Photo of a keyboard and a lock

Password change day – how to act

​Hello there Andrei Sabelfeld, Professor at the division of Information Security at Chalmers. January 20, is the annual Password Change Day set to remind us to review and change login to our Internet accounts. We often hear reports of leaked login information, hijacked accounts and are urged to choose a safe password. So how can we keep our accounts secure online?
What constitutes a good password?
A good password is both difficult to guess for someone else and difficult to detect with a password cracker but it’s at the same time easy for the user to remember. Tools for cracking passwords usually test typical patterns using common words in different languages, common passwords and passwords that have leaked before, so those are important factors to consider when choosing a new password.
There are various password meters for evaluating passwords, but one should be careful not to share sensitive password information for evaluation by a third party online.

Why change my password?
Unfortunately, password information is often breached. The list is long on companies and authorities, including Sony and Sega, where users' passwords have been leaked and circulated online. Therefore, it is important to change passwords sometimes.

How often should I change it?
It is good to change passwords every now and then, but at the same time you should not change them too often. It is not uncommon that guidelines tell us to change passwords, say every 90 days, but that can be quite confusing for the user. A rule of thumb is to change at least one, but preferably a few times a year and really consider your choice of password so that you can easily remember it, even after changing.

The security firm Splashdata has listed people's worst passwords, based on millions of leaked and scattered data. The 2019 list is topped by: "123456", "123456789" and "qwerty". In fourth place comes “Password”. What do you say about such passwords?
Unfortunately, it proves that users sometimes don't care about making stronger passwords. In addition, this shows that it is not always a good idea to rely on password-based authentication mechanisms.

Many people use the same password for multiple accounts. What is your word on that?
The problem with using the same password for multiple accounts is that leaked information about one account is enough to access other accounts with the same password. Different accounts may have different security requirements. Here, your email account is especially important. Because if the attacker manages to access an e-mail account, it is enough to reset the passwords of all accounts linked to that e-mail address. Therefore, one should take passwords for email account especially seriously.

What do you think about using a password manager?
One advantage is that password managers are good at generating strong passwords that the user does not need to remember. At the same time, some of the password managers have been susceptable to attacks. Therefore, one should be careful when choosing a password manager and make sure it is secure. There are both built-in password managers in most browsers and separate password managers that work on different devices.

To summarize, please give me your three best tips for my new passwords today?
  1. Try to avoid password-based authentication when possible. Use multifactor authentication, where instead of relying only on a single password, you present different proofs (factors) of your identity to log in. Such factors can be about something you know (for example, a password) combined with something you have (for example, a credit card) or something you are (for example, your fingerprint). Multifactor authentication is already widely used by, for example, the banks, which for their Internet services require either a bank card reader with a PIN code or a registered smartphone with software (Mobile Bank ID), which also requires a PIN code.
  2. If you do need a password, make sure to use a secure password manager.
  3. If you must come up with your own password, there are techniques to improve security. You often get the advice to use capital letters and special symbols, but such a password can be difficult to remember. One trick is to make up your own rule based on a phrase that is easy to remember. For example, you can pick the first letters of the words from a line in a song that is special to you and combine them with a few special symbols.

Text: Helena Österling af Wåhlberg
Photo: Pixabay/Anneli Andersson

Published: Mon 20 Jan 2020.