Popular misconceptions around passwords and their security could be holding workers back from achieving correct password hygiene for a solid cybersecurity posture, according to the passwords and secrets management provider Keeper Security.
Some three-quarters (75%) of respondents to a US survey by Google find dealing with IT passwords frustrating, the vendor’s CTO and co-founder Craig Lurey explained in a blog post — so it’s easy to understand why problems managing passwords and the like remain.
“You need to be careful about misinformation and what counts as good password hygiene,” Lurey wrote. “In reinforcing the need for stronger passwords, several opinions are shared – some of which are untrue.”
Lurey said nine popular myths and misconceptions continue to affect password practices, although passwords are typically the first line of defence against attackers.
It’s not true, for example, that you automatically strengthen a password by adding ‘special characters’ — such as & or ^ — and numbers, he said.
Reusing the same combination on multiple accounts makes your strong password susceptible to malicious actors. What’s needed instead is a combination of special characters and numbers that are unique to each account, he explained.
Another myth, he said, is a belief that complexity is more important than length of password.
“A 12-character password containing numbers alone will take only 25 seconds to crack, yet complex passwords that need to be changed every 90 days give employees headaches,” Lurey said.
As a result, workers can end up pasting passwords into a note, or even pasting sticky notes on computer screens.
To avoid successful brute force attacks involving credentials, passwords should be complex but also long — about 10 characters or more, he said.
“The shorter a password, the easier it is to guess.”
In a 2022 study by Keeper, 56% of respondents had reused their passwords.
Also, easy-to-memorise combinations involving pet names, addresses, maiden names and the like can be equally easy for attackers to discover — perhaps simply by searching social media.
“Passwords can be words that are easy to remember but should be within best practices. For example, having ‘northcarolina99’, being your place of birth, as your password will be better worded as ‘N0r+Hc^R0|in^99’,” Lurey noted.
Also, password-strength checkers should not be completely relied upon; resetting passwords frequently is very important in combination with using complex, hard-to-guess, long passwords, he added, ideally stored in a password manager.
Read Lurey’s other top tips on password security here.