on your personal PC or laptop you might opt to download and install a browser plugin that automatically notifies you when a site supports MFA (Better Account Security with Multi Factor Authentication (John Opdenakker)).
Second, no amount of good password hygiene will protect against the most prevalent method of privacy breaches and data loss – old-fashioned phishing schemes.
Any useful password security option should comply with the Golden Rules of password creation and use – passwords should be unique across sites, they should be relatively complex, and yet they should be easy to remember. These simple, common-sense rules are often frustrated because different sites mandate different password criteria, including a minimum (typically six) and/or maximum (typically eight to 12) number of characters, and requiring the use of numbers, lowercase and uppercase letters, and/or special symbols. These rules may be further complicated by the imposition of password expiry dates. (Perhaps surprisingly, some in the cybersecurity field are beginning to question the need for regularly forced password changes.) In part because of these restrictions, there is no one best method of password management.
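The following Python script is an added example, not code from the Privacy Perils post. It puts two of the Golden Rules and the site-imposed criteria described above into a small policy checker: a password is rejected if it appears on the 2019 worst-passwords list from the table (screening candidates against a list of commonly used passwords is what NIST SP 800-63B recommends in place of forced periodic changes), if it falls outside a site's minimum or maximum length, or if it lacks a required character class, and a separate helper flags the same password reused across sites. The two site policies (`LENIENT` and `STRICT`) and the sample passwords are constructed for illustration; they show concretely how a long passphrase that one site accepts is rejected by another site's 12-character cap.

```python
"""Password policy checker.

Added example for the Privacy Perils post, not code from the original page.
The blocklist is the 2019 column of the post's worst-passwords table; the two
site policies and the sample passwords are constructed for illustration.
"""
import string
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Worst passwords of 2019 from the post, compared case-insensitively.
WORST_PASSWORDS_2019 = frozenset(
    p.lower()
    for p in ["123456", "123456789", "Qwerty", "Password", "1234567",
              "12345678", "12345", "Iloveyou", "111111", "123123"]
)


@dataclass(frozen=True)
class Policy:
    """Password criteria a single site imposes (constructed fields)."""
    name: str
    min_length: int = 6
    max_length: Optional[int] = None
    require_digit: bool = False
    require_lower: bool = False
    require_upper: bool = False
    require_symbol: bool = False


def check_password(password: str, policy: Policy) -> List[str]:
    """Return the rules the password violates; an empty list means it passes."""
    problems: List[str] = []
    if password.lower() in WORST_PASSWORDS_2019:
        problems.append("appears on the common-password blocklist")
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.max_length is not None and len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        problems.append("missing a digit")
    if policy.require_lower and not any(c.islower() for c in password):
        problems.append("missing a lowercase letter")
    if policy.require_upper and not any(c.isupper() for c in password):
        problems.append("missing an uppercase letter")
    if policy.require_symbol and not any(c in string.punctuation for c in password):
        problems.append("missing a special symbol")
    return problems


def reused_passwords(site_to_password: Dict[str, str]) -> Set[str]:
    """Return passwords used on more than one site (violating the uniqueness rule)."""
    counts: Dict[str, int] = {}
    for pw in site_to_password.values():
        counts[pw] = counts.get(pw, 0) + 1
    return {pw for pw, count in counts.items() if count > 1}


# Two constructed policies showing how site criteria conflict: a long
# passphrase that satisfies the lenient site is rejected by the strict one.
LENIENT = Policy("lenient-site", min_length=6)
STRICT = Policy("strict-site", min_length=8, max_length=12, require_digit=True,
                require_lower=True, require_upper=True, require_symbol=True)

if __name__ == "__main__":
    for candidate in ["123456", "Qwerty", "correct horse battery staple", "Tr0ub4dor&3"]:
        for policy in (LENIENT, STRICT):
            verdict = check_password(candidate, policy) or ["ok"]
            print(f"{candidate!r:32} {policy.name:13} {', '.join(verdict)}")
    # Constructed vault: the same password on two sites breaks the uniqueness rule.
    print(reused_passwords({"bank": "Tr0ub4dor&3", "email": "Tr0ub4dor&3", "forum": "Qwerty"}))
```

Run stand-alone, the script prints one verdict line per password and policy, so the reader can see that `correct horse battery staple` passes the lenient site but is rejected by the strict site solely because of length and character-class rules, while every entry from the worst-passwords table is rejected everywhere by the blocklist check alone.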
In the next three Privacy Perils we will discuss different ways to increase your password security practices within the parameters of the Golden Rules. Each of these password security suggestions may be used alone or in conjunction with the others.
Read the other installments of our five-part series:
- Privacy Perils: Refresher Course in Good Password Hygiene, Part 2 – Your Browser’s Built-in Password Manager
- Privacy Perils: Refresher Course in Good Password Hygiene, Part 3 – Third-Party Password Managers
- Privacy Perils: Refresher Course in Good Password Hygiene, Part 4 – Password Mnemonics
- Privacy Perils: Refresher Course in Good Password Hygiene, Part 5 – Parting Password Protection Pearls
Check out our series, Privacy Perils, to learn what steps you can take to guard your personal and company data. For more information about this topic and other cyber security concerns, please contact a member of our Privacy & Data Security team.