In ancient times, the Roman military devised an elaborate system of “watchwords” to distinguish friend from foe, effectively preventing enemies from entering controlled areas. Believed to be the first use of passwords, the Romans even deployed an intricate handoff system of authentication to ensure the current password was being used by all the approved commanders.
Today, passwords are woven into the fabric of everyday life at home, school, and work. They form the first line of defense to prevent unauthorized access to confidential data; financial, medical, and other sensitive records; and personally identifiable information online. They are also a highly coveted prize for malicious actors.
If passwords are so valuable, then, why are bad password habits so prevalent? Everyday, online users make decisions that favor convenience over security, reusing the same password over and over, despite the risks. Even the more security conscious among us often choose a password that’s easy to remember over one that’s hard to crack.
With our expanding digital world and technology reliance, data breaches will unfortunately continue to make headlines, reminding everyone to take password security seriously. Here are six password best practices to help guide the way.
Passwords and other means of user authentication, called credentials, are a primary target for hackers. A single cracked password, especially if reused, can open the door to multiple places that contain the information malicious actors seek. Compromised passwords account for 61% of breaches, according to the Verizon 2021 Data Breach Investigations Report.
Many consumers may have been affected by a data breach and don’t even know it. Have I Been Pwned? is a website that checks if your email, phone number, or password has been exposed in a data breach. The free service checks your credentials against username and password combinations that have appeared in a public data breach or leaked database.
Leading password managers such as Bitwarden integrate with Have I Been Pwned?, enabling account owners to run reports that reveal if their passwords, usernames, email addresses, or other credentials have been compromised.
The strongest passwords are unique, unpredictable, and long. In fact, length is critical. Consider these stats from Hive Systems: A hacker can brute force an 8-character password made up of numbers, upper- and lowercase letters, and symbols in just 39 minutes. But a hacker needs 1 billion years to crack a 16-character password of similar composition.
The number of characters used is no longer center stage when you use a passphrase. Often easier to remember than passwords, a passphrase is a random combination of words often separated by dashes that forms a unique phrase. For instance, agile-apple-princess-morse is a passphrase with four random words, each containing a different volume of characters in length.
Although long by design, passphrases aren’t inherently stronger than passwords and may be susceptible to dictionary attacks where hackers crack a password-protected system using a dictionary list of commonly used words and phrases. The risk of such attacks can be mitigated when passphrases are created with more unique separator characters, and the addition of numbers, or other random characters.
Bitwarden has a free password generator that will produce a strong, random passphrase for you. You can also use the free password strength tester to test the strength of your passwords or passphrases.
Two-factor authentication (2FA), also known as two-step login, two-step verification, or multifactor authentication, involves using more than one method to unlock your account, which makes it more secure than inputting only a username and password. 2FA has fast become mainstream— and will continue to gain a foothold.
Most two-factor setups generate a numeric code that expires within a set timeframe, from 30 seconds to a few minutes. These time-based one-time password (TOTP) codes integrate easily with 2FA implementations and have become the most popular method of 2FA among consumer, corporate, and government websites.
Users receive TOTP codes via SMS text message on a mobile phone, email, an authenticator app, or a security key. Some 2FA notification methods are more secure than others. Generally, authenticator apps are more secure than SMS or email notifications because they are not vulnerable to SIM-jacking (phone number stealing) and are a completely separate channel from email, which may be more susceptible to hacking. Some authenticators offer easy options to back up the original authentication keys, so that you can stay protected if you lose one device. Regardless of what method you use, having any 2FA is significantly more secure than none!
Password sharing offers real benefits and has become critical to how we operate both at home and at work. According to the Bitwarden 2022 Password Decisions Survey, the number of IT decision makers sharing passwords via email skyrocketed from 39% to 53% year over year, due in part to the rise in remote work stemming from the pandemic.
Easy, effective password sharing can improve productivity, promote collaboration, and enhance your overall experience online. The problems come when sharing takes place using unsecured methods, making sensitive company and employee data vulnerable to attack. Most email platforms, for example, are not encrypted. Copies of the contents are often saved in multiple places, including the provider’s backup servers. Given this, password sharing over email presents a huge security risk. Likewise, text messages are not protected by end-to-end encryption.
Safe and simple ways to share passwords and other sensitive data do exist. Bitwarden, for instance, has a one-to-one sharing tool that enables you to transmit a file or text directly to another person for a specific period of time and protects the information with end-to-end encryption. You can share private tax documents with your accountant, for example, with a secure link that can also be password protected for heightened security.
Despite a year of high-profile cyberattacks and increasing vulnerabilities sparked by remote work, nearly all (92%) of Bitwarden survey respondents admitted to reusing passwords across multiple sites.
Password reuse is widespread for a variety of reasons. Chief among them is users’ fear of forgetting logins and being locked out of their online accounts, along with plain password fatigue. Remembering dozens of passwords without help isn’t easy, and many people succumb quickly to the sheer convenience of using the same password for multiple accounts. But reusing the same password increases the likelihood that your account could be compromised by attacks such as credential stuffing. This form of cyberattack uses a bot that is programmed to take your leaked credentials from one website and try them on thousands of other websites in just a few seconds.
To ensure your online information remains secure, it’s important to use a different complex password for every unique account. The safest and most stress-free way to maintain your unique and complex passwords is to use a secure password manager.
A password manager helps you easily keep password security in check. Instead of having to remember dozens (or hundreds) of passwords for your online accounts, a password manager encrypts your password database with a master password. This master password is the only one you need to remember. In addition to safely storing all your passwords, a password manager can:
Generate random passwords for your accounts that are strong and difficult to crack
Enable you to share passwords securely where you control who has access
Sync with all of your devices so you can access all your logins from anywhere
Simplify changing and resetting your passwords
Store files, credit cards, identity, and other sensitive information
Share sensitive information, like tax or mortgage documents, in an encrypted environment
Some password managers, like Bitwarden, also integrate a variety of password-less authentication technologies such as Windows Hello, Face ID, Touch ID, and Android biometrics.
When you begin your search for the right password manager, it's important to start by learning how security is built into the password manager infrastructure. An important consideration is whether or not the provider uses end-to-end encryption while transmitting data. This ensures all of your sensitive data is encrypted before it ever leaves your device, so not even the provider itself can access the information. You can also consider how resistant the password manager is to known exploits and security vulnerabilities. Even a simple Google search can reveal if a provider has a history of breaches or has known vulnerabilities that may put its user data at risk. Finally, a trusted provider will conduct regular third-party audits and will adhere to security and compliance frameworks such as GDPR, SOC 2, and HIPAA.
An increasingly digital world requires ever more passwords. A password manager empowers you to have secure password habits without compromising on convenience. Moreover, it can bring you the peace of mind that comes with online security as a whole. If you’re ready to start taking control of your online security, check out why Bitwarden was recently ranked #1 among password managers in the SoftwareReviews data quadrant report. Join the millions of individuals, families, teams, and enterprises worldwide that rely on Bitwarden to securely manage and share passwords with a free Bitwarden account today.